As networks, the Internet, and e-mail become ever more common in business computing, users constantly encounter new software and must decide whether to run programs they know nothing about. Viruses and Trojan horses often masquerade as legitimate software to trick users into running them, so it is very hard for a user to decide safely which programs should be allowed to run. Software restriction policies address exactly this problem. This article explains how the Windows software restriction policy works.
Overview
Software restriction policies protect your computing environment from untrusted code by identifying software and specifying which applications are allowed to run. Programs are identified in a policy with hash rules, certificate rules, path rules, and Internet zone rules. By default, two security levels are available: "Unrestricted" and "Not allowed". This article mainly uses path rules and hash rules; path rules are the most flexible of the four, so unless stated otherwise, "rule" in the following text means a path rule.
2. Additional Rules and Security Levels
Additional Rules
When using software restriction policies, use the following rules to identify the software:
Certificate Rules
A software restriction policy can identify a file by its signing certificate. Certificate rules cannot be applied to files with an .exe or .dll extension; they can be applied to scripts and Windows Installer packages. You create a certificate rule that identifies the software and then decide whether the software may run based on the security level setting.
Path Rules
Path rules identify a program by its file path. Because the rule is tied to a path, it no longer matches once the program is moved elsewhere. Environment variables such as %programfiles% or %systemroot% can be used in path rules, and the wildcards * and ? are supported.
Hash Rules
A hash is a fixed-length series of bytes that uniquely identifies a program or file; it is computed by a hash algorithm. Software restriction policies identify a file by its SHA-1 (Secure Hash Algorithm) or MD5 hash. A file that is renamed or moved to another folder still produces the same hash.
For example, you can create a hash rule with the security level "Not allowed" to prevent users from running a particular file. The file can be renamed or moved to another location and still produces the same hash, so the rule still applies. However, any tampering with the file changes its hash value and lets it bypass the restriction. A software restriction policy recognizes only hashes that were computed by the policy itself.
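To make the contrast between path rules and hash rules concrete, here is an added Python example; it is not code from the original article and not Windows' own policy engine. It computes the SHA-1 and MD5 digests a hash rule would store and shows that the digest survives a rename and a move but changes when a single byte is altered, and it models a path rule with %programfiles% expansion and the * and ? wildcards to show that the same move takes a program out of a path rule's scope. The path matcher is a simplified teaching model rather than the exact matching algorithm Windows uses, and the sample file bytes and the %programfiles% mapping are constructed for the demo.

```python
import fnmatch
import hashlib
import shutil
import tempfile
from pathlib import Path

# Constructed stand-in for a program file; a real rule would hash an .exe or .msi.
SAMPLE_PROGRAM = b"MZ\x90\x00 constructed sample binary for the demo\n"

# Constructed mapping for %variable% expansion so the demo runs on any OS.
# Windows expands %programfiles% itself when it evaluates a real path rule.
DEMO_ENV = {"programfiles": r"C:\Program Files"}


def file_hashes(path):
    """Return the (SHA-1, MD5) hex digests of a file: the values a hash rule stores."""
    sha1, md5 = hashlib.sha1(), hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            sha1.update(chunk)
            md5.update(chunk)
    return sha1.hexdigest(), md5.hexdigest()


def expand_env(rule, env=DEMO_ENV):
    """Replace %name% tokens in a rule path using the supplied mapping."""
    for name, value in env.items():
        rule = rule.replace(f"%{name}%", value)
    return rule


def path_rule_matches(rule, program_path, env=DEMO_ENV):
    """Simplified path-rule check (a teaching model, not the exact SRP algorithm).

    Matching is case-insensitive, * and ? are wildcards, and a rule that names a
    folder without wildcards covers every file beneath that folder.
    """
    pattern = expand_env(rule, env).lower()
    target = program_path.lower()
    if any(ch in pattern for ch in "*?"):
        return fnmatch.fnmatchcase(target, pattern)
    return target == pattern or target.startswith(pattern.rstrip("\\") + "\\")


def hash_rule_demo():
    """Hash rule behaviour: the digest survives rename/move, changes on any edit."""
    with tempfile.TemporaryDirectory() as tmp:
        original = Path(tmp) / "tool.exe"
        original.write_bytes(SAMPLE_PROGRAM)
        rule_hash = file_hashes(original)  # what the administrator records in the rule

        # Rename and move the file: same bytes, so the rule still matches.
        moved = Path(tmp) / "elsewhere" / "renamed.exe"
        moved.parent.mkdir()
        shutil.move(str(original), str(moved))
        survives_move = file_hashes(moved) == rule_hash

        # Change one byte: the digest no longer matches and the rule no longer applies.
        tampered = Path(tmp) / "tampered.exe"
        tampered.write_bytes(SAMPLE_PROGRAM + b"\x00")
        changed_by_tamper = file_hashes(tampered) != rule_hash
    return survives_move, changed_by_tamper


def path_rule_demo():
    """Path rule behaviour: the rule matches in place and stops matching after a move."""
    rule = r"%programfiles%\App\*.exe"
    in_place = path_rule_matches(rule, r"C:\Program Files\App\tool.exe")
    after_move = path_rule_matches(rule, r"C:\Temp\tool.exe")
    return in_place, after_move


if __name__ == "__main__":
    print("hash rule (survives move, changed by tamper):", hash_rule_demo())
    print("path rule (matches in place, matches after move):", path_rule_demo())
```

The two demos are the two sides of the trade-off the article describes: a hash rule pins down one exact file wherever it lives but has to be recomputed after every legitimate update, while a path rule keeps working across updates but is only as strong as the user's inability to copy the program somewhere the rule does not cover.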
Internet Zone Rules
Zone rules apply only to Windows Installer packages. A zone rule identifies software by the Internet Explorer zone it comes from. The zones are Internet, Local Computer, Local Intranet, Restricted Sites, and Trusted Sites.
The rules above affect only the file types listed under "Designated File Types", a single list shared by all rules. By default the list contains: ADE ADP BAS BAT CHM CMD COM CPL CRT EXE HLP HTA INF INS ISP LNK MDB MDE MSC MSI MSP MST OCX PCD PIF REG SCR SHS URL VB WSC. Ordinary non-executable files such as TXT, JPG, and GIF are therefore unaffected. If you consider another extension a threat, you can add it to the list, and you can likewise remove extensions you consider harmless.
Security Levels
For software restriction policies, the system by default provides two security levels: "Unrestricted" and "Not allowed".
Note:
The "Not allowed" level does not include any file protection. You can still read, copy, paste, modify, and delete a file that is set to "Not allowed"; group policy does not block this, as long as your user account has the right to modify the file. The "Unrestricted" level is not completely without restriction either; it simply adds no further restrictions from the software restriction policy. In fact, an "Unrestricted" program receives its parent process's permissions when it starts: the access token a program obtains is determined by its parent process, so no program's permissions ever exceed those of its parent.
In fact there are three more levels that are hidden by default. We can expose them by manually editing the registry. Open the Registry Editor and expand to:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Create a new DWORD value named Levels with the value 0x4131000 (4131000 in hexadecimal).
After creating it, reopen gpedit.msc and you will see that the other three levels are now available.
Unrestricted
The highest level, but not completely unrestricted: "access to the software is determined by the user's access rights", that is, the program inherits the permissions of its parent process.
Basic User
A Basic User program keeps only the "Bypass traverse checking" privilege and is denied administrator privileges.
Restricted
More restrictive than Basic User, but still keeps the "Bypass traverse checking" privilege.
Untrusted
Access to system resources and user resources is not allowed. The direct result is that the program will not run.
Not allowed
Unconditionally blocks the program from executing or the file from being opened.
Ranked by the permissions they grant, the levels sort as: Unrestricted > Basic User > Restricted > Untrusted > Not allowed.