Wednesday, June 25, 2008

Preventing users from executing files using Software Restriction Policies

Traditionally I have used NTFS permissions to restrict access for standard user accounts to certain executable files.

Most notably is reg.exe, when providing a managed workstation (SOE) to prevent standard users from accessing the registry. When coupled with Group Policy to restrict access to registry editing tools (regedit) it is effective in preventing access.

One alternative I had overlooked until recently was Software Restriction Policies. These can be applied as per most policies at the local or Group Policy level.

A user with full permissions to a directory can be blocked from executing files using the Software Restriction Policies.

Using the "Disallowed" Security level, prevents execution regardless of the NTFS permissions the user holds, using Unrestricted honours the user account NTFS permissions.

User has Full Control of the folder C:\Test

Create a New Path rule by running GPEdit.msc
Local Security Policy / Software Restriction Policies / Additional Rules (Same location for a GPO)
New Path Rule
Path: C:\Test
Security Level: Disallowed

When the user executes a file from the path, the system prevents execution of the file.

The system cannot execute the specified program.

This could be applied to the SOE reg.exe scenario outlined earlier.

Another use I can see for this is to have a "scripts / tools" directory that the system can execute from Using a local System scheduled task, but those pesky users can't.

The following Microsoft articles list there purported uses of the facility, but this is interesting if nothing else and provides another tool for SOE builds that I hadn't considered using before.

Other rules can be specified to identify software including

Hash. A cryptographic fingerprint of the file
Certificate. A software publisher certificate used to digitally sign a file
Path. The local or universal naming convention (UNC) path of where the file is stored
See also "Registry Paths" as outlined in the reference documents.
Zone. Internet Zone

Using Software Restriction Policies to Protect Against Unauthorized Software

How Software Restriction Policies Work

No comments: