Software Restriction Policies


Malicious code such as viruses and worms has become an increasing problem. Windows XP introduced a mechanism called Software Restriction Policies that enables administrators to control which images and scripts execute on their systems. The Software Restriction Policies node of the Security Policy Editor, shown in Figure 8-11, serves as the management interface for a machine's code execution policies, although per-user policies are also possible using domain group policies.

Figure 8-11. Software Restriction Policy configuration


Several global policy settings appear beneath the Software Restriction Policies node.

  • The Enforcement policy configures whether restriction policies apply to libraries, such as DLLs, and whether policies apply to users only or to administrators as well.

  • The Designated File Types policy records the extensions for files that are considered executable code.

  • The Trusted Publishers policy controls who can select which certificate publishers are trusted.

When configuring a policy for a particular script or image, an administrator can direct the system to recognize it using its path, its hash, its Internet Zone (as defined by Internet Explorer) or its cryptographic certificate, and she can specify whether it is associated with the Disallowed or Unrestricted security policy.

Enforcement of Software Restriction Policies takes place within various components where files are treated as containing executable code. Some of these components are listed here:

  • The user-mode Windows CreateProcess function in \Windows\System32\Kernel32.dll enforces it for executable images.

  • The DLL loading code of Ntdll (\Windows\System32\Ntdll.dll) enforces it for DLLs.

  • The Windows command prompt (\Windows\System32\Cmd.exe) enforces it for batch file execution.

  • The Windows Scripting Host components that start scripts enforce it for script execution: \Windows\System32\Cscript.exe (for command-line scripts), \Windows\System32\Wscript.exe (for UI scripts), and \Windows\System32\Scrobj.dll (for script objects).

Each of these components determines whether the restriction policies are enabled by reading the Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Policies\Windows\Safer\CodeIdentifiers\TransparentEnabled, which, if set to 1, indicates that policies are in effect. It then determines whether the code it's about to execute matches one of the rules specified in a subkey of the CodeIdentifiers key and, if so, whether the execution should be allowed. If there is no match, the default policy, as specified in the DefaultLevel value of the CodeIdentifiers key, determines whether the execution is allowed.

Software Restriction Policies are a powerful tool for preventing unauthorized code and scripts from executing, but only if properly applied. Unless the default policy is set to disallow execution, a user can make minor changes to an image that's been marked as disallowed so that he can bypass the rule and execute it. For example, a user can change an innocuous byte of a process image so that a hash rule fails to recognize it, or copy a file to a different location to avoid a path-based rule.
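As an added example that is not from the book, the following PowerShell script mirrors the decision sequence just described for a single file: it checks TransparentEnabled, walks the path and hash rules stored under the level-numbered subkeys of CodeIdentifiers, and falls back to DefaultLevel, so an administrator can audit why a given image would or would not be blocked (and see why a one-byte change defeats a hash rule while a path rule survives it). It assumes the registry layout Windows itself uses: the key sits at HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers (the book prints the subkey order differently), rule subkeys are named by level id (0 = Disallowed, 262144 = Unrestricted), path rules live under Paths\{GUID} with an ItemData path, and hash rules under Hashes\{GUID} with a raw ItemData digest and an ItemSize; it only reads policy and changes nothing.

```powershell
# Added example (not from the book): report what the local SRP would decide for one
# file, in the order the text gives: TransparentEnabled -> matching rule -> DefaultLevel.
param(
    [Parameter(Mandatory)][string]$Path,
    # Key Windows reads for machine policy; use HKCU:\... to audit a per-user policy.
    [string]$Root = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
)
$LevelNames = @{ 0='Disallowed'; 4096='Untrusted'; 65536='Constrained';
                 131072='Basic User'; 262144='Unrestricted' }
$ids  = Get-ItemProperty -Path $Root -ErrorAction Stop
$file = Get-Item -LiteralPath $Path -ErrorAction Stop
# TransparentEnabled: 0 = off, 1 = on for images/scripts, 2 = DLLs checked as well.
if (-not $ids.TransparentEnabled) { return 'Policy not enforced: TransparentEnabled is 0 or absent' }

$hits = foreach ($lvl in Get-ChildItem $Root | Where-Object PSChildName -match '^\d+$') {
    $level = [int]$lvl.PSChildName
    # Path rules: ItemData is a path (environment variables allowed); a folder rule covers its subtree.
    foreach ($r in Get-ChildItem "$($lvl.PSPath)\Paths" -ErrorAction SilentlyContinue) {
        $pat = [Environment]::ExpandEnvironmentVariables((Get-ItemProperty $r.PSPath).ItemData).TrimEnd('\')
        if ($file.FullName -like $pat -or $file.FullName -like "$pat\*") {
            [pscustomobject]@{ Type='Path'; Level=$level; Rule=$pat; Specificity=$pat.Length }
        }
    }
    # Hash rules: ItemData is the raw digest (16 bytes MD5, 32 bytes SHA-256), ItemSize the file size.
    foreach ($r in Get-ChildItem "$($lvl.PSPath)\Hashes" -ErrorAction SilentlyContinue) {
        $p = Get-ItemProperty $r.PSPath
        $alg    = if ($p.ItemData.Length -eq 32) { 'SHA256' } else { 'MD5' }
        $stored = -join ($p.ItemData | ForEach-Object { $_.ToString('X2') })
        $actual = (Get-FileHash -LiteralPath $Path -Algorithm $alg).Hash
        # Changing any byte of the image changes the digest, so the rule silently stops matching.
        if ($stored -eq $actual -and [long]$p.ItemSize -eq $file.Length) {
            [pscustomobject]@{ Type='Hash'; Level=$level; Rule=$alg; Specificity=[int]::MaxValue }
        }
    }
}
# Hash rules outrank path rules; among path rules the longest (most specific) one wins.
$best = $hits | Sort-Object Specificity -Descending | Select-Object -First 1
if ($best) { $level = $best.Level; $why = "$($best.Type) rule: $($best.Rule)" }
else       { $level = if ($null -ne $ids.DefaultLevel) { $ids.DefaultLevel } else { 262144 }; $why = 'DefaultLevel' }
[pscustomobject]@{
    File    = $file.FullName
    Level   = $LevelNames[[int]$level]
    Blocked = ($level -eq 0)
    Reason  = $why
}
```

Run it once against the original Notepad.exe and once against a renamed copy in another folder to see the path rule stop applying while DefaultLevel takes over.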

EXPERIMENT: Watching Software Restriction Policy Enforcement

You can indirectly see Software Restriction Policies being enforced by watching accesses to the Registry when you attempt to execute an image that you've disallowed.

  1. Run secpol.msc to open the Local Security Policy Editor, and navigate to the Software Restriction Policies node.

  2. Choose Create New Policies from the context menu if no policies are defined.

  3. Create a path-based disallow restriction policy for \Windows\System32\Notepad.exe.

  4. Run Regmon, and set an include filter for "Safer." (See Chapter 4 for a description of Regmon.)

  5. Open a command prompt, and run Notepad from the prompt.

Your attempt to run Notepad should result in a message telling you that you cannot execute the specified program, and Regmon should show the command prompt (cmd.exe) querying the local machine restriction policies.




    Microsoft Windows Internals
    Microsoft Windows Internals (4th Edition): Microsoft Windows Server 2003, Windows XP, and Windows 2000
    ISBN: 0735619174
    Year: 2004
    Pages: 158
