Malware attack hardening using Software Restriction Policies
Kamin Miller
Warrington College of Business, University of Florida
What are Software Restriction Policies?
- Software Restriction Policies (SRP) are Group Policy (GPO) rules that decide whether an application is allowed to run or is blocked from running
- Rules can be applied to any folder on the system
- A malformed rule could accidentally block parts of the Windows system from running
- Security levels are Unrestricted (default), Disallowed, and Basic User
  - Unrestricted (the default): software runs with the user's own access rights, e.g. as an administrator if UAC allows the program to be run elevated
  - Basic User: forces all programs that match the rule to run in the limited user context
  - Disallowed: forces all programs that match the rule to be unable to execute
- Each rule is assigned a security level when it is created
- Rules can match by path, file hash, Internet zone, or publisher certificate
How do they help with security?
- All users, regardless of administrative permissions, have full access to their home directories
- Most applications use the user's AppData folder for temporary storage during installs and updates
- Malware also tends to use the user's local temp folder as the place to start modifying the system
- By whitelisting only approved apps to run from these folders, we cut down the ability of malware to gain a foothold on the system
- Rules apply to all users, regardless of administrative permission
What Software Restriction Policies do not replace
- Antivirus/Antimalware policies
- Limited user accounts
- User education about malware risks
- Common sense
Whitelisting vs Blacklisting
- Whitelisting
  - By default all apps are blocked
  - Apps that need to run from these folders are explicitly allowed
- Blacklisting
  - By default all apps are allowed to run
  - Identified malware is explicitly denied execution
- Whitelisting is less overhead for I.T. to maintain
Warrington College of Business Policy Configuration
In Group Policy Management Editor:
Computer Configuration > Policies > Windows Settings > Security Settings > Software Restriction Policies
Policy Configuration: Software Restriction Policies > Enforcement
- Apply software restriction policies to all software files except libraries
- Apply software restriction policies to all users
- When applying software restriction policies, enforce certificate rules
Policy Configuration: Software Restriction Policies > Designated file types
- Lists the file extensions the computer treats as executable and therefore evaluates against the rules
- Extensions: ADE, ADP, BAS, BAT, CHM, CMD, COM, CPL, CRT, EXE, HLP, HTA, INF, INS, ISP, JS, LNK, MDB, MDE, MSC, MSI, MSP, MST, OCX, PCD, PIF, REG, SCR, SHS, URL, VB, WSC
- The list is modifiable by the GPO administrator
Policy Configuration: Software Restriction Policies > Additional Rules
Path rules to be evaluated:
- %AppData%\*.exe: Disallowed. Blocks all executables at the root of the user's AppData folder from running
- %AppData%\*\*.exe: Disallowed. Blocks executables in the AppData subfolders from running
- %LocalAppData%\*.exe: Disallowed
- %LocalAppData%\*\*.exe: Disallowed
Policy Configuration: Software Restriction Policies > Additional Rules (continued)
Path rules to be evaluated:
- %Temp%\*.zip\*.exe: Disallowed. Blocks all executables inside zip archives from being run without being extracted
- %Temp%\7z*\*.exe: Disallowed. Blocks executables inside 7-Zip archives from being run without being extracted
- %Temp%\Rar*\*.exe: Disallowed. Blocks executables inside WinRAR archives from being run without being extracted
- %Temp%\wz*\*.exe: Disallowed. Blocks executables inside WinZip archives from being run without being extracted
Policy Configuration: Software Restriction Policies > Additional Rules (continued)
Certificate rules to be evaluated:
- Google Inc.: Unrestricted. Allowed to run from any subfolder of a user's home directory
- Mozilla Corporation: Unrestricted
- Other digitally signed software as needed
- Certificate verification adds CPU cycles, which may slow down execution of an application
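The Takeaways note that these settings can also be applied locally to a non-domain-joined machine. The script below is an added example, not from the original slides, that writes the Enforcement settings, the Designated file types list and the Disallowed path rules from the slides above into the local Software Restriction Policies registry store. It assumes the documented Safer layout under HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers (level subkeys 0 = Disallowed, 131072 = Basic User, 262144 = Unrestricted) and an elevated PowerShell prompt.

```powershell
# Added example (not from the slides): write the Enforcement, Designated
# file types and Disallowed path rules above into the LOCAL Software
# Restriction Policies store of a non-domain-joined machine. Run elevated.
# Assumed layout: ...\Safer\CodeIdentifiers\<level>\Paths\{GUID}, where
# level 0 = Disallowed, 131072 = Basic User, 262144 = Unrestricted.
$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
New-Item -Path $base -Force | Out-Null

# Enforcement slide: Unrestricted default level; all software files except
# libraries (2 would include DLLs); all users (1 = skip local admins);
# enforce certificate rules
$enforcement = @{ DefaultLevel = 262144; TransparentEnabled = 1
                  PolicyScope = 0; AuthenticodeEnabled = 1 }
foreach ($name in $enforcement.Keys) {
    New-ItemProperty -Path $base -Name $name -Value $enforcement[$name] `
        -PropertyType DWord -Force | Out-Null
}

# Designated file types slide (stored as REG_MULTI_SZ, without the dot)
$types = @('ADE','ADP','BAS','BAT','CHM','CMD','COM','CPL','CRT','EXE','HLP',
           'HTA','INF','INS','ISP','JS','LNK','MDB','MDE','MSC','MSI','MSP',
           'MST','OCX','PCD','PIF','REG','SCR','SHS','URL','VB','WSC')
New-ItemProperty -Path $base -Name ExecutableTypes -Value $types `
    -PropertyType MultiString -Force | Out-Null

function Add-SaferPathRule {
    param([string]$Path, [int]$Level, [string]$Description)
    # Each path rule is its own GUID-named key under the level's Paths key
    $key = "$base\$Level\Paths\{$([guid]::NewGuid())}"
    New-Item -Path $key -Force | Out-Null
    New-ItemProperty -Path $key -Name ItemData -Value $Path -PropertyType ExpandString -Force | Out-Null
    New-ItemProperty -Path $key -Name SaferFlags -Value 0 -PropertyType DWord -Force | Out-Null
    New-ItemProperty -Path $key -Name Description -Value $Description -PropertyType String -Force | Out-Null
}

# Additional Rules slides: the Disallowed path rules (certificate rules are
# not covered here; add those through the GPO editor)
$disallowed = @('%AppData%\*.exe', '%AppData%\*\*.exe',
                '%LocalAppData%\*.exe', '%LocalAppData%\*\*.exe',
                '%Temp%\*.zip\*.exe', '%Temp%\7z*\*.exe',
                '%Temp%\Rar*\*.exe', '%Temp%\wz*\*.exe')
foreach ($p in $disallowed) { Add-SaferPathRule -Path $p -Level 0 -Description "Block $p" }

# Check: list the Disallowed path rules now present in the local store
Get-ChildItem "$base\0\Paths" | ForEach-Object { (Get-ItemProperty $_.PSPath).ItemData }
```

Because a malformed rule can block parts of Windows, run this on a test machine first; deleting the CodeIdentifiers key returns the machine to having no local SRP policy.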
Alternative to Software Restriction Policies
- AppLocker is similar to Software Restriction Policies but has more granular support for rules and users, allowing blocking by user group rather than the all-or-nothing scope of Software Restriction Policies
- Audit mode can be used to test the impact before deploying
- PowerShell support for creating and modifying rules
AppLocker vs Software Restriction Policies comparison

Feature                                     | Software Restriction Policies                                        | AppLocker
Rule scope                                  | All users                                                            | Specific user or group
Rule conditions provided                    | File hash, path, certificate, registry path, and Internet zone rules | File hash, path, and publisher rules
Rule types provided                         |                                                                      | Allow and deny
Default rule action                         | Allow or deny                                                        | Deny
Audit-only mode                             | No                                                                   | Yes
Wizard to create multiple rules at one time | No                                                                   | Yes
Policy import or export                     | No                                                                   | Yes
Rule collection                             | No                                                                   | Yes
PowerShell support                          | No                                                                   | Yes
Custom error messages                       | No                                                                   | Yes

Source: https://technet.microsoft.com/en-us/library/dd759113(v=ws.11).aspx
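To show the two AppLocker advantages the deck singles out (audit-only mode and PowerShell support), here is an added example, not from the original slides, that expresses the AppData deny rule as an AppLocker policy in AuditOnly mode and checks it with Test-AppLockerPolicy before anything is enforced. It assumes the AppLocker cmdlets are available (Windows editions that ship AppLocker) and the standard AppLocker policy XML schema; the rule GUIDs and sample paths are constructed.

```powershell
# Added example (not from the slides): SRP's %AppData% rule as an AppLocker
# path rule in AuditOnly mode, tested with Test-AppLockerPolicy.
# Assumed: AppLocker cmdlets present; standard policy XML schema.
# The two Allow rules mirror AppLocker's default rules so normal software
# is not reported as denied by the implicit deny.
$policyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
    <FilePathRule Id="a1b2c3d4-0000-4000-8000-000000000001" Name="Allow Program Files"
        Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="a1b2c3d4-0000-4000-8000-000000000002" Name="Allow Windows"
        Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="a1b2c3d4-0000-4000-8000-000000000003" Name="Block exe under AppData"
        Description="Equivalent of the SRP %AppData% path rules" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions><FilePathCondition Path="%OSDRIVE%\Users\*\AppData\*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"@
$policyFile = Join-Path $env:TEMP 'applocker-appdata-audit.xml'
Set-Content -Path $policyFile -Value $policyXml -Encoding UTF8

# Constructed sample paths (substitute files that exist on the test machine,
# since the cmdlet gathers file information): first should be allowed, the
# other two denied by the AppData rule
$samples = @(
    'C:\Program Files\Mozilla Firefox\firefox.exe',
    'C:\Users\alice\AppData\Local\Temp\invoice.exe',
    'C:\Users\alice\AppData\Roaming\Update\setup.exe'
)
# Reports PolicyDecision and MatchingRule per file without enforcing anything
Test-AppLockerPolicy -XmlPolicy $policyFile -Path $samples -User Everyone |
    Select-Object FilePath, PolicyDecision, MatchingRule

# To roll it out in audit mode (decisions are logged under Applications and
# Services Logs > Microsoft > Windows > AppLocker), merge into local policy:
# Set-AppLockerPolicy -XmlPolicy $policyFile -Merge
```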
Takeaways
- Anything that enhances security and minimizes user downtime is a win for I.T.
- A demo GPO object with these settings, called "w-Computers-Security-ExeRestrictions-Demo", can be read by anyone with the "PS_UF_N_ALL_IT_WORKERS_AutoGS" role, for reference
- Since its implementation, the Warrington College of Business has had 0 ransomware infections and a low number of malware UFIRT tickets from UF Security on domain-joined machines
- It is possible to apply these settings locally to a non-domain-joined machine
Contact and References
Kamin Miller
Kamin.miller@warrington.ufl.edu
352-273-1613

References
- UF Security bulletin linking a set of reference Software Restriction Policy rules: https://www.bleepingcomputer.com/virus-removal/cryptolocker-ransomware-information#prevent
- Microsoft TechNet on Software Restriction Policies: https://technet.microsoft.com/en-us/library/cc782792(v=ws.10).aspx
- Microsoft TechNet on AppLocker: https://technet.microsoft.com/en-us/itpro/windows/keep-secure/applocker-overview