Applocker vs Software restriction policy
Solution 1:
Software Restriction Policy is deprecated by Microsoft (technet effectively claiming SRP is not supported), since Windows 7 Enterprise/Ultimate introduced AppLocker.
In practice SRP has certain pitfalls, for both false negatives and false positives. AppLocker has the advantage that it's still being actively maintained and supported. If AppLocker is an option then it could be the cheaper one - after accounting for your time and risks taken. It's also possible there's a suitable third-party alternative (but this question didn't include that option :).
Hopefully you'd gain perfect understanding of SRP's pitfalls before you fall into any of them </sarcasm>
. Some of them are described in a nice security article from Vadims Podāns.
Known pitfalls
- In the default rules, execution from the
\Windows
folder is permitted. Some sub-folders can be written to by users. Applocker is the same, but at least official documentation mentions this limitation.
"To enumerate all folders with users write access you can use, for example, AccessEnum utility from Sysinternals pack." (or AccessChk).
An NSA document gives 16 examples of folders to blacklist with SRP (although the registry path rules use backslashes incorrectly so must be corrected - see point on registry paths below) and warns about a common over-broad blacklist entry.
The obvious question is why aren't we carefully whitelisting individual paths under \Windows
instead. (Including the \Windows\*.exe
legacy, System32\*.exe
, etc). I didn't notice any answers to this anywhere :(.
- Using environment variables like
%systemroot%
, SRP can be bypassed by users by clearing the environment variable. These are not used in the suggested defaults. However they may be tempting to use. This footgun is fixed in AppLocker, because it never looks at environment variables. - The suggested defaults neglect to allow for the two different
\Program Files
used on modern 64-bit installs. When resolving this using the more secure "registry paths", there are reports of false denials in random situations, which could easily be missed in testing. e.g. see comments on SpiceWorks SRP howto. This is to do with 32-bit applications reading relevant paths from the WOW6432Node of the registry: resolution is to add both these paths to SRP to allow all programs to work on 32-bit and 64-bit machines as Unrestricted whether started from an x64 or x86 host process:%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir (x86)%
%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramW6432Dir%
- The default extensions neglect to forbid PowerShell scripts (*.PS1) supported by Windows. (See video). And APPX too. Also according to Microsoft's comparison table, SRP can't manage "Packaged apps" in Windows 8; I have no idea what this means.
- Registry path rules must not have slashes immediately after the last percent sign (despite being included in Microsoft's own built-in rules for XP/Server 2003) and any backslashes must be replaced with forwardslashes in order for the rule to work (1/2/3).
- Of the sources I found for SRP, none put the full list above together for you. And I only discovered Vadims Podāns' article by accident. What else is lurking out there?
- Many sources recommend simply removing LNK files from the list. (And Web Shortcuts to avoid breaking Favourites?!). Disturbingly, no sources seem to discuss LNK vulnerabilities... or getting script interpreters to run files with an unexpected extension e.g.
wscript /e
... or maybe stuffing enough shellcode in an inline script parameter... etc. - If you try to compromise by allowing LNK files on the desktop, and you leave users with write access to the desktop, they can now bypass your policy entirely. Lovely tip from Vadims Podāns again. Note that the explanation applies to using any extension in a path rule. Microsoft present multiple examples of this including
*.Extension
, with no warning. So you can't trust the official documentation, and it seems unlikely to get fixed now. - [Potential AppLocker disadvantage]. Vadims Podāns reports that SRP entries using mapped drives do not work. The UNC path must be used instead. Maybe they would then apply to access through a mapped drive? it's not 100% clear. Apparently AppLocker was different: it didn't work with either :(. "Due to unknown reason, UNC paths doesn’t work in Applocker! This means that if your application is installed in network, you have to create either hash or publisher rules."
Pragmatic approach
Software whitelisting is potentially a very powerful defense. If we get cynical: this is exactly why Microsoft deprecates the lower-priced versions and invents more complex ones.
Maybe no other option is available (include 3rd-party solutions). Then a pragmatic approach would be to try configuring SRP as simply as possible. Treat it as an extra layer of defense, with known holes. Matching the pitfalls above:
- Start from the default rules (from the pre-Win7 era :).
- Prefer to not use environment variables, e.g.
%systemroot%
. - Add rules to make sure both
\Program Files\
directories are permitted on modern 64-bit machines. The extra "registry paths" you will need to add for\Program Files\
on 64-bit computers are%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir (x86)%
and%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramW6432Dir%
. - When adding to registry path rules, leave out any backslash immediately after the percent sign, and replace any further backslashes
\
with forwardslashes/
(e.g.%HKEY_LOCAL_MACHINE\Software\CompanyName\CustomApps%App/Bin/start.exe
) - Add PS1 to the list of controlled extensions.
- Understand that a manageable SRP configuration is not secure against a user determined to defeat it. The aim is to help/encourage users to work within the policy, to protect them against attacks like "drive-by downloads".
- Allow LNK files. (Preferably by removing it from the extensions list, not through some path rule).
- See point 7 :).
- Make sure your logon script folder is permitted. The NSA document suggests adding
\\%USERDNSDOMAIN%\Sysvol\
. (See point #2, sigh, then see point #6).
Solution 2:
I agree that SRP has some additional features that AppLocker could really benefit from.
That being said, I see the big benefits of AppLocker (as documented by this comparison) as:
- AppLocker rules can be targeted to a specific user or a group of users, whereas SRP is enforced on the whole computer.
- AppLocker supports audit mode so that rules can be tested in production before being enforced. SRP doesn't have an equivalent log-only mode.