Mis-understandings about Software Restriction Policies (SRP)

Re: Mis-understandings about Software Restriction Policies (SRP)

Post by ssj100 on 30/7/2010, 03:54

To be fair, I see a lot of "mis-information" all over the internet (including on various security forums) of people claiming that LUA + SRP is not secure because of privilege escalation etc. Firstly, it's pretty galling to see these claims made when possibly 99.99% of people who make them don't know much about LUA + SRP (including myself haha) to start off. Secondly, they probably don't know much about how exactly these exploits function.

And to be honest, I'm still learning myself. However, I think it is a common mis-conception that LUA + SRP can be easily bypassed via privilege escalation etc, and that it happens all the time. Sure, privilege escalation occurs through many documented vulnerabilities (which have since been patched), but this does not mean much to the home user who has employed this powerful security strategy. As I've illustrated above, these privilege escalation techniques all seem to require local/physical access by malicious users. Not only that, but many of them seem to function at kernel level - if an exploit is specifically discovered at this level, there's not a lot that can be done to mitigate it anyway.

_________________
Sandboxie + LUA + SRP + DEP + SuRun
Windows Firewall + NAT Router + IPSec (on-demand)
VirtualBox (on-demand)
Drive SnapShot (on-demand)

Re: Mis-understandings about Software Restriction Policies (SRP)

Post by Tranquility on 30/7/2010, 04:07

Once privilege escalation is achieved, executables can be written anywhere, like Windows and Program Files, or attached to existing DLL's already located there - the kind of places malware authors like to hide them. Once there, SRP will do nothing to prevent them from running.

Software like flash and macros provide the mechanism to take advantage of a privilege escalation exploit. The privilege escalation provides the means for writing to Windows, HKLM, and program files, places that LUA would otherwise prevent. Once written to those locations they are free to run uninhibited by SRP.

To think LUA and SRP are invincible we have to believe that privilege escalation does not and will not exist, because it is all that is needed to circumvent both. There simply isn't any way around it.

This goes back to where we started. How might we evaluate a HIPS as compared to LUA and SRP? One way might be if the HIPS is crafted well enough to see that flash is calling a system service it has no business calling (in an attempt to take advantage of a privilege exploit that does not require a buffer overflow that DEP might otherwise prevent - see the DOS virtual machine exploit, and ultimately download and write a nice little program in the system32 folder and an entry or two in HKLM, or why not a rootkit while they are at it so we can't find the program), and once seeing that initial call, intercept it and prevent it from happening in the first place.

I'm sorry if you find that to be misinformation.

Re: Mis-understandings about Software Restriction Policies (SRP)

Post by ssj100 on 30/7/2010, 04:27

Tranquility wrote: Once privilege escalation is achieved, executables can be written anywhere, like Windows and Program Files, or attached to existing DLL's already located there - the kind of places malware authors like to hide them. Once there, SRP will do nothing to prevent them from running.

Software like flash and macros provide the mechanism to take advantage of a privilege escalation exploit. The privilege escalation provides the means for writing to Windows, HKLM, and program files, places that LUA would otherwise prevent. Once written to those locations they are free to run uninhibited by SRP.

What I'm struggling to understand is how files can be written without further execution (I'm sure they can, but I always thought this required some sort of buffer overflow execution or similar). Unfortunately I'm not a programmer (or a computer expert of any kind), so I'm going to be a bit slow on this haha. You mention potential vessels to carry this exploit like flash and macros (both of which are easily mitigated by running appropriate browser protection and simply not enabling macros respectively) - how exactly does the exploit get on to the user's system in the first place?

Tranquility wrote: To think LUA and SRP are invincible we have to believe that privilege escalation does not and will not exist, because it is all that is needed to circumvent both. There simply isn't any way around it.

LUA + SRP are certainly not "invincible" (nothing is), but it seems to be able to stop dead all real-world malware out there. Vulnerabilities are released every day (not just for Windows programs) but does real malware exist to exploit these specific vulnerabilities that one can come across by eg. browsing the internet? All (third party) security programs have been bypassed at one stage or another, but they are often POC's and not real-world malware. I suppose you could argue that a POC is equivalent to a real-world malware though.

Tranquility wrote: This goes back to where we started. How might we evaluate a HIPS as compared to LUA and SRP? One way might be if the HIPS is crafted well enough to see that flash is calling a system service it has no business calling (in an attempt to take advantage of a privilege exploit that does not require a buffer overflow that DEP might otherwise prevent - see the DOS virtual machine exploit, and ultimately download and write a nice little program in the system32 folder and an entry or two in HKLM, or why not a rootkit while they are at it so we can't find the program), and once seeing that initial call, intercept it and prevent it from happening in the first place.

Again, you give the example of the DOS virtual machine exploit, but doesn't that require local/physical access?
http://www.microsoft.com/technet/security/Bulletin/MS10-015.mspx
To exploit either vulnerability, an attacker must have valid logon credentials and be able to log on locally. The vulnerabilities could not be exploited remotely or by anonymous users.
Therefore, wouldn't the (average) home user be safe from these types of exploits?

Tranquility wrote: I'm sorry if you find that to be misinformation.

Well, I think it's only mis-information when it's not justified and explained in context - that doesn't apply to you mate.

Re: Mis-understandings about Software Restriction Policies (SRP)

Post by ssj100 on 30/7/2010, 04:34

Oh and by the way, if I thought LUA + SRP were invincible, I wouldn't be running Sandboxie haha.

EDIT: just been reading several articles about privilege escalation, and it seems Windows is not alone - Linux systems/servers have been affected in the past too, and required appropriate patching. However, this didn't mean that real-world malware was used to infect Linux systems/servers (bad things like viruses don't exist on Linux right haha). Furthermore, all privilege escalation exploits seemed to only realistically apply to corporate environments where (potentially random) people would have direct local/physical access to the computer hardware/software. Again, this would not apply to 99.9999% of people, as there relatively just aren't that many public/private system network administrators around who administer to an environment with potentially random people using large numbers of computers. And besides, those public/private networks can't rely on eg. a HIPS popping up every so often asking the user what he/she wants to do - not only would it potentially drive them crazy, but it would severely inhibit productivity, thereby negatively impacting any potential profit-making etc.

The fact that so many corporate facilities out there use LUA + SRP indicates how powerful this protection is (remember in this context, LUA + SRP is protecting systems from potentially malicious users who do have direct local/physical access to the computer hardware/software). You can only imagine how (even more) powerful LUA + SRP would be for the home user (where there is no such malicious user).

Re: Mis-understandings about Software Restriction Policies (SRP)

Post by Sadeghi85 on 17/8/2010, 17:46

ssj100 wrote:
So to summarise, in Windows XP Professional default installation, only four folders allow writing and execution in Limited User Accounts. In Windows 7 Ultimate default installation, at least 14 folders allow this! Why Microsoft why!

I just checked with AccessChk and only 7 folders allow writing in 7 32-bit default installation.

RW c:\windows\debug\WIA
RW c:\windows\Registration\CRMLog
RW c:\windows\Tasks
RW c:\windows\tracing
W c:\windows\System32\Tasks
RW c:\windows\System32\catroot2\{F750E6C3-38
RW c:\windows\System32\spool\drivers\color

Re: Mis-understandings about Software Restriction Policies (SRP)

Post by Sadeghi85 on 17/8/2010, 19:31

I checked again with an elevated command prompt and there are 4 more folders:

RW c:\windows\Temp
RW c:\windows\System32\FxsTmp
W c:\windows\System32\com\dmp
W c:\windows\System32\spool\PRINTERS

Browsing (or in case of 'FxsTmp', writing) to the above folders caused a UAC prompt.



So does it mean those folders needed to be disallowed in SRP too?

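One way to work through the question in the post above, as an added example that is not part of the original posts: the script parses the two AccessChk listings quoted there, checks each user-writable folder against an SRP path-rule set, and lists the folders that would need their own Disallowed rule. The baseline rules, the simplified "most specific matching path rule wins" model, the decision to treat every W or RW folder as a candidate, and the `probe.exe` file name are assumptions made for the illustration.

```python
import ntpath
import re

# The two AccessChk listings quoted in the posts above (normal prompt, then
# elevated prompt). The catroot2 entry is cut off in the post and stays cut off.
STANDARD_RUN = r"""
RW c:\windows\debug\WIA
RW c:\windows\Registration\CRMLog
RW c:\windows\Tasks
RW c:\windows\tracing
W c:\windows\System32\Tasks
RW c:\windows\System32\catroot2\{F750E6C3-38
RW c:\windows\System32\spool\drivers\color
"""
ELEVATED_RUN = r"""
RW c:\windows\Temp
RW c:\windows\System32\FxsTmp
W c:\windows\System32\com\dmp
W c:\windows\System32\spool\PRINTERS
"""

# Assumed baseline (not from the posts): default level Disallowed, with
# Unrestricted path rules for the Windows and Program Files trees.
BASE_RULES = [(r"c:\windows", "Unrestricted"),
              (r"c:\program files", "Unrestricted")]

LINE_RE = re.compile(r"^\s*(RW|R|W)\s+(\S.*?)\s*$")


def parse_accesschk(text):
    """Return {normalized_path: access} for every 'RW path' / 'W path' line."""
    found = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            access, path = m.groups()
            found[ntpath.normcase(path)] = access
    return found


def is_truncated(path):
    """A GUID folder name with an unclosed brace was cut off in the listing."""
    return path.count("{") != path.count("}")


def effective_level(path, rules, default="Disallowed"):
    """Simplified SRP model: the longest matching path rule decides the level."""
    path = ntpath.normcase(path)
    best = None
    for rule_path, level in rules:
        rp = ntpath.normcase(rule_path).rstrip("\\")
        if path == rp or path.startswith(rp + "\\"):
            if best is None or len(rp) > len(best[0]):
                best = (rp, level)
    return best[1] if best else default


def plan_disallow_rules(listings, rules):
    """Writable folders whose contents the rule set would still allow to run."""
    candidates, skipped = [], []
    for path, access in sorted(listings.items()):
        if "W" not in access:
            continue
        if is_truncated(path):
            skipped.append(path)  # cannot write a rule for an incomplete path
        elif effective_level(path + "\\probe.exe", rules) == "Unrestricted":
            candidates.append(path)
    return candidates, skipped


def audit():
    """Merge both runs, plan the extra rules, then re-check the hardened set."""
    listings = {**parse_accesschk(STANDARD_RUN), **parse_accesschk(ELEVATED_RUN)}
    candidates, skipped = plan_disallow_rules(listings, BASE_RULES)
    hardened = BASE_RULES + [(p, "Disallowed") for p in candidates]
    still_open, _ = plan_disallow_rules(listings, hardened)
    return candidates, skipped, still_open


if __name__ == "__main__":
    candidates, skipped, still_open = audit()
    for p in candidates:
        print("add Disallowed path rule:", p)
    for p in skipped:
        print("truncated in listing, review by hand:", p)
    print("writable and still Unrestricted after hardening:", still_open)
```
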

Re: Mis-understandings about Software Restriction Policies (SRP)

Post by ssj100 on 17/8/2010, 23:24

I would recommend using MrBrian's rules here:
http://www.wilderssecurity.com/showpost.php?p=1679077&postcount=7

Re: Mis-understandings about Software Restriction Policies (SRP)

Post by Sully on 18/8/2010, 11:11

ssj100 wrote: By the way, Tranquility, let me pick your brains for a moment (since wat0114, Sully etc don't seem to visit this forum anymore):

This site moves a little slower, so I don't check it as often. At least the areas I am usually interested in.

A common misconception is that it takes being LUA and using SRP to have security. Being secure does not come from what you use, but how you use it. It is good to inform people about LUA, as it could really shore up the defenses of a lot of users out there. One should also point out though that it is possible to be an Admin in day to day use and still remain quite problem free. I personally think the goal should be to inform about LUA but more to teach about why LUA and why not Admin. Simply using LUA/SRP without understanding why only leads to privilege escalation whenever one desires, not because it is appropriate.

Messing with the DACL of the objects and containers of the OS drive is great fun to learn with. I will only say that if you don't implicitly understand what the differences are in the inheritance and propagation, especially in win7/vista, you might want to have an image handy. There is a reason M$ has assigned the ACE the way they did on many containers. But, why not play a little and find out. The rights and restrictions of objects and containers can take you to the next step in your understanding of things, that much is certain.

Sul.

Re: Mis-understandings about Software Restriction Policies (SRP)

Post by ssj100 on 18/8/2010, 11:17

Sully wrote:
ssj100 wrote: By the way, Tranquility, let me pick your brains for a moment (since wat0114, Sully etc don't seem to visit this forum anymore):

This site moves a little slower, so I don't check it as often. At least the areas I am usually interested in.

A common misconception is that it takes being LUA and using SRP to have security. Being secure does not come from what you use, but how you use it. It is good to inform people about LUA, as it could really shore up the defenses of a lot of users out there. One should also point out though that it is possible to be an Admin in day to day use and still remain quite problem free. I personally think the goal should be to inform about LUA but more to teach about why LUA and why not Admin. Simply using LUA/SRP without understanding why only leads to privilege escalation whenever one desires, not because it is appropriate.

Messing with the DACL of the objects and containers of the OS drive is great fun to learn with. I will only say that if you don't implicitly understand what the differences are in the inheritance and propagation, especially in win7/vista, you might want to have an image handy. There is a reason M$ has assigned the ACE the way they did on many containers. But, why not play a little and find out. The rights and restrictions of objects and containers can take you to the next step in your understanding of things, that much is certain.

Sul.

Good points Sully. However, I think most people who would even consider using LUA + SRP are going to research things fairly well before, during, and even after implementing it. If you take the time to read through things properly on this forum (and all the associated links), all the information you would ever want/need is there.

And of course, running Admin + "nothing else except an image back-up" can also be safe, depending on what you use your computer for, your personal requirement for peace of mind etc.

Re: Mis-understandings about Software Restriction Policies (SRP)

Post by Sully on 18/8/2010, 14:01

ssj100 wrote: Good points Sully. However, I think most people who would even consider using LUA + SRP are going to research things fairly well before, during, and even after implementing it. If you take the time to read through things properly on this forum (and all the associated links), all the information you would ever want/need is there.

And of course, running Admin + "nothing else except an image back-up" can also be safe, depending on what you use your computer for, your personal requirement for peace of mind etc.

I would agree, for the more knowledgeable user, they would probably research SRP before implementing it. It is not these users though that I would steer my advice for, but the ones that are either just starting their journey or simply fed up with viruses/malware etc and are looking for ways to stop it. Lots of these will read this very thread. Implementing SRP for them will be something that comes later. They will see LUA and google it to see what it means. They will attempt to try it. But if they don't understand that it is not LUA that keeps them safe, but the lack of they themselves being able to run anything they want that does it.

Teaching novice users to use LUA is a great step. Making them understand that the only way (typically) to compromise their system is to run something as an Admin is not as prevalent in the descriptions. Even users who are more advanced sometimes don't fully understand the implications of 'running as admin'. It is easy with UAC to click OK. I believe the focus should be more on how to use LUA everyday, and also to set an impression that everything that comes down the pike should not need Admin rights. After all, that is the premise of LUA, to not have to need the rights of an admin to do the daily activities.

This is why I balk a bit at UAC. Others see it as a barrier or boundary, I see it as an easier way of elevating to admin level for the average use without much in the way of a warning. Most people I know that still have problems do so because they downloaded something, executed it, and clicked OK on the UAC prompt because it said it needed to.

There is no specific fix. Education is the only recourse. But seeing lots of threads talking about "use LUA for more security" is only half of the solution. If you don't understand that raising anything and everything to admin is the same as being admin, then you gain little from being LUA except those things that go on behind the scenes.

Sul.

Re: Mis-understandings about Software Restriction Policies (SRP)

Post by ssj100 on 18/8/2010, 14:09

Sully wrote:
ssj100 wrote: Good points Sully. However, I think most people who would even consider using LUA + SRP are going to research things fairly well before, during, and even after implementing it. If you take the time to read through things properly on this forum (and all the associated links), all the information you would ever want/need is there.

And of course, running Admin + "nothing else except an image back-up" can also be safe, depending on what you use your computer for, your personal requirement for peace of mind etc.

I would agree, for the more knowledgeable user, they would probably research SRP before implementing it. It is not these users though that I would steer my advice for, but the ones that are either just starting their journey or simply fed up with viruses/malware etc and are looking for ways to stop it. Lots of these will read this very thread. Implementing SRP for them will be something that comes later. They will see LUA and google it to see what it means. They will attempt to try it. But if they don't understand that it is not LUA that keeps them safe, but the lack of they themselves being able to run anything they want that does it.

Teaching novice users to use LUA is a great step. Making them understand that the only way (typically) to compromise their system is to run something as an Admin is not as prevalent in the descriptions. Even users who are more advanced sometimes don't fully understand the implications of 'running as admin'. It is easy with UAC to click OK. I believe the focus should be more on how to use LUA everyday, and also to set an impression that everything that comes down the pike should not need Admin rights. After all, that is the premise of LUA, to not have to need the rights of an admin to do the daily activities.

This is why I balk a bit at UAC. Others see it as a barrier or boundary, I see it as an easier way of elevating to admin level for the average use without much in the way of a warning. Most people I know that still have problems do so because they downloaded something, executed it, and clicked OK on the UAC prompt because it said it needed to.

There is no specific fix. Education is the only recourse. But seeing lots of threads talking about "use LUA for more security" is only half of the solution. If you don't understand that raising anything and everything to admin is the same as being admin, then you gain little from being LUA except those things that go on behind the scenes.

Sul.

I understand what you're saying, but I reckon it's pretty obvious that if you don't understand something, you won't be able to implement it optimally. This applies to many aspects of life, not just computer security haha.

By the way, a good advantage of LUA is clearly seen with the Prevx termination "bypass" discussed here:
http://ssj100.fullsubject.com/other-f6/prevx-305185-terminated-by-zero-day-poc-t238.htm

The "bypass" only works in an Admin account. In this way, even a noob user who elevates everything would benefit (as they'd find it hard to elevate the Prevx process to Admin haha).

Re: Mis-understandings about Software Restriction Policies (SRP)

Post by wat0114 on 22/8/2010, 11:14

Hi ssj. I peek through the porch window now and again to see what's going on :) As Sully alluded to, I also see things moving a little slower here than elsewhere, thus my lack of participation, but once I see something that sparks my interest, I'm in.

Sully wrote:
This is why I balk a bit at UAC. Others see it as a barrier or boundary, I see it as an easier way of elevating to admin level for the average use without much in the way of a warning.

True, if the pc is controlled by an individual who knows the password and especially runs as full-time admin, then even in admin approval mode in Win 7 it doesn't matter if they are stubbornly intent on executing the file that UAC alerted on, especially if they don't understand the prompt type. But I contend if they take an interest in UAC and learn what it's about, they might think twice before launching the file upon getting a UAC prompt, especially if it's unexpected. Also, remember (of course you know this, LOL) that with UAC enabled, even in the admin account the applications, including browser, run with only standard privileges, so this is another reason why I see it as at least somewhat of a security boundary, an underrated one at that.

Most people I know that still have problems do so because they downloaded something, executed it, and clicked OK on the UAC prompt because it said it needed to.

But the UAC prompt doesn't state it needs to. It asks - with a specific, informational (limited, okay, but informational nonetheless) color-coded prompt - if you want to allow the program to make changes to the computer. I've spoken with people who lament the problems they have combating malware, especially where their teenaged offspring are concerned, but when I talk about and explain the benefits of running LUA and using imaging/restore programs (because they spend an entire day reinstalling Windows and all else with it) they just don't care. They're only interested in running an antivirus such as Nortons /sic or MacAfee /sic because their eyes glaze over and, after all, "you can't install programs in a limited account". So there you have it, they fully support their little Johnny's or Sally's insatiable appetite for downloading and installing screensavers and video codecs....sigh. It's really a mindset, a mindset that involves a keen interest in computer security with an emphasis on the approach ™ (trademark belongs to ssj :) ) to take. If it's there, it's easy to take advantage of all that's available, lua, srp and uac included, because the interested individual will learn about it to gain enough of an understanding to use it to their benefit, as opposed to those who don't have it and are only interested in using the computer to satisfy their entertainment needs.

Re: Mis-understandings about Software Restriction Policies (SRP)

Post by Guest on 22/8/2010, 16:08

The problem is that home pcs are marketed and purchased largely for "entertainment needs" and true "solutions" must be accessible to users that fall into that range or be addressed at a level before the consumer receives the product in the first place. I do not meet anyone in my daily life that uses a pc that would even think of doing some of the things that are suggested here because "I have other things to think about", "I want my pc just to work", "I don't want to wreck anything".
I truly believe that most pc users do not/will not/cannot "mess about" with their pcs.
If there was some kind of aftermarket hardware device that you could buy from "compu world" that you could just plug in to the pc for "complete security and privacy" then it might (with a large advertising campaign) just be marketable. Most people believe that the antivirus software that comes with the pc will protect them because "that's what it says on the box".
wat114 wrote: are only interested in using the computer to satisfy their entertainment needs.


Re: Mis-understandings about Software Restriction Policies (SRP)

Post by Binky on 12/11/2010, 07:12

ssj100 wrote: You mention potential vessels to carry this exploit like flash and macros (both of which are easily mitigated by running appropriate browser protection and simply not enabling macros respectively) - how exactly does the exploit get on to the user's system in the first place?

I assume that NoScript qualifies as appropriate browser protection, which I use. I share my PC with an inexperienced user too. When either of us goes to a new site, NoScript blocks all scripts by default. Either of us may be fooled into trusting a site at first glance and allowing scripts with NoScript for the main site (we only allow 3rd-party scripts if allowing the main site doesn't make the site work). So, even though we are savvy with NoScript, we can be fooled. This is how exploits can get onto the user's system in the first place.

I try to provide fall-back protection in case of human errors. I just don't see how to do it in the case of privilege-escalation exploits with LUA+SRP protection.

Re: Mis-understandings about Software Restriction Policies (SRP)

Post by ssj100 on 12/11/2010, 09:00

Binky wrote: I assume that NoScript qualifies as appropriate browser protection, which I use. I share my PC with an inexperienced user too. When either of us goes to a new site, NoScript blocks all scripts by default. Either of us may be fooled into trusting a site at first glance and allowing scripts with NoScript for the main site (we only allow 3rd-party scripts if allowing the main site doesn't make the site work). So, even though we are savvy with NoScript, we can be fooled. This is how exploits can get onto the user's system in the first place.

I try to provide fall-back protection in case of human errors. I just don't see how to do it in the case of privilege-escalation exploits with LUA+SRP protection.

Yes, but then that's why you can temporarily allow scripts if you really need to. Even if allowing scripts allows a piece of malware to propagate, it would be sandboxed with Sandboxie (on my setup anyway).

In the extremely rare case of coming across in-the-wild privilege-escalation exploits etc, for the security purist, this could be a valid reason for running a third party security application (as most people know, I chose Sandboxie).

Re: Mis-understandings about Software Restriction Policies (SRP)

Post by Scoobs72 on 17/12/2010, 01:12

I'm struggling to understand the purpose of disabling wscript.exe and cscript.exe. Any malicious script would need to be in C:\windows or C:\Program Files in order to execute in the first place, otherwise it is blocked by the SRP. Since a LUA cannot save to those locations how does any malware cause trouble via Windows Scripting Host? I'm relatively new to SRP, so be gentle please :)

Re: Mis-understandings about Software Restriction Policies (SRP)

Post by ssj100 on 17/12/2010, 02:10

Good question Scoobs. At the end of the day, blocking wscript.exe and cscript.exe simply adds an extra layer of security (and therefore hardens the SRP) - it attempts to block any malicious activity even earlier on.

As for hard, "Class A" evidence for blocking these executables, I can't provide any haha. In my readings on SRP, there were several recommendations for blocking these executables, although from memory, the reasons for this were purely speculative and theoretical.

However, consider the following example:
1. SRP blocks ".bat" and ".cmd" files by default
2. So why would you need to additionally block "cmd.exe" and "command.com" with your SRP?
3. The theory is that if a malicious file somehow calls up "cmd.exe", then it could be all over. Say a privilege escalation exploit is able to be used via "cmd.exe" only. Therefore, if "cmd.exe" is allowed to be run, it could be all over. "cmd.exe" potentially gives the user a lot of control and access. However, if it is blocked by default, then the exploit is stopped dead in its tracks.
4. Perhaps the same concept applies for the Windows Scripting Host?

But as I said, I'm yet to personally come across any POC's (except for Didier Stevens' "macro") or any real-world malware that bypasses SRP, despite actively/desperately looking for them.

Also, I'm sure p2u can tell us more about why the command prompt is often disabled (not just blocked) in corporate network environments. However, in this context, I'm pretty sure it's more related to safety from the actual user (and not so much from eg. spontaneous malicious drive-bys via the web browser).

Re: Mis-understandings about Software Restriction Policies (SRP)

Post by Scoobs72 on 17/12/2010, 02:28

Understand. Thanks for the explanation. So, given my constraint (Windows 7 Home Premium) the implementation of SRP via Parental Controls is certainly strong enough in itself. What we're dealing with with wscript.exe, cscript.exe are theoretical possibilities, which if you have 'proper' SRP capabilities (i.e. Pro versions of the O/S) are well worth doing, but you shouldn't lose any sleep if you can't do them due to having Home editions of the o/s. Correct?

Re: Mis-understandings about Software Restriction Policies (SRP)

Post by ssj100 on 17/12/2010, 02:32

Sounds about right. Also, since you're using Sandboxie, there is certainly no sleep to be lost haha.

Re: Mis-understandings about Software Restriction Policies (SRP)

Post by Scoobs72 on 17/12/2010, 02:38

ssj100 wrote: Sounds about right. Also, since you're using Sandboxie, there is certainly no sleep to be lost haha.

Finally....I can sleep :D

Re: Mis-understandings about Software Restriction Policies (SRP)

Post by p2u on 19/12/2010, 11:37

ssj100 wrote: I'm sure p2u can tell us more about why the command prompt is often disabled (not just blocked) in corporate network environments.

I think that's just a leftover from the old 'Default Allow' school, when administrators blocked stuff they thought might hurt the environment. The command prompt, scripting, etc. are basically admin tools and users are supposed to do what they are paid for - work with MS Office - and not play administrators.

Paul
