Use Windows Server to reject malicious applications for free

Source: Internet
Author: User

It can seem impossible to control every application running in a business environment, and in all fairness, achieving that goal takes a lot of effort. We need to develop management policies that restrict the installation and execution of software, and use tools to make sure those policies are actually enforced rather than treated as paperwork to be shuffled around. The whole process has to be pushed forward gradually, in an exploratory spirit of testing and learning from mistakes. As long as we accumulate experience from practice, however, this approach pays off handsomely, including:

Malware is almost completely eliminated: applications that are not approved or listed in the whitelist cannot execute.

Desktop support problems caused by users installing unvetted applications (such as iTunes and Dropbox) are greatly reduced.

Protection against data leakage is strengthened, because users cannot run applications that are not permitted by the Group Policy settings, and therefore cannot use them to bypass the security policies the enterprise has put in place.

In this article I will show you how to control software installation and execution on Windows client computers. Unless otherwise specified, everything I describe relies on features built into Windows Server and later versions, so you need not worry about additional licensing costs for third-party tools. I will also summarize the advantages and disadvantages of each approach.

Restrict Windows Installer

If you are a loyal follower of the 80/20 principle, a simple restriction on the Windows Installer will buy you a good share of the management control you are after. The most common method is Group Policy: create a Group Policy object (GPO), right-click it and choose Edit, and in the Group Policy Object Editor go to Computer Configuration > Administrative Templates > Windows Components > Windows Installer.

Double-click the "Disable Windows Installer" setting in the right-hand pane. To make Windows Installer accept only the application packages assigned through Group Policy, choose "For non-managed applications only". You can also choose "Always" to stop Windows Installer from processing any software at all, including managed applications.

The drawback of this approach is that it only affects software installed through Windows Installer. Many well-known programs ship with their own installers, and in that case the policy cannot control their installation and execution at all. In addition, a GPO is not ideal for a particular subset of devices in the business environment, especially those whose users hold local administrator rights; granting that right means we already trust them to install applications. In other words, despite its many limitations, this method is at least "better than nothing", and it does stop some users from installing software they should not.

That said, I have never seen a virus or other malware spread through Windows Installer, so if you are looking for an additional line of defense against such threats, I am afraid this approach will not help much.
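The Windows Installer restriction described above can be deployed and verified without touching the GUI. The following PowerShell script is an added example, not code from the original article: it assumes the GroupPolicy RSAT module is installed on the server, and the GPO name and OU distinguished name are placeholders to replace with your own. The DisableMSI registry value is the setting behind the "Disable Windows Installer" administrative template.

```powershell
# Added example (not from the original article): create and link a GPO that
# restricts Windows Installer, and audit the resulting policy value on a client.
# Assumptions: the GroupPolicy RSAT module is available, and the OU below is a
# placeholder to replace with your own.
Import-Module GroupPolicy

$gpoName  = 'Restrict Windows Installer'          # assumed GPO name
$targetOu = 'OU=Workstations,DC=example,DC=com'   # placeholder OU
$key      = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer'

# DisableMSI is the registry value behind the "Disable Windows Installer"
# ("Turn off Windows Installer" in later releases) administrative template:
#   0 = Never (installer enabled for everything)
#   1 = For non-managed applications only (only GPO-assigned packages install)
#   2 = Always (installer disabled for everything, managed packages included)
function Set-InstallerRestriction {
    param([ValidateSet(0, 1, 2)][int]$Mode = 1)

    $gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
    if (-not $gpo) {
        $gpo = New-GPO -Name $gpoName -Comment 'Restricts Windows Installer to managed packages'
    }

    Set-GPRegistryValue -Name $gpoName -Key $key -ValueName 'DisableMSI' `
        -Type DWord -Value $Mode | Out-Null
    # Link the GPO to the target OU (ignore the error if the link already exists).
    New-GPLink -Name $gpoName -Target $targetOu -LinkEnabled Yes -ErrorAction SilentlyContinue | Out-Null
    return $gpo
}

# Run on a client after "gpupdate /force" to confirm what actually applied.
function Get-InstallerRestriction {
    $regPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer'
    $value = (Get-ItemProperty -Path $regPath -Name 'DisableMSI' -ErrorAction SilentlyContinue).DisableMSI
    switch ($value) {
        0       { 'Windows Installer enabled (Never)' }
        1       { 'Windows Installer restricted to managed applications only' }
        2       { 'Windows Installer disabled (Always)' }
        default { 'No policy applied: Windows Installer runs unrestricted' }
    }
}

Set-InstallerRestriction -Mode 1
Get-InstallerRestriction
```

Mode 1 is the setting the article recommends; note that, exactly as the text warns, this value only governs the msiexec engine, so the client-side check reports nothing about software that arrives with its own installer.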

Software Restriction Policy

A Software Restriction Policy (SRP) lets us use Group Policy to control which programs are allowed to execute. Beyond the ordinary business environment, SRP is also a suitable management solution for terminal servers or public kiosk devices, where users should be limited to a specific function and must not be able to use administrative tools or run applications and utilities downloaded from the Internet.

Windows can identify software for restriction or release in several ways. The hash rule is one of them: it takes the file itself (an executable or other program file) and computes a cryptographic hash of its contents.

Hash rules excel at pinning down a specific version of a program, because the hash changes whenever the file changes (and a new release of a program always differs from the old one at the file level).

Certificate rules identify software by its digital signature, which is especially important for authorizing scripts. Windows can also identify software by its file path and by the Internet zone (as defined in Internet Explorer) it came from, which allows tight control over software download activity.

Finally, a default rule tells Windows what to do with software that is not explicitly matched by the trusted list or any other rule. Windows compares each program against the rules to decide whether it meets the requirements of the software restriction GPO; if a program matches several rules, the most specific rule takes precedence.

These policies are powerful, but as I said at the start of this article, every solution has its weaknesses: unless you carefully create exception rules for every Windows executable that users may legitimately need (including their applications), SRP will make the whole business system painful to use.

SRP can also interfere with the user logon scripts needed to set up a secure environment. If you decide to adopt it, you must thoroughly test every restriction policy and exception list in a lab environment first. We would also remind you that when you create a restriction GPO for specific software, be sure to add the Domain Admins group to the GPO's access control list and deny it the Apply Group Policy permission. This keeps control of the policy itself with the administrators, instead of locking yourself out after closing the door.

Once you are ready to create a policy, follow these steps:

Create a new GPO for each restriction policy. If a restriction turns out to be too strict in practice, we can then simply disable the corresponding policy.

Apply a restriction to devices or users through Computer Configuration or User Configuration respectively. The path is Policies > Windows Settings > Security Settings > Software Restriction Policies.

Right-click Software Restriction Policies and select New Software Restriction Policies from the pop-up menu.

Set the default security level: click "Security Levels" on the left side of the window, right-click a security level, and choose "Set as Default" from the pop-up menu.

Now we need to create the rules that determine whether a piece of software meets the constraints. Right-click "Additional Rules" on the left of the window and choose "New Certificate Rule", "New Hash Rule" (which identifies a file by its hash), "New Network Zone Rule" (which identifies software by Internet zone), or "New Path Rule" (which identifies software by file path or registry key).

On the right side of the window, double-click "Enforcement". This is where we decide how the restrictions take effect. We recommend the following options: "All software files except libraries (such as DLLs)" helps us avoid blocking key system and application library files, and "All users except local administrators" means Windows strictly enforces the restriction policy only for users outside the local Administrators group.

Next, double-click "Designated File Types" on the right side of the window. Here we review and add the file extensions that the Software Restriction Policy treats as executable. This list must be complete; if necessary, make sure the scripting languages used in the enterprise have their file extensions associated here too.

Finally, double-click "Trusted Publishers" on the right side of the window. Here we specify whether end users, local administrators, or enterprise administrators are allowed to decide which digitally signed programs are trusted.

SRP can be used in any edition of Windows XP, Windows Vista, Windows 7, or Windows 8, but its successor, AppLocker, is undoubtedly richer in features and is the focus of our next discussion. At present, AppLocker is only available in the most expensive Windows 7 and Windows 8 client editions.
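The article stresses testing every SRP restriction and exception list before rollout. The following PowerShell script is an added example, not from the original article, for that pilot phase: it reads the effective SRP settings from the registry (the Enforcement, Designated File Types and default level choices made in the steps above), lists every path and hash rule with the level it assigns, and pulls the block events SRP writes to the Application log. It assumes the policy was applied under Computer Configuration (HKLM); a user-scoped policy lives under HKCU at the same relative path. The Vista-and-later event provider name used here is an assumption to confirm on your own clients.

```powershell
# Added example (not from the original article): audit the effective Software
# Restriction Policy on a client and list recent SRP block events.
# Assumption: the policy was applied to the computer (HKLM); user-scoped SRP
# lives under HKCU:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers.
$srpRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

# Security level values used by SRP: 262144 (0x40000) = Unrestricted,
# 131072 (0x20000) = Basic User, 0 = Disallowed.
$levelNames = @{ 262144 = 'Unrestricted'; 131072 = 'Basic User'; 0 = 'Disallowed' }

function Get-SrpSummary {
    if (-not (Test-Path $srpRoot)) { return 'No Software Restriction Policy applied' }
    $cfg = Get-ItemProperty -Path $srpRoot

    # TransparentEnabled 1 = all software files except libraries (DLLs), 2 = DLLs included
    $enforcement = if ($cfg.TransparentEnabled -eq 2) { 'All files including DLLs' } else { 'All files except libraries' }
    # PolicyScope 0 = all users, 1 = all users except local administrators
    $scope = if ($cfg.PolicyScope -eq 1) { 'All users except local administrators' } else { 'All users' }

    [pscustomobject]@{
        DefaultLevel    = $levelNames[[int]$cfg.DefaultLevel]
        Enforcement     = $enforcement
        Scope           = $scope
        DesignatedTypes = ($cfg.ExecutableTypes -join ', ')   # the Designated File Types list
    }
}

# Enumerate every path and hash rule, tagged with the security level it assigns.
function Get-SrpRules {
    foreach ($level in $levelNames.Keys) {
        foreach ($kind in 'Paths', 'Hashes') {
            $container = Join-Path $srpRoot "$level\$kind"
            if (-not (Test-Path $container)) { continue }
            Get-ChildItem $container | ForEach-Object {
                $rule = Get-ItemProperty $_.PSPath
                # Path rules keep the path in ItemData; hash rules keep the binary hash there.
                $target = if ($kind -eq 'Paths') { $rule.ItemData }
                          else { ($rule.ItemData | ForEach-Object { $_.ToString('x2') }) -join '' }
                [pscustomobject]@{
                    Level       = $levelNames[$level]
                    Type        = if ($kind -eq 'Paths') { 'Path' } else { 'Hash' }
                    Target      = $target
                    Description = $rule.Description
                }
            }
        }
    }
}

# SRP logs each blocked program to the Application log. The provider name below is
# the one used on Windows Vista and later (assumed; verify in Event Viewer).
function Get-SrpBlockEvents {
    param([int]$Hours = 24)
    Get-WinEvent -FilterHashtable @{
        LogName      = 'Application'
        ProviderName = 'Microsoft-Windows-SoftwareRestrictionPolicies'
        StartTime    = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue | Select-Object TimeCreated, Id, Message
}

Get-SrpSummary
Get-SrpRules | Format-Table -AutoSize
Get-SrpBlockEvents | Format-Table -Wrap
```

Running the block-event query on a handful of pilot machines for a day or two is the quickest way to discover the logon scripts and line-of-business executables the text says you will otherwise forget to add as exceptions.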

AppLocker

Microsoft describes AppLocker as "a new mechanism in Windows Server 2008 R2 and Windows 7 that comprehensively improves on the functions and features of Software Restriction Policies. AppLocker's new features and extensibility allow users to create application control rules based on unique file identification techniques and to specify which users or groups have the right to run these applications."

In short, AppLocker is essentially SRP after a serious training regime. Its two most brilliant features are probably the automatic creation of rules based on currently installed software and its audit-only operating mode, which means it can report whether an application would be allowed or blocked without administrators having to hand-craft a policy first. During initial setup and troubleshooting, such features are obviously very welcome.

We use AppLocker through Group Policy. First create a new GPO, right-click it and choose Edit, then find the new mechanism under Computer Configuration > Windows Settings > Security Settings > Application Control Policies > AppLocker.

The following figure shows the AppLocker GPO interface, with the rule enforcement configuration and which rules are currently in effect.

[Figure: AppLocker Group Policy object interface in Windows Server 2008 R2]

Compared with SRP, AppLocker is easier to deploy as a whitelist because it can build its rules from a reference device. For example, suppose we have just set up a device with no restrictions and with the software commonly used in the business installed. As soon as the basic build is complete (for example by deploying an image, an essential step in an enterprise environment), we can have AppLocker automatically generate rules for it; the rules identify the trustworthy executables on the system by collecting information about them. Finally, we only need to import these rules into the production Group Policy environment for use across the network.
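The reference-machine workflow just described (generate rules from a clean build, run them in audit-only mode, then import them into the production GPO) maps directly onto the AppLocker PowerShell module. The script below is an added example, not code from the original article: it assumes administrator rights on a Windows 7 Enterprise/Ultimate or Windows Server 2008 R2 (or later) machine, and the output path and GPO LDAP path are placeholders.

```powershell
# Added example (not from the original article): generate AppLocker rules from a
# freshly imaged reference machine, force them into audit-only mode, test a file
# against them, and review the audit events on a pilot client.
# Assumptions: administrator rights; $policyFile and $gpoLdap are placeholders.
Import-Module AppLocker

$policyFile = 'C:\Temp\AppLocker-Reference.xml'   # placeholder output path
$gpoLdap    = 'LDAP://DC=example,DC=com/CN={GPO-GUID},CN=Policies,CN=System,DC=example,DC=com'  # placeholder

# 1. Collect publisher and hash information for the executables, scripts and
#    installer packages present in the locations the reference image trusts.
function New-ReferencePolicy {
    param([string[]]$Directories = @("$env:SystemRoot", "$env:ProgramFiles"))

    $fileInfo = foreach ($dir in $Directories) {
        Get-AppLockerFileInformation -Directory $dir -Recurse -FileType Exe, Script, WindowsInstaller
    }

    # Prefer publisher rules (they survive version updates); fall back to hash
    # rules for unsigned files. -Optimize merges rules that cover the same publisher.
    $xml = New-AppLockerPolicy -FileInformation $fileInfo -RuleType Publisher, Hash `
        -User Everyone -Optimize -IgnoreMissingFileInformation -Xml

    # 2. Switch every rule collection to AuditOnly so nothing is blocked yet;
    #    events are still written, which is what the pilot phase needs.
    [xml]$policy = $xml
    foreach ($collection in $policy.AppLockerPolicy.RuleCollection) {
        $collection.EnforcementMode = 'AuditOnly'
    }
    New-Item -ItemType Directory -Force -Path (Split-Path $policyFile) | Out-Null
    $policy.Save($policyFile)
    return $policyFile
}

# 3. Check how the generated policy would treat a file before deploying it.
function Test-ReferencePolicy {
    param([string]$Path)
    Test-AppLockerPolicy -XmlPolicy $policyFile -Path $Path -User Everyone |
        Select-Object FilePath, PolicyDecision, MatchingRule
}

# 4. Import the rules into the production GPO, merging with any existing rules.
function Publish-ReferencePolicy {
    Set-AppLockerPolicy -XmlPolicy $policyFile -Ldap $gpoLdap -Merge
}

# 5. On a pilot client: 8003 = "would have been blocked" (audit mode),
#    8004 = actually blocked (enforce mode).
function Get-AppLockerAuditEvents {
    Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'
        Id      = 8003, 8004
    } -ErrorAction SilentlyContinue | Select-Object TimeCreated, Id, Message
}

New-ReferencePolicy
Test-ReferencePolicy -Path "$env:ProgramFiles\Internet Explorer\iexplore.exe"
Get-AppLockerAuditEvents | Format-Table -Wrap
```

Only call Publish-ReferencePolicy once the 8003 events on the pilot machines have stopped surfacing legitimate software; then change EnforcementMode to Enabled in the XML and merge again. Remember the caveat the SRP section gives: keep the rule that allows the built-in Administrators group, or you can lock yourself out of the machines you manage.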

What are the disadvantages of AppLocker? First, it only runs on Windows 7 Ultimate, Windows 7 Enterprise, or Windows 8 Professional Edition. If you are still running Windows XP, or even Vista, AppLocker cannot help you. However, we can start by piloting AppLocker on Windows 7 devices to see how it performs, and then migrate gradually so that new systems automatically receive the management rules from Group Policy. In that case, security depends only on how soon we fully deploy Windows 7 or Windows 8.

Summary

As soon as you hear the word "whitelist", your first reaction is probably: that sounds like a lot of trouble. And so it is. However, restricting the installation and execution of unauthorized software brings many benefits, as I mentioned earlier, and it also spares the network and business environment a good deal of patching and upgrade work. (Once the restriction mechanism is too loose, users are likely to download and install software at will, leaving the business environment with a bewildering assortment of versions. In addition, widely deployed applications such as Java frequently have security vulnerabilities, and IT departments find it hard to provide centralized patching for software they never approved.)

By relying on the tools that come with Windows, plus a little ingenuity, you can make your systems more secure without spending a penny.

As the foreign saying goes, "everything worth doing is worth doing well."

Appendix: Some Comments on User Account Control

You may be wondering about the User Account Control (UAC) mechanism found in current Windows versions (Windows Vista and later). Its best-known feature is the confirmation dialog that appears when we access sensitive parts of the system or attempt an operation that could affect system integrity.

For some (or even most) applications, the UAC restriction alone is enough to enforce permissions: users cannot install software that tries to access or write to a protected area unless they hold administrative rights.

However, the ordinary installation mechanism of some software (that is, one that does not touch sensitive areas of the system) can also trigger UAC. In addition, some utilities bundle their runtime libraries or use a self-contained distribution mechanism inside the executable rather than a conventional installer.

Furthermore, some programs, notably Google Chrome and the popular file-sharing tool Dropbox, install themselves directly into the user's profile space, where UAC offers no protection at all. Finally, UAC can hardly control the execution of software once installation is complete; it generally only comes into play when a privileged operation is involved during execution.

If you want to restrict all types of software or control software execution on the system, UAC is not an ideal solution; we need to manage software installation and execution in the computing environment through other channels.
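The per-user installs the appendix describes are easy to make visible. The PowerShell script below is an added example, not from the original article: it reports the UAC configuration from the registry and then lists every running process whose image file sits inside a user profile, along with whether it carries a valid Authenticode signature. Such processes never needed elevation to get there, which is exactly the gap SRP or AppLocker rules close. It assumes it is run as a local administrator so that all processes are visible.

```powershell
# Added example (not from the original article): show why UAC alone is not
# application control. Report the UAC settings, then list running processes
# whose executable lives inside a user profile (the Chrome/Dropbox-style install
# the text describes). Assumption: run as a local administrator.
$systemPolicy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-UacStatus {
    $p = Get-ItemProperty -Path $systemPolicy
    [pscustomobject]@{
        # EnableLUA 1 = UAC on. ConsentPromptBehaviorAdmin 0 = elevate without
        # prompting, which leaves administrators with no UAC protection at all.
        UacEnabled          = ($p.EnableLUA -eq 1)
        AdminPromptBehavior = $p.ConsentPromptBehaviorAdmin
        SecureDesktopPrompt = ($p.PromptOnSecureDesktop -eq 1)
    }
}

function Get-UserProfileProcesses {
    # Resolve the profiles directory (normally C:\Users) rather than hard-coding it.
    $profileRoot = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList').ProfilesDirectory
    $profileRoot = [Environment]::ExpandEnvironmentVariables($profileRoot)

    Get-Process |
        Where-Object { $_.Path -and $_.Path.StartsWith($profileRoot, [StringComparison]::OrdinalIgnoreCase) } |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.Path
            $publisher = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }
            [pscustomobject]@{
                Name      = $_.ProcessName
                Path      = $_.Path
                Signed    = ($sig.Status -eq 'Valid')
                Publisher = $publisher
            }
        }
}

Get-UacStatus
Get-UserProfileProcesses | Sort-Object Signed, Name | Format-Table -AutoSize
```

Unsigned entries in this list are the ones that only a hash or path rule can cover; signed ones are candidates for publisher rules in the AppLocker policy, which is why the inventory is worth running on the reference machine before generating rules.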
