A comprehensive understanding of Windows software restriction policies

  
As networks, the Internet, and e-mail are used more and more in business computing, users constantly encounter new software and must decide whether to run it. Viruses and Trojan horses often deliberately masquerade as legitimate programs to deceive users, so it is very hard for users to judge safely which programs should be run. This is where software restriction policies come in. This article explains how this Windows feature works.
1. Overview
Software restriction policies protect your computer environment from untrusted code by identifying which applications are allowed to run. Programs are identified in a policy by hash rules, certificate rules, path rules, and Internet zone rules. By default, two security levels are available: "unrestricted" and "not allowed". This article mainly uses path rules and hash rules; path rules are the most flexible of the four, so unless stated otherwise, "rule" below means a path rule.
2. Additional Rules and Security Levels
Additional Rules
When using software restriction policies, the following rules are used to identify the software:
Certificate Rules
Software restriction policies can identify a file by the certificate used to sign it. Certificate rules cannot be applied to files with an .exe or .dll extension; they can be applied to scripts and Windows Installer packages. You create a certificate rule that identifies the software and then decide, through the security level setting, whether the software is allowed to run.
Path Rules
Path rules identify a program by its file path. Because the rule is bound to a path, it no longer applies once the program is moved. Environment variables such as %programfiles% or %systemroot% can be used in path rules, and the wildcards * and ? are supported.
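To see which path rules would apply to a given file before deploying them, here is an added PowerShell example that is not part of the original article. The matching logic is my own approximation of how SRP evaluates path rules (environment variables are expanded, * and ? act as wildcards, and a rule naming a folder covers everything beneath it); it is not Windows' own matching code, and the rules and file paths are constructed for the demonstration.

```powershell
# Added example: evaluate constructed path rules against constructed file paths.
# Assumption: the matching below approximates SRP path-rule semantics.

function Test-SrpPathRule {
    param(
        [Parameter(Mandatory)][string]$Rule,
        [Parameter(Mandatory)][string]$FilePath
    )
    # Path rules may contain environment variables, so expand them first.
    $rule = [Environment]::ExpandEnvironmentVariables($Rule).TrimEnd('\')
    $file = [Environment]::ExpandEnvironmentVariables($FilePath)
    if ($rule -match '[*?]') {
        # Wildcard rule: -like supports * and ? and is case-insensitive, like SRP.
        return ($file -like $rule)
    }
    # Literal rule: matches the named file itself or anything under the named folder.
    return ($file -ieq $rule) -or
           $file.StartsWith($rule + '\', [System.StringComparison]::OrdinalIgnoreCase)
}

# Constructed rules, written the way they would be entered in gpedit.msc.
$SampleRules = @(
    [pscustomobject]@{ Path = '%ProgramFiles%';          Level = 'Unrestricted' }
    [pscustomobject]@{ Path = '%UserProfile%\Downloads'; Level = 'Not allowed' }
    [pscustomobject]@{ Path = '%Temp%\*.exe';            Level = 'Not allowed' }
)

function Get-MatchingSrpRules {
    param([Parameter(Mandatory)][string]$FilePath)
    # Reports every rule that matches; it does not decide which one wins.
    foreach ($r in $SampleRules) {
        if (Test-SrpPathRule -Rule $r.Path -FilePath $FilePath) {
            [pscustomobject]@{ File = $FilePath; Rule = $r.Path; Level = $r.Level }
        }
    }
}

# Constructed file paths; they do not need to exist on disk.
@(
    '%ProgramFiles%\Contoso\app.exe',
    '%UserProfile%\Downloads\installer.exe',
    '%Temp%\setup.exe',
    '%Temp%\notes.txt'
) | ForEach-Object { Get-MatchingSrpRules -FilePath $_ } | Format-Table -AutoSize
```

Running this on a Windows host lists the Contoso program under the Unrestricted rule, the two executables under the Downloads and Temp rules, and nothing for notes.txt, because the wildcard rule only names .exe files and, in any case, TXT is not a designated file type.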
Hash Rules
A hash is a fixed-length sequence of bytes that uniquely identifies a program or file; it is computed by a hash algorithm. Software restriction policies identify a file by its SHA-1 (Secure Hash Algorithm) or MD5 hash. A renamed file, or a file moved to another folder, still produces the same hash.
For example, you can create a hash rule with the security level "not allowed" to prevent users from running certain files; those files can be renamed or moved to other locations and still match the rule. However, any change to the file changes its hash value, so the modified file escapes the restriction. A software restriction policy only recognizes hashes that were computed by the software restriction policy itself.
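The following added PowerShell example, which is not part of the original article, makes the two properties of hash rules concrete: a copy that is renamed and moved keeps the same SHA-1 and MD5 hash, while changing a single byte produces a different hash. The sample "program" is a constructed byte string written to a temporary folder; only the built-in Get-FileHash cmdlet is used.

```powershell
# Added example: why a hash rule survives rename/move but not modification.
# The file content is constructed; it is not a real program.

function Get-SrpStyleHashes {
    param([Parameter(Mandatory)][string]$Path)
    # SRP identifies files by SHA-1 or MD5, so compute both.
    [pscustomobject]@{
        Path = $Path
        SHA1 = (Get-FileHash -Path $Path -Algorithm SHA1).Hash
        MD5  = (Get-FileHash -Path $Path -Algorithm MD5).Hash
    }
}

function Test-HashRuleBehaviour {
    $work = Join-Path ([System.IO.Path]::GetTempPath()) ('srp-demo-' + [guid]::NewGuid())
    New-Item -ItemType Directory -Path $work | Out-Null
    try {
        # Constructed sample file: the bytes are arbitrary, only their hash matters.
        $original = Join-Path $work 'tool.exe'
        [System.IO.File]::WriteAllBytes($original, [byte[]](0x4D, 0x5A, 0x90, 0x00, 0x03, 0x00))
        $before = Get-SrpStyleHashes -Path $original

        # 1. Rename and move into a subfolder: bytes unchanged, so the hash is unchanged.
        $sub = New-Item -ItemType Directory -Path (Join-Path $work 'elsewhere')
        $moved = Join-Path $sub.FullName 'renamed.bin'
        Copy-Item -Path $original -Destination $moved
        $afterMove = Get-SrpStyleHashes -Path $moved

        # 2. Change one byte (a new build, or a tampered copy): the hash changes,
        #    so a hash rule written for the original no longer applies.
        $patched = Join-Path $work 'tool-v2.exe'
        $bytes = [System.IO.File]::ReadAllBytes($original)
        $bytes[$bytes.Length - 1] = 0x01
        [System.IO.File]::WriteAllBytes($patched, $bytes)
        $afterPatch = Get-SrpStyleHashes -Path $patched

        [pscustomobject]@{
            SurvivesRenameAndMove = ($before.SHA1 -eq $afterMove.SHA1) -and ($before.MD5 -eq $afterMove.MD5)
            SurvivesModification  = ($before.SHA1 -eq $afterPatch.SHA1)
            OriginalSHA1          = $before.SHA1
            PatchedSHA1           = $afterPatch.SHA1
        }
    }
    finally {
        Remove-Item -Path $work -Recurse -Force
    }
}

Test-HashRuleBehaviour | Format-List
```

The output shows SurvivesRenameAndMove as True and SurvivesModification as False. The practical consequence for an administrator is that hash rules must be recalculated whenever the software they cover is updated, otherwise the new version is no longer matched.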
Internet Zone Rules
Internet zone rules apply only to Windows Installer packages. They identify software by the Internet Explorer zone it comes from: Internet, Local Computer, Local Intranet, Restricted Sites, and Trusted Sites.
Only files whose extensions appear in the "designated file types" list are affected by the rules above. The system keeps a single list of designated file types that is shared by all rules. By default it contains: ADE ADP BAS BAT CHM CMD COM CPL CRT EXE HLP HTA INF INS ISP LNK MDB MDE MSC MSI MSP MST OCX PCD PIF REG SCR SHS URL VB WSC, so ordinary non-executable files such as TXT, JPG, and GIF are unaffected. If you consider another extension a threat, you can add it to the list; equally, you can remove extensions you consider harmless.
Security Levels
For software restriction policies, the system provides two security levels by default: "unrestricted" and "not allowed".
Note:
The "not allowed" level does not protect the file itself. A file set to "not allowed" can still be read, copied, pasted, modified, and deleted; Group Policy does not block these operations, provided your user account has the rights to modify the file. The "unrestricted" level is not completely unrestricted either; it only means that the software restriction policy imposes no additional restrictions. In fact, an "unrestricted" program starts with the permissions of its parent process: the access token a program obtains is determined by its parent process, so no program's permissions exceed those of its parent.
In fact, three further levels are hidden by default. They can be revealed by editing the registry manually. Open the Registry Editor and navigate to:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Create a new DWORD value named Levels with a value of 0x4131000 (that is, 4131000 in hexadecimal).
After creating it, reopen gpedit.msc and the three additional levels will be shown.
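The registry step above, and the designated file types list from the earlier section, can both be handled from PowerShell. The following added example is not part of the original article: Enable-SrpHiddenLevels writes the Levels value exactly as described (it needs an elevated prompt), and Get-SrpConfiguration reads back what is configured under the same key so an administrator can audit the default level, the designated file types compared with the article's default list, and the path and hash rules in force. The value names DefaultLevel, TransparentEnabled, and ExecutableTypes, the numeric level subkeys, and the Paths/Hashes rule subkeys are, to my knowledge, what SRP itself stores under CodeIdentifiers; the mapping of level IDs to names is an assumption stated in the code.

```powershell
# Added example: enable the hidden levels, then audit the SRP configuration.
# Assumption: numeric subkey names are the standard SAFER level IDs.

$CodeIdentifiers = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

$LevelNames = @{ 0 = 'Not allowed'; 4096 = 'Untrusted'; 65536 = 'Restricted';
                 131072 = 'Basic User'; 262144 = 'Unrestricted' }

# Default designated file types as listed in the article, used for comparison below.
$DefaultFileTypes = ('ADE ADP BAS BAT CHM CMD COM CPL CRT EXE HLP HTA INF INS ISP LNK MDB MDE ' +
                     'MSC MSI MSP MST OCX PCD PIF REG SCR SHS URL VB WSC') -split ' '

function Enable-SrpHiddenLevels {
    # Creates the key if SRP has never been configured, then sets the value from the article.
    if (-not (Test-Path $CodeIdentifiers)) { New-Item -Path $CodeIdentifiers -Force | Out-Null }
    New-ItemProperty -Path $CodeIdentifiers -Name 'Levels' -PropertyType DWord `
                     -Value 0x4131000 -Force | Out-Null
}

function Get-SrpRules {
    # Walks <level>\Paths\{guid} and <level>\Hashes\{guid}. ItemData holds the path of
    # a path rule; FriendlyName holds the file name recorded for a hash rule.
    foreach ($levelKey in Get-ChildItem -Path $CodeIdentifiers) {
        if ($levelKey.PSChildName -notmatch '^\d+$') { continue }
        $level = $LevelNames[[int]$levelKey.PSChildName]
        foreach ($ruleType in 'Paths', 'Hashes') {
            $typeKey = $levelKey.PSPath + '\' + $ruleType
            if (-not (Test-Path $typeKey)) { continue }
            foreach ($rule in Get-ChildItem -Path $typeKey) {
                $p = Get-ItemProperty -Path $rule.PSPath
                [pscustomobject]@{
                    Level       = $level
                    Type        = $ruleType.TrimEnd('s')
                    Item        = $(if ($ruleType -eq 'Paths') { $p.ItemData } else { $p.FriendlyName })
                    Description = $p.Description
                }
            }
        }
    }
}

function Get-SrpConfiguration {
    if (-not (Test-Path $CodeIdentifiers)) { return [pscustomobject]@{ Configured = $false } }
    $root  = Get-ItemProperty -Path $CodeIdentifiers
    $types = @($root.ExecutableTypes)          # REG_MULTI_SZ: the designated file types
    [pscustomobject]@{
        Configured         = $true
        DefaultLevel       = $(if ($null -ne $root.DefaultLevel) { $LevelNames[[int]$root.DefaultLevel] })
        LevelsValue        = $root.Levels      # the DWORD created above, if present
        # TransparentEnabled: 1 = all designated files except libraries, 2 = libraries too.
        TransparentEnabled = $root.TransparentEnabled
        FileTypesAdded     = @($types | Where-Object { $_ -notin $DefaultFileTypes })
        FileTypesRemoved   = @($DefaultFileTypes | Where-Object { $_ -notin $types })
        Rules              = @(Get-SrpRules)
    }
}

# Read-only audit:   Get-SrpConfiguration | Format-List
# Elevated prompt:   Enable-SrpHiddenLevels   (then reopen gpedit.msc)
```

The audit function is the more useful half day to day: comparing FileTypesAdded and FileTypesRemoved against the article's default list shows at a glance whether someone has quietly removed an extension such as BAT or SCR from the designated file types, which would exempt those files from every rule.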
Unrestricted
The highest level. It is not completely unrestricted: "access to the software is determined by the user's access rights", that is, the program inherits the permissions of its parent process.
Basic User
Basic User has only the "bypass traverse checking" privilege; administrator privileges are denied.
Restricted
Restricted is more limited than Basic User, but still has the "bypass traverse checking" privilege.
Untrusted
Untrusted is denied access to system resources and user resources; in practice, the program does not run.
Not allowed
Execution of the program, or opening of the file, is blocked unconditionally.
Ordered from most to least permissive: Unrestricted > Basic User > Restricted > Untrusted > Not allowed.
Copyright © Windows knowledge All Rights Reserved