Category: Security

Case of the AppLocker default rules issue

If you have started using AppLocker with Windows 7 you know that the default rules for executable files make sure that administrators can run anything on the box, and that everything in the Windows folder and the Program Files folder is allowed to execute. There is a problem with this set of rules.

The default rules are intended to prevent non-administrator users on the machine from running any software that is not already installed, or centrally managed, in the Program Files folder. They are also intended to allow anything in the Windows folder to execute. Both rules are reasonably safe, since a standard user by default cannot put files in the Program Files folder, nor anywhere in the Windows folder, in order to execute them.

But there is a catch. Inside the Windows folder there is a folder called “Temp” which, believe it or not, standard users can write to and consequently execute from, bypassing all the security benefits that AppLocker provides.

A standard user cannot copy an executable to the Temp folder using Windows Explorer, but with the traditional copy command from the command prompt it works fine, and the executable can then be run.

The problem might not be that the average user can bypass AppLocker this way, but when securing servers or clients, a potential attacker can use this to bypass your rules.

A simple solution when running with the default rules is to add the Windows\Temp folder to the exception list of the Windows folder rule, effectively blocking code from being executed from there.
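The following PowerShell script is an added example, not code from the original post. It writes the Windows-folder path rule with Windows\Temp as an exception to a policy file, then uses Test-AppLockerPolicy to compare what the effective policy on the machine and what the hardened rule decide for a probe executable in %WINDIR%\Temp. It assumes the AppLocker module (Windows 7 / Server 2008 R2 or later) and an elevated session; the policy file name, rule GUID and probe name are constructed.

```powershell
# Added example: audit the "Windows folder" AppLocker rule against %WINDIR%\Temp.
Import-Module AppLocker

# Hardened version of the default Windows-folder rule: Everyone (S-1-1-0)
# may run from %WINDIR%\*, except from %WINDIR%\Temp\*. GUID is constructed.
$policyXml = @'
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="Enabled">
    <FilePathRule Id="0f2a5e9a-1c3b-4d7e-9a11-2b8c6d4e5f60"
                  Name="All files located in the Windows folder"
                  Description="Default rule with %WINDIR%\Temp excepted"
                  UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePathCondition Path="%WINDIR%\*" />
      </Conditions>
      <Exceptions>
        <FilePathCondition Path="%WINDIR%\Temp\*" />
      </Exceptions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
'@
$policyPath = Join-Path $env:TEMP 'applocker-windows-temp-exception.xml'
Set-Content -Path $policyPath -Value $policyXml -Encoding UTF8

# Test-AppLockerPolicy evaluates a real file, so place a copy of a Windows
# binary in the Temp folder as the probe and remove it afterwards.
$probe = Join-Path $env:WINDIR 'Temp\applocker-probe.exe'
Copy-Item (Join-Path $env:WINDIR 'notepad.exe') $probe -Force
try {
    # 1. What the policy currently applied to this machine decides for the probe
    #    (with unmodified default rules this is Allowed via the Windows folder rule).
    Get-AppLockerPolicy -Effective |
        Test-AppLockerPolicy -Path $probe -User Everyone |
        Select-Object FilePath, PolicyDecision, MatchingRule

    # 2. What the hardened rule decides: the exception removes the Temp folder
    #    from the allow rule, so the probe is no longer allowed for Everyone.
    Test-AppLockerPolicy -XmlPolicy $policyPath -Path $probe -User Everyone |
        Select-Object FilePath, PolicyDecision, MatchingRule
}
finally {
    Remove-Item $probe -ErrorAction SilentlyContinue
}
```

The same XML fragment can be imported with Set-AppLockerPolicy or merged into the GPO once you are satisfied with the test result.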

Standard users installing applications? Say welcome to the new reality

If you think you have come a long way by making sure all users run as standard users, stop and rethink. Having all users as standard users is very good from many perspectives, but with the coming challenges your efforts must not stop there. A growing problem is that more and more applications install in the user profile, i.e. in the \users\username\appdata directory, instead of the traditional “Program Files” folder.

Windows 7 also contains Windows Installer 5.0, which has a new feature that lets software vendors easily build Windows Installer packages (MSI files) that install into the user profile instead of Program Files, so the user does not need to be an administrator and does not even get a UAC prompt for the credentials of an administrative account.

Standard users of course think this is great, since they can after all install and run, for instance, Google Chrome without asking that restrictive IT department. From the IT department’s point of view, the fact that standard users can install and run applications is a concern.

The answer to this problem is the new Windows feature AppLocker. To be honest it is somewhat like Software Restriction Policies (SRP), but whatever bad things you have heard about SRP you can forget. AppLocker contains new features that make implementation and ongoing management much easier than with Software Restriction Policies. More about AppLocker in the AppLocker walkthrough.

Hide files and folders that users don’t have permission to access

The other day I implemented the Microsoft tool Access-based Enumeration for the first time with a customer. The tool installs on Windows Server 2003 and presents you with a new tab when you choose Properties on a share on the server. When activated it makes sure that users on their client computers don’t see files and folders in Windows Explorer to which they do not have permission.

Download the Access-based Enumeration tool

Collection of best practices guides

Microsoft provides best practice analyzers for most of their server products, and I have gathered them in a list for your convenience. These best practices analyzers are extremely good for troubleshooting and for making sure that the servers are performing at their best. Here is the link to the article:
http://www.theexperienceblog.com/technical-articles/collection-of-best-practices-guides/

Turn off UAC in a domain using Group Policies

Some people, for whatever reason, want to turn off UAC for all or certain computers in a domain using Group Policies. This is done by setting Computer Configuration > Windows Settings > Local Policies > Security Options > “User Account Control: Run all administrators in Admin Approval Mode” to Disabled. As usual when turning off UAC, a reboot is required for the change to take effect.

Backing up BitLocker recovery keys to Active Directory

Using BitLocker to encrypt your system partition is a very good option to keep the computer and the data on it secure. Starting with Vista SP1 you can encrypt not only the system partition but all the other partitions as well, offering even better security. When you encrypt a partition with BitLocker a recovery key is generated automatically, so that you can recover the data on the computer when necessary. By default you have the choice of printing the recovery key or saving it to a USB stick or a network share.

However, using a group policy setting (Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Turn on BitLocker backup to Active Directory) you can also back up the recovery key to Active Directory, which is a very good idea I must say. If you are running Windows Server 2008 you do not have to do anything to get this working, but if you would like to use Windows Server 2003 with SP1 or later to back up the BitLocker recovery key you must use scripts provided by Microsoft to extend the schema.

Microsoft also offers a tool called BitLocker Recovery Password Viewer, which can be downloaded directly from Microsoft Premier Services. When this tool is installed it introduces another tab in a computer object’s Properties called “BitLocker Recovery”, where the BitLocker recovery keys are listed for your viewing pleasure in case restoration is necessary. The only negative part about the tool is that it can only be installed on a Windows XP or Windows Server 2003 computer, as it requires that you have installed the “Windows Server 2003 Administration tools for SP1” on Windows XP to get the control panel for Active Directory Users and Computers.

UPDATE: I forgot to add the link to the page where you can find all the necessary information as well as the “extend schema”-script. Here it is!
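As an added example (not part of the original post), the PowerShell function below checks from a management workstation that recovery information for a given computer has actually been escrowed to Active Directory, which is the same data the BitLocker Recovery Password Viewer tab displays. It assumes the ActiveDirectory module (RSAT) and a schema containing the msFVE-* classes, i.e. Windows Server 2008 or Server 2003 extended with the Microsoft schema scripts; the computer name LAPTOP01 is a placeholder.

```powershell
# Added example: verify BitLocker recovery information is escrowed in AD.
Import-Module ActiveDirectory

function Get-BitLockerRecoveryObjects {
    param([Parameter(Mandatory)][string]$ComputerName)

    $computer = Get-ADComputer -Identity $ComputerName

    # Recovery information is stored as child objects of the computer object,
    # one msFVE-RecoveryInformation object per protected volume / recovery key.
    Get-ADObject -Filter 'objectClass -eq "msFVE-RecoveryInformation"' `
                 -SearchBase $computer.DistinguishedName -SearchScope OneLevel `
                 -Properties 'whenCreated', 'msFVE-RecoveryGuid', 'msFVE-VolumeGuid' |
        ForEach-Object {
            # The password itself is in msFVE-RecoveryPassword; only the key
            # identifier (the one BitLocker shows on its recovery screen) and
            # the volume identifier are returned here, which is enough to
            # confirm the backup happened.
            [pscustomobject]@{
                Computer     = $ComputerName
                Created      = $_.whenCreated
                RecoveryGuid = New-Object Guid -ArgumentList (, [byte[]]$_.'msFVE-RecoveryGuid')
                VolumeGuid   = New-Object Guid -ArgumentList (, [byte[]]$_.'msFVE-VolumeGuid')
            }
        }
}

$keys = @(Get-BitLockerRecoveryObjects -ComputerName 'LAPTOP01')
if ($keys.Count -eq 0) {
    # Typical causes: the GPO did not apply before the drive was encrypted,
    # or the schema was never extended on a Server 2003 domain.
    Write-Warning 'No BitLocker recovery information escrowed in AD for LAPTOP01.'
}
else {
    $keys | Format-Table -AutoSize
}
```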

Vista SP1 change causes Kerberos problems

After installing SP1 I could no longer access my network shares, which contain my Documents. After contacting Microsoft, they concluded that there actually is a change in the way Windows Vista SP1 handles Kerberos communication. The change only affects you when you use Active Directory to store accounts which are then mapped using altSecurityIdentities to use the password from an external Kerberos server. In my case we are using a Heimdal Kerberos server, but the problem might affect users of MIT Kerberos as well. Logging in to the Windows system itself is not a problem; the only problem seems to be when accessing file shares (using CIFS).

Until Heimdal Kerberos is patched to solve this problem there is a workaround. On the client computer you have to add a registry key named after your domain, and then add a REG_SZ value named “SpnMappings” with the value “.your.domain.com” in the registry key below:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\HostToRealm\YOUR.DOMAIN.COM

After restarting the computer you can access the network share as expected.
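The following PowerShell function is an added example, not from the original post. It applies the SpnMappings workaround described above in an idempotent way and reads the value back so that you can verify what was written. The realm YOUR.DOMAIN.COM and the suffix .your.domain.com are placeholders to replace with your own values; an elevated session is assumed and the reboot is still required afterwards.

```powershell
# Added example: apply and verify the SpnMappings workaround.
function Set-KerberosHostToRealmMapping {
    param(
        [Parameter(Mandatory)][string]$Realm,      # e.g. YOUR.DOMAIN.COM
        [Parameter(Mandatory)][string]$DnsSuffix   # e.g. .your.domain.com
    )
    # Realm subkey under HostToRealm; Kerberos realm names are upper case.
    $key = "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\HostToRealm\$($Realm.ToUpper())"

    # Create the realm subkey only if it does not exist yet.
    if (-not (Test-Path $key)) {
        New-Item -Path $key -Force | Out-Null
    }

    # REG_SZ value named SpnMappings, as the workaround specifies.
    # -Force overwrites an existing value so the function can be re-run safely.
    New-ItemProperty -Path $key -Name 'SpnMappings' -PropertyType String `
        -Value $DnsSuffix -Force | Out-Null

    # Return what is actually stored so the caller can verify it.
    (Get-ItemProperty -Path $key -Name 'SpnMappings').SpnMappings
}

$stored = Set-KerberosHostToRealmMapping -Realm 'YOUR.DOMAIN.COM' -DnsSuffix '.your.domain.com'
if ($stored -ne '.your.domain.com') {
    throw "SpnMappings was not written as expected: '$stored'"
}
Write-Host "SpnMappings for YOUR.DOMAIN.COM = $stored (reboot required to take effect)"
```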

Manage ActiveX controls with GPOs in Vista

As you might know there is no good way to control the installation or blocking of ActiveX controls for standard user accounts. Windows Vista introduces a cure for this, called the ActiveX Installer Service. This service is not installed by default but can be found in Programs and Features > Turn Windows features on or off. I recommend that you add this component using an unattended answer file in corporate environments. Once installed, you can control whether a standard user should be able to install certain ActiveX controls or not. I have not found any good step-by-step guides for configuring this, so here it is:

1. When you go to a web site and try to install an ActiveX control, an event is logged in the Event Viewer specifying the exact origin and the HTTP or HTTPS address where the ActiveX control resides.

2. Enter the address you found above in the group policy setting “Approved Installation Sites for ActiveX Controls”, found in Computer Configuration\Administrative Templates\Windows Components\ActiveX Installer Service, together with the additional settings, for example 2,2,0,0.

To allow, for instance, the Windows Genuine Advantage control to be installed by a regular user, add the address http://download.microsoft.com with 2,2,0,0. Now refresh the policy on your test computer, go to the Microsoft Download Center and try to validate and install the WGA ActiveX control as a regular user account without administrative privileges. Voilà!

Smart card problems with Dell Latitude and Vista

I only have my domain administrator account on a smart card, to improve security in my domain, but this is not working as one would expect in Vista. Sometimes, especially when I wake the computer from sleep but also at other times, the credential tile for smart card authentication vanishes as the Smart Card service somehow stops working. Unfortunately, the only solution to this issue is to reboot the computer. After becoming sick and tired of the problem I called Dell, from whom I got a beta driver. This driver seems somewhat more stable, but not 100 percent stable. SP1 makes no difference either.

The Vista DVD considered to be a security threat

The Windows Vista DVD is to be considered a security threat! By starting a computer from the Vista installation DVD and choosing to repair the computer instead of installing Vista, the user gets a number of choices, among them a command line (cmd.exe). From the command line you have full access to all files on the computer and can easily copy them to a removable device of your choice. This is a big difference from Windows XP, where you at least had to log in to the Recovery Console with an administrator account; in Vista you just get full access to all the user and system files on the computer, no questions asked.

I, however, live by the principle that if anyone has physical access to a computer it might be compromised anyway, but it is still good to know about this potential security hole. Laptop computers might contain sensitive data that can easily be accessed by anyone who gains access to the machine, if it is stolen for example. The only way I know of to protect against this “attack” is to use BitLocker (or possibly other encryption software). With BitLocker the system partition is encrypted and you cannot access it using the method described above. If you install Service Pack 1 for Vista you will also be able to encrypt all partitions and disks on your computer, not just the system partition, protecting your files and data further. The BitLocker encryption function is only available in Windows Vista Enterprise and Ultimate Edition.