Using software restriction policies to close points of entry... 13 replies


Freyr VIP Member

A2Files Staff

46,875 XP

6th February 2005

11 Uploads

4,275 Posts

0 Threads

#1 9 years ago

I was looking at Software restriction policies a while back, and a random idea popped into my head.

It's possible to set a directory so you can't launch any executable code from it. If you do this to the temp, temporary internet files and the Outlook temp directory, it all but prevents the users from doing stupid things like running viruses attached to emails and getting drive-by downloads.

The only thing I can't see at the moment is the disadvantage to doing this, and neither can any of my fellow sysadmins. I don't suppose anybody here has any ideas why doing it would be a bad idea?




Smitty025

The local Paultard

50 XP

24th May 2003

0 Uploads

6,469 Posts

0 Threads

#2 9 years ago

What's to stop a user from copying the file out of that directory or saving it to another place?




Freyr VIP Member


#3 9 years ago

Nothing, but the idea is to prevent people from mistakes, like clicking on an attachment in an email that is actually a virus instead of a text file, or drive-by infections through IE. You'd hope that they wouldn't then go and save it to the hard drive once they get a warning it's executable code. (It wouldn't stop them from opening non-executable/dangerous files.)

It's not like you can protect them from everything!

I mean, you can do a software restriction policy forbidding everything by default and then making exceptions for wanted programs by hashes. I know this works because I got fed up rebuilding my brother's machine and locked it down to the point where it's actually impossible to mess up, but that takes a lot more work than just disallowing a couple of folders.




Mr. Pedantic

I would die without GF

234,620 XP

8th October 2006

0 Uploads

23,127 Posts

0 Threads

#4 9 years ago
Quote (Smitty025): What's to stop a user from copying the file out of that directory or saving it to another place?

You can't really stop anyone from doing something if they're that determined, but it's just another level of security. If people are stupid enough, they find a way to circumvent even the best of intentions and the best measures.




Smitty025


#5 9 years ago
Quote (Mr. Pedantic): You can't really stop anyone from doing something if they're that determined, but it's just another level of security. If people are stupid enough, they find a way to circumvent even the best of intentions and the best measures.

Well that's exactly my point. The allure of free money from a Nigerian king is very strong to some people.




Mr. Pedantic


#6 9 years ago

I'm not following...




Junk angel

Huh, sound?

166,880 XP

29th January 2007

0 Uploads

15,678 Posts

0 Threads

#7 9 years ago

Well, unless I'm mistaken, if you have UAC on and are running IE with security on, it runs IE in a sandboxed mode. So that should give you a similar protection. Otherwise, if you ask me, it might be best to limit a number of basic places where users tend to absentmindedly download exes, like the desktop as well.




Mr. Pedantic


#8 9 years ago
Quote (Junk angel): Otherwise, if you ask me, it might be best to limit a number of basic places where users tend to absentmindedly download exes, like the desktop as well.

That wouldn't stop someone for long. If my dad had done that for my computer, even when I was seven or eight, I would probably have figured around that in about half an hour. It would have been inconvenient, but not major by any stretch of the imagination.




Junk angel


#9 9 years ago
Quote (Mr. Pedantic): That wouldn't stop someone for long. If my dad had done that for my computer, even when I was seven or eight, I would probably have figured around that in about half an hour. It would have been inconvenient, but not major by any stretch of the imagination.

Agreed. But it throws on at least one more thing the user has to think about before running the exe. :P

But yes, restricting access to the temp folder might be a good idea.




Freyr VIP Member


#10 9 years ago

Quote (Smitty025): Well that's exactly my point. The allure of free money from a Nigerian king is very strong to some people.

Quote (Mr. Pedantic): I'm not following...

Nor am I, because I'm talking about a way of stopping executable code from running to prevent drive-by attacks and accidental infections and you're talking about cons, which are done via text anyway.

It would stop a file from auto running when you look at an email with the preview pane on, or infecting your computer simply by visiting a webpage. It would also stop someone from opening a file attached to the email, but it would not stop someone from copying the file out of the folder and then running it.

However, that requires definite action from the end user when they have already been warned it's executable code. You can only protect people so far!

Quote (Junk angel): Well, unless I'm mistaken, if you have UAC on and are running IE with security on, it runs IE in a sandboxed mode. So that should give you a similar protection. Otherwise, if you ask me, it might be best to limit a number of basic places where users tend to absentmindedly download exes, like the desktop as well.

You couldn't do it on the desktop, as this would prevent you from running shortcuts from the desktop. Besides, the real point is to stop people from accidentally getting drive-by downloads from websites using ActiveX and dodgy attachments through Outlook.

And I was thinking more for XP/2K than Vista; however, it would work for Vista as well.
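
The cases argued over in this thread (an attachment launched from a blocked temp folder, the copy-out gap from post #2, the desktop shortcut problem from post #10, and the default-deny setup from post #3) can be checked against a simplified model of path-rule evaluation. This is an added example, not code from any poster: the profile path, file names and the `srp_decision` helper are constructed for illustration, and allow-listing by path stands in for the hash rules post #3 mentions.

```python
import ntpath  # Windows path rules, evaluated the same way on any OS

DISALLOWED, UNRESTRICTED = "Disallowed", "Unrestricted"
# Subset of SRP's designated file types; LNK is on the default list.
DESIGNATED = {".exe", ".com", ".bat", ".cmd", ".scr", ".pif", ".vbs", ".msi", ".lnk"}

def _norm(p):
    return ntpath.normcase(ntpath.normpath(p))

def srp_decision(path, rules, default=UNRESTRICTED):
    """Level a simplified SRP applies to `path`.

    rules: (folder, level) path rules; the longest matching folder wins,
    and the default level applies when no rule matches.
    """
    if ntpath.splitext(path)[1].lower() not in DESIGNATED:
        return UNRESTRICTED  # non-designated file types are not checked
    target, best = _norm(path), None
    for folder, level in rules:
        prefix = _norm(folder) + "\\"
        if target.startswith(prefix) and (best is None or len(prefix) > len(best[0])):
            best = (prefix, level)
    return best[1] if best else default

# Constructed XP-style profile and rule sets (illustrative, not from the thread).
PROFILE = r"C:\Documents and Settings\alice"
TEMP = PROFILE + r"\Local Settings\Temp"
BLOCK_TEMP = [(TEMP, DISALLOWED),
              (PROFILE + r"\Local Settings\Temporary Internet Files", DISALLOWED)]
ALLOW_LIST = [(r"C:\Windows", UNRESTRICTED), (r"C:\Program Files", UNRESTRICTED)]

def demo():
    copied = PROFILE + r"\My Documents\invoice.exe"
    desktop_rules = BLOCK_TEMP + [(PROFILE + r"\Desktop", DISALLOWED)]
    return {
        "attachment_in_temp": srp_decision(TEMP + r"\invoice.exe", BLOCK_TEMP),
        "text_in_temp": srp_decision(TEMP + r"\notes.txt", BLOCK_TEMP),
        "copied_out": srp_decision(copied, BLOCK_TEMP),
        "desktop_shortcut": srp_decision(PROFILE + r"\Desktop\Word.lnk", desktop_rules),
        "copied_out_default_deny": srp_decision(copied, ALLOW_LIST, DISALLOWED),
        "installed_app_default_deny": srp_decision(
            r"C:\Program Files\App\app.exe", ALLOW_LIST, DISALLOWED),
    }

if __name__ == "__main__":
    for case, level in demo().items():
        print(f"{case:28} {level}")
```

The last two cases show the trade-off the thread circles around: only the default-deny policy closes the copy-out gap, at the cost of maintaining an allow list.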



