Discussion:
Software Restriction Policies and logging
fredbloggs
2006-11-27 10:52:03 UTC
Hi,

I'm investigating the option of Software Restriction Policies to lock down a
new W2k3 Terminal Services farm.

I have configured a whitelist and added only those programs that I want
users to run which all appears to work fine, in fact the SRP are working just
dandy.

The question I have is in regards to the logging when a deny is applied.

I have configured the registry entry

HKLM\SOFTWARE\Policies\Microsoft\windows\safer\codeidentifiers\Logfilename

to a relevant logfile which is placing entries for all successfully run
programs and which GUID has allowed this program.

However, when a user tries to run a disallowed program (i.e. not
specifically allowed) nothing gets placed within the log, an entry appears in
the eventlog if the attempt was made from the desktop stating the denied
access (or if I specifically deny the file), however I want to catch entries
further down than this, i.e. if a user tries to install 'Google toolbar' from
IE the SRP are obviously running and stop this, but they don't tell me about
this failed program.

Any ideas would be greatly appreciated

TIA
Mark
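The registry value named in the post is the whole logging switch, and the two things that most often leave the log empty are the value being absent on the host and the log file not being writable by the users whose processes are checked (the decision is logged by the checked process itself, in the user's own context). The following script is an added example, not code from the thread or from Microsoft: it sets `LogFileName` on the local machine, creates a writable log file at an assumed location (`C:\SRPLogs\srp.log`), and shows the effective policy values. On a GPO-managed farm the value should be delivered by the GPO, because a policy refresh can overwrite a value set by hand. It assumes a modern PowerShell host run elevated.

```powershell
# Added example (not from the thread): enable the SRP decision log on the local
# host and check the prerequisites that commonly result in an empty log.
# Assumes PowerShell 3.0+ and an elevated session.

$srpKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$logPath = 'C:\SRPLogs\srp.log'   # assumed location; any volume the users can write to

# The key only exists once an SRP policy has been applied to the host.
if (-not (Test-Path $srpKey)) {
    throw "SRP key $srpKey not found: no Software Restriction Policy is applied here."
}

# LogFileName (REG_SZ) is the value the thread refers to.
Set-ItemProperty -Path $srpKey -Name 'LogFileName' -Value $logPath -Type String

# The checked process appends to the file itself, so the users being audited
# need Modify on it; create the file and grant BUILTIN\Users explicitly.
New-Item -ItemType Directory -Path (Split-Path $logPath) -Force | Out-Null
if (-not (Test-Path $logPath)) { New-Item -ItemType File -Path $logPath | Out-Null }
$acl  = Get-Acl -Path $logPath
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule('BUILTIN\Users', 'Modify', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $logPath -AclObject $acl

# Report the effective settings. DefaultLevel 0x0 is Disallowed, 0x20000 Basic User,
# 0x40000 Unrestricted; a whitelist deployment like the thread's shows 0.
$levels = @{ 0 = 'Disallowed'; 0x20000 = 'Basic User'; 0x40000 = 'Unrestricted' }
$p = Get-ItemProperty -Path $srpKey
[pscustomobject]@{
    DefaultLevel = $levels[[int]$p.DefaultLevel]
    LogFileName  = $p.LogFileName
    LogWritable  = (Get-Acl -Path $logPath).Access |
                   Where-Object { $_.IdentityReference -eq 'BUILTIN\Users' -and
                                  $_.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::Modify } |
                   ForEach-Object { $true } | Select-Object -First 1
}
```

Run it once per host (or once in a test VM before putting the value into the GPO); if `LogWritable` is empty, user-mode processes will silently skip writing and the log will look exactly like the empty log described in the post.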
Chris Corio [MSFT]
2006-12-08 19:36:04 UTC
Hello -

I'm the Program Manager for Software Restriction Policies.

There are a number of things that could be happening given what you've
described. First off, anything that is blocked by SRP should create an
entry in the log file - if there isn't an entry, chances are SRP didn't
affect the file's execution. Other than that, I'm not sure what level of
SRP checking you have enabled. If you don't see a log entry it might be
something related to IE's security policy.

If you can explain the exact repro steps I can check to see what's happening
with SRP.

Thanks,
Chris

This posting is provided "AS IS" with no warranties, and confers no rights.
fredbloggs
2006-12-11 09:01:01 UTC
Hi Chris,

Hopefully you can help. I have detailed the SRP policies that are applied
by the GPO (below). No other policies are applied by this GPO and as I have
said if you disable the policy you can then run / install the desired
component which would lead me to believe it is related to SRP and no other IE
lockdown policies, user restrictions or such like.

The issue I have is the logging facility as I need to know if people are
trying to do this and have reliable reporting as such.

The server is running Win2003 SP1 (+KB 915061 & KB918011) and I get the same
symptoms on several machines running this OS (haven't tried an older one)
both with and without Terminal services enabled.
IE is version 6.0.3790.1830

I have enabled the logging as mentioned in my previous post
HKLM\SOFTWARE\Policies\Microsoft\windows\safer\codeidentifiers\Logfilename

Process is as follows:
User logs on (am using TS session, not Citrix, does same locally on the
desktop)
you will see from the SRP log (see below) that a couple of items are
disallowed as per the default rule, as you would expect

=======================================
Steps to reproduce
=======================================
User loads Internet Explorer
User browses to http://toolbar.google.com/T4/
User clicks on 'Download Google Toolbar'
User clicks on 'Run' when prompted by the 'File download - security warning'
box
Installer downloads and doesn't run (which is the desired effect)
=======================================

When I check the SRP log file that has been created no entry has been placed
to say that it has been disallowed because of SRPs

If I download the GoogleToolbar installer and save it to disk. When I run
this (from the saved location) I get the box stating that it has been
disallowed due to SRP and an entry gets placed within the log file.

It would seem to me that whilst IE is respecting the SRP restrictions
stated, it doesn't respect the logfilename entry.

Hope this explains further and possibly gives you a chance to reproduce in
your lab.

Thanks

Mark

===================================
Policies applied
===================================
Software Restriction Policies/Security Levels
Policy Setting
Default Security Level Disallowed

Software Restriction Policies/Additional Rules
Path Rules
%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%
Security Level Unrestricted

%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%*.exe
Security Level Unrestricted

%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%System32\*.exe
Security Level Unrestricted

%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir%
Security Level Unrestricted

\\msfs05\resource$\Logon
Security Level Unrestricted

C:\Program Files\Internet Explorer\Connection Wizard\*.exe
Security Level Disallowed

C:\Program Files\NetMeeting\
Security Level Disallowed

C:\Program Files\Outlook Express
Security Level Disallowed

C:\Program Files\Windows Media Player\
Security Level Disallowed

C:\Program Files\Windows NT\Windows Messaging
Security Level Disallowed

C:\WINDOWS\system32\cmd.exe
Security Level Disallowed

C:\WINDOWS\system32\command.com
Security Level Disallowed

D:\program files\adobe\reader\Reader\AcroRd32.exe
Security Level Unrestricted

D:\Program Files\Office\Office10\*.exe
Security Level Unrestricted

D:\Program Files\Office\Office11\*.exe
Security Level Unrestricted

D:\Program Files\Office\Visio10\*.exe
Security Level Unrestricted

D:\Program Files\Office\Visio10\DLL\*.exe
Security Level Unrestricted

D:\Program Files\WinRAR\*.exe
Security Level Unrestricted

===========================================
Log file contents - Logon
===========================================
cscript.exe (PID = 2248) identified c:\program files\citrix\sma\scripts\CB155444-DAFE-11D8-B092-005056C00008.wsf as Unrestricted using default rule, Guid = {11015445-d282-4f86-96a2-9e485f593302}
userinit.exe (PID = 5776) identified C:\Program Files\Citrix\system32\startssonsvr.exe as Unrestricted using path rule, Guid = {d2c34ab2-529a-46b2-b293-fc853fce72ea}
startssonsvr.exe (PID = 5404) identified C:\Program Files\Citrix\ICA Client\SSONSVR.EXE as Unrestricted using path rule, Guid = {d2c34ab2-529a-46b2-b293-fc853fce72ea}
userinit.exe (PID = 5776) identified C:\Program Files\Citrix\system32\CtxHide.exe as Unrestricted using path rule, Guid = {d2c34ab2-529a-46b2-b293-fc853fce72ea}
cmd.exe (PID = 5552) identified C:\WINDOWS\system32\usrlogon.cmd as Unrestricted using path rule, Guid = {c17114d9-cf3c-410c-b74c-233821361290}
cmd.exe (PID = 5552) identified C:\WINDOWS\Application Compatibility Scripts\setpaths.cmd as Unrestricted using path rule, Guid = {c17114d9-cf3c-410c-b74c-233821361290}
cmd.exe (PID = 5552) identified C:\WINDOWS\Application Compatibility Scripts\acregl.exe as Unrestricted using path rule, Guid = {c17114d9-cf3c-410c-b74c-233821361290}
cmd.exe (PID = 5552) identified C:\WINDOWS\Application Compatibility Scripts\rootdrv.cmd as Unrestricted using path rule, Guid = {c17114d9-cf3c-410c-b74c-233821361290}
cmd.exe (PID = 5552) identified C:\WINDOWS\Application Compatibility Scripts\end.cmd as Unrestricted using path rule, Guid = {c17114d9-cf3c-410c-b74c-233821361290}
userinit.exe (PID = 5776) identified C:\Program Files\Citrix\system32\cmstart.exe as Unrestricted using path rule, Guid = {d2c34ab2-529a-46b2-b293-fc853fce72ea}
cmstart.exe (PID = 5748) identified C:\Program Files\Citrix\System32\wfshell.exe as Unrestricted using path rule, Guid = {d2c34ab2-529a-46b2-b293-fc853fce72ea}
userinit.exe (PID = 5776) identified C:\WINDOWS\Explorer.EXE as Unrestricted using path rule, Guid = {e52bd220-b21e-4e56-b8ef-ce5d6bd111ad}
explorer.exe (PID = 5652) identified C:\WINDOWS\system32\cpqteam.exe as Unrestricted using path rule, Guid = {c17114d9-cf3c-410c-b74c-233821361290}
explorer.exe (PID = 5652) identified C:\Program Files\Citrix\system32\icabar.exe as Unrestricted using path rule, Guid = {d2c34ab2-529a-46b2-b293-fc853fce72ea}
explorer.exe (PID = 5652) identified C:\OfficeScan NT\pccntmon.exe as Disallowed using default rule, Guid = {11015445-d282-4f86-96a2-9e485f593302}
explorer.exe (PID = 5652) identified D:\Program Files\Adobe\Reader\Reader\reader_sl.exe as Disallowed using default rule, Guid = {11015445-d282-4f86-96a2-9e485f593302}
explorer.exe (PID = 5652) identified C:\WINDOWS\system32\oobechk.exe as Unrestricted using path rule, Guid = {c17114d9-cf3c-410c-b74c-233821361290}

===========================================
Log file contents - Loading Internet Explorer
===========================================
explorer.exe (PID = 5652) identified C:\Program Files\Internet Explorer\iexplore.exe as Unrestricted using path rule, Guid = {d2c34ab2-529a-46b2-b293-fc853fce72ea}

===========================================
This entry appears when trying to run from the saved location
===========================================
explorer.exe (PID = 5652) identified U:\My Documents\GoogleToolbarInstaller.exe as Disallowed using default rule, Guid = {11015445-d282-4f86-96a2-9e485f593302}
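The log excerpts above have a fixed shape (parent process, PID, identified path, level, rule type, rule GUID), and the post's point is that a block which the file log never records may still be visible elsewhere. The following script is an added example, not code from the thread or from Microsoft: it parses lines in that format into objects, summarises the Disallowed decisions by parent process and rule, and then pulls the SRP events from the Application log (source "Software Restriction Policies", IDs 865 default rule, 866 path rule, 867 certificate rule, 868 zone rule, 882 hash rule) so that paths blocked according to the event log but missing from the file can be listed. The sample lines are constructed from the thread's own excerpts; the regex for the event message text ("Access to ... has been restricted") is an assumption about the wording. PowerShell 3.0 or later is assumed.

```powershell
# Added example (not from the thread): parse the SRP decision log and reconcile
# it with the SRP events in the Application log. Assumes PowerShell 3.0+.

# Constructed sample input in the format the thread shows. For a real run use:
#   $lines = Get-Content -Path (Get-ItemProperty HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers).LogFileName
$lines = @'
explorer.exe (PID = 5652) identified C:\OfficeScan NT\pccntmon.exe as Disallowed using default rule, Guid = {11015445-d282-4f86-96a2-9e485f593302}
explorer.exe (PID = 5652) identified C:\WINDOWS\system32\oobechk.exe as Unrestricted using path rule, Guid = {c17114d9-cf3c-410c-b74c-233821361290}
explorer.exe (PID = 5652) identified U:\My Documents\GoogleToolbarInstaller.exe as Disallowed using default rule, Guid = {11015445-d282-4f86-96a2-9e485f593302}
'@ -split "`r?`n"

# One line = one decision. The path is matched lazily because it contains spaces.
$linePattern = '^(?<parent>\S+) \(PID = (?<procid>\d+)\) identified (?<path>.+?) as ' +
               '(?<level>Unrestricted|Disallowed|Basic User) using (?<rule>\w+) rule, ' +
               'Guid = (?<guid>\{[0-9a-fA-F-]+\})$'

function ConvertFrom-SrpLogLine {
    param([Parameter(ValueFromPipeline)][string]$Line)
    process {
        if ($Line -match $linePattern) {
            [pscustomobject]@{
                Parent = $Matches.parent
                ProcId = [int]$Matches.procid
                Path   = $Matches.path
                Level  = $Matches.level
                Rule   = $Matches.rule
                Guid   = $Matches.guid
            }
        }
    }
}

function Get-SrpEventLogDenies {
    # Event 865 = default rule, 866 = path, 867 = certificate, 868 = zone, 882 = hash.
    $events = Get-WinEvent -FilterHashtable @{
        LogName      = 'Application'
        ProviderName = 'Software Restriction Policies'
        Id           = 865, 866, 867, 868, 882
    } -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        # Assumed message wording; adjust the regex if your events differ.
        if ($e.Message -match 'Access to (?<path>.+?) has been restricted') {
            [pscustomobject]@{ Time = $e.TimeCreated; Id = $e.Id; Path = $Matches.path }
        }
    }
}

$entries = $lines | ConvertFrom-SrpLogLine
$denied  = $entries | Where-Object Level -eq 'Disallowed'

"Denied decisions in the file log, by parent process and rule type:"
$denied | Group-Object Parent, Rule |
    Select-Object Count, Name, @{ n = 'Paths'; e = { $_.Group.Path -join '; ' } } |
    Format-Table -AutoSize

# Anything the event log says was blocked that the file never mentions is the
# gap the thread is about; list it so the file log's coverage can be checked.
$eventDenies = Get-SrpEventLogDenies
$onlyInEvents = $eventDenies | Where-Object { $_.Path -notin $denied.Path }
if ($onlyInEvents) {
    "Blocked per event log but absent from the file log:"
    $onlyInEvents | Format-Table Time, Id, Path -AutoSize
} else {
    "No event-log denies missing from the file log (or no SRP events on this host)."
}
```

Because both the file log and the Application log are local to the terminal server that made the decision, run this on each host in the farm (or collect the logs centrally first); a deny that appears in neither source is, as Chris notes in his reply, a sign that something other than SRP stopped the program.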
