This tool is based on the old (and deprecated) Software Restriction Policy (SRP) API. I see some posters here stating that AppLocker and SRP are the same thing. Their goal is the same, but they're implemented completely differently.
AppLocker does the enforcement in kernel-mode, so it can't be bypassed with DLL injection. (The kernel side could be patched by a user with local Administrator rights, but that runs afoul of Kernel Patch Protection and raises the bar significantly for an attacker. Users should be using unprivileged accounts for day-to-day work anyway... >grumble<)
I'm not suggesting that this tool isn't useful, but it's not the same thing as AppLocker or Windows Defender Application Control. If SRP ends up being used significantly as a defense attackers will just incorporate bypassing it into their payloads / strategies (start out w/ getting the user to run a Word macro that patches Word's copy of ADVAPI32.DLL, etc).
Is anyone aware of a tool that simplifies setting up AppLocker? I simply would like to whitelist already installed programs and block everything else, ideally without configuring anything.
I opened up the article by just hoping to find this one thing: I simply would like to whitelist already installed programs and block everything else, ideally without configuring anything.
by default %programfiles% and %programfiles(x86)% are whitelisted, so for most users pretty much that's exactly what they will do with Lockdown, launch it click Enable and that is all that needs to be done. Granted you do need to worry about specifically whitelisting programs not installed to those locations, which are few if any for most people, and actually it wouldn't be a bad feature idea to add an automatic scan for them since some apps insist on running from nested %appdata% folders...
Thanks for the heads up on Windows Defender Application Control (WDAC); it was new to me. Microsoft appears to have renamed it to Microsoft Defender Application Control (MDAC):
If you've whitelisted an application that can execute arbitrary code (like the Office products with VBA) then SRP can be bypassed by an unprivileged user.
Presumably AppLocker is implemented in kernel mode because Microsoft realized that doing the whitelisting in user mode was more fraught with potential escapes. The kernel / user security boundary was one they were already defending (and leveraging hardware functionality in processor privilege levels) so creating a new pseudo-security boundary to defend in user mode was a bad idea.
Application-level permissions that aren't enforced by hardware seem like a losing proposition to me. I get that a belt-and-suspenders approach isn't unreasonable, so I guess it's not valueless, but I wouldn't have it as my only line of defense.
(1) $EDITOR probably has syntax highlighting, which will help you understand the text better. Always do your code reviews with the supportive assistance of tools.
(2) If you intend to review a script before you run it on your computer, it is intrinsic to the task that you review the script you are about to run on the computer. As you observe, a malicious user might detect the User-Agent and give a different script. But completely non-malicious changes could happen too: for instance, there could be an update or you could type in the command wrongly and accidentally review one script but run another.
In any case, it's worth noting that the user who wants to review the install script before they run a potentially malicious installer needs to consider whether they actually trust the software they're about to install. A malware author could easily install a binary of potentially-malicious in a perfectly benign way, and it happens that once it's been running for three hours it reads exfiltrates your aws keys on apparently ordinary API requests it makes.
If you don't trust author/distributors (whether it is ad hoc distribution or appstore distribution), it is probably better to rely on third party distributors as found in traditional GNU/Linux distributions. They aren't flawless, but the delays are there partly to help making trusting a random group of independent developers more trustworthy.
If you don't trust first party author/distributors or third party distributors, I guess you have a sufficiently sandboxed setup that means `curl | sh` is actually safe, or else you download the source code, review the whole package, and build it or don't, so you don't want to `curl | sh` anyway.
I'm not sure "Any user who intends to review a script" would do this. I'd bet that most would at most open it, take a quick look and run it. But good advice!
And it has been wildly successful because it allows people to make and distribute applications without an army of volunteer packagers or forcing the user to compile from source. It wouldn't be a problem at all if Desktops had gotten around to the idea of sandboxing everything by default the way mobile did.
Not really. When I'm downloading Firefox, it's digitally signed by Mozilla. When I'm downloading VLC, it's digitally signed by the VideoLAN foundation.
I actually don't think I have a single piece of non-signed executable on my Windows PC.
And what is exactly the difference between "downloading a random executable from the Internet" and "downloading a random digitally signed with a random signature executable from the Internet"?
Either the author is random or it is not, and the signature is not really going to discriminate much in this area...
not quite "two billion" lol and the cheapest I know of is Digicert. You're looking at $499/year or$699/year for the extended validation cert (this is a higher quality cert that passes more security checks.) What is this validation you ask? All kinds of identity verification on the business and it's owner to ensure they are who they say they are and they are located where they say they are. The idea is that bad actors aren't willing to pay $$$ annually for any reason much less to expose their identity. Lockdown uses the EV cert.
It's this sort of attitude that's destroyed the hobbyist programming community for the Windows Platform.
It's also an outdated view:
1. Most Windows software is signed with an Authenticode cert which requires the author to prove who they are to the CA and hand over at least $99.
2. Windows these days has SmartScreen running all the time, which checks executable file hashes against a cloud based database and blocks apps with known issues. Doesn't help if it's an unknown but massively reduces the risk.
3. Windows has a policy that can be enforced that blocks the execution of any software that doesn't pass points #1 and #2.
I'm interested in where you can you get a code certificate for $99? My renewal is coming up and I'm paying $699/annual for a extended validation cert; I'm willing to consider a standard cert but even they are $499/annual. Buying a 3 year cert provides very little discount... that 3 year ev cert on Lockdown and my other apps is a $2000 deal.
That's a yearly cost, but you only need to keep renewing if you are signing and releasing new apps or updates. Existing apps you've signed will remain valid if if you don't renew your cert (unlike websites etc.)
Also, it seems that the LARGE cost for the EV certs is only really needed for things like Windows drivers.
wow, I hadn't researched in a while, but that looks sketchy. I purchased one that cheap some time around 2011 and the company ended up having certs revoked and went out of business, and the next best thing I found was digicert at a fraction of the cost of the comodo and the like.
they do have EV for $350/annual or $750/3 year cert so I might try that it is certainly cheaper than digicert.
and yes EV is good for more than drivers, it allows EXEs to bypass smartscreen prompts that would otherwise trigger on standard certs that have to go through reputation checks in smartscreen.
If you view Microsoft as a threat to your computer, running random unsigned internet binaries isn't going to make your computer safer, even if you're running Microsoft tools. If a random binary has a 1 in 100 chance of being malware, and a Microsoft binary has a 1 in 50 chance of ignoring your interests in the pursuit of some other gain, running Microsoft binaries doesn't make running random binaries one bit safer.
Basically: Microsoft is irrelevant to the equation.
You are better off not using Microsoft products if you don't trust them, and considering the safety and security of artefacts produced by random unsigned internet developers independently of the safety and security of artefacts produced by Microsoft.
Also, if you're subject to this kind of logical fallacy, you might consider not installing Microsoft products just to avoid the distraction in your reasoning. Every platform will have a different set of trade-offs.
That's pretty much my point. If a person's standard of safety is blindly running code from the reckless idiots at Windows Update I'm surprised they'd balk at running an executable whose only reputation is word of mouth. I wouldn't do either.
It presumably doesnt include vbs and python scripts, since as far as windows is concerned those files are no different to bitmap files opening with mspaint?
If you whitelist mspaint, than it doesn't matter where the file is you are opening. So I guess you have to whitelist the python and VBS executables first
Thanks for adding them, Nick. I see from the 1.1.1 release notes that you also added JS, JSE, and PS1 on top of the Windows default list of 30 executable file types.
I would bet it’s using applocker APIs under the hood. Maybe a nicer/easier interface? If I’m right that means Microsoft shipped those with home versions despite not having the group policy endpoints. It may be possible to import local policies to manage it but I’ve never tried.
For a few moments I thought you were being sarcastic about the fact that Software Restriction was deprecated ages ago by mentioning a date two hundred years in the past.
Windows 2008 R2/8.1 introduced Applocker, which was a more advanced replacement for the older SRP.
Current Windows 2019/Windows 10 offers WDAC, which is more advanced still.
There's a lot of security discussions that really don't give these technologies credit. For example, a WDAC policy can prevent early launch rootkits ever loading, and will be enforced by Secure Boot.
Thanks! I really should read up on this stuff at some point. I've actually never had to do any windows coding, so my knowledge about it is sorely lacking.
This is very interesting, it is not an understatement that this is an advanced tool. I wonder, how do you update your your OS and your application with this enabled?
I'm not sure how that applies to this app specifically, but it relies on Windows restriction policies. With those policies normally you have multiple options: You can add the policy to non-admin users only and run updates as an admin. You can allow whole directories, which means that windows update can work as usual. Or you can push new hash updates as needed.
But as I mentioned - I'm not sure how exactly lockdown integrates in this system.
I think the advantage would be that you can use it on Windows versions not supporting AppLocker... (e.g. home). Anyway, as far as I understand it, it actually uses the same underlying mechanism as AppLocker.
SRP isn't Applocker, and Lockdown IS in fact digitally signed... By your rationale it would be a bad idea to use most any software worth using. Also what if the tool were open source would you use it then, or would you not be able to "verify" that I wonder. Not everyone can verify PS scripts either, so what would be the recommendation for those who couldn't?
But it's usually the user data that's the problem, and that's shared to all the other users. So don't let users run unauthorised code by using SRP/Applocker
SRP is enforced in user mode, and it can be circumvented by hooking user mode API calls. Back in 2005 Mark Russinovich blogged about bypassing SRP: https://web.archive.org/web/20061219234012/http://blogs.tech...
AppLocker does the enforcement in kernel-mode, so it can't be bypassed with DLL injection. (The kernel side could be patched by a user with local Administrator rights, but that runs afoul of Kernel Patch Protection and raises the bar significantly for an attacker. Users should be using unprivileged accounts for day-to-day work anyway... >grumble<)
SRP in whitelist mode is more difficult to bypass, but it's still possible to patch it out by using WriteProcessMemory: https://blog.didierstevens.com/2008/06/25/bpmtk-bypassing-sr...
I'm not suggesting that this tool isn't useful, but it's not the same thing as AppLocker or Windows Defender Application Control. If SRP ends up being used significantly as a defense attackers will just incorporate bypassing it into their payloads / strategies (start out w/ getting the user to run a Word macro that patches Word's copy of ADVAPI32.DLL, etc).