NTX_SAFER.INF (for Windows 8 and newer versions of Windows NT), NT6_SAFER.INF (for Windows Vista®, Windows Server 2008, Windows 7 and Windows Server 2008 R2) and XP_SAFER.INF (for Windows XP, Windows Server 2003 and Windows Server 2003 R2) configure Software Restriction Policies alias SAFER with a proven and well-tested ruleset on all (including Embedded, Home and Starter) editions of Windows XP, Windows Server 2003, Windows Server 2003 R2, Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, Windows Server 2012 R2, Windows 10, Windows Server 2016 and Windows Server 2019.
This technique is known as Application Whitelisting; the setup scripts presented here perform a rather permissive implementation: they allow execution of all applications which are properly installed by an administrator.
Note: the MSDN article Security Considerations: Microsoft Windows Shell provides details for proper installation!
%SystemRoot%\ (typically C:\Windows\) and its subdirectories, %ProgramFiles%\ (typically C:\Program Files\) and its subdirectories, %ProgramFiles(x86)%\ (typically C:\Program Files (x86)\) and its subdirectories;
Unlike unreliable, unsafe and vulnerable antivirus software, which almost always fails to detect new or unknown malware (ransomware, trojan horses, viruses, worms, …), known as a false negative, or misdetects legitimate clean software as malware, known as a false positive, this method effectively stops all kinds of known as well as new or unknown malware and all other unwanted or unauthorised software that uses executable files to infest Windows NT installations, while allowing all legitimate software to run, without introducing new vulnerabilities or weaknesses!
%ProgramFiles%\ or %SystemRoot%\;
Warning: some imbeciles who don’t recognise the simple word data in %ProgramData% alias C:\ProgramData, in %APPDATA% alias %USERPROFILE%\AppData\Roaming alias C:\Users\‹username›\AppData\Roaming, or in %LOCALAPPDATA% alias %USERPROFILE%\AppData\Local alias C:\Users\‹username›\AppData\Local, and are unable to realise its meaning, nevertheless install executable files below these directories! For a recent demonstration of such gross incompetence, see the MSKB article 4052623.
Note: the exemption of privileged users from Software Restriction Policies leaves no loophole! Privileged users can write files in the directories where execution is allowed, can disable or remove Software Restriction Policies and can thus execute any file. If you want or need to restrict administrators too, use the setup scripts NT6_SUPER.INF (for all editions of Windows Vista, Windows Server 2008, Windows 7 and Windows Server 2008 R2) or XP_SUPER.INF (for all editions of Windows XP, Windows Server 2003 and Windows Server 2003 R2).
Caveat: on Windows 7 and newer versions of Windows NT, all SAFER security levels except Unrestricted alias Fully trusted are equivalent to Disallowed and deny execution!
Determine Your Application Control Objectives:
SRP on Windows Vista and earlier supported multiple security levels. On Windows 7 that list was restricted to just two levels: Disallowed and Unrestricted (Basic User translates to Disallowed).
Note: user accounts created during Windows NT setup are privileged administrator accounts! Change their account type to Standard User (on Windows Vista and newer versions of Windows NT) or Limited User (on Windows XP, Windows Server 2003 and Windows Server 2003 R2) respectively if you use them for your routine work!
When you set up Windows, you were required to create a user account. This account is an administrator account that allows you to set up your computer and install any programs that you'd like to use. Once you finish setting up your computer, we recommend that you create a standard account and use it for your everyday computing. If you create new user accounts, you should also make them standard accounts. Using standard accounts will help keep your computer more secure.
Note: the dumb User Accounts control panel applet refuses to demote the last or only privileged user account even if the builtin (real) Administrator account has been activated! Use the real User Accounts control panel applet instead: to start it, run one of the equivalent command lines
"%SystemRoot%\System32\Control.exe" UserPasswords2
"%SystemRoot%\System32\RunDLL32.exe" "%SystemRoot%\System32\NetPlWiz.dll",UsersRunDll
with administrative privileges.
If you prefer the command prompt over the graphical user interface, run the following command lines with administrative privileges:
"%SystemRoot%\System32\Net.exe" LocalGroup Administrators "%USERNAME%" /Delete
"%SystemRoot%\System32\Net.exe" LocalGroup Users "%USERNAME%" /Add
Caveat: don’t forget to enable the builtin Administrator account! Run the command line
"%SystemRoot%\System32\Net.exe" User Administrator /Active:Yes /PasswordReq:Yes
with administrative privileges to enable it.
Caveat: don’t forget to set a (strong) password for the builtin Administrator account!
Caveat: Windows 10 has the nasty habit of disabling the builtin Administrator account during updates and upgrades!
Note: the (predefined) privileged user account NT AUTHORITY\SYSTEM alias LocalSystem is always exempt from Software Restriction Policies; the (predefined) unprivileged user accounts NT AUTHORITY\LOCAL SERVICE alias LocalService and NT AUTHORITY\NETWORK SERVICE alias NetworkService are subject to them!
ERROR_ACCESS_DISABLED_BY_POLICY or error 786 alias ERROR_ACCESS_DISABLED_NO_SAFER_UI_BY_POLICY, while Windows’ module loader yields a negative NTSTATUS 0xC0000361 alias STATUS_ACCESS_DISABLED_BY_POLICY_DEFAULT, 0xC0000362 alias STATUS_ACCESS_DISABLED_BY_POLICY_PATH, 0xC0000363 alias STATUS_ACCESS_DISABLED_BY_POLICY_PUBLISHER, 0xC0000364 alias STATUS_ACCESS_DISABLED_BY_POLICY_OTHER or 0xC0000372 alias STATUS_ACCESS_DISABLED_NO_SAFER_UI_BY_POLICY respectively.
Note: the Win32 functions LoadLibrary(), LoadLibraryEx() and LoadPackagedLibrary() yield error 5 alias ERROR_ACCESS_DENIED instead.
For (portable) executable files except DLLs, one of the messages shown above is displayed and an entry 865, 866, 867, 868 or 882 from source Software Restriction Policies (on Windows XP, Windows Server 2003 and Windows Server 2003 R2) or Microsoft-Windows-SoftwareRestrictionPolicies (on Windows Vista and newer versions of Windows NT) is written to the Event Log. For Windows Installer packages, patches and transformations, one of the messages shown above is displayed and an entry 1007 or 1008 from source MsiInstaller is written to the Event Log.
To retrieve these entries from the Event Log, start the Command Processor and run (one or more of) the following command lines:
"%SystemRoot%\System32\WBEM\WMIC.exe" NTEvent Where "EventCode='865' Or EventCode='866' Or EventCode='867' Or EventCode='868' Or EventCode='882'" Get /Value
"%SystemRoot%\System32\WBEM\WMIC.exe" NTEvent Where "SourceName='Software Restriction Policies'" Get /Value
"%SystemRoot%\System32\WBEM\WMIC.exe" NTEvent Where "SourceName='Microsoft-Windows-SoftwareRestrictionPolicies'" Get /Value
"%SystemRoot%\System32\WBEM\WMIC.exe" NTEvent Where "(EventCode='1007' Or EventCode='1008') And SourceName='MsiInstaller'" Get /Value
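The WMIC command lines above print every matching event as Name=Value lines, one record per blank-line-separated block. The Python script below is an added example (not code from the page or its setup scripts): it parses that output and keeps only the SAFER and MsiInstaller event ids listed above, sorted by time. The embedded sample output is constructed (its message texts are not verbatim Windows messages), and the drive-letter path extraction is a heuristic.

```python
import re

# Event sources and ids the page lists for SAFER enforcement entries.
SRP_SOURCES = {
    "Software Restriction Policies",                  # Windows XP / Server 2003 (R2)
    "Microsoft-Windows-SoftwareRestrictionPolicies",  # Windows Vista and newer
}
SRP_EVENT_IDS = {865, 866, 867, 868, 882}
MSI_SOURCE = "MsiInstaller"
MSI_EVENT_IDS = {1007, 1008}

# Constructed sample of "WMIC NTEvent ... Get /Value" output (not real log data):
# one Name=Value line per property, records separated by blank lines, and a
# Message value that wraps onto a second line.
SAMPLE_WMIC_OUTPUT = r"""

EventCode=865
Message=Access to C:\Users\alice\Downloads\invoice.pdf.exe has been restricted
by your Administrator by the default software restriction policy level.
SourceName=Microsoft-Windows-SoftwareRestrictionPolicies
TimeGenerated=20190315101500.000000+060
Type=Warning


EventCode=4624
Message=An account was successfully logged on.
SourceName=Microsoft-Windows-Security-Auditing
TimeGenerated=20190315101600.000000+060
Type=Audit Success


EventCode=1008
Message=The installation of C:\Users\alice\Downloads\setup.msi is not permitted by software restriction policy.
SourceName=MsiInstaller
TimeGenerated=20190315101700.000000+060
Type=Warning

"""

_PROPERTY = re.compile(r"^([A-Za-z_][A-Za-z0-9_]*)=(.*)$")
_PATH = re.compile(r"[A-Za-z]:\\[^\s]+")


def parse_wmic_value_output(text):
    """Split /Value output into a list of {property: value} dicts.

    A line that does not look like Name=Value is treated as the continuation
    of the previous property (long Message texts wrap that way).
    """
    records, current, last = [], {}, None
    for line in text.splitlines():
        line = line.rstrip()
        if not line:
            if current:
                records.append(current)
            current, last = {}, None
            continue
        match = _PROPERTY.match(line)
        if match:
            last = match.group(1)
            current[last] = match.group(2)
        elif last is not None:
            current[last] += " " + line
    if current:
        records.append(current)
    return records


def is_srp_block_event(record):
    """True for the event ids/sources the page names for SAFER and MSI blocks."""
    try:
        code = int(record.get("EventCode", ""))
    except ValueError:
        return False
    source = record.get("SourceName", "")
    return ((source in SRP_SOURCES and code in SRP_EVENT_IDS)
            or (source == MSI_SOURCE and code in MSI_EVENT_IDS))


def blocked_path(record):
    """Best-effort: the first drive-letter path mentioned in the message, or None."""
    match = _PATH.search(record.get("Message", ""))
    return match.group(0) if match else None


def srp_events(text):
    """Parse, filter and sort by TimeGenerated; returns the matching records."""
    events = [r for r in parse_wmic_value_output(text) if is_srp_block_event(r)]
    return sorted(events, key=lambda r: r.get("TimeGenerated", ""))


if __name__ == "__main__":
    for event in srp_events(SAMPLE_WMIC_OUTPUT):
        print(event["TimeGenerated"], event["SourceName"],
              event["EventCode"], blocked_path(event))
```

Redirect the WMIC output to a file and pass its contents to srp_events() to get a per-file list of what SAFER blocked; unrelated events (the 4624 logon in the sample) are dropped.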
Advanced Logging: %SystemRoot%\Debug\SAFER.log on Windows XP, Windows Server 2003 and Windows Server 2003 R2; %SystemRoot%\System32\LogFiles\SAFER.log on Windows Vista and newer versions of Windows NT.
The NTFS access rights of the directories %SystemRoot%\Debug\ and %SystemRoot%\System32\LogFiles\ allow only privileged users (NT AUTHORITY\SYSTEM alias LocalSystem and BUILTIN\Administrators) to create the file %SystemRoot%\Debug\SAFER.log or %SystemRoot%\System32\LogFiles\SAFER.log respectively. The file’s inherited access rights also allow only privileged users to write, but unprivileged users (BUILTIN\Users) to read.
On Windows Vista and newer versions of Windows NT, file and directory operations of 32-bit applications run by unprivileged users which fail due to missing write access rights in %SystemRoot%\ and below as well as %ProgramFiles%\ and below, on 64-bit editions also %ProgramFiles(x86)%\ and below, are redirected to the directory %LOCALAPPDATA%\VirtualStore\, resulting in %LOCALAPPDATA%\VirtualStore\Windows\System32\LogFiles\SAFER.log.
Caveat: the files SAFER.log can grow quite large! Note: they can be cleared or erased any time.
Note: their successor AppLocker is available on Ultimate and Enterprise editions of Windows 7 and newer versions of Windows NT only, while Device Guard is available on Enterprise editions of Windows 10 only.
Unlike antivirus or other so-called security software, which is itself often vulnerable, Software Restriction Policies introduce no additional code that could be leveraged for successful attacks in the first place! Some, but not all (now fixed) vulnerabilities in Microsoft®’s anti-malware products for consumers are documented in the MSKB articles 932135, 952044, 2823482, 2847927 and 3074162, the Security Advisories 2491888, 2846338, 2974294, 3074162 and 4022344, plus the Security Bulletins MS07-010, MS08-029, MS13-034 and MS13-058. The additional updates to harden the anti-malware products for consumers are documented in the MSKB articles 2781197, 2856373, 2883200, 2894853, 2939153, 2976536 and 3025417.
Note: so-called security products of other vendors are equally bad or even worse!
Analysis and Exploitation of an ESET Vulnerability:
Do we understand the risk vs. benefit trade-offs of security software?
Kaspersky: Mo Unpackers, Mo Problems:
Tavis Ormandy, June 2015
[…]
Attackers can cause I/O via Web Browsers, Email, IM, file sharing, network storage, USB, or hundreds of other vectors. Whenever a message, file, image or other data is received, it’s likely some untrusted data passes through the disk. Because it’s so easy for attackers to trigger emulation of untrusted code, it’s critically important that the emulator is robust and isolated. Unfortunately, analysis of ESET emulation reveals that is not the case and it can be trivially compromised.
Because antivirus products typically intercept filesystem and network traffic, simply visiting a website or receiving an email is sufficient for exploitation. It is not necessary to open or read the email, as the filesystem I/O from receiving the email is sufficient to trigger the exploitable condition.
How to Compromise the Enterprise Endpoint:
[…]
Product Design Flaws
I've also reported some major design flaws in various other components of Kaspersky Antivirus and Kaspersky Internet Security. The patches for the remote network attacks I had planned to discuss here were delayed, and so I'll talk about them in a second post on this topic once the fixes are live.
Security Software Considered Harmful?
We have strong evidence that an active black market trade in antivirus exploits exists. Research shows that it’s an easily accessible attack surface that dramatically increases exposure to targeted attacks.
Today we're publishing details of multiple critical vulnerabilities that we discovered, including many wormable remote code execution flaws. These vulnerabilities are as bad as it gets. They don’t require any user interaction, they affect the default configuration, and the software runs at the highest privilege levels possible. In certain cases on Windows, vulnerable code is even loaded into the kernel, resulting in remote kernel memory corruption.
On the right, the screen shot of a message box shows antivirus software that has been disabled by malware (ab)using Software Restriction Policies, i.e. this antivirus software was even unable to protect itself! Note: Self-Protection for Antivirus Software provides an overview!
Trend Micro: Antivirus industry lied for 20 years:
In the antivirus business, we have been lying to customers for 20 years. People thought that virus protection protected them, but we can never block all viruses. Antivirus refresh used to be every 24 hours. People would usually get infected in that time and the industry would clean them up with a new pattern file.
Securing That XP Desktop, Part 1:
In the last 20 years, we have been misrepresenting ourselves. No-one is able to detect five and a half million viruses. Nowadays there are no mass virus outbreaks; [malware] is targeted. But, if there are no virus samples submitted, there’s no way to detect them.
The best kind of desktop is a secure desktop. As you all know, hackers are a tricky bunch. You have to go beyond Symantec Antivirus and actually lock Windows down if you want to make sure your computing environment is actually secure.
Cyber Resilience And Spear Phishing:
For example, application whitelisting on end-user devices stops advanced and zero day attacks from infecting the system by preventing unauthorised code execution, protecting memory, and blocking attempts to exploit a whitelisted app before it gains a foothold and impacts the business. Application whitelisting is listed as a Quick Win in the SANS Critical Security Controls list and the Australian Government Top 4 Mitigating Controls cybersecurity guidance. According to Australian Signals Directorate Deputy Director Steve Day, attackers have not stolen any sensitive data from government networks because of their adoption of the Top 4 mitigating controls.
How to Mitigate Against Targeted Cyber Intrusion:
But there are very effective protections that you can put in place, and they need not require new investment in technology or personnel. The Australian Defence Signals Directorate (DSD) has published guidance on the top 35 strategies to mitigate against targeted cyber intrusion and concluded that at least 85 % of the intrusions they responded to in 2011 and 2012 would have been prevented if only the top four of these mitigations had been in place.
These top four mitigations only require organizations to employ application whitelisting technology, maintain current, patched applications and operating systems and effectively restrict the use of administrative accounts.
One of the common misconceptions about UAC and about Same-desktop Elevation in particular is that it prevents malware from being installed or from gaining administrative rights. First, malware can be written not to require administrative rights, and malware can be written to write just to areas in the user’s profile. More important, Same-desktop Elevation in UAC is not a security boundary and can be hijacked by unprivileged software that runs on the same desktop. Same-desktop Elevation should be considered a convenience feature, and from a security perspective, "Protected Administrator" should be considered the equivalent of "Administrator." By contrast, using Fast User Switching to log on to a different session by using an administrator account involves a security boundary between the administrator account and the standard user session.
Update on UAC:
One important thing to know is that UAC is not a security boundary. UAC helps people be more secure, […]
Inside Windows 7 User Account Control:
The most effective way to secure a system against malware is to run with standard user privileges.
[…] the primary purpose of elevation is not security, though, it’s convenience: […]
The Long-Term Impact of User Account Control:
[…] this is also where we run into some of the limitations of UAC. Remember, there is no effective isolation; there is no security boundary that isolates processes on the same desktop.
Note: as shipped, Windows NT even fails to isolate processes running in different sessions, thereby allowing unprivileged standard users to elevate their privileges to NT AUTHORITY\SYSTEM alias LocalSystem!
Inside Windows Vista User Account Control:
It’s important to be aware that UAC elevations are conveniences and not security boundaries. A security boundary requires that security policy dictates what can pass through the boundary. User accounts are an example of a security boundary in Windows because one user can’t access the data belonging to another user without having that user’s permission.
The Advantages of Running Applications on Windows Vista:
The UAC’s Administrator Approval Mode, which is the default configuration, will allow most applications to run in a standard user mode, even when the user is an administrator. When the administrator privileges are needed, the UAC prompts the user for consent. While this is an effective way to reduce the attack surface, it does not provide the same level of control or security as using a standard user account.
autoElevate property set in their embedded application manifest, Windows Publisher code signing certificate, and secure locations like %SystemRoot%\ and its subdirectories.
protected administrators to write arbitrary files to write-protected and therefore unrestricted locations like %SystemRoot%\ and its subdirectories and thus bypass NTFS ACLs, Software Restriction Policies, and AppLocker too! See UAC-a-mole alias qUACkery for some examples, their exploits and the mitigations.
To prevent the silent (automatic) elevation, set UAC to its highest level Always notify; to prevent any bypass, use a Standard User account and disable elevation requests there:
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"ConsentPromptBehaviorAdmin"=dword:00000002 ; Prompt for consent on the secure desktop
"ConsentPromptBehaviorUser"=dword:00000000 ; Automatically deny elevation requests
Both settings are documented in the TechNet article UAC Group Policy Settings and Registry Key Settings.
Note: according to numbers published by Microsoft in their Security Intelligence Reports, about ½ to ¾ of all (some 600 million) Windows NT installations engaged in their malware telemetry reported only a single active user account.
Google’s Project Zero reported several bugs which allow to bypass UAC that Microsoft won’t fix: Issue 156 and Issue 220.
Also note that in combination with UAC Windows Explorer shows surprising and dangerous behaviour (documented in the MSKB article 950934) which generally impairs security and safety!
To detect directories with additional NTFS ACL entries created by Windows Explorer as well as (writable) files possibly created in these directories from your user account, start the Command Processor, run the following command lines and inspect their output, then remove the additional NTFS ACL entries:
"%SystemRoot%\System32\ICACLs.exe" "%SystemRoot%\*" /FindSID "%USERNAME%" /C /T
"%SystemRoot%\System32\ICACLs.exe" "%ProgramFiles%\*" /FindSID "%USERNAME%" /C /T
"%SystemRoot%\System32\ICACLs.exe" "%ProgramFiles(x86)%\*" /FindSID "%USERNAME%" /C /T
"%SystemRoot%\System32\ICACLs.exe" "%ProgramData%\*" /FindSID "%USERNAME%" /C /T
To prevent these mishaps from happening again, super hide the detected directories:
"%SystemRoot%\System32\Attrib.exe" +H +S "‹directory›"
To detect directories where Windows Explorer will show this misbehaviour, run the following command lines as unprivileged (standard) user:
For /D /R "%SystemRoot%" %? In (*) Do @Dir /A "%?" 1>NUL: 2>NUL: || @Echo %?
For /D /R "%ProgramFiles%" %? In (*) Do @Dir /A "%?" 1>NUL: 2>NUL: || @Echo %?
For /D /R "%ProgramFiles(x86)%" %? In (*) Do @Dir /A "%?" 1>NUL: 2>NUL: || @Echo %?
For /D /R "%ProgramData%" %? In (*) Do @Dir /A "%?" 1>NUL: 2>NUL: || @Echo %?
APPCERT.DLL must be installed on all versions of Windows NT to prevent circumvention of Software Restriction Policies!
On Windows 10 1709 alias Fall Creators Update, the update 4093105 fixes the bug that causes Microsoft Edge to stop after a few seconds.
On Windows 10 1703 alias Creators Update, the update 4093117 fixes the bug that causes Microsoft Edge to stop after a few seconds.
On Windows 7 and Windows Server 2008 R2, the hotfix 2532445, the hotfix 2894252, or the convenience rollup update 3125574 must be installed to prevent circumvention of Software Restriction Policies!
On Windows 7, Windows Server 2008 R2 and newer versions of Windows NT, the optional update 977542 should be installed and the following Registry entry should be created to prevent unprivileged users from logging on in Safe Mode:
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"SafeModeBlockNonAdmins"=dword:00000001 ; Disable 'Standard Users' in 'Safe Mode'
On Windows Vista and Windows Server 2008, the optional update 969972 or one of the optional updates 2257986, 2414106 or 2812950 which contain a newer version of the file replaced by 969972 should be installed!
On Windows Server 2003 and Windows Server 2003 R2, the optional update 973825 should be installed!
On systems with AMD64 alias x64 processor architecture running Windows XP, Windows Server 2003 or Windows Server 2003 R2, the optional update 942589 must be installed to enable the special directory pathname %SystemRoot%\SysNative!
On Windows XP, Windows Server 2003, Windows Server 2003 R2, Windows Embedded POSReady 2009, Windows Embedded Standard 2009, Windows Vista and Windows Server 2008, Software Restriction Policies can be bypassed: the hotfixes 2532445 and 2894252 are not available for these versions of Windows NT!
Note: an adversary must be able to call the Win32 function LoadLibraryEx() to exercise this bypass. Since Software Restriction Policies block the direct execution of Win32 applications, an adversary needs to find a way to run code inside one of the trusted Win32 applications installed on a victim’s computer, which typically means to (ab)use a vulnerability in these applications and compromise them.
On Windows XP, Windows Embedded POSReady 2009 and Windows Embedded Standard 2009, hash rules are not applied to DLLs.
Note: this limitation is documented in the MSKB article 310791.
Certificate rules are not applied to DLLs!
Path rules with more than 133 characters are silently ignored!
CreateProcess(), CreateProcessAsUser(), CreateProcessWithLogonW(), CreateProcessWithTokenW(), LoadModule() and WinExec(), independent of their file extension,
LoadLibrary(), LoadLibraryEx() and LoadPackagedLibrary(), independent of their file extension,
ShellExecute() and ShellExecuteEx(), depending on their file extension,
portable executables or open files for execution.
Unless disabled with the following Registry entry, Software Restriction Policies control the execution of scripts interpreted and run by the Windows Script Host, independent of their file extension:
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Script Host\Settings]
"UseWINSAFER"="0"
Software Restriction Policies control the installation of Windows Installer packages and patches.
Software Restriction Policies don’t control the execution of MS-DOS and 16-bit Windows applications: these run inside the NTVDM alias WOWEXEC subsystem, available only on systems with I386 alias x86 processor architecture.
To disable the NTVDM and the WOWEXEC subsystem, set the Registry entry
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AppCompat]
"VDMDisallowed"=dword:00000001
documented in the Security Advisory 979682 and the Security Bulletin MS13-063, plus the Registry entry
REGEDIT4
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WoW]
"DisallowedPolicyDefault"=dword:00000001
documented in the Security Bulletin MS10-098.
Software Restriction Policies don’t control the execution of OS/2 or POSIX applications: these run inside their own optional and separate OS/2 or POSIX subsystem, either SFU (available for Windows XP and Windows Server 2003) or SUA (available for or included as Optional Component in Windows Server 2003 R2, Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8 and Windows Server 2012, but deprecated).
Software Restriction Policies don’t control the interpretation and execution of code, macros or scripts inside Win32 applications unless these explicitly call the Win32 functions that implement SAFER:
SCRObj.dll, called for example via RegSvr32.exe, can run arbitrary Windows Script Components alias Scriptlets, i.e. COM objects written in JScript, VBScript or any other scripting language supported by an installed Windows Script Engine;
executable: portable executables, i.e. applications and DLLs, independent of their file extension, typically .EXE, .DLL, .SYS, .SCR, .CPL, .OCX, .IME, .MUI, .AX, .ACM, .VCM, .TSP, .RLL, .WLL, .XLL, .COM, .EFI, …;
.MSI, .MSP and .MST);
.JS, .JSE, .VB, .VBS, .VBE, .WSC, .WSF, .WSH, …;
.SCT);
.PS1 and .PSM1);
.BAT and .CMD), independent of their file extension;
.INF);
.HTA and .HTC);
SaferiIsExecutableFileType() and AssocIsDangerous() for details.
Windows’ module loader, the Win32 functions CreateProcess*(), WinExec(), LoadModule(), LoadLibrary*() and LoadPackagedLibrary(), the Windows Installer, the Windows Script Host, the PowerShell interpreter and the Command Processor call the SAFER functions for every file they open for execution; only the Windows Explorer, i.e. the Win32 functions ShellExecute*(), evaluates the list of Designated File Types and calls the SAFER functions when a file extension matches.
Except on Home and Starter editions of Windows NT, this list of file extensions can be viewed and modified via the Local Security Policy snap-in of the Microsoft Management Console.
Note: the predefined list of file extensions is almost identical to the Unsafe File List of Internet Explorer, documented in the MSKB article 291369.
Caveat: the Local Security Policy snap-in reads SAFER settings and rules only from the file %SystemRoot%\System32\GroupPolicy\Machine\Registry.pol, not from the Registry; SAFER settings and rules written directly and only to the Registry therefore don’t show in the Local Security Policy snap-in!
If this file exists, modifications of the SAFER settings or rules written directly and only to the Registry will (periodically) be overwritten with the SAFER settings and rules from the file!
If this file contains neither SAFER settings nor rules (or does not exist), the Local Security Policy snap-in (creates it and) writes the default SAFER settings and rules to the file and to the Registry, thereby overwriting existing SAFER settings and rules in the Registry!
To avoid this, either run the program SRP2LGPO.EXE (available upon request) once to export all SAFER settings and rules from the Registry to the file %SystemRoot%\System32\GroupPolicy\Machine\Registry.pol, download the (empty) REGISTRY.POL that contains the (missing) setting
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers]
"Levels"=dword:00071000
which enables all SAFER security levels and save it as %SystemRoot%\System32\GroupPolicy\Machine\Registry.pol, or create it from scratch:
COPY CON: "%TMP%\SAFER.TMP"
50 52 65 67 01 00 00 00 5b 00 53 00 4f 00 46 00   PReg....[.S.O.F.
54 00 57 00 41 00 52 00 45 00 5c 00 50 00 6f 00   T.W.A.R.E.\.P.o.
6c 00 69 00 63 00 69 00 65 00 73 00 5c 00 4d 00   l.i.c.i.e.s.\.M.
69 00 63 00 72 00 6f 00 73 00 6f 00 66 00 74 00   i.c.r.o.s.o.f.t.
5c 00 57 00 69 00 6e 00 64 00 6f 00 77 00 73 00   \.W.i.n.d.o.w.s.
5c 00 53 00 61 00 66 00 65 00 72 00 5c 00 43 00   \.S.a.f.e.r.\.C.
6f 00 64 00 65 00 49 00 64 00 65 00 6e 00 74 00   o.d.e.I.d.e.n.t.
69 00 66 00 69 00 65 00 72 00 73 00 00 00 3b 00   i.f.i.e.r.s...;.
4c 00 65 00 76 00 65 00 6c 00 73 00 00 00 3b 00   L.e.v.e.l.s...;.
04 00 00 00 3b 00 04 00 00 00 3b 00 00 10 07 00   ....;.....;.....
5d 00                                             ].
^Z
CERTUTIL.EXE /DecodeHex /V "%TMP%\SAFER.TMP" "%SystemRoot%\System32\GroupPolicy\Machine\Registry.pol"
1 file(s) copied.
Input Length = 734
Output Length = 162
CertUtil: -decodehex command completed successfully.
Note: for details see the MSDN article Registry Policy File Format.
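The hex dump above is the Registry Policy File Format written out byte by byte: a PReg signature, a version, then one [key;value;type;size;data] record with UTF-16LE strings. As an added example (not code from the page and not SRP2LGPO.EXE), the Python script below builds the same 162-byte Registry.pol from the key, value name, type and data and parses it back, so a Registry.pol can be generated or verified before it is copied to %SystemRoot%\System32\GroupPolicy\Machine\. The layout it implements is the one the MSDN article describes; the helper names are this example's own.

```python
import struct

# Registry.pol layout (MSDN "Registry Policy File Format"): "PReg" signature,
# 32-bit version, then per value  [key;value;type;size;data]  where every
# string is UTF-16LE with a two-byte terminator and the brackets/semicolons
# are UTF-16LE characters too; type and size are 32-bit little-endian.
PREG_SIGNATURE = b"PReg"
PREG_VERSION = 1
REG_DWORD = 4

# The single setting the page's hex dump encodes: "Levels"=dword:00071000.
SAFER_KEY = r"SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers"
SAFER_LEVELS_ENTRY = (SAFER_KEY, "Levels", REG_DWORD, struct.pack("<I", 0x00071000))


def _utf16z(text):
    """UTF-16LE string followed by a two-byte terminator."""
    return text.encode("utf-16-le") + b"\x00\x00"


def build_registry_pol(entries):
    """Serialise (key, value_name, reg_type, data_bytes) tuples into Registry.pol bytes."""
    sep = ";".encode("utf-16-le")
    out = bytearray(PREG_SIGNATURE + struct.pack("<I", PREG_VERSION))
    for key, value_name, reg_type, data in entries:
        out += "[".encode("utf-16-le")
        out += _utf16z(key) + sep
        out += _utf16z(value_name) + sep
        out += struct.pack("<I", reg_type) + sep
        out += struct.pack("<I", len(data)) + sep
        out += data
        out += "]".encode("utf-16-le")
    return bytes(out)


def _expect(blob, pos, char):
    """Consume one UTF-16LE delimiter character or fail loudly."""
    if blob[pos:pos + 2] != char.encode("utf-16-le"):
        raise ValueError("expected %r at offset %d" % (char, pos))
    return pos + 2


def _read_utf16z(blob, pos):
    """Read a terminated UTF-16LE string; returns (text, position after terminator)."""
    end = pos
    while end + 2 <= len(blob) and blob[end:end + 2] != b"\x00\x00":
        end += 2
    if end + 2 > len(blob):
        raise ValueError("unterminated string at offset %d" % pos)
    return blob[pos:end].decode("utf-16-le"), end + 2


def parse_registry_pol(blob):
    """Inverse of build_registry_pol; raises ValueError on a malformed file."""
    if blob[:4] != PREG_SIGNATURE:
        raise ValueError("not a PReg file")
    version = struct.unpack_from("<I", blob, 4)[0]
    if version != PREG_VERSION:
        raise ValueError("unsupported PReg version %d" % version)
    entries, pos = [], 8
    while pos < len(blob):
        pos = _expect(blob, pos, "[")
        key, pos = _read_utf16z(blob, pos)
        pos = _expect(blob, pos, ";")
        value_name, pos = _read_utf16z(blob, pos)
        pos = _expect(blob, pos, ";")
        reg_type = struct.unpack_from("<I", blob, pos)[0]
        pos = _expect(blob, pos + 4, ";")
        size = struct.unpack_from("<I", blob, pos)[0]
        pos = _expect(blob, pos + 4, ";")
        data = blob[pos:pos + size]
        if len(data) != size:
            raise ValueError("truncated data at offset %d" % pos)
        pos = _expect(blob, pos + size, "]")
        entries.append((key, value_name, reg_type, data))
    return entries


def levels_registry_pol():
    """The 162-byte Registry.pol from the page, built instead of typed in as hex."""
    return build_registry_pol([SAFER_LEVELS_ENTRY])


if __name__ == "__main__":
    blob = levels_registry_pol()
    print(len(blob), "bytes:", parse_registry_pol(blob))
```

Writing the result of levels_registry_pol() to a file yields exactly the bytes CERTUTIL.EXE decodes from the dump above (162 bytes, 0x00071000 stored little-endian as 00 10 07 00); parse_registry_pol() can likewise be pointed at an existing Registry.pol to list the settings the Local Security Policy snap-in will apply.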
Note: if the file %SystemRoot%\System32\GroupPolicy\Machine\Registry.pol is hidden, the Local Security Policy snap-in fails and displays a (bogus) error message access denied when applying changes!
data) from each other as well as from the operating system.
More than 15 years ago Microsoft introduced Software Restriction Policies alias SAFER and published the MSDN articles Using Software Restriction Policies to Protect Against Unauthorized Software, Using Software Restriction Policies to Protect Against Unauthorized Software and How Software Restriction Policies Work.
From Strategies to Mitigate Cyber Security Incidents:
At least 85 % of the adversary techniques used in targeted cyber intrusions which ASD has visibility of could be mitigated by implementing the following mitigation strategies, referred to as the 'Top 4':
• use application whitelisting to help prevent malicious software and unapproved programs from running
[…]
From NCSC Applocker Guidance:
Application whitelisting is one of the best available protections against malware.
More than 15 years ago Microsoft introduced DEP alias W^X and enabled it by default.
But even today all (data) files created in the User Profiles, the %PUBLIC%\, %ProgramData%\ and almost all other data directories too are still executable: although not needed, the (inheritable) NTFS ACLs of all these directories include execute permission for files! And Software Restriction Policies are still not enabled by default!
The immediate benefit of an NTFS ACL without execute permission or the default SAFER ruleset is: no (unintended) execution of files like invoice.pdf.exe etc. stored in data directories, so spreading malware to Windows NT systems becomes utterly useless.
If you want to try DEP in the NTFS filesystem for yourself, choose one of the following:
(D;OIIO;WP;;;WD) meaning deny execution of files in this directory for everyone, inheritable to all files in all subdirectories for your own %USERPROFILE%\ directory (or all of them plus %ALLUSERSPROFILE%\ alias %ProgramData%\ and %PUBLIC%\ if you have administrative privileges). Note: deny ACL entries have precedence over allow ACL entries.
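To read an ACE string such as (D;OIIO;WP;;;WD) before applying it, the following Python parser, an added example and not code from the page, decodes the SDDL fields into ACE type, inheritance flags, access mask and SID and reports whether the entry denies execution of the files below a directory; it also accepts a hexadecimal rights field, which the page's example does not use. The abbreviations and bit values are those of winnt.h/sddl.h (for file objects the 0x20 bit written as WP is FILE_EXECUTE); the function names are this example's own.

```python
# SDDL ACE string layout:
#   (ace_type;ace_flags;rights;object_guid;inherit_object_guid;account_sid)
ACE_TYPES = {"A": "ACCESS_ALLOWED", "D": "ACCESS_DENIED",
             "AU": "SYSTEM_AUDIT", "AL": "SYSTEM_ALARM"}
ACE_FLAGS = {
    "OI": "OBJECT_INHERIT",        # propagate to child files
    "CI": "CONTAINER_INHERIT",     # propagate to child directories
    "IO": "INHERIT_ONLY",          # not effective on the object it is set on
    "NP": "NO_PROPAGATE_INHERIT",  # stop after the immediate children
    "ID": "INHERITED",
    "SA": "SUCCESSFUL_ACCESS",
    "FA": "FAILED_ACCESS",
}
# Right abbreviations and bit values (winnt.h / sddl.h). For file objects the
# object-specific bit 0x20, written WP in SDDL, is FILE_EXECUTE; FA/FR/FW/FX
# are the FILE_GENERIC_* masks.
RIGHTS = {
    "CC": 0x00000001, "DC": 0x00000002, "LC": 0x00000004, "SW": 0x00000008,
    "RP": 0x00000010, "WP": 0x00000020, "DT": 0x00000040, "LO": 0x00000080,
    "CR": 0x00000100, "SD": 0x00010000, "RC": 0x00020000, "WD": 0x00040000,
    "WO": 0x00080000, "FA": 0x001F01FF, "FR": 0x00120089, "FW": 0x00120116,
    "FX": 0x001200A0, "GA": 0x10000000, "GX": 0x20000000, "GW": 0x40000000,
    "GR": 0x80000000,
}
FILE_EXECUTE = 0x00000020
WELL_KNOWN_SIDS = {"WD": "S-1-1-0", "BA": "S-1-5-32-544", "BU": "S-1-5-32-545",
                   "SY": "S-1-5-18", "AU": "S-1-5-11"}


def _pairs(field, table, what):
    """Split a run of two-letter codes and look each one up, with a readable error."""
    if len(field) % 2:
        raise ValueError("odd-length %s field: %r" % (what, field))
    out = []
    for i in range(0, len(field), 2):
        code = field[i:i + 2]
        if code not in table:
            raise ValueError("unknown %s code %r" % (what, code))
        out.append(table[code])
    return out


def parse_ace(ace):
    """Decode one SDDL ACE string into a dict."""
    ace = ace.strip()
    if not (ace.startswith("(") and ace.endswith(")")):
        raise ValueError("ACE must be enclosed in parentheses")
    fields = ace[1:-1].split(";")
    if len(fields) != 6:
        raise ValueError("ACE needs 6 ';'-separated fields, got %d" % len(fields))
    ace_type, flags, rights, object_guid, inherit_guid, sid = fields
    if ace_type not in ACE_TYPES:
        raise ValueError("unknown ACE type %r" % ace_type)
    if rights.lower().startswith("0x"):
        mask = int(rights, 16)          # raw hexadecimal access mask
    else:
        mask = 0
        for bits in _pairs(rights, RIGHTS, "right"):
            mask |= bits
    return {
        "type": ACE_TYPES[ace_type],
        "flags": _pairs(flags, ACE_FLAGS, "flag"),
        "mask": mask,
        "object_guid": object_guid,
        "inherit_object_guid": inherit_guid,
        "sid": WELL_KNOWN_SIDS.get(sid, sid),  # two-letter alias or literal S-1-... string
    }


def applies_to(ace):
    """Where an ACE set on a directory is effective."""
    flags = set(ace["flags"])
    return {
        "directory_itself": "INHERIT_ONLY" not in flags,
        "child_files": "OBJECT_INHERIT" in flags,
        "child_directories": "CONTAINER_INHERIT" in flags,
        "propagates_below": "NO_PROPAGATE_INHERIT" not in flags,
    }


def denies_file_execute(ace):
    """True when the ACE denies FILE_EXECUTE on the files below the directory."""
    return (ace["type"] == "ACCESS_DENIED"
            and bool(ace["mask"] & FILE_EXECUTE)
            and applies_to(ace)["child_files"])


if __name__ == "__main__":
    for text in ("(D;OIIO;WP;;;WD)", "(A;OICI;FA;;;BA)"):
        parsed = parse_ace(text)
        print(text, parsed["type"], hex(parsed["mask"]), parsed["sid"],
              "denies execute:", denies_file_execute(parsed))
```

For the page's entry the decoder reports a deny ACE for S-1-1-0 (Everyone) with mask 0x20 that is inherit-only on the directory and object-inherit, i.e. it never affects the directory itself (so it stays traversable) but reaches every file below it, which is exactly the reading the page gives.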
*.exe) only in the directories %SystemRoot%\ and %SystemRoot%\System32\ and all executable files in the directory %ProgramFiles%\ and below.
Note: this ruleset leaves many loopholes!
On systems with AMD64 alias x64 processor architecture, add path rules to allow execution of %SystemRoot%\SysWoW64\*.exe and %SystemRoot%\Sysnative\*.exe as well as %ProgramFiles(x86)%\. Note: without these additional rules, applications can’t execute applications for the other processor architecture!
Follow the step-by-step instructions presented on How to make a disallowed-by-default Software Restriction Policy.
Note: these instructions let Windows Apps (which were introduced with Windows 8) fail and leave multiple loopholes!
Download and install the setup script XP_SAFER.INF (for Windows XP, including embedded editions, Windows Server 2003 and Windows Server 2003 R2), NT6_SAFER.INF (for Windows Vista and Windows 7 as well as Windows Server 2008 and Windows Server 2008 R2) or NTX_SAFER.INF (for Windows 8, Windows 8.1 and Windows 10 as well as Windows Server 2012, Windows Server 2012 R2, Windows Server 2016 and Windows Server 2019) respectively.
invoice.pdf.exe your anti-virus software fails to detect and open it.
SAFER has to be installed.
Software Restriction Policies alias SAFER are a builtin feature of Windows XP and newer versions of Windows NT!
SAFER is not available in Home editions.
SAFER is available in all editions of Windows XP and newer versions of Windows NT! Home and Starter editions only lack the Local Security Policy snap-in of the Microsoft Management Console.
SAFER is not suited for ordinary users.
The SAFER ruleset configured by the setup scripts XP_SAFER.INF, NT6_SAFER.INF and NTX_SAFER.INF is made especially for ordinary (unprivileged alias standard) users who work with the applications installed on their computers!
SAFER needs constant maintenance.
The SAFER ruleset configured by the setup scripts XP_SAFER.INF, NT6_SAFER.INF and NTX_SAFER.INF allows all properly installed applications which meet the minimum requirements of the Designed for Windows guidelines to run!
I use UAC, I don’t need SAFER.
The UAC does not protect against execution of programs which run with standard user rights, for example ransomware like Locky!
SAFER locks me out of my computer.
The SAFER ruleset configured by the setup scripts XP_SAFER.INF, NT6_SAFER.INF and NTX_SAFER.INF restricts unprivileged users only, but not administrators, and does not restrict applications shipped with Windows NT!
Additionally, Software Restriction Policies are not active in Safe Mode, where they can be disabled, for example via Registry Editor:
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers]
;"PolicyScope"=dword:00000001 ; exempt 'Administrators'
"TransparentEnabled"=dword:00000000 ; no enforcement
NTX_SAFER.INF, NT6_SAFER.INF, XP_SAFER.INF, NT6_SUPER.INF and XP_SUPER.INF use a belt & suspenders approach: although the Default rule denies execution, additional Disallowed rules are defined for almost all paths and directories except %SystemRoot%\, %ProgramFiles%\ and %ProgramFiles(x86)%\, i.e. all local drives, all network paths, %ProgramData%\, %PUBLIC%\, %ALLUSERSPROFILE%\, %USERPROFILE%\, %TEMP%\, %TMP%\ etc.
All SAFER registry path rules which allow execution reference only Registry entries below HKEY_LOCAL_MACHINE to prevent users from tampering.
Note: never define a SAFER path rule that allows execution and references an environment variable or a Registry entry a user can write or modify!
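The two rules above (belt & suspenders Disallowed rules for user-writable locations, and allow rules that reference only HKEY_LOCAL_MACHINE) can be checked on an installed policy. The following PowerShell audit is an added example; it is not part of the SAFER setup scripts or SRP2LGPO.EXE. It assumes the standard SAFER Registry layout HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\‹level›\Paths\‹GUID›\ItemData, and the list of user-profile environment variables and the sample rules in it are constructed for illustration.

```powershell
# Added audit example (not part of the SAFER setup scripts or SRP2LGPO.EXE).
# Assumptions: the standard SAFER Registry layout
#   HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\<level>\Paths\<GUID>\ItemData
# and the list of user-profile environment variables below.

# Security levels used as subkey names below CodeIdentifiers
$SaferLevels = @{
    0      = 'Disallowed'
    4096   = 'Untrusted'
    65536  = 'Constrained'
    131072 = 'Normal User'
    262144 = 'Unrestricted'
}

# Environment variables that resolve into directories an unprivileged user can write to
$UserProfileVariables = @(
    'USERPROFILE', 'APPDATA', 'LOCALAPPDATA', 'TEMP', 'TMP', 'HOMEPATH',
    'PUBLIC', 'ALLUSERSPROFILE', 'PROGRAMDATA'
)

function Test-SaferPathRule {
    # Returns $null when the rule looks safe, otherwise a short reason why an
    # unprivileged user could abuse it. $ItemData is the raw, unexpanded rule
    # text as stored in the Registry.
    param([Parameter(Mandatory)][string]$ItemData)

    # Registry path rules (%HIVE\Key\ValueName%): only entries below
    # HKEY_LOCAL_MACHINE are out of an unprivileged user's reach.
    if ($ItemData -match '^%(HKEY_CURRENT_USER|HKEY_USERS|HKCU|HKU)\\') {
        return 'references a Registry entry below a user-writable hive'
    }
    if ($ItemData -match '^%(HKEY_LOCAL_MACHINE|HKLM)\\') {
        return $null
    }

    # Environment variables are not protected by ACLs: a user can redefine them
    # in their own process before starting a program, so any allow rule built on
    # them is weak; profile variables point into writable directories outright.
    foreach ($m in [regex]::Matches($ItemData, '%([A-Za-z0-9_()]+)%')) {
        $name = $m.Groups[1].Value.ToUpperInvariant()
        if ($UserProfileVariables -contains $name) {
            return "references user-profile environment variable %$name%"
        }
        return "references environment variable %$name%, which a user can redefine"
    }

    # Literal paths inside user-writable directory trees
    if ($ItemData -match '^[A-Za-z]:\\(Users|Documents and Settings|ProgramData|Temp)(\\|$)') {
        return 'points into a user-writable directory tree'
    }

    # Bare wildcards or drive roots allow execution everywhere
    if ($ItemData -match '^(\*|[A-Za-z]:\\?\*?)$') {
        return 'allows execution from an entire drive'
    }
    return $null
}

function Get-SaferAllowRuleFindings {
    # Enumerate every path rule whose level is not Disallowed and audit it.
    $base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
    foreach ($level in ($SaferLevels.Keys | Where-Object { $_ -ne 0 })) {
        $paths = Join-Path $base "$level\Paths"
        if (-not (Test-Path $paths)) { continue }
        foreach ($rule in Get-ChildItem $paths) {
            # Read the value unexpanded; Get-ItemProperty would expand REG_EXPAND_SZ.
            $itemData = $rule.GetValue('ItemData', '', 'DoNotExpandEnvironmentNames')
            [pscustomobject]@{
                Level   = $SaferLevels[$level]
                Rule    = $itemData
                Finding = Test-SaferPathRule -ItemData $itemData
            }
        }
    }
}

# Constructed sample rules (not read from any system) demonstrating the checks
$SampleRules = @(
    '%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SystemRoot%',
    '%SystemRoot%\SysWoW64\*.exe',
    '%HKEY_CURRENT_USER\Software\ExampleVendor\InstallDir%',
    '%APPDATA%\ExampleApp\*.exe',
    'C:\Users\*\Downloads\*.exe',
    '*'
)
$SampleRules | ForEach-Object {
    [pscustomobject]@{ Rule = $_; Finding = Test-SaferPathRule -ItemData $_ }
} | Format-Table -AutoSize -Wrap

# On a real system: Get-SaferAllowRuleFindings | Where-Object Finding | Format-Table -Wrap
```

Of the constructed samples only the first (a registry path rule below HKEY_LOCAL_MACHINE, the form Windows itself uses for its default rules) passes; the %SystemRoot% rule recommended by the external guide above is flagged because the variable can be redefined in a user's process, which is the loophole the note warns about.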
SRP2LGPO.EXE, the program to export SAFER settings and rules from the Registry to the file %SystemRoot%\System32\GroupPolicy\Machine\Registry.pol, is a pure Win32 application, written in ANSI C, built with the Platform SDK for Windows Server 2003 R2 and Microsoft Visual C++ Compiler 2010 SP1 from update 2519277, but without the MSVCRT libraries, for use on Windows 2000 and newer versions of Windows NT.
SRP2LGPO.EXE is available for the I386 alias x86, AMD64 alias x64 and IA64 processor architectures of Windows NT.
NTX_SAFER.INF, NT6_SAFER.INF and XP_SAFER.INF are packaged in the (compressed and digitally signed) cabinet file SAFER.CAB.
Note: on systems with AMD64 alias x64 processor architecture, the installation must be run in the native (64-bit) execution environment!
Note: on systems with AMD64 alias x64 processor architecture, Internet Explorer (x64) must be used!
SAFER.CAB and verify its digital signature, then open it in Windows Explorer, extract its contents, right-click the extracted setup script NTX_SAFER.INF, NT6_SAFER.INF or XP_SAFER.INF respectively to display its context menu and click Install to run the installation.
Logon with your unprivileged (standard) user account.
Right click on the desktop background to display the context menu, select New, then Text Document; change the file extension .txt to .cmd, then press the Return key.
NTX_SAFER.INF supports the upgrade from any version of NT6_SAFER.INF: just install its current version!
On Windows XP and Windows Server 2003, open the Add/Remove Programs applet of the Control Panel, tick the checkbox Updates, select the entry Softwarebeschränkungsrichtlinien für 'Windows XP/2003 [R2]' underneath Systemkonfiguration and click the Remove button.
On Windows Vista and newer versions of Windows NT, open the Control Panel and click the entry View installed updates underneath the Programs and Features or Programs category.
In Installed Updates select the entry Softwarebeschränkungsrichtlinien für 'Windows Vista/2008 [R2]/7' underneath Systemkonfiguration and click the Uninstall menu entry.
Note: deinstallation neither removes the file %SystemRoot%\System32\GroupPolicy\Machine\Registry.pol nor any SAFER settings and rules from it.
NT6_SAFER.INF and NT6_SUPER.INF prior to 2017-03-08 had a bug: they removed the Registry entry to disable unprivileged user logons in Safe Mode instead of adding it!
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"SafeModeBlockNonAdmins"=dword:00000001 ; Disable 'Standard Users' in 'Safe Mode'
Note: since this Registry entry does not exist in standard installations of Windows® it is unlikely that this bug had a negative impact.
Use the X.509 certificate to send S/MIME encrypted mail.
Note: email in weird format and without a proper sender name is likely to be discarded!
I dislike HTML (and even weirder formats too) in email, I prefer to receive plain text.
I also expect to see your full (real) name as sender, not your nickname.
I abhor top posts and expect inline quotes in replies.
as is without any warranty, neither express nor implied.
cookies in the web browser.
The web service is operated and provided by Telekom Deutschland GmbH. The web service provider stores a session cookie in the web browser and records every visit of this web site with the following data in an access log on their server(s):