  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 2405

Cryptolocker blocking group policy path rules whitelist

There are unfortunately people who create malware.
And there is MS, trying to help us by providing things like administrative logins and UAC.
And there are those who spend their time finding their way around the tools MS provides because 'they're inconvenient'.
Like the fine folks at Oracle, who give us an updater executable that wants to execute in
c:\users\username\AppData\Local\Temp or %LocalAppData%\Temp if you prefer.
The fine folks from Sage Software do the same thing for their Simply Accounting updates.

Those locations also happen to be amongst the locations that CryptoLocker and its ilk execute from.
So, after our brush with that, I have a GPO in place that is

%AppData%\*.exe                                                                  Disallowed
%AppData%\*\*.exe                                                                Disallowed
%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%     Unrestricted
%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir%   Unrestricted
%LocalAppData%\*.exe                                                             Disallowed
%LocalAppData%\*\*.exe                                                           Disallowed
%LocalAppData%\Temp\jre*.exe                                                     Unrestricted
%LocalAppData%\Temp\SA201*.exe                                                   Unrestricted

Sadly however, the two unrestricted wildcard items DO NOT get to run.
And their obfuscated structure means I can't just rip them apart to get to the .msi or setup.exe

How do I alter my group policy to permit those PITA installation updates to run while still preserving the prohibition on anything else playing pattycake in the AppData sandbox?
Asked by Nick67
5 Solutions
 
Cliff Galiher commented:
You don't. You'll find that updaters that run from a local profile folder, by necessity, also run under that user's account permissions. So if you are following best practices and using UAC and limited accounts, the updater, even if it could execute, would fail to actually update as it wouldn't have permissions to write to the install location. In a managed environment (such as yours) it is common and recommended practice to disable auto updaters and manage updates through a more managed patch management strategy.
 
Nick67 (Author) commented:
Sigh.
I AM the administrator.
And, like with Java, UAC prompts me for credentials, which I give it.
The installer then gets promptly murdered by the Group Policy.

And really, I have neither the budget nor the need for the heavy duty tools.
Everything else can do its job without a lot of hassle.
Office 2013 can auto-update without intervention
So can Flash.
Acrobat Reader prompts for UAC and then does its thing.

But Java and Simply Accounting do not because they insist on distributing an executable that then unpacks in these undesirable locations.  So I need to whitelist them.  How do I do so?
 
Cliff Galiher commented:
As I said, with group policy alone, you can't. It isn't just the location that is the issue. Flash auto-updates because it installs a service that always runs. So does Office 365. Traditional MSI Office 2013 does not auto-update, but relies on Windows Update which... runs as a service. They don't run in the user's context at all.

If it could be done in group policy, there wouldn't be a market for products like Appdeploy or Ninite, or even Desktop Authority by Dell. All would solve your issue. None are free. And I never said you weren't an admin. I was just providing background on *why* you were hitting the wall and why the answer is "you can't do that."
 
Donald Stewart (Network Administrator) commented:
I have success using the Free Community Edition of Privilege manager

http://privilegeforum.scriptlogic.com/
 
Nick67 (Author) commented:
Sigh.
As I said, with group policy alone, you can't. It isn't just the location that is the issue.
The location is the issue.  If I log on as Enterprise Admin, I cannot run the Java updater because the Group Policy software restrictions rules are set to disallow executables from running in %LocalAppData%\*
My whitelisting of %LocalAppData%\Temp\jre*.exe is not being successfully applied.

Is there some manner of restructuring that policy so that those who have admin-level logins can successfully execute these two wildcard paths?
%LocalAppData%\Temp\jre*.exe      Unrestricted
%LocalAppData%\Temp\SA201*.exe    Unrestricted
 
Donald Stewart (Network Administrator) commented:
Look at page 7 of this guide

http://www.thirdtier.net/downloads/CryptolockerWaystoaddExemptions.pdf

Path: %localAppData%\Temp\jre-7u49-windows-i586-iftw.exe

Security Level: Unrestricted

Description: Java auto-update exception.

To add additional exceptions as the Java updater changes revisit this and add values as follows:
%localAppData%\Temp\jre-7u50-windows-i586-iftw.exe
%localAppData%\Temp\jre-7u51-windows-i586-iftw.exe
%localAppData%\Temp\jre-7u52-windows-i586-iftw.exe
...and so on.
 
Nick67 (Author) commented:
I'll have a go at not using a wildcard and see if that is the problem.
PITA though.
Why should a wildcard in a restriction work?
%LocalAppData%\*\*.exe   Disallowed

But a wildcard in a permission fail?
%LocalAppData%\Temp\jre*.exe            Unrestricted
 
Donald Stewart (Network Administrator) commented:
Exemptions just don't work in software restriction policies, I'm afraid to say.
 
Nick67 (Author) commented:
Exemptions just don't work in software restriction policies I'm afraid to say.
That contradicts your earlier post though...
 
Donald Stewart (Network Administrator) commented:
Sorry, I should have said wildcard exemptions.
 
Donald Stewart (Network Administrator) commented:
Additional experts ??

There was no feedback on whether ID:40552039 works or not ???

Again, you *can't* use wildcards in the exemptions.
 
Nick67 (Author) commented:
Additional experts ??
No disrespect was intended @dstewartjr.
Have a look at my profile.
I am normally on the other side of this rodeo--about 75 questions answered to one asked.

Yesterday morning I got the notice that I had 'abandoned' my Q.
I put in the RA, and posted #40551913
All subsequent posts (including yours) came in the interval between the RA start and RA granted.

We've got a 'sasquatch' here.
It's impossible to prove a negative -- but just one guy saying there's no such thing as a sasquatch isn't really enough proof to put the controversy to rest.

Again, you *can't* use wildcards in the exemptions.
Well, now that I think about it, let's test that contention.
I will, and if you would be so kind as to follow suit:
Copy notepad.exe into %localAppData%\Temp\ and into %localAppData%\Temp\Test
and then whitelist %localAppData%\Temp\Test\Notepad.exe and %localAppData%\Temp\Note*.*
If, after Group Policy updates, %localAppData%\Temp\Test\Notepad.exe will run and %localAppData%\Temp\notepad.exe won't, your contention that the whitelist wildcard is the problem will have been conclusively proven.

If not...well, we'll blow that up when we get that far.
 
Nick67 (Author) commented:
Hmm.
I get an Event ID 866 'murdered by policy' for notepad in %LocalAppData%\Temp\.
So the wildcard is clearly not honored.
I copied calc as well as notepad into %localAppData%\Temp\Test\
No prompts, no messages, no Events in Event Viewer -- but they don't run either.

What are your results?
When I whitelist notepad fully, as in
%LocalAppData%\Temp\Notepad.exe
It no longer prompts or flags anything in Event Viewer, but it doesn't run either.
 
btan (Exec Consultant) commented:
In fact, as in the AppLocker FAQ, deny takes precedence. Specifically, if there is an explicit deny action, it will supersede all other rules, including allow or exception rules. As in the FAQ, it states as an example:
- a rule created to allow the Everyone group to run any application in the Windows folder except regedit.exe.
- a rule created to allow the Helpdesk group to run regedit.exe.
- In this example, since there was an explicit deny action on regedit.exe, then no other rule permitting the Helpdesk group access to regedit.exe would supersede that rule.

Thought the below may be of interest:
Why can I not create hash- or path-based rules for Packaged apps?
All Packaged apps and Packaged app installers are signed by the publisher of the package. In contrast, classic apps are not always signed; and therefore, AppLocker supports hash- or path-based rules.
Can you block all applications except from a certain software publisher?

Yes. You can do this by creating a publisher condition rule that allows all files to run that are signed by the specific software publisher. In some cases for binaries that are created dynamically, you could create a path rule condition.

How can I temporarily allow a user to run or install applications?

There are a variety of methods, and the best one will depend on your administrative practices. The following are some possible methods:
You can set the enforcement mode on the relevant rule collection to Audit only so AppLocker will not block any application for the present time. Then, you can change the enforcement mode to Enforce rules when you are ready.

You can create an organizational unit (OU) that has a separate set of rules but does not block the users from running a particular application. Move the user to this OU temporarily while they install the update or application. Then, move them back to the OU where the original rule enforcement occurs.
Can AppLocker detect rule conflicts?

No. However, you can use the Windows PowerShell cmdlets Get-AppLockerPolicy and Test-AppLockerPolicy to check whether specific files are allowed based on an AppLocker policy. A second option is to create a duplicate policy (for example, by using a reference computer), which then allows you to test the policy before deployment and verify that it provides the intended results.
Caution
You should not edit an AppLocker rule collection while it is being enforced in Group Policy. Because AppLocker controls what files are allowed to run, making changes to a live policy can create unexpected behavior.
 
Nick67 (Author) commented:
I am not using AppLocker, I am using Software Restriction Group Policies, which is a different monster.
But
https://technet.microsoft.com/en-us/library/cc780831(v=ws.10).aspx
If two identical rules with differing security levels are applied to software, the more conservative rule takes precedence. For example, if two hash rules--one with a security level of Disallowed and one with a security level of Unrestricted--are applied to the same software program, the rule with a security level of Disallowed takes precedence, and the program will not run.

Although it's buggy as hell.
It should run if whitelisted explicitly, while the folder is disallowed.
It doesn't, and it doesn't give notification or events -- it just doesn't run -- and that's a bug
PITA.

But I am not paying MS to submit a bug report.
Sigh.

Thanks all.
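The precedence text quoted above is easier to reason about once the rules are expanded and matched against a concrete file; the following is an added PowerShell check, not code from the thread, from Microsoft or from either vendor, that lists every rule in the question's rule set claiming a given executable, Disallowed first. It assumes SRP's * and ? wildcards stay within one path component, and uses the jre-7u49 updater file name quoted earlier in the thread.

```powershell
# Added example (not code from the thread, Microsoft, Oracle or Sage): expand each SRP
# path rule the way the policy engine would and list every rule that claims a given
# executable, Disallowed first, so a whitelist entry and the wildcard it collides with
# are visible together. $Rules is the rule set posted in the question, constructed inline.
# Assumption: SRP's * and ? wildcards match within a single path component only.
$Rules = @(
    @{ Path = '%AppData%\*.exe';               Level = 'Disallowed' }
    @{ Path = '%AppData%\*\*.exe';             Level = 'Disallowed' }
    @{ Path = '%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%';   Level = 'Unrestricted' }
    @{ Path = '%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir%'; Level = 'Unrestricted' }
    @{ Path = '%LocalAppData%\*.exe';          Level = 'Disallowed' }
    @{ Path = '%LocalAppData%\*\*.exe';        Level = 'Disallowed' }
    @{ Path = '%LocalAppData%\Temp\jre*.exe';  Level = 'Unrestricted' }
    @{ Path = '%LocalAppData%\Temp\SA201*.exe'; Level = 'Unrestricted' }
)

function Expand-SrpPath([string]$Path) {
    # Registry-path rules look like %HKEY_...\Key\ValueName%; the value's data is the
    # folder the rule covers. Anything else is an ordinary environment-variable path.
    if ($Path -match '^%(HKEY_LOCAL_MACHINE|HKEY_CURRENT_USER)\\(.+)\\([^\\%]+)%(.*)$') {
        $hive = if ($Matches[1] -eq 'HKEY_LOCAL_MACHINE') { 'HKLM:' } else { 'HKCU:' }
        $key  = Get-ItemProperty -Path "$hive\$($Matches[2])" -ErrorAction SilentlyContinue
        if ($key) { return [string]$key.($Matches[3]) + $Matches[4] }
        return $Path                 # leave unexpanded when the registry key is absent
    }
    return [Environment]::ExpandEnvironmentVariables($Path)
}

function Test-SrpRuleMatch([string]$Rule, [string]$Target) {
    $expanded = Expand-SrpPath $Rule
    if ($expanded -notmatch '[*?]') {
        # No wildcard: an exact file rule, or a folder rule covering everything beneath it.
        if ($Target -eq $expanded) { return $true }
        return $Target.StartsWith($expanded.TrimEnd('\') + '\', [StringComparison]::OrdinalIgnoreCase)
    }
    # Wildcard rule: escape the path, then turn * and ? into single-component matches.
    $re = '^' + ([regex]::Escape($expanded) -replace '\\\*', '[^\\]*' -replace '\\\?', '[^\\]') + '$'
    return $Target -match $re
}

function Get-SrpMatches([string]$Target, [array]$RuleSet = $Rules) {
    $RuleSet | Where-Object { Test-SrpRuleMatch $_.Path $Target } |
        ForEach-Object { [pscustomobject]@{ Level = $_.Level; Rule = $_.Path } } |
        Sort-Object Level            # 'Disallowed' sorts ahead of 'Unrestricted'
}

# The updater file name is the one quoted in the thread. Expected: the Disallowed rule
# %LocalAppData%\*\*.exe and the Unrestricted rule %LocalAppData%\Temp\jre*.exe both match.
Get-SrpMatches "$env:LOCALAPPDATA\Temp\jre-7u49-windows-i586-iftw.exe" | Format-Table -AutoSize
```

Seeing both levels listed for one file is the conflict the quoted documentation describes; the per-level `Paths` keys that Group Policy writes can be fed to `Get-SrpMatches` as `-RuleSet` instead of the inline list to test the live policy.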
 
btan (Exec Consultant) commented:
For info: SRP is the predecessor of AppLocker. Not surprised it is buggy.
Can Software Restriction Policies’ rules be migrated to AppLocker rules?

No, not directly. AppLocker rules are not based on the same technology as Software Restriction Policies’ rules. You should carefully analyze your existing Software Restriction Policies’ rules and determine how they would conceptually map to new AppLocker rules.
I was also thinking there might be a rule conflict, but I believe you have already covered that:
Can AppLocker detect rule conflicts?

No. However, you can use the Windows PowerShell cmdlets Get-AppLockerPolicy and Test-AppLockerPolicy to check whether specific files are allowed based on an AppLocker policy. A second option is to create a duplicate policy (for example, by using a reference computer), which then allows you to test the policy before deployment and verify that it provides the intended results.
 
Nick67 (Author) commented:
There was no answer.
The documentation suggests that a fully qualified path Unrestricted should run in a Disallowed folder.
It does not.
Nor does it give the promptings and Event Viewer entries that should follow suppression.
This is clearly a bug, and contrary to expectations given on other sites that fully qualified paths should function, they do not.
PITA.

Thanks to all who posted.
Nick67
