Software Restriction in Windows 7
These are some quick notes from a session on AppLocker by Paul A. Cooke, TechEd EMEA 2008:
You may have seen the few articles I've written on Software Restriction Policies (SRP) under Windows XP and Windows Vista for www.windowsecurity.com (see below). I'm very happy to tell you that Microsoft has now improved this functionality and renamed it: AppLocker!
Unfortunately I can't bring you any screenshots (due to NDA), but I can tell you a few things about the basic functionality. With AppLocker you can more easily eliminate unwanted and unknown applications in your Windows (7) environment. You can enforce application standardization, both from a security (malware) perspective and from a management perspective (licensing & user control).
What most organizations try to do these days is to restrict users to standard users (non-administrators) on their local machines. However, this is not really as secure as it feels. Running as a standard user is NOT the solution to all our problems. Many applications can do bad stuff even within the user context: stealing data, deleting data, manipulating data, encrypting data, creating botnets, spamming, social engineering, etc. etc. This is true for applications that install in the user context (like Google Chrome), or for stand-alone executables that don't actually install; they just run!
If you want to control applications like that, what can run and what can't, then you need another method. AppLocker comes to the rescue!
AppLocker is built around digital signatures: signed software executables and DLLs. This was also an option in SRP under Windows XP, where we had path, filename, hash & certificate rules, but back then management and enforcement were quite hard. With Windows 7, a new GUI has been added to the Group Policy Editor to support easy creation of software rules. We have 3 types of rules:
- Allow rules: same as whitelisting ("known good" software)
- Deny rules: same as blacklisting ("known bad" software)
- Exceptions: exclusions from allow or deny rules
Of course, allow rules are the recommended approach: the "default deny all applications" rule (whitelisting), but with the specific applications the network administrator wants to allow users to run. As an administrator you get granular control of specific applications, enforcing who can run and/or install them (if they have the proper rights and permissions).
Management is done through Group Policy under Computer Configuration > Application Control Policies, but strangely enough you have to put in affected users and groups (still unclear whether or not the SYSTEM account is still excluded from SRP checks). So this is actually a Computer policy that is able to hit users, like loopback or Group Policy Preferences.
You can create multiple rule sets and take advantage of specific attributes, like app version (equal/above/below X.0.0.0), filename (executable name), product publisher (the valid root certificate used to sign), product suite (like "Microsoft Office 2007"), and wildcards still seem to be supported.
You can control executables, installers (MSI), scripts, and DLLs, using certificate (publisher), hash or path rules. The disadvantage of hash rules is that the hash will change whenever the application is updated; certificate/publisher rules are much more flexible because the signature will still be there (unless the developers totally mess up). So always try to go for publisher rules; certificates are here to stay :)
It can run in 3 modes: Enforce policy, Enforce policy using Group Policy inheritance, and Audit Only mode! The latter is pretty cool, as you can configure a Software Restriction Policy and test it out before you go "live".
AppLocker supports import and export of rules, which can be very useful, but one of the best new features is that there's no need to create all the rules manually: you have the option to "automatically generate rules". This feature will analyze a "reference machine" (not sure yet if this has to be the local machine) and the files in a given folder on that machine (not sure yet if this can be a share). You can compare this to a "snapshot" feature: take all files in this folder (and subfolders) and make an allow rule from that (certificate based, preferably).
The new rule creation tools and wizards seem pretty straightforward, but you really need to think about the SRP design before you go for it, and test intensively, or else you'll end up in serious trouble ;-)
I just can't wait to test this deeply and bring you more information!
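As an added example (not from the original post, and not Microsoft's own sample), here is the workflow from the three paragraphs above expressed with the AppLocker PowerShell cmdlets that ship with Windows 7: generate rules from a reference folder, prefer publisher rules and fall back to hash rules for unsigned files, switch every rule collection to Audit Only, and dry-run the policy against a binary before enforcing it. The folder C:\RefApps, the test binary C:\Tools\unknown.exe and the policy file path are assumed placeholders.

```powershell
# Added example, not the post's or Microsoft's code. Paths are placeholders.
Import-Module AppLocker

$ReferenceDir = 'C:\RefApps'            # placeholder: folder on the reference machine
$PolicyFile   = 'C:\AppLockerPolicy.xml' # placeholder: where the generated policy is saved

# Collect signature and hash information for the file types AppLocker controls:
# executables, DLLs, Windows Installer packages and scripts (recursing into subfolders).
$fileInfo = Get-AppLockerFileInformation -Directory $ReferenceDir -Recurse `
    -FileType Exe, Dll, WindowsInstaller, Script

# Build allow rules for Everyone. Publisher rules are tried first because they survive
# application updates; files without a valid signature get hash rules instead.
# -Optimize merges rules with the same publisher, -IgnoreMissingFileInformation skips
# files that yield neither a signature nor a hash instead of aborting.
$policy = $fileInfo | New-AppLockerPolicy -RuleType Publisher, Hash `
    -RuleNamePrefix RefMachine -User Everyone -Optimize -IgnoreMissingFileInformation

# Start in Audit Only mode: decisions are written to the AppLocker event log, nothing
# is blocked yet, so the rule set can be validated on real usage first.
foreach ($collection in $policy.RuleCollections) {
    $collection.EnforcementMode = 'AuditOnly'
}
$policy.ToXml() | Out-File -FilePath $PolicyFile -Encoding UTF8

# Dry-run: what decision would the policy make for a given binary and user?
# PolicyDecision shows Allowed/Denied and MatchingRule names the rule that fired.
Test-AppLockerPolicy -XmlPolicy $PolicyFile -Path 'C:\Tools\unknown.exe' -User Everyone |
    Select-Object FilePath, PolicyDecision, MatchingRule

# After a period in audit mode, review what would have been blocked:
# Get-AppLockerFileInformation -EventLog -EventType Audited

# Apply locally (merged with any existing rules) only once the audit results look right.
# Set-AppLockerPolicy -XmlPolicy $PolicyFile -Merge
```

Enforcement (and audit logging) only happens while the Application Identity service (AppIDSvc) is running on the client, so that service needs to be started and set to automatic on the machines the policy targets.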
Previous article series on SRP:
Default Deny All Applications (Part 1)
Default Deny All Applications (Part 2)
Microsoft AppLocker description:
http://www.microsoft.com
Written by Jakob H. Heidelberg.