.. Reminder for header structure:
   Parts (H1) : #################### with overline
   Chapters (H2) : ******************** with overline
   Sections (H3) : ====================
   Subsections (H4) : --------------------
   Subsubsections (H5) : ^^^^^^^^^^^^^^^^^^^^
   Paragraphs (H6) : """""""""""""""""""""

.. |date| date::

.. meta::
   :description: Protecting Domain Windows PCs and Servers with SRP
   :keywords: Security, Samba-AD, documentation, SRP, Software Restriction Policies, GPO

.. _samba_SRP:

##################################################
Protecting Domain Windows PCs and Servers with SRP
##################################################

*********************************************************
Why use SRPs with the GPOs allowed with Active Directory?
*********************************************************

Tranquil IT uses :abbr:`SRP (Software Restriction Policies)` at all its managed services clients to prevent the execution of any unknown software or executables.

Setting up this type of method requires a little time and listening, as the existing stock of unknown software and executables has to be cleaned up.

Once SRP is well mastered, ransomware and other viruses can no longer be launched by users, and you have a reliable view of what is deployed on the machines in your park.

Legitimate enterprise software can then be deployed with the `WAPT software deployment tool `_.

At Tranquil IT, we found that 2 SRP :abbr:`GPOs (Group Policy Objects)` provided a good ratio between complexity and efficacy:

* *SRP_light*: **Blacklist mode** to block unapproved applications, paths and extensions.
* *SRP_hard*: **White List mode** to allow only approved applications, paths and extensions.

The strategy will be to first place your users in a *SRP_light* :abbr:`OU (Organizational Unit)`, then gradually switch them to a *SRP_hard* OU.

*****************
Implementing SRPs
*****************

* Create the 2 OUs *SRP_light* and *SRP_hard*.

SRP_light
=========

* Create the OU *SRP_light*:
.. figure:: ../images/samba_new_UO.png
   :align: center
   :scale: 100%
   :alt: Creating a new Organizational Unit

   Creating a new Organizational Unit

* Name your Organizational Unit *SRP_LIGHT*:

.. figure:: ../images/samba_new_UO_name.png
   :alt: Naming the Organizational Unit
   :align: center
   :scale: 100%

   Naming the Organizational Unit

* Enable the User Restriction Policy GPO:

.. figure:: ../images/samba_newGPO.png
   :align: center
   :scale: 100%
   :alt: Creating the new GPO

   Creating the new GPO

* Go to :menuselection:`RSAT GPO management module -> User Configuration -> Policies -> Windows Settings -> Security Settings -> Software Restriction Policies`.
* Then, :menuselection:`Right click -> New Software Restriction Policy`:

.. figure:: ../images/samba_newSRP_light.png
   :align: center
   :scale: 100%
   :alt: Creating the new SRP rule

   Creating the new SRP rule

* In :menuselection:`-> Security Level`, leave the security level on :guilabel:`Unrestricted`:

.. figure:: ../images/samba_gpo_unrestricted.png
   :align: center
   :scale: 100%
   :alt: Creating the new GPO

   Creating the new GPO

* In :menuselection:`-> Additional Rules`, add the following as **restricted**:

  * :mimetype:`.js`
  * :file:`%USERPROFILE%\\Download\\*`

Example with *.js*: create a new path rule in :menuselection:`-> Additional Rules`:

.. figure:: ../images/samba_gpo_newpath_rule.png
   :align: center
   :scale: 100%
   :alt: New path rule of the SRP GPO

   New path rule of the SRP GPO

The path accepts the ``*`` wildcard, which is useful for the :mimetype:`.js` extension rule.

.. figure:: ../images/samba_gpo_path_rule_options_js.png
   :align: center
   :scale: 100%
   :alt: Option for the new .js path rule on the SRP GPO

   Option for the new .js path rule on the SRP GPO

It is also possible to use environment variables such as ``%USERPROFILE%`` to apply a rule to all users.
.. figure:: ../images/samba_gpo_path_rule_options_user.png
   :align: center
   :scale: 100%
   :alt: Option for the new rule applicable to user profiles on the SRP GPO

   Option for the new rule applicable to user profiles on the SRP GPO

SRP_hard
========

* Go to :menuselection:`RSAT GPO management module -> User Configuration -> Policies -> Windows Settings -> Security Settings -> Software Restriction Policies`.
* Then, :menuselection:`Right click -> New Software Restriction Policy`:

.. figure:: ../images/samba_newSRP_hard.png
   :align: center
   :scale: 100%
   :alt: Creating the new SRP rule

   Creating the new SRP rule

* In :menuselection:`-> Security Level`, set the security level to :guilabel:`Disallowed`:

.. figure:: ../images/samba_gpo_disallowed.png
   :align: center
   :scale: 100%
   :alt: Creating the new SRP rule

   Creating the new SRP rule

Software Restriction Strategies and File Types
==============================================

* Add :mimetype:`.js` to the list:

.. figure:: ../images/samba_add_js_SRP_hard.png
   :align: center
   :scale: 100%
   :alt: Adding .js files to the forbidden list in SRP Hard mode

   Adding .js files to the forbidden list in SRP Hard mode

* Add :mimetype:`.ps1` to the list the same way you added :mimetype:`.js`.
* Remove :mimetype:`.lnk` from the list (otherwise it causes problems on Windows XP):

.. figure:: ../images/samba_remove_lnk_SRP_hard.png
   :align: center
   :scale: 100%
   :alt: Removing the .lnk extension for WinXP hosts

   Removing the .lnk extension for WinXP hosts

Software Restriction Strategies and Additional Rules
====================================================

* For current and known directories, add these rules as **unrestricted** (add any directory where authorized executables can be found):

.. code-block:: bash

   %allusersprofile%
   %LOGONSERVER%
   %public%
   %tmp%\getpath.cmd
   \\ipsrvad
   \\srvads.domaine.local
   \\srvads
   \\applicationmetier
.. code-block:: bash

   %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramW6432Dir%
   %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir (x86)%

* For folders to be added to the **forbidden** list:

.. code-block:: bash

   C:\Windows\Temp\*

* For registry keys to be potentially restricted (**do not apply for the moment**):

.. code-block:: bash

   %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%\Debug
   %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%\PCHEALTH\ERRORREP
   %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%\Registration
   %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%\System32\catroot2
   %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%\System32\com\dmp
   %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%\System32\FxsTmp
   %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%\System32\spool\drivers\color
   %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%\System32\spool\PRINTERS
   %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%\System32\spool\SERVERS
   %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%\System32\Tasks
   %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%\SysWOW64\com\dmp
   %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%\SysWOW64\FxsTmp
   %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%\SysWOW64\Tasks
   %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%\Tasks
   %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%\tracing

Business software
=================

* Add to the **unrestricted** list the paths to the business software used in your Organization. The list below is provided as an **EXAMPLE**:
.. code-block:: bash

   C:\AFICEGI
   C:\AFISRV
   C:\AFIWEB2
   C:\Arpege
   C:\Carteplus
   C:\Cilw

* Add to the **unrestricted** list the paths to the software you absolutely must use but which is extracted into :file:`Local Settings` under Windows XP, for example the :program:`LogMeIn` applet:

.. code-block:: bash

   %userprofile%\Local Settings\Application Data\LogMeIn Rescue Applet\

.. note::

   Whenever possible, it is preferable to use installers that extract the binaries into the intended system directories, such as :file:`C:\\Program Files(x86)\\` or :file:`C:\\Program Files\\`.

Using hashing rules
===================

It is possible to add file hashes for executables, for example executables on a USB key:

* Copy / paste the binary onto a share.
* Bring the binary back onto the management machine.
* Create a new hash rule:

.. figure:: ../images/samba_srp_hash.png
   :align: center
   :scale: 100%
   :alt: New hash rule

   New hash rule

* Select the binary file:

.. figure:: ../images/samba_srp_browse.png
   :align: center
   :scale: 100%
   :alt: Fetching the binary file

   Fetching the binary file

* The executable's information will be filled in automatically:

.. figure:: ../images/samba_srp_hash_ok.png
   :align: center
   :scale: 100%
   :alt: Hash added to the SRP rule

   Hash added to the SRP rule

* The new hash rule with the executable will appear in the list:

.. figure:: ../images/samba_srp_hash_in_list.png
   :align: center
   :scale: 100%
   :alt: List of Hard SRP rules

   List of Hard SRP rules

* Repeat until the executable starts properly (for example **TISHelp** or **Berger Levrault Payroll**).

Using certificate rules
=======================

A GPO setting is required to force certificate checking before running software (expect a performance drop). This requires a preliminary testing phase on a staging Organizational Unit.

Go to :menuselection:`Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options` and activate :menuselection:`System settings -> Use Certificate Rules on Windows Executables`:
.. figure:: ../images/samba_enable_win_cert.png
   :align: center
   :scale: 100%
   :alt: Enabling checks of certificates

   Enabling checks of certificates

Debugging procedure during lockups
==================================

* Place all users in the *SRP_light* OU.
* Place yourself with your restricted account in the SRP OU and launch all possible applications from all possible servers.
* On Terminal Server environments, search for :mimetype:`.exe` in :file:`C:\\Users`.
* On the file server, search for :mimetype:`.exe` in network shares.
* In the :program:`eventvwr` event viewer of each server or workstation, analyze the potentially blocked programs and, if needed, add the path in the additional rules.
* Then move some volunteer users into the *SRP_hard* OU and let time do its work.
* Depending on the problems and the resolution methods you apply, move users step by step into *SRP_hard*.

Iterating changes quickly
=========================

In case of blocked programs, there is no need to reboot the workstation; just run :command:`gpupdate /force` in the user context. This reapplies the new GPO settings without restarting the session.
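The event viewer step of the debugging procedure above, as an added PowerShell example that is not part of this documentation: it collects the SRP block events (IDs 865 to 868, Application log) from one or more hosts and groups them by directory so that the missing additional rules stand out. The host names ``SRV-TS01`` and ``SRV-FILES`` are constructed placeholders.

```powershell
# Added example (not part of the Tranquil IT documentation): the event viewer
# step of the debugging procedure. SRP writes one Application-log event per
# blocked execution; grouping them by directory shows which additional rules
# are still missing. Host names used at the bottom are constructed placeholders.
function Get-SrpBlockedExecutions {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [int]$Days = 7
    )
    # Event IDs: 865 default level, 866 path rule, 867 certificate rule, 868 hash/zone rule.
    $filter = @{
        LogName      = 'Application'
        ProviderName = 'Microsoft-Windows-SoftwareRestrictionPolicies'
        Id           = 865, 866, 867, 868
        StartTime    = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Message starts with "Access to <path> has been restricted by your Administrator ..."
            if ($_.Message -match '^Access to (?<path>.+?) has been restricted') {
                [pscustomobject]@{
                    Time      = $_.TimeCreated
                    Computer  = $_.MachineName
                    EventId   = $_.Id
                    Path      = $Matches['path']
                    Directory = Split-Path -Path $Matches['path'] -Parent
                }
            }
        }
}

# Per-directory summary across several hosts. Directories at the top of the list
# are candidates for an unrestricted path rule, once you have checked what they contain.
function Get-SrpBlockSummary {
    param([string[]]$ComputerName = @($env:COMPUTERNAME), [int]$Days = 7)
    $ComputerName |
        ForEach-Object { Get-SrpBlockedExecutions -ComputerName $_ -Days $Days } |
        Group-Object -Property Directory |
        Sort-Object -Property Count -Descending |
        Select-Object Count,
            @{ Name = 'Directory'; Expression = { $_.Name } },
            @{ Name = 'Binaries';  Expression = {
                ($_.Group.Path | ForEach-Object { Split-Path -Path $_ -Leaf } | Sort-Object -Unique) -join ', ' } }
}

# Constructed host names: a Terminal Server and the file server from the procedure above.
Get-SrpBlockSummary -ComputerName 'SRV-TS01', 'SRV-FILES' -Days 14 | Format-Table -Wrap -AutoSize
```

Run it from the management machine after a round of tests in the *SRP_light* OU, add only the directories you have verified to the unrestricted additional rules, then apply them with :command:`gpupdate /force`.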