Simple software-restriction policy

Anteaus · December 15, 2009

Software restriction policies provide a useful protection against malware. They do this by preventing executables from being launched from places where malware would typically arrive on the computer, such as download folders within the user-profile, temporary-file folders and USB memory. An additional benefit is the ability to block the installation of unwanted software from auto-running product CDs etc.

Whilst you can achieve the same result with Group Policy, doing so is by no means easy as the default settings don't suit this purpose. This script provides an automated config which should suit most standard Windows setups.

A system-tray icon provides controls to install/uninstall the policy, and to turn the policy off whilst installing legitimate software. The script need not be run continuously, the policy will remain-in-force even when it is closed.

Note: This script and the Group Policy software restrictions should not be used simultaneously. (You can use other policies, just not software restrictions)

#cs
 Simple Safer Software Policy
 Released under the GNU Public Licence v3
 Copyleft IWR Consultancy, December 2009. 

 Purpose: Restricts the launch of executables to permitted disk-areas only. 
 Advantages are a degree of protection against:
  - Malware on USB memory. 
  - Malware being launched from 'temp' or 'download' folders. (which is typical of malicious-website action)
  - Unauthorised installation of software. 
  - Software-development mistakes, such as accidental launch of untested software on a mission-critical PC. 

Disclaimer: No responsibiility accepted for any consequence of use. 

Compile as SoftwarePolicy.exe
#ce

#RequireAdmin 

global $inifile=@ScriptDir & "\SoftwarePolicy.ini"
global $addMappings=iniRead($inifile,"General","addMappings",1)
global $addDesktop=iniRead($inifile,"General","addDesktop",0)
global $addRootDirs=iniRead($inifile,"General","addRootDirs",1)
global $adminBypass=iniRead($inifile,"General","AdminBypass",0)
global $alwaysAllowSystemFolders=iniRead($inifile,"Safety","AlwaysAllowSystemFolders",1)

TrayMenu()

while 1
 sleep(10000)
 ; Maybe add auto drive-mapping refresh routine here.. 
 ; Also need indicator (flashing icon?) for insecure condition. 
wend

; End main program ---------------

func TrayMenu()
 Opt("TrayMenuMode",1) 
 TrayCreateItem("Safer Software Policy")
 TrayItemSetOnEvent(-1,"TrayClick")
 TrayCreateItem("")
 TrayCreateItem("Lock")
 TrayItemSetOnEvent(-1,"TrayClick")
 TrayCreateItem("Unlock")
 TrayItemSetOnEvent(-1,"TrayClick")
 TrayCreateItem("")
 TrayCreateItem("Settings")
 TrayItemSetOnEvent(-1,"TrayClick")
 TrayCreateItem("")
 TrayCreateItem("Install")
 TrayItemSetOnEvent(-1,"TrayClick")
 TrayCreateItem("Uninstall")
 TrayItemSetOnEvent(-1,"TrayClick")
 TrayCreateItem("")
 TrayCreateItem("Exit")
 TrayItemSetOnEvent(-1,"TrayClick")
 Opt("TrayIconHide",0)
 opt("TrayOnEventMode",1)
 ; TraySetClick(8)
 TraySetState()
endfunc

func TrayClick()
$t_id=@tray_id
$t_msg=TrayItemGetText(@tray_id)
  Select
   Case $t_msg = "Safer Software Policy"
     msgbox(64,"Safer Software Policy by IWR Consultancy","A utility which provides control over where, on disk, programs may be run from.",60)
   Case $t_msg = "Unlock"
    RegWrite("HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers","DefaultLevel","REG_DWORD",262144)
   Case $t_msg = "Settings"
    Run("notepad " & $iniFile)
   Case $t_msg = "Lock"
    RegWrite("HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers","DefaultLevel","REG_DWORD",0)
   Case $t_msg = "Uninstall"
    uninstall()
   Case $t_msg = "Install"
    install()
   Case $t_msg = "Exit"
      exit
   Case else
  EndSelect
return
endfunc

func install()

 $paranoidExts="AUT,AU3,A3X,ADE,ADP,BAS,BAT,CHM,CMD,COM,CPL,CRT,EXE,HLP,HTA,INF,INS,ISP,MDB,MDE,MSC,MSI,MSP,MST,OCX,PCD,PIF,REG,SCR,SHS,URL,VB,WSC"
 $sensibleExts="A3X,BAT,CHM,CMD,COM,CPL,CRT,EXE,HLP,HTA,INF,INS,ISP,MSC,MSI,MSP,MST,OCX,PIF,REG,SCR,SHS,VB,WSC"
 $exts=stringreplace($sensibleExts,",",@LF)
 $temp=RegRead("HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers","PolicyScope")
 if @error then 
  $newUser=1
 else
  $newUser=0
 endif 
 
 ; Set global parameters: 
 $settingsKey="HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers"
 RegWrite($settingsKey,"ExecutableTypes","REG_MULTI_SZ",$exts)
 RegWrite($settingsKey,"DefaultLevel","REG_DWORD",262144)
 RegWrite($settingsKey,"PolicyScope","REG_DWORD",$adminBypass)
 RegWrite($settingsKey,"TransparentEnabled","REG_DWORD",1)
 RegWrite($settingsKey,"AuthenticodeEnabled","REG_DWORD",0)

 if $alwaysAllowSystemFolders then 
   ;Add default permissions to allow OS to function properly:
   WritePath(@ProgramFilesDir)
   if FileExists(@ProgramFilesDir & " (x86)") > 0 then WritePath(@ProgramFilesDir & " (x86)")
   WritePath(@WindowsDir)
   WritePath(@SystemDir)
   WritePath(@WindowsDir & "\*.exe")
   WritePath(@SystemDir & "\*.exe")
   WritePath(@ScriptFullPath)
 endif
 
 ; Add network drive mappings:
 if $addMappings>0 then 
  $dList = DriveGetDrive( "all" )
  If NOT @error Then
     For $ct = 1 to $dList[0]
        if drivegettype($dList[$ct])="network" then 
          $unc=drivemapget($dList[$ct])
          if stringleft($unc,2)="\\" then
            $slpos=stringinstr($unc,"\",0,3)
              $server=stringleft($unc,$slpos)
              WritePath($server)
          endif
        endif
      Next
   EndIf
 endif
 
 $systemDrive=stringleft(@SystemDir,2)
 ; add folders in root of system drive: 
 if $addRootDirs>0 then 
  $rootsrch = FileFindFirstFile($systemDrive & "\*.*")  
    While $rootsrch <> -1
    $thisFolder = FileFindNextFile($rootsrch) 
    if @error Then ExitLoop
    if stringinstr(FileGetAttrib($systemDrive & "\" & $thisFolder),"D")=0 then continueloop
    if stringinstr(FileGetAttrib($systemDrive & "\" & $thisFolder),"S")>0 then continueloop
    if stringinstr($thisFolder, "Users")=1 then continueloop
    if stringinstr($thisFolder, "Documents and Settings")=1 then continueloop
    if stringinstr($thisFolder, "Program Files")=1 then continueloop
    if stringinstr($thisFolder, "Programs")=1 then continueloop
    if stringinstr($thisFolder, "Windows")=1 then continueloop
    if stringinstr($thisFolder, "WINNT")=1 then continueloop
    if stringinstr($thisFolder, "i386")=1 then continueloop
    if stringinstr($thisFolder, "drivers")=1 then continueloop
    $thisPath=$systemDrive & "\" & $thisFolder
    WritePath($thisPath)
    wend
 endif
 
 if $addDesktop>0 then WritePath(@DesktopDir)
 
  $custom = IniReadSection($inifile, "Custom")
  If not @error Then
    For $ct = 1 To $custom[0][0]
      If ($custom[$ct][1]) OR ($custom[$ct][1]="allow") then 
        WritePath($custom[$ct][0])
      endif
    Next
  EndIf

 if $newUser>0 then msgbox(64,"Safer Software Policy","If this is the first time a software-restriction policy has been implemented on this computer, you may need to reboot and then activate 'Lock' from the tray-icon of this utility for the policy to take effect.",30)

endfunc

func uninstall()
 RegWrite("HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers","DefaultLevel","REG_DWORD",262144)
 sleep(500)
 RegDelete("HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer")
endfunc

func WritePath($thisPath,$nlevel="262144")
 if stringinstr($thisPath,"%")then 
  $dType="REG_EXPAND_SZ"
 else
  $dType="REG_SZ"
 endif 
 $thisGUID=GUID($thisPath)
 RegWrite("HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\" & $nLevel & "\Paths\" & $thisGUID,"ItemData",$dType,$thisPath)
endfunc

func DelPath($thisPath,$nlevel="262144")
 $thisGUID=GUID($thisPath)
 RegDelete("HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\"& $nLevel & "\Paths\" & $thisGUID)
endfunc


func GUID($enc_instr,$enc_key="75329bcd4be4")
; Note this intentionally differs from the GUIDs generated by Group Policy.
 $enc_keyct=0
 local $enc_ct
 $enc_outstr=""
 $enc_xoutstr=""
 for $enc_ct=1 to stringlen($enc_instr)
  $enc_keyct=$enc_keyct+1
  if $enc_keyct>stringlen($enc_key) then $enc_keyct=1
  $enc_keychar=stringmid($enc_key,$enc_keyct,1)
  $enc_inchar=stringmid($enc_instr,$enc_ct,1)
  $enc_outchar=hex(bitxor(asc($enc_inchar),asc($enc_keychar)),2)
  $enc_outstr=$enc_outstr & $enc_outchar
 next
 for $enc_ct=1 to stringlen($enc_outstr)
  $enc_hexchar=stringmid($enc_outstr,$enc_ct,1) 
  if $enc_hexchar <> "0" then
    $enc_xoutstr=$enc_xoutstr & hex(dec($enc_hexchar)-1,1)
  endif
 next
 $thisGUID="75329bcd4be4" & $enc_xoutstr
 $thisGUID=stringright($thisGUID,12)
 $thisGUID="{0016bbe0-a716-428b-822e-" & $thisGUID & "}"
return $thisGUID
endfunc

; Typical .ini file
; Please note that you need to re-run Install after modifying this file.
; (Future versions may automate this)
; =1 means allow software launch.

[General]
AddDesktop=0
AddRootDirs=1
AddMappings=1
AdminBypass=0

[Safety]
; Dire warnings should be implicit here.. <g>
AlwaysAllowSystemFolders=1

[Custom]
; (examples only)
; d:\=1
; e:\=1
; \\servername=1

Sign In

Simple software-restriction policy

Recommended Posts

Anteaus

Link to comment

Share on other sites

Create an account or sign in to comment

Create an account

Sign in

Recently Browsing 0 members

Browse

AutoIt Resources

Release

Beta