Anteaus Posted December 15, 2009

Software restriction policies (SRP) provide useful protection against malware. They do this by preventing executables from being launched from the places where malware typically arrives on a computer, such as download folders inside the user profile, temporary-file folders and USB memory. An additional benefit is the ability to block the installation of unwanted software from auto-running product CDs and the like. Whilst you can achieve the same result with Group Policy, doing so is by no means easy, as the default settings do not suit this purpose. This script provides an automated configuration that should suit most standard Windows setups. A system-tray icon provides controls to install/uninstall the policy and to turn the policy off temporarily while installing legitimate software. The script need not be run continuously: the policy remains in force even when the script is closed. Note: this script and the Group Policy software-restriction settings should not be used simultaneously (you can use other policies, just not software restrictions). Because this is a path-based policy it is only as strong as the file-system permissions on the allowed folders: any allowed location that a standard user can write to is a bypass, so keep the allowed set to administrator-controlled folders and check the permissions of anything you add.

#cs
Simple Safer Software Policy
Released under the GNU Public Licence v3
Copyleft IWR Consultancy, December 2009.

Purpose: Restricts the launch of executables to permitted disk-areas only.
Advantages are a degree of protection against:
 - Malware on USB memory.
 - Malware being launched from 'temp' or 'download' folders
   (which is typical of malicious-website action).
 - Unauthorised installation of software.
 - Software-development mistakes, such as accidental launch of untested
   software on a mission-critical PC.

Disclaimer: No responsibility accepted for any consequence of use.
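Compile as SoftwarePolicy.exe

Deployment notes:
 - Put the compiled exe and SoftwarePolicy.ini in a folder that only administrators
   can write to (e.g. under Program Files). The ini defines allow rules and the exe's
   own path is whitelisted, so anyone who can edit either file can grant themselves
   execution rights. Install warns when the script folder is obviously inside a
   user profile, but it cannot read ACLs, so check the folder yourself.
 - Path rules are only as strong as the permissions on the allowed folders. The
   Windows folder is allowed wholesale for the OS to work, but a few of its
   subfolders are writable by standard users on default installs; explicit
   Disallowed rules are written for the commonly documented ones (see
   DenyWritableSystemSubfolders). Audit your own image (e.g. with AccessChk) and
   add further exceptions under [Custom] with =0.
 - DLLs are not checked (TransparentEnabled=1) and script-host types such as
   VBS/JS/WSF are in neither extension list. This is a usability trade-off; add
   them to the list if your environment needs them blocked.
 - Rule key names are derived from a hash of the whole path (earlier builds used a
   truncated encoding that collided for paths differing only in their first
   characters). If upgrading, run Uninstall first so stale rules are removed.
#ce

#RequireAdmin

; Registry location of the machine-wide Software Restriction Policy settings.
Global Const $SAFER_KEY = "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers"
; Security levels understood by SRP: 0 = Disallowed, 262144 (0x40000) = Unrestricted.
Global Const $LEVEL_DISALLOWED = 0
Global Const $LEVEL_UNRESTRICTED = 262144

; Settings file lives next to the executable; see the example ini at the end of this file.
; Int() normalises the strings IniRead returns so a non-numeric typo reads as 0, not as "true".
Global $inifile = @ScriptDir & "\SoftwarePolicy.ini"
Global $addMappings = Int(IniRead($inifile, "General", "addMappings", 1))
Global $addDesktop = Int(IniRead($inifile, "General", "addDesktop", 0))
Global $addRootDirs = Int(IniRead($inifile, "General", "addRootDirs", 1))
Global $adminBypass = Int(IniRead($inifile, "General", "AdminBypass", 0))
Global $extensionSet = StringLower(IniRead($inifile, "General", "ExtensionSet", "sensible"))
Global $alwaysAllowSystemFolders = Int(IniRead($inifile, "Safety", "AlwaysAllowSystemFolders", 1))
Global $denyWritableSystemDirs = Int(IniRead($inifile, "Safety", "DenyWritableSystemSubfolders", 1))

; PolicyScope is a flag (0 = policy applies to everyone, 1 = local administrators are
; exempt). Clamp whatever was in the ini so a stray value cannot be written verbatim.
If $adminBypass <> 0 Then $adminBypass = 1

TrayMenu()
UpdateTrayState()
While 1
    Sleep(10000)
    ; Keep the tooltip honest if DefaultLevel was changed outside this menu.
    UpdateTrayState()
WEnd
; End main program ---------------

; Build the tray menu. Every item routes to TrayClick(), which dispatches on the item text.
Func TrayMenu()
    Opt("TrayMenuMode", 1)
    TrayCreateItem("Safer Software Policy")
    TrayItemSetOnEvent(-1, "TrayClick")
    TrayCreateItem("")
    TrayCreateItem("Lock")
    TrayItemSetOnEvent(-1, "TrayClick")
    TrayCreateItem("Unlock")
    TrayItemSetOnEvent(-1, "TrayClick")
    TrayCreateItem("")
    TrayCreateItem("Settings")
    TrayItemSetOnEvent(-1, "TrayClick")
    TrayCreateItem("")
    TrayCreateItem("Install")
    TrayItemSetOnEvent(-1, "TrayClick")
    TrayCreateItem("Uninstall")
    TrayItemSetOnEvent(-1, "TrayClick")
    TrayCreateItem("")
    TrayCreateItem("Exit")
    TrayItemSetOnEvent(-1, "TrayClick")
    Opt("TrayIconHide", 0)
    Opt("TrayOnEventMode", 1)
    TraySetState()
EndFunc

; Tray menu handler. "Lock"/"Unlock" only flip DefaultLevel; the rules written by Install stay.
Func TrayClick()
    Local $choice = TrayItemGetText(@TRAY_ID)
    Switch $choice
        Case "Safer Software Policy"
            MsgBox(64, "Safer Software Policy by IWR Consultancy", "A utility which provides control over where, on disk, programs may be run from.", 60)
        Case "Lock"
            SetDefaultLevel($LEVEL_DISALLOWED)
        Case "Unlock"
            SetDefaultLevel($LEVEL_UNRESTRICTED)
        Case "Settings"
            ; The ini path is quoted: @ScriptDir may contain spaces (e.g. Program Files).
            Run('notepad.exe "' & $inifile & '"')
        Case "Install"
            Install()
        Case "Uninstall"
            Uninstall()
        Case "Exit"
            Exit
    EndSwitch
    UpdateTrayState()
EndFunc

; Write the SRP default security level (what happens to anything no path rule covers).
Func SetDefaultLevel($level)
    RegWrite($SAFER_KEY, "DefaultLevel", "REG_DWORD", $level)
EndFunc

; Reflect the current protection state in the tray tooltip so an "Unlock" left on
; by mistake is visible. Anything other than Disallowed is reported as unlocked.
Func UpdateTrayState()
    Local $level = RegRead($SAFER_KEY, "DefaultLevel")
    If @error Then
        TraySetToolTip("Safer Software Policy: not installed")
    ElseIf $level = $LEVEL_DISALLOWED Then
        TraySetToolTip("Safer Software Policy: LOCKED")
    Else
        TraySetToolTip("Safer Software Policy: UNLOCKED - software may run from anywhere")
    EndIf
EndFunc

; Write the global SRP settings and every path rule selected by the ini. Re-run after
; editing the ini. Install leaves DefaultLevel Unrestricted; use "Lock" to turn enforcement on.
Func Install()
    ; Two candidate lists for ExecutableTypes. "sensible" drops Office/data types (MDB, MDE,
    ; ADE, ADP, BAS, PCD, URL) that break everyday use when their folders are not allowed.
    Local $paranoidExts = "AUT,AU3,A3X,ADE,ADP,BAS,BAT,CHM,CMD,COM,CPL,CRT,EXE,HLP,HTA,INF,INS,ISP,MDB,MDE,MSC,MSI,MSP,MST,OCX,PCD,PIF,REG,SCR,SHS,URL,VB,WSC"
    Local $sensibleExts = "A3X,BAT,CHM,CMD,COM,CPL,CRT,EXE,HLP,HTA,INF,INS,ISP,MSC,MSI,MSP,MST,OCX,PIF,REG,SCR,SHS,VB,WSC"
    Local $extList = $sensibleExts
    If $extensionSet = "paranoid" Then $extList = $paranoidExts
    ; RegWrite expects REG_MULTI_SZ entries separated by @LF.
    Local $exts = StringReplace($extList, ",", @LF)

    ; PolicyScope is absent until a policy has been written at least once.
    Local $firstInstall = 0
    RegRead($SAFER_KEY, "PolicyScope")
    If @error Then $firstInstall = 1

    If ScriptDirLooksUserWritable() Then
        MsgBox(48, "Safer Software Policy", "This utility appears to be running from a user-writable location (" & @ScriptDir & "). The ini file and the utility's own path are trusted by the policy, so move them to an administrator-only folder such as Program Files.", 30)
    EndIf

    RegWrite($SAFER_KEY, "ExecutableTypes", "REG_MULTI_SZ", $exts)
    RegWrite($SAFER_KEY, "DefaultLevel", "REG_DWORD", $LEVEL_UNRESTRICTED)
    RegWrite($SAFER_KEY, "PolicyScope", "REG_DWORD", $adminBypass)
    RegWrite($SAFER_KEY, "TransparentEnabled", "REG_DWORD", 1) ; 1 = check executables, not DLLs
    RegWrite($SAFER_KEY, "AuthenticodeEnabled", "REG_DWORD", 0)

    If $alwaysAllowSystemFolders > 0 Then AllowSystemFolders()
    If $addMappings > 0 Then AllowMappedServers()
    If $addRootDirs > 0 Then AllowRootFolders()
    If $addDesktop > 0 Then WritePath(@DesktopDir)
    ApplyCustomRules()

    If $firstInstall > 0 Then
        MsgBox(64, "Safer Software Policy", "If this is the first time a software-restriction policy has been implemented on this computer, you may need to reboot and then activate 'Lock' from the tray-icon of this utility for the policy to take effect.", 30)
    EndIf
EndFunc

; Allow the locations the OS itself needs, plus this utility.
Func AllowSystemFolders()
    ; @ProgramFilesDir follows the bitness of this process, so on x64 a 32-bit build sees
    ; "Program Files (x86)" and the 64-bit tree would be missed. Take both variants from the
    ; environment as well and skip blanks and duplicates.
    Local $candidates[4] = [@ProgramFilesDir, EnvGet("ProgramW6432"), EnvGet("ProgramFiles(x86)"), @ProgramFilesDir & " (x86)"]
    Local $seen = ""
    For $p In $candidates
        If $p = "" Or Not FileExists($p) Then ContinueLoop
        If StringInStr($seen, "|" & $p & "|") Then ContinueLoop
        $seen &= "|" & $p & "|"
        WritePath($p)
    Next

    WritePath(@WindowsDir)
    WritePath(@SystemDir)
    WritePath(@WindowsDir & "\*.exe")
    WritePath(@SystemDir & "\*.exe")
    ; The utility must stay runnable from wherever it was installed.
    WritePath(@ScriptFullPath)

    If $denyWritableSystemDirs > 0 Then DenyWritableSystemSubfolders()
EndFunc

; The Windows folder is allowed wholesale above, but a handful of its subfolders are
; writable by standard users on default installs, which would let a user drop and run a
; binary inside an allowed tree. SRP applies the most specific matching path rule, so a
; Disallowed rule on each subfolder overrides the broader allow. This list covers the
; commonly documented locations on XP/Vista/7; it is not exhaustive - audit your own image
; (e.g. AccessChk) and add more under [Custom] with =0. Installers that extract to
; Windows\Temp will be blocked while locked; use "Unlock" for those.
Func DenyWritableSystemSubfolders()
    Local $deny[8] = [ _
        @WindowsDir & "\Temp", _
        @WindowsDir & "\Tasks", _
        @WindowsDir & "\Tracing", _
        @WindowsDir & "\Debug\WIA", _
        @WindowsDir & "\Registration\CRMLog", _
        @SystemDir & "\Tasks", _
        @SystemDir & "\spool\PRINTERS", _
        @SystemDir & "\spool\drivers\color"]
    For $d In $deny
        WritePath($d, $LEVEL_DISALLOWED)
    Next
EndFunc

; Allow the server root (\\server\) of every mapped network drive.
; NOTE: this allows every share on that server, not just the mapped one, so that other
; shares on the same file server also work. If a server hosts user-writable shares,
; set AddMappings=0 and list the specific shares under [Custom] instead.
Func AllowMappedServers()
    Local $drives = DriveGetDrive("all")
    If @error Then Return
    Local $unc, $thirdSlash
    For $i = 1 To $drives[0]
        If DriveGetType($drives[$i]) <> "network" Then ContinueLoop
        $unc = DriveMapGet($drives[$i])
        If StringLeft($unc, 2) <> "\\" Then ContinueLoop
        ; The third backslash ends "\\server\"; without it the shape is unexpected,
        ; so skip rather than write an empty-path rule.
        $thirdSlash = StringInStr($unc, "\", 0, 3)
        If $thirdSlash = 0 Then ContinueLoop
        WritePath(StringLeft($unc, $thirdSlash))
    Next
EndFunc

; Allow every non-system folder in the root of the system drive, except the well-known
; profile/program/OS folders (those are either covered elsewhere or deliberately not allowed).
; CAUTION: on Vista and later a standard user can normally create folders in the root of the
; system drive and owns what he creates, so any such folder present when Install runs becomes
; an allowed location. Hidden-but-not-system folders (ProgramData, presumably) are also
; allowed by this rule. Prefer AddRootDirs=0 plus explicit [Custom] entries where practical.
Func AllowRootFolders()
    Local $systemDrive = StringLeft(@SystemDir, 2)
    Local $skipPrefixes[8] = ["Users", "Documents and Settings", "Program Files", "Programs", "Windows", "WINNT", "i386", "drivers"]
    Local $search = FileFindFirstFile($systemDrive & "\*.*")
    If $search = -1 Then Return
    Local $name, $attrib, $skip
    While 1
        $name = FileFindNextFile($search)
        If @error Then ExitLoop
        $attrib = FileGetAttrib($systemDrive & "\" & $name)
        If Not StringInStr($attrib, "D") Then ContinueLoop ; plain files
        If StringInStr($attrib, "S") Then ContinueLoop ; System-attribute folders
        $skip = False
        For $prefix In $skipPrefixes
            ; StringInStr is case-insensitive; position 1 = the name starts with the prefix.
            If StringInStr($name, $prefix) = 1 Then
                $skip = True
                ExitLoop
            EndIf
        Next
        If $skip Then ContinueLoop
        WritePath($systemDrive & "\" & $name)
    WEnd
    FileClose($search) ; the search handle was previously never released
EndFunc

; Apply [Custom] path=value entries from the ini.
;   1 / allow / true / yes  -> Unrestricted rule
;   0 / deny / disallow / false / no -> Disallowed rule (carves an exception out of an allowed tree)
; Any other value is ignored rather than guessed at.
Func ApplyCustomRules()
    Local $custom = IniReadSection($inifile, "Custom")
    If @error Then Return
    Local $path, $verdict
    For $i = 1 To $custom[0][0]
        $path = StringStripWS($custom[$i][0], 3)
        $verdict = StringLower(StringStripWS($custom[$i][1], 3))
        If $path = "" Then ContinueLoop
        Switch $verdict
            Case "1", "allow", "true", "yes"
                WritePath($path, $LEVEL_UNRESTRICTED)
            Case "0", "deny", "disallow", "false", "no"
                WritePath($path, $LEVEL_DISALLOWED)
        EndSwitch
    Next
EndFunc

; Heuristic check that the script folder is inside a user profile or temp area.
; It cannot read ACLs, so False here is not proof the folder is administrator-only.
Func ScriptDirLooksUserWritable()
    Local $dir = @ScriptDir & "\"
    Local $roots[4] = [@UserProfileDir, @TempDir, @HomeDrive & "\Users", @HomeDrive & "\Documents and Settings"]
    For $r In $roots
        If $r <> "" And StringInStr($dir, $r & "\") = 1 Then Return True
    Next
    Return False
EndFunc

; Remove the policy. Unlock first so nothing is blocked while the tree is being deleted,
; then delete the whole Safer key - every rule this utility writes lives under it.
Func Uninstall()
    SetDefaultLevel($LEVEL_UNRESTRICTED)
    Sleep(500)
    RegDelete("HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer")
EndFunc

; Write one path rule under <level>\Paths\<guid>\ItemData. Paths containing % are stored
; as REG_EXPAND_SZ so environment variables are expanded when the rule is evaluated.
; $nlevel: 262144 (Unrestricted, default) or 0 (Disallowed).
Func WritePath($thisPath, $nlevel = 262144)
    Local $dType = "REG_SZ"
    If StringInStr($thisPath, "%") Then $dType = "REG_EXPAND_SZ"
    RegWrite($SAFER_KEY & "\" & $nlevel & "\Paths\" & GUID($thisPath), "ItemData", $dType, $thisPath)
EndFunc

; Delete the rule WritePath would have written for this path/level.
Func DelPath($thisPath, $nlevel = 262144)
    RegDelete($SAFER_KEY & "\" & $nlevel & "\Paths\" & GUID($thisPath))
EndFunc

; Derive a stable pseudo-GUID from a path so re-running Install overwrites rather than
; duplicates a rule. Four independent 32-bit polynomial hashes over the whole string
; (seeded with $enc_key) fill the 8-4-4-4-12 groups. The previous scheme kept only the last
; 12 hex digits of an XOR encoding, so e.g. two paths differing only in the drive letter
; produced the same key and the second rule silently replaced the first.
; Note this intentionally differs from the GUIDs generated by Group Policy.
Func GUID($enc_instr, $enc_key = "75329bcd4be4")
    Local $text = $enc_key & "|" & $enc_instr
    Local $h[4] = [5381, 7919, 104729, 1299709]
    Local $mul[4] = [33, 65599, 31, 131]
    Local $code
    For $i = 1 To StringLen($text)
        $code = AscW(StringMid($text, $i, 1))
        For $k = 0 To 3
            ; Mod keeps each lane inside 32 bits; the product fits comfortably in Int64.
            $h[$k] = Mod($h[$k] * $mul[$k] + $code, 4294967296)
        Next
    Next
    Local $g1 = Hex($h[1], 8)
    Local $g2 = Hex($h[2], 8)
    Local $thisGUID = "{" & Hex($h[0], 8) & "-" & StringLeft($g1, 4) & "-" & StringRight($g1, 4) & "-" & StringLeft($g2, 4) & "-" & StringRight($g2, 4) & Hex($h[3], 8) & "}"
    Return StringLower($thisGUID)
EndFunc

; Typical .ini file
; Please note that you need to re-run Install after modifying this file.
; =1 means allow software launch, =0 means disallow.
; [General]
; AddDesktop=0
; AddRootDirs=1
; AddMappings=1
; AdminBypass=0
; ; sensible (default) or paranoid - see the two lists in Install()
; ExtensionSet=sensible
; [Safety]
; ; Dire warnings should be implicit here.. <g>
; AlwaysAllowSystemFolders=1
; ; Writes Disallowed rules for user-writable subfolders of the Windows folder
; DenyWritableSystemSubfolders=1
; [Custom]
; ; (examples only)
; ; d:\=1
; ; e:\=1
; ; \\servername=1
; ; c:\ProgramData\SomeApp\Cache=0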