From: fredbloggs on 27 Nov 2006 05:52

Hi,

I'm investigating the option of Software Restriction Policies to lock down a new W2k3 Terminal Services farm.

I have configured a whitelist and added only those programs that I want users to run, which all appears to work fine; in fact the SRP are working just dandy.

The question I have is in regards to the logging when a deny is applied.

I have configured the registry entry

HKLM\SOFTWARE\Policies\Microsoft\windows\safer\codeidentifiers\Logfilename

to a relevant logfile, which is placing entries for all successfully run programs and which GUID has allowed each program.

However, when a user tries to run a disallowed program (i.e. not specifically allowed) nothing gets placed within the log. An entry appears in the event log if the attempt was made from the desktop stating the denied access (or if I specifically deny the file); however I want to catch entries further down than this, i.e. if a user tries to install 'Google toolbar' from IE the SRP are obviously running and stop this, but they don't tell me about this failed program.

Any ideas would be greatly appreciated.

TIA
Mark
From: Chris Corio [MSFT] on 8 Dec 2006 14:36

Hello -

I'm the Program Manager for Software Restriction Policies.

There are a number of things that could be happening given what you've described. First off, anything that is blocked by SRP should create an entry in the log file - if there isn't an entry, chances are SRP didn't affect the file's execution. Other than that, I'm not sure what level of SRP checking you have enabled. If you don't see a log entry it might be something related to IE's security policy.

If you can explain the exact repro steps I can check to see what's happening with SRP.

Thanks,
Chris

This posting is provided "AS IS" with no warranties, and confers no rights.

"fredbloggs" <fredbloggs(a)discussions.microsoft.com> wrote in message news:300D2B42-DB07-4548-B302-B6C7060E0D1C(a)microsoft.com...
From: fredbloggs on 11 Dec 2006 04:01

Hi Chris,

Hopefully you can help. I have detailed the SRP policies that are applied by the GPO (below). No other policies are applied by this GPO and, as I have said, if you disable the policy you can then run / install the desired component, which would lead me to believe it is related to SRP and no other IE lockdown policies, user restrictions or such like.

The issue I have is the logging facility, as I need to know if people are trying to do this and have reliable reporting as such.

The server is running Win2003 SP1 (+KB 915061 & KB918011) and I get the same symptoms on several machines running this OS (haven't tried an older one), both with and without Terminal Services enabled. IE is version 6.0.3790.1830.

I have enabled the logging as mentioned in my previous post:

HKLM\SOFTWARE\Policies\Microsoft\windows\safer\codeidentifiers\Logfilename

Process is as follows: User logs on (am using a TS session, not Citrix; does the same locally on the desktop). You will see from the SRP log (see below) that a couple of items are disallowed as per the default rule, as you would expect.

=======================================
Steps to reproduce
=======================================
User loads Internet Explorer
User browses to http://toolbar.google.com/T4/
User clicks on 'Download Google Toolbar'
User clicks on 'Run' when prompted by the 'File download - security warning' box
Installer downloads and doesn't run (which is the desired effect)
=======================================

When I check the SRP log file that has been created, no entry has been placed to say that it has been disallowed because of SRPs.

If I download the GoogleToolbar installer and save it to disk, and then run this (from the saved location), I get the box stating that it has been disallowed due to SRP and an entry gets placed within the log file.

It would seem to me that whilst IE is respecting the SRP restrictions stated, it doesn't respect the logfilename entry.
Hope this explains further and possibly gives you a chance to reproduce in your lab.

Thanks
Mark

===================================
Policies applied
===================================
Software Restriction Policies/Security Levels
  Policy Setting: Default Security Level = Disallowed

Software Restriction Policies/Additional Rules
  Path Rules (path -> Security Level)
  %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot% -> Unrestricted
  %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%*.exe -> Unrestricted
  %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%System32\*.exe -> Unrestricted
  %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir% -> Unrestricted
  \\msfs05\resource$\Logon -> Unrestricted
  C:\Program Files\Internet Explorer\Connection Wizard\*.exe -> Disallowed
  C:\Program Files\NetMeeting\ -> Disallowed
  C:\Program Files\Outlook Express -> Disallowed
  C:\Program Files\Windows Media Player\ -> Disallowed
  C:\Program Files\Windows NT\Windows Messaging -> Disallowed
  C:\WINDOWS\system32\cmd.exe -> Disallowed
  C:\WINDOWS\system32\command.com -> Disallowed
  D:\program files\adobe\reader\Reader\AcroRd32.exe -> Unrestricted
  D:\Program Files\Office\Office10\*.exe -> Unrestricted
  D:\Program Files\Office\Office11\*.exe -> Unrestricted
  D:\Program Files\Office\Visio10\*.exe -> Unrestricted
  D:\Program Files\Office\Visio10\DLL\*.exe -> Unrestricted
  D:\Program Files\WinRAR\*.exe -> Unrestricted

===========================================
Log file contents - Logon
===========================================
cscript.exe (PID = 2248) identified c:\program files\citrix\sma\scripts\CB155444-DAFE-11D8-B092-005056C00008.wsf as Unrestricted using default rule, Guid = {11015445-d282-4f86-96a2-9e485f593302}
userinit.exe (PID = 5776) identified C:\Program Files\Citrix\system32\startssonsvr.exe as Unrestricted using path rule, Guid = {d2c34ab2-529a-46b2-b293-fc853fce72ea}
startssonsvr.exe (PID = 5404) identified C:\Program Files\Citrix\ICA Client\SSONSVR.EXE as Unrestricted using path rule, Guid = {d2c34ab2-529a-46b2-b293-fc853fce72ea}
userinit.exe (PID = 5776) identified C:\Program Files\Citrix\system32\CtxHide.exe as Unrestricted using path rule, Guid = {d2c34ab2-529a-46b2-b293-fc853fce72ea}
cmd.exe (PID = 5552) identified C:\WINDOWS\system32\usrlogon.cmd as Unrestricted using path rule, Guid = {c17114d9-cf3c-410c-b74c-233821361290}
cmd.exe (PID = 5552) identified C:\WINDOWS\Application Compatibility Scripts\setpaths.cmd as Unrestricted using path rule, Guid = {c17114d9-cf3c-410c-b74c-233821361290}
cmd.exe (PID = 5552) identified C:\WINDOWS\Application Compatibility Scripts\acregl.exe as Unrestricted using path rule, Guid = {c17114d9-cf3c-410c-b74c-233821361290}
cmd.exe (PID = 5552) identified C:\WINDOWS\Application Compatibility Scripts\rootdrv.cmd as Unrestricted using path rule, Guid = {c17114d9-cf3c-410c-b74c-233821361290}
cmd.exe (PID = 5552) identified C:\WINDOWS\Application Compatibility Scripts\end.cmd as Unrestricted using path rule, Guid = {c17114d9-cf3c-410c-b74c-233821361290}
userinit.exe (PID = 5776) identified C:\Program Files\Citrix\system32\cmstart.exe as Unrestricted using path rule, Guid = {d2c34ab2-529a-46b2-b293-fc853fce72ea}
cmstart.exe (PID = 5748) identified C:\Program Files\Citrix\System32\wfshell.exe as Unrestricted using path rule, Guid = {d2c34ab2-529a-46b2-b293-fc853fce72ea}
userinit.exe (PID = 5776) identified C:\WINDOWS\Explorer.EXE as Unrestricted using path rule, Guid = {e52bd220-b21e-4e56-b8ef-ce5d6bd111ad}
explorer.exe (PID = 5652) identified C:\WINDOWS\system32\cpqteam.exe as Unrestricted using path rule, Guid = {c17114d9-cf3c-410c-b74c-233821361290}
explorer.exe (PID = 5652) identified C:\Program Files\Citrix\system32\icabar.exe as Unrestricted using path rule, Guid = {d2c34ab2-529a-46b2-b293-fc853fce72ea}
explorer.exe (PID = 5652) identified C:\OfficeScan NT\pccntmon.exe as Disallowed using default rule, Guid = {11015445-d282-4f86-96a2-9e485f593302}
explorer.exe (PID = 5652) identified D:\Program Files\Adobe\Reader\Reader\reader_sl.exe as Disallowed using default rule, Guid = {11015445-d282-4f86-96a2-9e485f593302}
explorer.exe (PID = 5652) identified C:\WINDOWS\system32\oobechk.exe as Unrestricted using path rule, Guid = {c17114d9-cf3c-410c-b74c-233821361290}

===========================================
Log file contents - Loading Internet Explorer
===========================================
explorer.exe (PID = 5652) identified C:\Program Files\Internet Explorer\iexplore.exe as Unrestricted using path rule, Guid = {d2c34ab2-529a-46b2-b293-fc853fce72ea}

===========================================
This entry appears when trying to run from the saved location
===========================================
explorer.exe (PID = 5652) identified U:\My Documents\GoogleToolbarInstaller.exe as Disallowed using default rule, Guid = {11015445-d282-4f86-96a2-9e485f593302}
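As an added example (not part of the thread, and not a Microsoft tool): the SRP log file that the LogFileName value produces has a regular line shape, as seen in the entries above, so the "which files got denied, launched by what, under which rule" reporting Mark is after can be pulled out of it with a small parser. The script below is written for this post; the line format is inferred from the log lines quoted here rather than from any published specification, the sample log is built from those quoted lines plus one constructed malformed line, and the point Chris makes still holds: a file SRP never evaluated leaves no line at all, so the report can only ever cover what the log contains.

```python
import re
from collections import Counter

# Line shape inferred from the SRP log entries quoted in the post, e.g.
#   explorer.exe (PID = 5652) identified C:\path\file.exe as Disallowed using default rule, Guid = {...}
# Paths may contain spaces, so the path group is non-greedy and stops at " as <level> using".
SRP_LINE = re.compile(
    r"^(?P<parent>\S+) \(PID = (?P<pid>\d+)\) identified (?P<path>.+?) "
    r"as (?P<level>Unrestricted|Disallowed) using (?P<rule>\w+) rule, "
    r"Guid = \{(?P<guid>[0-9A-Fa-f-]+)\}$"
)

# Sample log: constructed for this example from lines quoted in the post,
# plus one deliberately malformed line so the parser's handling of it is visible.
SAMPLE_LOG = r"""
userinit.exe (PID = 5776) identified C:\WINDOWS\Explorer.EXE as Unrestricted using path rule, Guid = {e52bd220-b21e-4e56-b8ef-ce5d6bd111ad}
explorer.exe (PID = 5652) identified C:\OfficeScan NT\pccntmon.exe as Disallowed using default rule, Guid = {11015445-d282-4f86-96a2-9e485f593302}
explorer.exe (PID = 5652) identified D:\Program Files\Adobe\Reader\Reader\reader_sl.exe as Disallowed using default rule, Guid = {11015445-d282-4f86-96a2-9e485f593302}
explorer.exe (PID = 5652) identified C:\Program Files\Internet Explorer\iexplore.exe as Unrestricted using path rule, Guid = {d2c34ab2-529a-46b2-b293-fc853fce72ea}
this line is not an SRP log entry
explorer.exe (PID = 5652) identified U:\My Documents\GoogleToolbarInstaller.exe as Disallowed using default rule, Guid = {11015445-d282-4f86-96a2-9e485f593302}
""".strip()


def parse_srp_log(text):
    """Parse SRP log text; return (entries, unparsed_lines).

    Lines that do not match the expected shape are returned separately rather
    than dropped, so a format change or corrupted log shows up in the report.
    """
    entries, unparsed = [], []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = SRP_LINE.match(line)
        if m is None:
            unparsed.append(line)
            continue
        entry = m.groupdict()
        entry["pid"] = int(entry["pid"])
        entry["guid"] = entry["guid"].lower()   # GUIDs compare case-insensitively
        entries.append(entry)
    return entries, unparsed


def denied(entries):
    """Only the entries where SRP blocked execution."""
    return [e for e in entries if e["level"] == "Disallowed"]


def count_by_rule(entries):
    """Count decisions per (level, rule type, rule GUID): shows which rule actually fired."""
    return Counter((e["level"], e["rule"], e["guid"]) for e in entries)


def denied_by_parent(entries):
    """Map parent process name -> paths it tried to start that SRP disallowed."""
    out = {}
    for e in denied(entries):
        out.setdefault(e["parent"], []).append(e["path"])
    return out


if __name__ == "__main__":
    entries, unparsed = parse_srp_log(SAMPLE_LOG)
    for e in denied(entries):
        print(f"DENIED  {e['path']}  (parent {e['parent']} pid {e['pid']}, "
              f"{e['rule']} rule {e['guid']})")
    for key, n in sorted(count_by_rule(entries).items()):
        print(f"{n:3d}  {key}")
    if unparsed:
        print(f"{len(unparsed)} line(s) did not match the expected format:")
        for line in unparsed:
            print("  " + line)
```

Run against a real LogFileName file (read it and pass the text to parse_srp_log), the per-rule counts double as a sanity check on the policy: Disallowed entries under the default rule are the whitelist doing its job, while a run of Unrestricted entries under the same default-rule GUID is worth a second look, since with a default level of Disallowed nothing should be allowed by the default rule.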
From: fredbloggs on 21 Dec 2006 05:43

Hi Chris,

Just wondering if you had any ideas why logging does not work. As you can see from my other post, the restrictions are not due to any other policies and are purely related to SRP.

Thanks, and hope you have a good Christmas.

Mark