Designing a Secure Client System in C#
Lesson 2 Designing a Strategy for Hardening Client Operating Systems

Figure 11-14 Security levels determine whether all software can run or whether no software can run

2. Should software restriction policies apply to all users or to all users except administrators? Determine whether it will be harder for administrators to do their job without the ability to run the software that will be disallowed. The option is configured as shown in Figure 11-15.

Figure 11-15 You must determine whether administrators are exempt from software restriction policies

3. Should dynamic-link libraries (DLLs) be exempt? For example, if an executable is allowed to run, will you need to also write an allow policy for all of its DLLs?

4. What file types are considered to be executable? You can add and remove file types, as shown in Figure 11-16, that should be checked and for which you can write software restriction policies.

Figure 11-16 If new file types become available, you can add them to the File Type property and write software restriction policies.

5. Should users, local administrators, or enterprise administrators select trusted publishers? See Figure 11-17.

Figure 11-17 Restrict administration of trusted publishers by adding only the necessary administrative group.
After the policy is designed, the rules themselves are designed. If the security level will be Unrestricted (the default), you write policies that will prevent software from running. If the security level will be Disallowed, you must write policies that will allow software to run.

Important: To include certificate software restriction rules, you must configure the Security Option, System Settings: Use Certificate Rules on Windows executables for software restriction policies.

Types of Software Restriction Policies
There are four types of software restriction policies:

Certificate. Certificate rules allow or restrict software by checking for a signature by a trusted publisher. If the signature is valid and the publisher is approved, the software is either allowed to run or not allowed to run, depending on the security level set in the rule.

Hash. Hash rules create a hash of a selected executable. When an attempt is made to run an executable, it is hashed and the hash is checked against existing, restricted hashes. If a match is found, the software is allowed to run or is prevented from running, depending on the security level set in the rule. The hash of an executable will never change, so the policy takes effect regardless of where the software is located. If a new version of the software is released, the hash will not match and the software is not restricted by the policy.

Internet Zone. Windows Installer package software is allowed or restricted based on the Internet zone it is downloaded from. Other types of software are not restricted by these rules.

Path. A path rule designates a Windows file or registry path in which software will be either allowed or denied. If the software is copied to another path, the policy will not apply. Four default registry paths are set. The default paths allow system software to run even if the security level is set to Disallowed.

Guidelines for Designing Software Restriction Policies
Follow these guidelines when designing software restriction policies:

Use path rules with caution. If the security level is set to Unrestricted and your path rule security level is set to Disallowed, users will not be able to run the executables in the path. However, if they can copy the executables to another location, the path rule will not be in effect and they will be able to run the executables.

If you need to absolutely prevent unauthorized software from running on the computer, set the software restriction policy security level to Disallowed. A security level of Disallowed will prevent all software from running. Rules can then be written, using any of the rule types, for the software that you want to run.

Do not remove the four Additional Rules that are set by default. These rules will allow system software to run if you set the security level to Disallowed.

If the security level will be set to Disallowed, you must apply rules to allow anything that you want to run, including startup programs, logon scripts, and so on.

For every rule that allows or restricts software, design rules that enable or restrict associated software. Associated software is software that might be started by the other software.

Design software restriction policies for computers in the computer configuration portion of the GPO, and design them for users in the user configuration section of a GPO.
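The path-rule and hash-rule behaviour described above, modelled as an added example (not code from the original text). The evaluator, the sample paths and binaries, the use of SHA-256, and checking hash rules before path rules are assumptions made for illustration; certificate and Internet zone rules are not modelled.

```python
import hashlib
from dataclasses import dataclass

UNRESTRICTED, DISALLOWED = "Unrestricted", "Disallowed"

@dataclass(frozen=True)
class Rule:
    kind: str    # "hash" or "path"
    value: str   # hex digest for a hash rule, folder for a path rule
    level: str   # security level applied when the rule matches

def file_hash(content: bytes) -> str:
    # SHA-256 stands in for the digest the policy stores (assumption).
    return hashlib.sha256(content).hexdigest()

def evaluate(default_level, rules, path, content):
    """Return the security level that applies to one launch attempt."""
    digest = file_hash(content)
    # Hash rules follow the file: location is irrelevant, content is not.
    for rule in rules:
        if rule.kind == "hash" and rule.value == digest:
            return rule.level
    # Path rules match only while the file sits under the named folder.
    for rule in rules:
        prefix = rule.value.lower().rstrip("\\") + "\\"
        if rule.kind == "path" and path.lower().startswith(prefix):
            return rule.level
    return default_level  # no rule matched: the security level decides

# Constructed sample binaries and paths (hypothetical, not from the page).
TOOL_V1, TOOL_V2 = b"constructed tool build 1", b"constructed tool build 2"
IN_PLACE, COPIED = "C:\\Tools\\tool.exe", "C:\\Users\\alice\\tool.exe"

def scenarios():
    deny_path = [Rule("path", "C:\\Tools", DISALLOWED)]
    deny_hash = [Rule("hash", file_hash(TOOL_V1), DISALLOWED)]
    allow_app = [Rule("path", "C:\\Program Files\\App", UNRESTRICTED)]
    return {
        "deny-path, in place": evaluate(UNRESTRICTED, deny_path, IN_PLACE, TOOL_V1),
        "deny-path, copied": evaluate(UNRESTRICTED, deny_path, COPIED, TOOL_V1),
        "deny-hash, copied": evaluate(UNRESTRICTED, deny_hash, COPIED, TOOL_V1),
        "deny-hash, new version": evaluate(UNRESTRICTED, deny_hash, IN_PLACE, TOOL_V2),
        "default-deny, copied": evaluate(DISALLOWED, allow_app, COPIED, TOOL_V1),
        "default-deny, allowed app": evaluate(
            DISALLOWED, allow_app, "C:\\Program Files\\App\\app.exe", TOOL_V2),
    }

if __name__ == "__main__":
    for name, level in scenarios().items():
        print(f"{name:28} -> {level}")
```

The two "copied" rows under an Unrestricted security level show why a Disallowed path rule alone is weak, while the default-deny rows show the Disallowed security level blocking the same copy without any rule naming it.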