BeyondTrust

Tuesday, November 24, 2009

Microsoft Windows 7 AppLocker Does Not Address Least Privilege

The recent release of Microsoft Windows 7 has raised a lot of questions regarding its use in a Least Privilege environment. Working at BeyondTrust, one of the more common questions I am asked is about the Windows 7 AppLocker settings: if a company uses AppLocker, does it still need to remove admin rights?

From what I see, AppLocker is just Software Restriction Policies (SRP) with some improvements and, as a stand-alone solution, is not enough to protect an enterprise.

So the answer is, "yes, you still need to remove admin rights." Below is some history of the feature and my testing results to explain why.

SRP had a bad reputation for some due to its cumbersome setup and maintenance. It was also very easily circumvented. Just run a restricted program from inside a .zip file and voila, there's your restricted application running. SRP path rules match on the path the program is actually launched from, and opening a program from inside a .zip extracts it to a temporary folder first, so a rule written against the program's original location never matched.

AppLocker has made improvements to both, but maintenance is still an issue.

Behind The Scenes, Why You Still Need to Remove Admin Rights:
AppLocker policies require the Application Identification Service (AppIDSvc) to be running on the client machine. If you are running Windows 7 with administrative rights, you can stop or disable this service, and with it AppLocker enforcement. What's more, like any service, its configuration (including its startup type) lives in the registry and can be controlled there. I'll talk more about this further on in this post.

Testing:
I wanted to see what it took to initially set up AppLocker, and if it would truly protect my environment by not allowing certain software applications to run. Here's the blow-by-blow:
  1. Logged on as an administrative user
  2. Set up two of the three default AppLocker path rules:
     Allow: All apps from the Program Files folder
     Allow: All apps from the Windows folder
  3. Created the C:\Tools and C:\Program Files\InstallsAfterAppLocker folders
  4. Copied notepad.exe to C:\Tools and C:\Program Files\InstallsAfterAppLocker
     Ran notepad from C:\Tools - Got an AppLocker message, notepad doesn't start (Expected)
     Ran notepad from ..\InstallsAfterAppLocker - No message, but notepad doesn't start (Not Expected)
     Ran the WinZip installer from ..\InstallsAfterAppLocker - Install starts but fails half-way through (Expected but quirky)
     Downloaded a scientific calculator
     Ran it from C:\Tools - Got an AppLocker message, calculator doesn't start (Expected)
     Ran it from ..\InstallsAfterAppLocker - Runs fine (Expected)
  5. Booted in Safe Mode
     Set AppIDSvc to Disabled
     Downloaded the Google Pack and installed it
     Reset AppIDSvc to Automatic, rebooted in normal startup mode
     After a short time, messages began to pop up in the system tray from Spyware Doctor (part of the Google Pack)
     Some Google Pack apps didn't run, others worked no problem (Not Expected)
  6. Created several Windows Installer app rules; Apple was not on the approved publisher list
     Downloaded the iTunes installer, wouldn't run (Expected)
     Set AppIDSvc to Disabled and rebooted
     Installed iTunes without issue (Expected)
     Reset AppIDSvc to Automatic and rebooted
     iTunes still runs without issue

Then I began to think about an administrator who uses the 'System Services' Group Policy setting (Computer Configuration > Windows Settings > Security Settings > System Services), which lets you set a service's startup type. In my testing, even after I set AppIDSvc to Disabled, I still needed to reboot for the AppLocker policies to stop being enforced. If Group Policy had set this service back to start when my machine rebooted, I would still have been limited by the AppLocker policies.

As I mentioned above, services can be controlled via their registry keys. By default, SYSTEM and Administrators have full rights to HKLM\System\CurrentControlSet\services\AppIDSvc. A local administrator can edit that key's ACL and remove those rights, which stops the Group Policy client (which runs as SYSTEM and writes the startup type under that key) from resetting the service, thereby ensuring it will not be started when you reboot. The key's owner can always put the ACL back, and such an ACL change is itself an easy thing to spot for anyone auditing the machine, but it does defeat the policy refresh.
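As an added example that is not part of the original post, here is a PowerShell audit script covering the two tampering steps described above: disabling AppIDSvc (steps 5 and 6 of the test walk-through) and stripping SYSTEM/Administrators from the service's registry key. It assumes Windows 7 or later with the AppLocker PowerShell module available and an elevated prompt; the service name, key path and identity names are the standard Windows ones, and the finding messages and function names are my own. It changes nothing on the machine.

```powershell
# Added audit script, not from the original post. Assumes Windows 7 or later with the
# AppLocker module present and an elevated prompt. Checks the three things the post shows
# an administrator can tamper with: whether AppIDSvc is running, its Start value in the
# registry, and the ACL on the service key. Read-only.

$ServiceKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\AppIDSvc'

# Registry Start values as shown in the services.msc startup type column
$StartTypes = @{ 0 = 'Boot'; 1 = 'System'; 2 = 'Automatic'; 3 = 'Manual'; 4 = 'Disabled' }

function Test-FullControl {
    # True when $Identity holds an Allow ACE carrying FullControl on the key
    param($Acl, [string]$Identity)
    if ($Acl -eq $null) { return $false }
    $full = [System.Security.AccessControl.RegistryRights]::FullControl
    $ace = $Acl.Access | Where-Object {
        $_.IdentityReference.Value -eq $Identity -and
        $_.AccessControlType -eq 'Allow' -and
        (($_.RegistryRights -band $full) -eq $full)
    }
    return [bool]$ace
}

function Get-AppIdSvcState {
    $svc = Get-Service -Name AppIDSvc -ErrorAction Stop

    # Reading the Start value and the ACL needs rights on the key. If an admin stripped
    # the Administrators ACE (the trick described above), these reads fail even when
    # elevated, which is itself a tampering indicator, so record them as unreadable.
    try   { $start = $StartTypes[[int](Get-ItemProperty -Path $ServiceKey -Name Start -ErrorAction Stop).Start] }
    catch { $start = '(unreadable)' }
    try   { $acl = Get-Acl -Path $ServiceKey -ErrorAction Stop; $owner = $acl.Owner }
    catch { $acl = $null; $owner = '(unreadable)' }

    New-Object PSObject -Property @{
        Status                = $svc.Status
        StartType             = $start
        AclReadable           = ($acl -ne $null)
        KeyOwner              = $owner
        SystemHasFullControl  = Test-FullControl $acl 'NT AUTHORITY\SYSTEM'
        AdminsHaveFullControl = Test-FullControl $acl 'BUILTIN\Administrators'
    }
}

function Get-AppLockerEnforcement {
    # Effective policy (local merged with domain) as XML; one RuleCollection per rule type
    Import-Module AppLocker -ErrorAction Stop
    [xml]$policy = Get-AppLockerPolicy -Effective -Xml
    foreach ($rc in $policy.SelectNodes('/AppLockerPolicy/RuleCollection')) {
        New-Object PSObject -Property @{
            Collection      = $rc.Type
            EnforcementMode = $rc.EnforcementMode   # NotConfigured, AuditOnly or Enabled
            RuleCount       = @($rc.ChildNodes).Count
        }
    }
}

$state = Get-AppIdSvcState
$findings = @()
if ($state.Status -ne 'Running') {
    $findings += "AppIDSvc is $($state.Status): AppLocker policies depend on this service"
}
if ($state.StartType -eq 'Disabled') {
    $findings += 'AppIDSvc start type is Disabled: enforcement will not resume after a reboot'
}
if (-not $state.AclReadable) {
    $findings += 'Cannot read the AppIDSvc key ACL even when elevated: permissions have been stripped'
} elseif (-not $state.SystemHasFullControl -or -not $state.AdminsHaveFullControl) {
    $findings += 'Default SYSTEM/Administrators FullControl on the AppIDSvc key is gone: Group Policy cannot reset the service'
}

$state | Format-List Status, StartType, KeyOwner, SystemHasFullControl, AdminsHaveFullControl
Get-AppLockerEnforcement | Format-Table Collection, EnforcementMode, RuleCount -AutoSize
if ($findings.Count -gt 0) { $findings | ForEach-Object { Write-Warning $_ } }
else { Write-Output 'No AppIDSvc tampering indicators found.' }
```

Two points on the design: a Manual start type is deliberately not flagged, since only Disabled guarantees the service stays down across a reboot; and a failed Get-Acl is reported as a finding rather than an error, because on a key whose Administrators ACE has been removed that failure is exactly the symptom you are looking for. The script only sees the state of the machine it runs on; it cannot tell you what was installed during the window when the service was down.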

Summary:

  • Users running with standard user rights would still need a solution that lets apps requiring admin rights run or install without giving them the administrator password.
  • Users running with admin rights can easily circumvent AppLocker.
  • AppLocker is somewhat easier to set up than SRP was, but maintaining a white list of applications is tedious and time-consuming.
  • In my experience, SRP was used to prevent users from running certain applications because those users were running as admins. Often it wasn't that the company didn't want the application run at all; they were concerned with what could be done with it if it ran with admin rights.
  • Using AppLocker alone as a solution for Least Privilege is not enough to protect your enterprise; however, AppLocker and BeyondTrust Privilege Manager used together, enabling users to run with standard user rights, complement each other nicely.
 

© 1985-2009 BeyondTrust Software, Inc. All rights reserved.