Why You Need a Software Restriction Policy (Right Now)

Windows Group Policy tends to get overlooked by most Administrators. Typically, you visit this policy when you first set up a domain—which for many companies is well beyond the first day you start using Windows. By the time you get around to re-visiting Windows Group Policy, most of the applications, users, and groups are already in place.

What’s not very well understood is the Windows Group Policy permissions model that allows attackers to manipulate your system with Ransomware even without any usernames, passwords, or you authorizing their applications.

As a vCISO one of the first and most important policies I try to advise clients on is a Software Restriction Policy. I believe strongly that many Administrators of Microsoft PCs overlook this tool in combating malware because they believe it will break applications and brick machines. They may also think taking away “Administrator” rights for users means they have disallowed the installation and usage of software by those user accounts (even if tricked by hackers).

This is simply not the case.Software on Windows is intended to be run and to run other programs without the user’s credentials involved (Admin or otherwise). A simple example is Microsoft Word. If you were to download a new copy of Word and wanted to install it into the Program Files directory you would first be asked if you are an Administrator and to enter an Admin password. You know, this pop-up thing:

That’s just the install. Running a program is totally different.

If you open Word, the program runs from a directory and it may also chose to run other programs in other directories (Macros, PDF Converters, GotoMeeting, Teams, etc.) While this is awesome for productivity it demonstrates how hackers use the default “Unrestricted” policy on Windows that allows you to run executables (Read more...)

*** This is a Security Bloggers Network syndicated blog from IntelliGO MDR Blog authored by Adam Mansour. Read the original post at: