Safeguarding Windows 10 Pro, Part 6: Expert Software Restriction Policy



This is a ‘blind’ introduction to Windows 10 Pro, and an attempt to see if the safeguarding techniques I demonstrated on Windows 8 Pro also apply to the new edition.

This is an ‘expert’ SRP part, where we try to work around badly designed applications that insist on running from locations outside Program Files, typically user-writable folders such as %LocalAppData%. Rather than opening such a path to everything in it, a certificate rule can permit those applications when they are digitally signed by a publisher you trust, wherever they happen to run from.

While AppLocker doesn’t work in the Pro edition, we can still use its user interface to find…
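As an added example (this is not code from the video or the original post), the PowerShell below reads the effective SRP policy from its standard registry location (`HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers`, where `DefaultLevel` holds the default security level and `TransparentEnabled` records whether DLLs are checked) and then surveys the user-writable folders that applications like those discussed here install into, reporting each executable's and library's Authenticode signer, signature status, certificate expiry and whether the signature carries a timestamp. That tells you which publisher certificate a certificate rule would need to trust and which files are unsigned and could only be allowed by hash or path. The scan roots and the `$TrustedPublishers` list are assumptions for illustration; the subject string in it is a placeholder that you should replace with the exact `Subject` reported for a binary you have inspected. Run it in an elevated PowerShell on the machine where the policy applies.

```powershell
# Added example, not from the original post. Reads the SRP policy and reports
# the Authenticode signer of every exe/dll/pyd under user-writable folders.

# ASSUMPTION: placeholder subject strings; copy the exact Subject that
# Get-AuthenticodeSignature reports for a binary you have verified yourself.
$TrustedPublishers = @(
    'CN=Example Publisher, O=Example Publisher, L=Somewhere, C=US'
)

# ASSUMPTION: the user-writable locations worth surveying on this machine.
$ScanRoots = @($env:LOCALAPPDATA, $env:APPDATA, $env:TEMP)

function Get-SrpPolicySummary {
    # Machine-wide SRP settings live under this key when a policy is defined.
    $saferKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
    $policy = Get-ItemProperty -Path $saferKey -ErrorAction SilentlyContinue
    if (-not $policy) { return 'No SRP policy found under HKLM.' }

    # DefaultLevel: 0 = Disallowed, 0x20000 = Basic User, 0x40000 = Unrestricted
    $levelNames = @{ 0 = 'Disallowed'; 0x20000 = 'Basic User'; 0x40000 = 'Unrestricted' }
    # TransparentEnabled: 1 = executables only, 2 = all files including DLLs
    $scope = if ($policy.TransparentEnabled -eq 2) { 'all files incl. DLLs' } else { 'executables only' }

    [pscustomobject]@{
        DefaultLevel = $levelNames[[int]$policy.DefaultLevel]
        Enforcement  = $scope
    }
}

function Get-BinarySignatureReport {
    param([string[]]$Roots, [string[]]$Trusted)

    foreach ($root in $Roots) {
        if (-not $root -or -not (Test-Path $root)) { continue }
        Get-ChildItem -Path $root -Recurse -File -Include *.exe, *.dll, *.pyd -ErrorAction SilentlyContinue |
            ForEach-Object {
                $sig  = Get-AuthenticodeSignature -FilePath $_.FullName
                $cert = $sig.SignerCertificate
                [pscustomobject]@{
                    Path       = $_.FullName
                    Status     = $sig.Status            # Valid, NotSigned, HashMismatch, NotTrusted, ...
                    Signer     = if ($cert) { $cert.Subject } else { '(unsigned)' }
                    NotAfter   = if ($cert) { $cert.NotAfter } else { $null }
                    # A timestamp countersignature keeps a signature valid after the cert expires.
                    Timestamped = [bool]$sig.TimeStamperCertificate
                    Trusted    = ($sig.Status -eq 'Valid') -and ($cert -and ($Trusted -contains $cert.Subject))
                }
            }
    }
}

Get-SrpPolicySummary | Format-List

# Unsigned or untrusted binaries first: these are the ones a certificate rule cannot cover.
Get-BinarySignatureReport -Roots $ScanRoots -Trusted $TrustedPublishers |
    Sort-Object Trusted, Signer, Path |
    Format-Table Trusted, Status, Timestamped, NotAfter, Signer, Path -AutoSize
```

Files that come back as `Valid` with a `Signer` you recognise are candidates for a certificate rule (added under Software Restriction Policies, Additional Rules in secpol.msc); anything reported as `(unsigned)` or with a status other than `Valid` will still need a hash or path rule, which is the situation the comments below describe.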

6 Comments

  1. Hi Gordon, I got an update.

    I now have my system working with DLL rules being enforced.

    It seems certificate rules are not working for DLLs; even though the rules can be created, they simply don't work.
    However, if I whitelist the DLLs via hash it works, so Battle.net works and Netflix in Chrome works. It's not ideal, as Chrome updates its Netflix DLLs at least once a month, but at least it works now and is better than not enforcing DLL rules.

    As to why it behaves like this, I can only assume it's a bug, considering Microsoft long ago deprecated SRP as they favour AppLocker now.

  2. Hi, I set the default Security Level to restrict all applications and rebooted my machine. Now it won't boot. It gets to the point where you see a black screen and the blue Windows 10 logo with the dots spinning in a circle below it. How do I correct this?

  3. Great videos about W10. Do you know if there is a way to remove the write protection from a folder outside C:, Program Files and so on, after the SRP has been enabled as in your previous videos?

  4. Hi Gordon,
    Thanks for your safeguarding series. They helped me a lot in learning how to safeguard Windows. One thing I can't resolve is that trusted publishers use non-trusted files for their programs to run. For example Google Drive sync or Slack. I've asked Slack why they keep the Slack app in AppData instead of Program Files. Their answer was horrible: "Running the app from %LocalAppData% allows us to install and update the app without UAC dialogs." Do you have any idea how to overcome this?

    An example of googledrivesync:
    explorer.exe (PID = 4832) identified C:\Program Files (x86)\Google\Drive\googledrivesync.exe as Unrestricted using certificate rule

    googledrivesync.exe (PID = 5540) identified \??\C:\Users\username\AppData\Local\Temp\_MEI58522\win32api.pyd as Disallowed using default rule

    Thanks in advance.
    Kind regards,
    Erik

  5. Nice video.
    I added Blizzard's and Google's certificates to SRP a few days back. Battle.net, however, would only work if I disabled DLL file filtering; if I filter DLLs I can only get it to run by adding the path, although with the certificate added I can now set the path rule to Basic User instead of Unrestricted.
    The Google certificate I had to add because, even though Chrome is in Program Files, it has the Widevine binaries for some reason in the profile folder, and those have to be allowed to view Netflix in Chrome. The certificate rule won't work though; however, I discovered that the Google certificates for those files are old and out of date, and I am assuming SRP won't allow expired certs, so I raised an issue with the Chrome developers to fix it.
