Mark Minasi's Tech Forum
curwin
New Friend (or an Old Friend who Built a New Account)
Posts: 11
#1
We are trying to prevent our users from running various commands that we don't specifically approve. We have implemented Applocker, but that doesn't prevent the user from running commands beginning with rundll32.exe or regsvr32.exe. In previous versions of Windows the group policy setting "Remove Run menu from Start Menu" was sufficient. But in Windows 10, when a user starts typing any command in search, even with that GP setting enforced, the command runs.

Is there any way to prevent this? It is a significant security issue, and I am surprised that Windows 10, which is generally more secure, in this issue is actually less so.

If not, is there at least a way I can prevent access to the search field? I've already found it on the task bar (even if I set it to "hidden", the user can switch it back to "show search icon" or "show search box"), in the alphabetical list of programs (under "Search") and via the Windows+S and Windows+Q hotkeys.

I tried renaming the folder C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy

That did disable the search function entirely, but it went too far for our needs. It would prevent the users from running their programs from the Start Menu. For example, they couldn't just start typing "Word" and have Microsoft Word open.

Any ideas will be welcome.

Thanks!

David
donoli
Senior Member
Posts: 530
#2
Even if you accomplished that, what about the 'run new task' choice in the task manager?
curwin
New Friend (or an Old Friend who Built a New Account)
Posts: 11
#3
When the policy "Remove Run menu from Start Menu" is enforced, then the option "Run new task" does not appear in Task Manager.
jsclmedave
Administrator
Posts: 446
#4
Why isn't Applocker stopping the DLL or EXE from running? Anything in the logs?
__________________
Tim Bolton @jsclmedave
Email: [string](0..20|%{[char][int](32+('527377347976847978324785847679797514357977').substring(($_*2),2))}) -replace ' '  

New to the forum? Please Read this
curwin
New Friend (or an Old Friend who Built a New Account)
Posts: 11
#5
I'm not blocking them in Applocker - they are Windows executables. I just don't want the user to run them on their own, particularly with any additional arguments.
jsclmedave
Administrator
Posts: 446
#6
Quote:
Originally Posted by curwin
I'm not blocking them in Applocker - they are Windows executables. I just don't want the user to run them on their own, particularly with any additional arguments.

I may be missing something with Win10, but I "thought" you could deny access to Users while granting access to Admin or Machine Accounts...

It's been a while, so apologies if I am off base..

curwin
New Friend (or an Old Friend who Built a New Account)
Posts: 11
#7
Quote:
Originally Posted by jsclmedave
I may be missing something with Win10, but I "thought" you could deny access to Users while granting access to Admin or Machine Accounts...
It's been a while, so apologies if I am off base..

I can deny access to users to run those particular executables. But that's actually going too far.

Take rundll32.exe for example. It is necessary to open any Control Panel applets. And some of those I need to allow the users to access.

On the other hand, it can be used to run very malicious commands.

So I would rather not blacklist it entirely, nor allow it under every circumstance. What I would like to do is to prevent the users from the option of typing a command beginning with "rundll32.exe" so they can't execute any improper commands.

gpoguy
New Friend (or an Old Friend who Built a New Account)
Posts: 50
#8
So I would like to understand your goals a little bit more. First off, are your users admins on their workstations? Second, if not, what is the perceived benefit of preventing users from executing code from the Search dialog? The reason I ask these questions is that GP has historically been used to try to hide certain features from users, and it is often security by obscurity, rather than anything that will really stop an attacker. So I'm trying to get at the big picture for you here and see what the goal is. If a user is allowed to run a particular executable via *real* OS security, then it is super hard to expect that obfuscating that use in one circumstance (i.e. from the Search dialog) is going to truly protect you from bad behaviors. So, my recommendation is to either prevent the execution of those executables altogether, or have other mechanisms in place (e.g. anti-malware, endpoint security products, etc.) to detect and remediate potential bad uses of that executable.
__________________
Darren Mar-Elia
MS-Group Policy MVP
Founder--SDM Software (https://sdmsoftware.com)
Need Group Policy Training? Check out my Group Policy Fundamentals course: http://pluralsight.com/courses/group-policy-fundamentals
curwin
New Friend (or an Old Friend who Built a New Account)
Posts: 11
#9
Quote:
Originally Posted by gpoguy
So I would like to understand your goals a little bit more. First off, are your users admins on their workstations? Second, if not, what is the perceived benefit of preventing users from executing code from the Search dialog? The reason I ask these questions is that GP has historically been used to try to hide certain features from users, and it is often security by obscurity, rather than anything that will really stop an attacker. So I'm trying to get at the big picture for you here and see what the goal is. If a user is allowed to run a particular executable via *real* OS security, then it is super hard to expect that obfuscating that use in one circumstance (i.e. from the Search dialog) is going to truly protect you from bad behaviors. So, my recommendation is to either prevent the execution of those executables altogether, or have other mechanisms in place (e.g. anti-malware, endpoint security products, etc.) to detect and remediate potential bad uses of that executable.

Thanks for the questions. I work at an institution very concerned with security, both from within and without. So the users are not local admins (if they were, Applocker would have been fairly useless).

The benefit from preventing users from running code is that unfortunately, there are certain executables, like rundll32.exe, regsvr32.exe and net.exe, which have both positive and negative uses. As I mentioned regarding rundll32, I can't block it entirely or basic Windows functions like Control Panel options (even the ones I allow) won't work. But if I allow it all, then a user could use the same rundll32.exe to do some really bad stuff (just Google "rundll32" and "bypass" to see a sample of what can be done).

I don't think any antimalware products will help here (and we do have them in place), since again - these are perfectly legal commands (in and of themselves).

I don't think I'm coming up with some new concern or demand. The previous GPO that blocked run did exactly what I would want, and I'm sure that Microsoft designed it for a good reason. I just don't understand why they allowed this backdoor, in what overall is supposed to be a more secure OS.
donoli
Senior Member
Posts: 530
#10
Is there a chance that you might be better off using an Intrusion Detection System? You may be able to set it to alert you when certain commands are run.
curwin
New Friend (or an Old Friend who Built a New Account)
Posts: 11
#11
Quote:
Originally Posted by donoli
Is there a chance that you might be better off using an Intrusion Detection System? You may be able to set it to alert you when certain commands are run.

I suppose, but I'd really prefer something that will block, instead of just alert.
gpoguy
New Friend (or an Old Friend who Built a New Account)
Posts: 50
#12
I think the hard part is that you are asking for contextual blocking of an otherwise allowed set of applications. If a set of applications is allowed to run by the user, then you may need to go to 3rd party tools to control how that application is called. To answer your original question, I did do a quick search of GP to see if there were ways to block execution from the Search dialog and didn't find anything. I also spent a bit of time with Process Explorer trying to see what process was called when you launched something via Search, but it wasn't definitive. So I don't think there is a readily available in-the-box answer to this. I'll keep looking but not hopeful at the moment.
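Posts #8 and #9 settle on the practical position: rundll32.exe, regsvr32.exe and net.exe cannot be blocked outright, so their use has to be detected and reviewed, and post #12 notes it was not obvious which process launches a command typed into Search. The PowerShell below is an added example, not code from the thread or from any of its participants. It assumes the "Audit Process Creation" policy and "Include command line in process creation events" are enabled, so that Security event 4688 carries the command line and the parent process (the "Creator Process Name" field). The allow-list pattern and the sample events are constructed for the demonstration; which launches count as known-good is an environment decision.

```powershell
# Added example (not from the thread): review Windows process-creation audit
# events (Security log, event ID 4688) for the dual-use binaries named in the
# thread, skip launches on an allow-list, and report the rest with the parent
# process so the reviewer can see what actually spawned them.

# Binaries the thread calls out as dual-use. Matched on file name only.
$DualUseBinaries = @('rundll32.exe', 'regsvr32.exe', 'net.exe')

# Constructed allow-list: regular expressions matched against the full command
# line. The single entry is the usual Control Panel launch; your environment
# decides what belongs here (assumption for the demo).
$KnownGoodPatterns = @(
    '^"?[^"]*\\rundll32\.exe"?\s+shell32\.dll,Control_RunDLL\b'
)

function Convert-ProcessCreationEvent {
    # Flatten a live 4688 record into the simple object Find-DualUseLaunches expects.
    param([Parameter(ValueFromPipeline)] $Record)
    process {
        $xml  = [xml]$Record.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            TimeCreated = $Record.TimeCreated
            User        = $data['SubjectUserName']
            Image       = $data['NewProcessName']
            CommandLine = $data['CommandLine']
            Parent      = $data['ParentProcessName']   # "Creator Process Name"
        }
    }
}

function Find-DualUseLaunches {
    param(
        [Parameter(Mandatory)] [object[]] $Events,
        [string[]] $Binaries      = $DualUseBinaries,
        [string[]] $AllowPatterns = $KnownGoodPatterns
    )
    foreach ($e in $Events) {
        if (-not $e.Image) { continue }
        $name = [System.IO.Path]::GetFileName($e.Image).ToLowerInvariant()
        if ($Binaries -notcontains $name) { continue }
        $allowed = $false
        foreach ($p in $AllowPatterns) {
            if ($e.CommandLine -match $p) { $allowed = $true; break }
        }
        if ($allowed) { continue }
        [pscustomobject]@{
            TimeCreated = $e.TimeCreated
            User        = $e.User
            Binary      = $name
            Parent      = $e.Parent      # which process launched it (Explorer, Search, cmd, ...)
            CommandLine = $e.CommandLine
        }
    }
}

# --- Offline demonstration on constructed sample events (not real log data) ---
$sample = @(
    [pscustomobject]@{ TimeCreated = '2019-01-01T09:00:00'; User = 'alice'
                       Image       = 'C:\Windows\System32\rundll32.exe'
                       CommandLine = '"C:\Windows\System32\rundll32.exe" shell32.dll,Control_RunDLL'
                       Parent      = 'C:\Windows\explorer.exe' }
    [pscustomobject]@{ TimeCreated = '2019-01-01T09:05:00'; User = 'alice'
                       Image       = 'C:\Windows\System32\rundll32.exe'
                       CommandLine = 'rundll32.exe someother.dll,SomeExport'
                       Parent      = 'C:\Windows\explorer.exe' }
    [pscustomobject]@{ TimeCreated = '2019-01-01T09:06:00'; User = 'alice'
                       Image       = 'C:\Windows\System32\notepad.exe'
                       CommandLine = 'notepad.exe'
                       Parent      = 'C:\Windows\explorer.exe' }
)
Find-DualUseLaunches -Events $sample | Format-Table -AutoSize

# --- Live use (needs the audit policy above and rights to read the Security log) ---
# $live = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } -MaxEvents 5000 |
#         Convert-ProcessCreationEvent
# Find-DualUseLaunches -Events $live | Group-Object Parent | Sort-Object Count -Descending
```

On the constructed sample, the allow-listed Control Panel launch and the notepad launch are skipped and only the second rundll32 launch is reported. The live variant at the end groups the reported launches by parent process, which is the quickest way to answer the question from post #12 on a real machine: run a command from the Search box and look at which creator process the 4688 event records. This is review and alerting, not blocking, so it complements AppLocker rather than replacing it; AppLocker's own events do not record command-line arguments, which is exactly the dimension the thread needs.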
donoli
Senior Member
Posts: 530
#13
Quote:
I suppose, but I'd really prefer something that will block, instead of just alert.

I understand that. However, it seems that Cortana & Run have become so intertwined that it seems impossible to create a GP that will let you create the desired block & at the same time, allow commands such as Word.
curwin
New Friend (or an Old Friend who Built a New Account)
Posts: 11
#14
Thanks for your help. Perhaps you could help me then with two related questions:

a) There is a registry setting (in HKCU) that sets whether the search icon or box in the taskbar is hidden. Is there any way to set permissions on a value and not an entire key? If so, I could give the users read only rights on that value.

b) Is there any way to remove the Search item from the start menu? I see that I can pin it to Start, but I don't know how to remove or hide it entirely.

Thanks!
jsclmedave
Administrator
Posts: 446
#15
Quote:
Originally Posted by curwin
Thanks for your help. Perhaps you could help me then with two related questions:
a) There is a registry setting (in HKCU) that sets whether the search icon or box in the taskbar is hidden. Is there any way to set permissions on a value and not an entire key? If so, I could give the users read only rights on that value.
b) Is there any way to remove the Search item from the start menu? I see that I can pin it to Start, but I don't know how to remove or hide it entirely.
Thanks!

This is a longshot but see if this helps.  I had to hide some Outlook Buttons a long time ago.

http://mcitp86.rssing.com/chan-10331051/all_p1.html

Scroll down to - Enforce Plain Text Outlook 2010
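On question (a) in post #14: Windows registry security descriptors attach to keys, not to individual values, so a read-only permission on a single value cannot be expressed; the smallest unit you can protect is the key. The PowerShell below is an added demonstration of that granularity and of its limit, not code from the thread or its participants. It creates and deletes a throwaway key under HKCU (constructed name), uses a value name that mirrors the taskbar search setting the post refers to (assumed to be SearchboxTaskbarMode under HKCU\Software\Microsoft\Windows\CurrentVersion\Search, which the demo never touches), and is meant to be run as an ordinary, non-elevated user.

```powershell
# Added example (not from the thread): registry ACLs are per key, not per value.
# 1. Create a demo key under HKCU and set a value on it.
# 2. Put a Deny SetValue/CreateSubKey ACE for the current user on the KEY.
# 3. Show that writing the value is now refused.
# 4. Show that the same user can remove the ACE again, because the inherited
#    Full Control on their own hive still includes ChangePermissions.
$DemoKey   = 'HKCU:\Software\ForumDemo_RegistryAclTest'   # constructed, deleted at the end
$ValueName = 'SearchboxTaskbarMode'                       # mirrors the real setting's name (assumption)
$Me        = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name

function New-DemoKey {
    if (-not (Test-Path $DemoKey)) { New-Item -Path $DemoKey -Force | Out-Null }
    Set-ItemProperty -Path $DemoKey -Name $ValueName -Value 0 -Type DWord
}

function Add-DenyWriteAce {
    # Deny the write-type rights on the key; there is no way to scope this to one value.
    $acl  = Get-Acl -Path $DemoKey
    $rule = New-Object System.Security.AccessControl.RegistryAccessRule(
        $Me,
        [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey',
        [System.Security.AccessControl.AccessControlType]::Deny)
    $acl.AddAccessRule($rule)
    Set-Acl -Path $DemoKey -AclObject $acl
    return $rule
}

function Test-WriteBlocked {
    # Returns $true when the registry refuses the write with an access-denied error.
    try {
        Set-ItemProperty -Path $DemoKey -Name $ValueName -Value 2 -Type DWord -ErrorAction Stop
        return $false
    } catch {
        if ($_.Exception -is [System.Security.SecurityException] -or
            $_.Exception -is [System.UnauthorizedAccessException]) { return $true }
        throw   # anything else is a real problem, not the condition under test
    }
}

function Remove-DenyWriteAce($rule) {
    # Undoing the restriction needs only ChangePermissions, which the deny ACE did not remove.
    $acl = Get-Acl -Path $DemoKey
    $acl.RemoveAccessRule($rule) | Out-Null
    Set-Acl -Path $DemoKey -AclObject $acl
}

New-DemoKey
$rule = Add-DenyWriteAce
"Write blocked while the Deny ACE is present: $(Test-WriteBlocked)"
Remove-DenyWriteAce $rule
"Write blocked after the user removed the ACE: $(Test-WriteBlocked)"
Remove-Item -Path $DemoKey -Recurse -Force
```

Two practical consequences follow. First, a deny ACE set on the real Search key would cover every value under it, and Explorer writes to that key on the user's behalf, so the setting is likely to break more than the one value you care about. Second, a user who owns the key (the normal case in their own HKCU hive) keeps the implicit right to rewrite its DACL, so a permission-based lock in HKCU only holds against a user who does not know how to undo it, which is the security-by-obscurity point made in post #8. A policy that re-applies the desired value at every Group Policy refresh (Group Policy Preferences registry items do this) is the more robust approach: the user can flip it between refreshes, but the configured state keeps winning and any drift is visible in the client-side logs.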