Windows GPO Software Restrictions Policy not working with %TEMP% variable

I’m trying to put in some meagre additional malware prevention measures, by restricting the execution of *.exe in a handful of locations — in particular, the temporary folders that various compression tools unzip to, when a user might choose to open an executable straight from a Zip file.

From the TechNet article, http://technet.microsoft.com/nl-nl/library/cc786941%28v=ws.10%29.aspx:

You can use environment variables in a path rule. Since path rules are evaluated in the client environment, the ability to use environment variables (for example, %Windir%) allows a rule to adapt to a particular user’s environment.

A path rule can incorporate the ? and * wildcards, allowing rules such as “*.vbs” to match all Visual Basic Script files. The following examples illustrate the use of wildcards:

  • “\DC-??\login$” matches \DC-01\login$, \DC-02\login$
  • “*\Windows” matches C:\Windows, D:\Windows, E:\Windows
  • “c:\win*” matches c:\winnt, c:\windows, c:\windir

I have these Path rules (which I have applied both singularly and in various combinations):

  • %APPDATA%\*.exe
  • %APPDATA%\*\*.exe
  • %LOCALAPPDATA%\*.exe
  • %LOCALAPPDATA%\*\*.exe
  • %TEMP%\*.exe
  • %TEMP%\7z*\*.exe
  • %TEMP%\wz*\*.exe
  • %TEMP%\Rar*\*.exe

…which theoretically should represent executables directly under the user’s temp folder, and executables in temp folders named in the manner that Winzip, WinRAR and 7-zip might name their temp folders (e.g. %TEMP%\7zSF20.tmp\the_file.exe).

The %APPDATA% and %LOCALAPPDATA% ones work; the %TEMP% ones don’t. Executables appear to be blocked under %TEMP% but this is only because, in a default setup, they also match the %LOCALAPPDATA%\*\*.exe rule (Temp is under AppData\Local, by default).

I had originally thought this was an issue with wildcards in partial folder names, but it appears this is specific to the use of the %TEMP% variable (hence the rewrite).

The two workarounds I have confirmed (and why I’d prefer not to use them) are:

  1. using %LOCALAPPDATA%\Temp in place of %TEMP%

    • Strictly speaking, this is not correct, as the %TEMP% variable can be set to differ from %LOCALAPPDATA%\Temp.
  2. using %HKEY_CURRENT_USER\Environment\TEMP%

    • Registry-based path rules seem to apply to all subfolders — I would prefer a slightly lighter touch (so I don’t have to go around whitelisting everything else)
    • Registry-based rules appear to be limited such that you cannot have anything more specific, e.g. %HKEY_CURRENT_USER\Environment\TEMP%\7z*\*.exe
      • I have since discovered %HKEY_CURRENT_USER\Environment\TEMP%7z* will get close (the \ between the variable and the subfolder should not be specified, and you can’t specify a filename mask afterwards)
    • It is also technically incorrect, as this registry location only contains the value as it should be at the start of a process, and not what it might be changed to during the course of that process (e.g. it would not apply if you opened a Command Prompt, issued SET TEMP=C:\ and ran the program from the prompt).

(For what it is worth, I have tried configuring the SRP in both the Computer and User sections of the GPO, both independently and simultaneously, in case one overwrote the other, or %TEMP% was resolved differently at Computer and User level.)

What’s so special about the %TEMP% variable that it would not apply here, whereas something like %LOCALAPPDATA%\Temp\wz*\*.exe would?


Update:

It appears that the limitation is specifically with the %TEMP% environment variable. I have edited the question, as such.
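As an added diagnostic (not part of the original question or of any Microsoft tooling), the PowerShell script below reads the SRP path rules that the policy has actually written to the registry, expands each rule's environment variables in the context the script runs in, and reports which rule a given sample file path would match. It assumes the SRP registry layout (HKLM and HKCU `...\Safer\CodeIdentifiers\<level>\Paths\<guid>`, with the rule text in the REG_EXPAND_SZ value `ItemData`); the candidate paths are constructed samples modelled on the question, and the wildcard matcher is a simplified approximation of SRP's own `*`/`?` evaluation, not the engine itself.

```powershell
# Added diagnostic, not part of the original question: enumerate the SRP path
# rules as they sit in the registry, expand their environment variables in the
# context this script runs in, and test constructed sample paths against them.
# Assumptions: SRP stores path rules under the CodeIdentifiers keys below, with
# the rule text in the REG_EXPAND_SZ value "ItemData"; the candidate paths are
# constructed samples; the matcher approximates SRP's * and ? wildcard handling.

$srpRoots = [ordered]@{
    'Computer' = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
    'User'     = 'HKCU:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
}
# Security-level subkeys found under CodeIdentifiers
$levelNames = @{ '0' = 'Disallowed'; '131072' = 'Basic User'; '262144' = 'Unrestricted' }

function Get-SrpPathRule {
    foreach ($scope in $srpRoots.Keys) {
        $root = $srpRoots[$scope]
        if (-not (Test-Path $root)) { continue }
        foreach ($level in Get-ChildItem -Path $root) {
            $pathsKey = "Registry::$($level.Name)\Paths"
            if (-not (Test-Path $pathsKey)) { continue }
            foreach ($rule in Get-ChildItem -Path $pathsKey) {
                # Read the raw value so %TEMP% etc. stay visible, then expand it ourselves
                $raw = $rule.GetValue('ItemData', $null,
                        [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames)
                if (-not $raw) { continue }
                [pscustomobject]@{
                    Scope    = $scope
                    Level    = $levelNames[$level.PSChildName]
                    Rule     = $raw
                    Expanded = [Environment]::ExpandEnvironmentVariables($raw)
                }
            }
        }
    }
}

function Test-SrpPathMatch {
    param([string]$ExpandedRule, [string]$Candidate)
    if ($ExpandedRule -notmatch '[*?]') {
        # A plain folder rule covers the folder itself and everything beneath it
        $folder = $ExpandedRule.TrimEnd('\')
        return ($Candidate -eq $folder) -or
               $Candidate.StartsWith("$folder\", [StringComparison]::OrdinalIgnoreCase)
    }
    # Translate SRP's * and ? into an anchored regex (-match is case-insensitive)
    $regex = '^' + ([regex]::Escape($ExpandedRule) -replace '\\\*', '.*' -replace '\\\?', '.') + '$'
    return [bool]($Candidate -match $regex)
}

# Constructed sample paths modelled on the question's examples
$samples = @(
    "$env:TEMP\7zSF20.tmp\the_file.exe",
    "$env:TEMP\direct.exe",
    "$env:LOCALAPPDATA\Temp\wzabcd\the_file.exe"
)

"TEMP resolves here to:         $env:TEMP"
"LOCALAPPDATA resolves here to: $env:LOCALAPPDATA"

$rules = @(Get-SrpPathRule)
if ($rules.Count -eq 0) { "No SRP path rules found in HKLM or HKCU."; return }

foreach ($sample in $samples) {
    "`nCandidate: $sample"
    foreach ($r in $rules) {
        if (Test-SrpPathMatch -ExpandedRule $r.Expanded -Candidate $sample) {
            "  matched by [{0}/{1}] {2}  ->  {3}" -f $r.Scope, $r.Level, $r.Rule, $r.Expanded
        }
    }
}
```

Run it in the user session where the %TEMP% rules misbehave. The two "resolves here to" lines show what the variables expand to in that session, and the Expanded column shows what each rule becomes after expansion in the same context; a %TEMP% rule that is present in the registry but whose expansion does not match the sample paths narrows the problem to how the variable is resolved, rather than to the rule syntax.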

Related:

Our server hosting provider asked for our root password

I work at a company that develops and hosts a small business critical system. We have an “Elastic cloud server” from a professional hosting provider.

I recently got an email from them saying that they’ve had some problems with their backup solution and that they needed to install a new kernel. And they wanted us to send them the root password so they could do this work. I know that the email came from them. It’s not support@hotmail.com or anything like that.

I called them and asked them about this, and they were like “yep, we need the password to do this”.

It just seems odd to send the root password over email like this. Do I have any reason to be concerned?

Related:

Application Centric Infrastructure

Cisco ACI helps customers manage and excel in complex environments by increasing operational efficiencies, delivering network automation, and improving security for any combination of on-premises data centers, private, and public clouds. With ACI, customers can increase business agility through network optimization, business protection, and cloud enablement.

Related:

Installing old version of mysql

I’m trying to troubleshoot a database import problem and want to duplicate the environment onto another server. This will require installing an older version of mysql, but the packages that are listed are only showing a recent version. I’m currently running debian wheezy 7.1 and what was installed was the packaged 5.5.31. What is the official way to install an older copy? I guess I could hunt around Google and hope to find some files of the same version to install from source, but this doesn’t seem like a reliable method.

Related:

How to make Tun module running at linux start

I installed Tun using:

modprobe tun

then did:

lsmod | grep tun
tun                    83840  0

Please, how do I make Tun run at reboot?

This is written on Hamachi website:

...Then add tun to the list of modules by using your favorite text editor and Create /etc/modules-load.d/tun.conf

#Load tun module at boot.
tun

But this folder does not exist in my /etc

Is it wise to add line “modprobe tun” into /etc/rc.local ?

Related:

DNS Server, DHCP Client and Server works fine, but request time out occurs when using MikroTik as an access point for a modem

I use 2 MikroTik wireless routers; the first one is connected to the modem and works perfectly (SSID: server-one (hidden)).

Second router ID:

ether1: 192.168.1.1

wlan1: dhcp-client

wlan2: 192.168.2.1

SSID: skywifi

Then, I tried to configure the second router. I set wlan1 to connect to server-one, as a station and DHCP client, and it received 192.168.50.124 as its IP and 192.168.50.254 as its gateway.

I set wlan2 as an ap-bridge and set it as a DHCP server. Then I created a static route to 0.0.0.0/0 through 192.168.50.254.

The connection is OK, and DNS from a device connected to skywifi works perfectly: I can nslookup google.com. The problem is that when I try to ping google.com, it always gives a request timed out reply. (Note that I also tried to ping other hosts (Wikipedia, Yahoo, etc.); the result is also request time out.)

Any idea why this happens?
Thanks,

Related:

Response time measurements for IIS web application

I have a dot net web application, and would like to measure response time.
I currently have two measures. The “inner” measure is made within the web app itself. The “outer” measure is the roundtrip time from the client (including network lag, etc).

Obviously the inner response time is always less than the outer response time, sometimes quite significantly.

What I want is another (possibly more than 1) measure that’s between these two measurements.
How would I take such measurements? For example, a measure that ignores network transmission time, but starts as soon as the request hits the server machine / IIS / my application pool / etc.

Unfortunately I don’t have enough IIS knowledge to even make this question clear, let alone answer it myself.


Edit: Some further information

The web application is a c# calculation engine. There’s no database access, there are no users. The application exposes a WCF endpoint. Response time is fairly consistent at around 200ms, but sometimes spikes, and it is these spikes I’m concerned about. One source of spikes is the application pool recycle (every 29 hours), but we can schedule that.

I’m measuring performance from a client on the server itself to bypass the network. This eliminates many of the spikes, but not all. I’m running the load at 30% CPU usage by the server. The client cpu usage is negligible.

Related:

Blocking STP Traffic

I am using Xen virtualization with a bridged-mode network. I noticed that there is a lot of spanning tree (as I understand it) traffic coming from the network, such as:

STP 802.1d, Config, Flags [none], bridge-id ......
STP 802.1s, Rapid STP, CIST Flags [Proposal, Learn, Forward, Agreement]

I do not want the VPS to receive these messages – is it possible to filter them? I guess I need to do something like:

ebtables -A INPUT -d BGA  -j DROP

But that did not help. What am I doing wrong?