Windows OS Hub
  • Windows Server
    • Windows Server 2022
    • Windows Server 2019
    • Windows Server 2016
    • Windows Server 2012 R2
    • Windows Server 2012
    • Windows Server 2008 R2
    • SCCM
  • Active Directory
    • Active Directory Domain Services (AD DS)
    • Group Policies
  • Windows Clients
    • Windows 11
    • Windows 10
    • Windows 8
    • Windows 7
    • Windows XP
    • MS Office
    • Outlook
  • Virtualization
    • VMWare
    • Hyper-V
    • KVM
  • PowerShell
  • Exchange
  • Cloud
    • Azure
    • Microsoft 365
    • Office 365
  • Linux
    • CentOS
    • RHEL
    • Ubuntu
  • Home
  • About

Windows OS Hub

  • Windows Server
    • Windows Server 2022
    • Windows Server 2019
    • Windows Server 2016
    • Windows Server 2012 R2
    • Windows Server 2012
    • Windows Server 2008 R2
    • SCCM
  • Active Directory
    • Active Directory Domain Services (AD DS)
    • Group Policies
  • Windows Clients
    • Windows 11
    • Windows 10
    • Windows 8
    • Windows 7
    • Windows XP
    • MS Office
    • Outlook
  • Virtualization
    • VMWare
    • Hyper-V
    • KVM
  • PowerShell
  • Exchange
  • Cloud
    • Azure
    • Microsoft 365
    • Office 365
  • Linux
    • CentOS
    • RHEL
    • Ubuntu

 Windows OS Hub / Group Policies / How to Block Viruses and Ransomware Using Software Restriction Policies

January 12, 2017 Group Policies

How to Block Viruses and Ransomware Using Software Restriction Policies

We go on with the series of articles on counterstrategies to the viruses and encryption malware (Ransomware, CryptoLocker , etc.) in the corporate environment. Earlier we considered how to configure Windows file server protection using FSRM and restoring encrypted files from VSS snapshots after infection. Today we’ll talk about how to block  ransomware executables (including common viruses and trojans) from running  on user PCs.

Besides antivirus software, another barrier to prevent malware from running on user computers . In Windows environment can be Software Restriction Policies (SRP)  or  AppLocker. We’ll consider the example of using Software Restriction Policies to block viruses and malware.

Software Restriction Policies (SRP) provides the ability to allow or prohibit the launch of executable files using a local or domain Group Policy. The methods of protection against viruses or ransomware using SRP suggests to prohibit running files from specific directories in the user environment, to which malware files or archives usually get. In most cases, files containing a virus are obtained from the Internet or e-mail and saved  to %APPDATA% directory in the user profile (%Temp% and Temporary Internet Files folders are also located here). Temporary copies of unpacked archives are also stored in this directory, when a user without much thought unpacks an archive received by e-mail or downloaded from the Internet.

When you configure SRP two strategies can be used

  • Allow running executables only from certain folders (as a rule, these are %Windir% and Program Files / Program Files x86) — this is the most reliable method, but it requires a long debug time to detect the software that doesn’t work in this configuration
  • Prevent executables in user directories from running — basically, these directories shouldn’t have any executables. However, these are the folders where virus files usually locate on a computer. Moreover, a user without the administrator privileges simply have no rights to write to system directories other than its own. So, a virus won’t be able to place  its body anywhere other than the directory in the user profile

We’ll consider creating SRP using the second strategy as quite reliable and less time-consuming while implementing it. So let’s create a policy that blocks running files from specific locations. On a local computer, you can do it using gpedit.msc console, and if the policy will be used in a domain, create a new policy in Group Policy Management  (gpmc.msc) and link  it to the OU containing user computers.

Note. We strongly recommend to test SRP policies in a group of test computers prior to implementing them. If some legitimate programs don’t start due to SRP you will have to add some permissive rules.

In the GPO Editor, go to Computer Configuration -> Windows Settings -> Security Settings. Right-click Software Restriction Policies and select New Software Restriction Policies.

GPO - New Software Restriction Policy

Select Additional Rules and create a new rule using New Path Rule.

Create a rule that prevents *.exe executables in %AppData% folder from running. Specify the following rule parameters:

  • Path: %AppData%\*.exe
  • Security Level: Disallowed
  • Description: Don’t allow executables to run from %AppData%

SRP policy for appdata folder

In the same way you have to create the deny rules for the paths listed in the table below. Since environment variables and paths in Windows 2003/XP and Windows Vistaor higher differ, the table provides values for the corresponding OS versions. If you still have Windows 2003/XP in your domain, you’d better create a separate policy for them and assign it to the OU containing these computers using GPO WMI filter by the type of the OS.

Description Windows XP and 2003 Windows Vista/7/8/10, Windows Server 2008/2012
Don’t allow executables to run from %LocalAppData% %UserProfile%Local Settings*.exe %LocalAppData%\*.exe
Don’t allow executables from %AppData% subfolders %AppData%\*\*.exe %AppData%\*\*.exe
Don’t allow executables to run from %LocalAppData% subfolders %UserProfile%\Local Settings\*\*.exe %LocalAppData%\*\*.exe
Block executables run from archive attachments opened with WinRAR %UserProfile%\Local Settings\Temp\Rar*\*.exe %LocalAppData%\Temp\Rar*\*.exe
Block executables run from archive attachments opened with 7zip %UserProfile%\Local Settings\Temp\7z*\*.exe %LocalAppData%\Temp\7z*\*.exe
Block executables run from archive attachments opened with WinZip %UserProfile%\Local Settings\Temp\wz*\*.exe %LocalAppData%\Temp\wz*\*.exe
Block executables run from archive attachments opened using Windows built-in Zip support %UserProfile%\Local Settings\Temp\*.zip\*.exe %LocalAppData%\Temp\*.zip\*.exe
Don’t allow executables to run from %temp% %Temp%\*.exe %Temp%\*.exe
Don’t allow executables to run from %temp% subfolders %Temp%\*\*.exe %Temp%\*\*.exe
Optional. Don’t allow executables to run from any directories in the user profile.
Important. Be careful with this rule since some software, like browser plugins, installers, store their executables in the user profile. Create SRP exception rules for these applications
%UserProfile%\*\*.exe UserProfile%\*\*.exe

You can also add your own directories. In our case, we have got the following list of preventive SRP rules.

list of srp rules

As a rule, you should prevent other potentially dangerous files (*.bat,*.vbs, *.js, *.wsh, etc.) from running, since not only *.exe files can contain malicious code. To do it, change the paths in the SRP rules by deleting *.exe occurrences. Thus, you’ll prevent all executables and scenario files in these directories from running. The list of “dangerous” file extensions is specified in the SRP policy parameters in Designated File Types section. As you can see, there is a preset list of executable and script extensions. You can add or delete specific extensions.

You only have to make sure if the Software Restriction Policies work on a client computer. To do it, update the policies using gpupdate /force command and try to run an *.exe  executable from any of the specified folders. The following error message should appear:

Your system administrator has blocked this program. For more info, contact your system administrator.

Your system administrator has blocked this program. For more info, contact your system administrator.

The attempts of running executables from the protected folders blocked by SRP policies can be tracked using Windows Event Log. The events can be found in the Application section with Event ID 866 and SoftwareRestrictionPolicies as the source, the text is similar to the following:

Access to C:\Users\root\AppData\Local\Temp\71EBBB1F-3073-436E-A3DB-D577172DA029\dismhost.exe has been restricted by your Administrator by location with policy rule {31f4bdb9-d39b-4bf3-d628-1b83892c6bd2} placed on path C:\Users\admin\AppData\Local\Temp\*\*.exe.

EventID 866 SoftwareRestrictionPolicies

Tip. If the policy prevents a trusted application from running, you can add this file to the policy exceptions (and create a new rule specifying this *.exe file with the value Unrestricted).

So we have shown a general example of software restriction policy technique (SRP or Applocker) to block viruses, encryption malware or trojans on user computers. The described technique allows to significantly increase the level of system protection from running malicious code by common users.

3 comments
0
Facebook Twitter Google + Pinterest
previous post
GPO Logging Using Gpsvc.log in Windows 7
next post
Activating Windows Server 2016 with KMS Server

Related Reading

Configure User’s Folder Redirection with Group Policy

February 3, 2023

Enable Internet Explorer (IE) Compatibility Mode in Microsoft...

January 27, 2023

How to Disable or Uninstall Internet Explorer (IE)...

January 26, 2023

How to Delete Old User Profiles in Windows?

January 25, 2023

Allow or Prevent Non-Admin Users from Reboot/Shutdown Windows

January 17, 2023

3 comments

Vicent Vega January 12, 2017 - 3:37 pm

Great post!! Thank you!!

Here is another SRP GPO example to prevent ransomware:

http://www.sysadmit.com/2015/04/windows-gpo-para-prevenir-cryptolocker.html

Reply
Varadharajan K March 28, 2020 - 11:27 am

So much thnaks for SRP rules, I have already created many rules , but i not added rule for this
%LocalAppData%\*\*.exe

Today i created, after reading your post. Respective corresponding registry keys are located
number 262144 might change for different computers

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths]

Reply
Jeremy Tyson May 17, 2021 - 5:02 pm

As always, great information. Thank you!

Reply

Leave a Comment Cancel Reply

Categories

  • Active Directory
  • Group Policies
  • Exchange Server
  • Microsoft 365
  • Azure
  • Windows 11
  • Windows 10
  • Windows Server 2022
  • Windows Server 2019
  • Windows Server 2016
  • PowerShell
  • VMWare
  • Hyper-V
  • Linux
  • MS Office

Recent Posts

  • Configure User’s Folder Redirection with Group Policy

    February 3, 2023
  • Using Previous Command History in PowerShell Console

    January 31, 2023
  • How to Install the PowerShell Active Directory Module and Manage AD?

    January 31, 2023
  • Finding Duplicate E-mail (SMTP) Addresses in Exchange

    January 27, 2023
  • How to Delete Old User Profiles in Windows?

    January 25, 2023
  • How to Install Free VMware Hypervisor (ESXi)?

    January 24, 2023
  • How to Enable TLS 1.2 on Windows?

    January 18, 2023
  • Allow or Prevent Non-Admin Users from Reboot/Shutdown Windows

    January 17, 2023
  • Fix: Can’t Extend Volume in Windows

    January 12, 2023
  • Wi-Fi (Internet) Disconnects After Sleep or Hibernation on Windows 10/11

    January 11, 2023

Follow us

woshub.com
  • Facebook
  • Twitter
  • RSS
Popular Posts
  • Backup/Restore and Export Local Group Policy Settings to Another Computer
  • How to Configure a Slideshow Screensaver Using GPO
  • Using WMI Filter to Apply Group Policy to IP Subnet
  • Troubleshoot Slow GPO Processing and Login Speed Impact
  • Securing Administrative (Priveleged) Accounts in Active Directory
  • Recovering Encrypted Files from VSS Snapshot after Ransomware Infection
  • Defending Windows Domain Against Mimikatz Attacks
Footer Logo

@2014 - 2023 - Windows OS Hub. All about operating systems for sysadmins


Back To Top