Software Restriction Policies – Windows GPOL

I hope you are enjoying your day.  Perhaps you found yourself in a pickle with malware and need to finally implement a software restriction policy on your Windows Domain.  Considering the items in question, I am presuming and hoping you have a Group Policy on your side to help manage these machines and users.  Software Restriction Policies (SRP) are here to help you out.

Great!  Since you are looking to add a restrictive group policy, I would suggest making a test OU (Organizational Unit – I will only define acronyms once) and creating a GPO (Group Policy Object).  With your Test OU and user account, I would suggest a VM (Virtual Machine) with that user account having minimal level domain access (Group: Domain Users).  Making our new policy, you want to focus on the following tree of your new policy.

Computer Configuration | Windows Settings | Security Settings | Software Restrictions

Brief pause here.  Respect to SwiftOnSecurity for bringing this conversation up recently on Twitter.  My guide is based on Branko Vucinec’s SRP Guide.  There is also a guide I will link below, for when you realize your policy also prevented Admins from installing programs.  There is a fix for that too. ;)

Let’s talk about Environmental Variable Paths (EVP).  These are commonly used by installers and scripters for installing both legitimate and exploit code & applications.  The ones I am focusing on are:

>@echo %appData%

>@echo %localAppData%

>@echo %temp%

>@echo %tmp%

Echo shows us we have the right file paths and how they output per the active user account.  As noted, we are looking to restrict items in these folders from executing.  Along with that, we have some extensions to focus on restricting.  The linked guide covers extensions as well, and I also add:

  • Archives (7z, zip, rar)
  • EXE
  • JAR
  • MSI
  • VBS
  • COM
  • BAT
  • PS1

Wild list, with some oldies on there.  Let’s just say, you can do lots of automation with .bat files.  Everything else listed has more capabilities than that, but if you can call something else from a batch, there are options from there.  This is not meant as an exhaustive stop-all-exploit execution solution!  Honestly nothing really is (and if someone says so, they are lying).  This is about presenting extra layers to prevent exploits from ‘getting the keys to your castle’ in respect to infrastructure.
This is getting wordy on the backdrop narrative… Let’s get going here.  Time to make the policy.
Making our new GPO, jump into the tree and Right-click on SRP then click New Software Restriction Policy.
Under Additional Rules, add our Disallowed exceptions.  These are the EVP list of folders I noted above.  An example being “%temp%\*.exe”.
We add these by making a New Path Rule.
I could lie to you here, but you have quite a few to add.  Branko’s Guide covers the syntax while my extension list adds other possibilities.  Make the call what is most probable on your network and what you may have seen in attack patterns.  Besides, you are one of the people who has to test this, and ideally one of the 1st to do so… so you can eliminate the immediate conflicts with business operations, before anyone else can try to prevent the implementation from happening.
Good Job.  Now that you finished your new GPO, add your test machine into the linked OU with that policy and have your test account log in on said VM or test desktop.  Try to do some standard fare user operations and software patching.  Install Firefox, update Flash, whatever you or anyone else might do on a frequent basis.  If you managed to remove Flash from your network, give yourself a high-five.
Ok now try to install some software as an Administrator.  In this case, Firefox will fail because it extracts the installer to %localAppData%.  Turns out your policy also applies to Local and Domain Administrators logged into that machine.  Good thing we are testing before launching live, huh?
To resolve this, we are jumping back into that policy you just made.  We need to add an Enforcement exception for Administrators.  The Policy path for that is:

Computer Configuration | Windows Settings | Security Settings | Enforcement

On the Enforcement settings, you will see Apply software restriction policies to the following users: Go ahead and in this middle section, set the radio button to All users except local administrators (see the MS KB on Enforcement).
Hit OK, Close your policy, jump back onto your VM and run another ‘gpupdate’ command to get the latest policy on that machine.
Diagnostic Note: If you have questions if the policy is actually applying, run RSOP.msc and see the Resultant Set of Policy.  These details will show you what options are set by all GPOs and what one is defining the settings.
Try running that installer again, but this time right-click it and do a Run as Administrator.  It will prompt if you are not logged in with an admin-level account, else it will just run.  Your installer should now properly execute.  In addition and most of all, rogue applications matching your filter rule list should not be able to run.  The protections are only as good as your rules, so keep an eye out for what applicable stops you can build to protect your network from processes gone awry.
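
A quick way to check the result on the test VM, as an added example that is not part of the original post or of Branko's guide: it builds the folder × extension list from this post and compares it with the Disallowed path rules the machine actually received after gpupdate. The `<folder>\*.<ext>` rule format and the registry location used for computer-side SRP rules are assumptions to confirm against your own policy.

```powershell
# Added example, not from the original post. Run on the test VM after gpupdate.
# Folders and extensions are the ones listed in this post.
$folders    = '%appData%', '%localAppData%', '%temp%', '%tmp%'
$extensions = '7z', 'zip', 'rar', 'exe', 'jar', 'msi', 'vbs', 'com', 'bat', 'ps1'

function Get-ExpectedSrpRule {
    # Every folder x extension combination, written as <folder>\*.<ext>
    # (assumed rule syntax; change the format string to match your own rules).
    param([string[]]$Folder, [string[]]$Extension)
    foreach ($f in $Folder) {
        foreach ($e in $Extension) { '{0}\*.{1}' -f $f, $e }
    }
}

function Get-AppliedSrpPathRule {
    # Computer-side SRP path rules land under this policy key; the "0" subkey
    # is the Disallowed security level.
    param(
        [string]$Root = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths'
    )
    if (-not (Test-Path -Path $Root)) { return }
    $raw = [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames
    foreach ($key in Get-ChildItem -Path $Root) {
        # Read ItemData unexpanded so %temp% is compared as typed in the rule.
        $key.GetValue('ItemData', $null, $raw)
    }
}

$expected = @(Get-ExpectedSrpRule -Folder $folders -Extension $extensions)
$applied  = @(Get-AppliedSrpPathRule)

# -contains / -notcontains compare strings case-insensitively.
$missing = @($expected | Where-Object { $applied -notcontains $_ })
$extra   = @($applied  | Where-Object { $_ -and $expected -notcontains $_ })

'{0} of {1} expected Disallowed path rules are applied.' -f ($expected.Count - $missing.Count), $expected.Count
if ($missing) { 'Missing:'; $missing | Sort-Object | ForEach-Object { "  $_" } }
if ($extra)   { 'Applied but not in the expected list:'; $extra | Sort-Object | ForEach-Object { "  $_" } }
```

A count of 0 applied rules usually means the GPO is not reaching the machine at all, which is the case RSOP.msc helps to diagnose.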

Ansible and Vagrant. DevOps acronym decoded

Let me start by saying I’ve lived the System Admin life for quite some time. The decoding title is in reference to:
Installing, deploying, configuring, and monitoring servers in a rapid deployment manner.
Most important of all, in a non-static and non-fragile manner. TL;DR security – Running services across multiple servers, that can be shut down in the event of intrusion or broken configuration and replaced with a new image with all the required configuration, out the gate on your redeployment.
You will be communicating and deploying over SSH sessions, so encrypted communications are how you ‘make the magic happen’.

Here are some notes I took from a great presentation by Chris Rossi of AppliedTrust, that also got me running my own deployments. I am also working from the following book: Ansible for DevOps by Jeff Geerling.

As this is a technical and video game heavy site, I’m sure many visitors and members know the struggle of single-thread processes not scaling your gaming hardware. By deploying your server topology with Ansible (Python based) and Vagrant (Ruby syntax) scripting, you get a performance scalable topology, where services can be allocated per Virtual Machine; while also being able to be replaced by a fresh spun VM, in the event of misconfiguration change or security exploit. You also get some botnet-like controls to distribute commands across all or selected servers in your Vagrant configuration.

Personally, I have been learning Python to make tools to assist me in log crawling functions, configuration and other data driven projects. I legit feel like Ansible and Vagrant usage has progressed me beyond making bash scripts, as the state control / config deployment and validation is light-years beyond cobbling my own scripts from scratch. I have been exploring this for less than a week, so please excuse the details thus far. However I will say this knowledge is really addictive, since I am seeing my personal projects materialized in a deliverable, community cooperative platform of Ansible using Vagrant.

Borrowing from Chris’s presentation, patch deployment and distributing content is the final leg / deliverable of the DevOps process. Considering I am used to living a Windows SysAdmin life with the use of windows cmd and Linux scripting, this point resonates as solid truth in the compliance being the hardest deliverable, while being consistent. Did I mention scaling your network and server topology? Because that is what you are up to with deploying dynamic servers in a VM environment. Get the most performance per service to VM, with added benefit of essentially real-time monitoring. In the event of a fault, you can also handle the decommission and re-launching of a new, compliant VM in the event of mis-config change / exploit.

Weather talk

The weather is fairly cold locally for the season, but an extra layer is not a bother. So more apt a conversation is security. Without a ton of hyperbole and a flood of links, usage and personal information is why you are seeing most everyone using ‘free services’.  Social relationships are spiking because the technology boom is completely breaking social comprehension of the world they live in.

Why is something being stored relating to what can be found?  The sickness of it is how much marketing is everyday.  If you do not seek out various opinions about, really any matter you seriously have concern about… is frankly, ignorant.  Researching can be exhausting, but if you rely on bias you are facilitating that.  Secure things and work with people.  Share your reason for disagreeing.  Stop imprisoning some of the smartest people for being observant.  Allowing an individual to make a non-baited opinion about what is ‘allowed’.  Maybe stop fighting, especially over text words.

Thank you for reading.  Keep thinking about your well being to help others instead of flip a power leverage trope.

Windows Group Policy & IE settings

I wanted to share some experiences I have been having on an existing AD topology I manage. Backstory: This site has been run by various contractors over a decade or so. Having been a contractor myself in the past, I got pretty familiar with poorly configured server deployments and gaining the task of cleaning them up.

Great. Back to the point, multiple group policies can get messy, but the slop comes into play when you are trying to set Internet Explorer settings to domain machines. IE 11 changes quite a bit of these options around and I actually had policies fail to apply, with IE 11 installed due to all the subsettings for the browser. This is the part where you review what settings were being modified and determine what ones are actually relevant. IMO, some of the settings are defined for the sake of generating more service calls, rather than actually implementing helpful security.

So about the faults. In this case, I had a few servers that did not report to the local WSUS patch server. Turns out bad policies were the cause of this. I removed the multi-policies that were not applying valid settings, and shortly after said servers started reporting to my WSUS list. Message here being, revisit your group policies, export them to XML and review them. If you have a bunch applying different settings, consider merging them. Policies can also be exported, so doing that before making changes, will give you a control of what the config was, before you made any changes.

Back to cleaning malware off a machine one of the helpdesk people ignored the other day. Living the dream. Lol not so much there.

Edit: Oh yes, let me add some helpful commands for tinkering with your group policy. It should be obvious, but keep notes of what you change, especially if changing the active policies. You do not want to break the parts that are working / critical to operations.

rsop.msc = Resultant Set of Policy.  This will show you what policies are applied and what the settings are.  Also errors will display here if the policy fails.
gpupdate = Group Policy update tool.  Run 'gpupdate /force' to apply all settings @ execution time.

Log into your WSUS server and confirm the machine in question is reporting to the patch server. You can run the following command to have it query the WSUS server for patches.

wuauclt /detectnow

This should shortly display a tooltip bubble with pending updates. Assuming you approved them on the WSUS server, the client machines should see them and you can install them. Pick your install method via Group Policy to determine if you want them to auto install or prompt the user to install them. Review your reports in WSUS to see how many are being installed and if any are having errors installing.
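
The export-and-review step suggested in this post, as an added example that is not part of the original post: it takes a restorable backup of every GPO before anything is changed, writes one XML report per GPO, and lists the settings areas that more than one GPO configures, which are the merge candidates. It assumes the GroupPolicy module (GPMC / RSAT) is installed; the output folder `C:\GPO-Review` is a hypothetical path.

```powershell
# Added example, not from the original post. Needs the GroupPolicy module.
Import-Module GroupPolicy

$stamp     = Get-Date -Format 'yyyyMMdd-HHmmss'
$outDir    = Join-Path 'C:\GPO-Review' $stamp        # hypothetical output folder
$backupDir = Join-Path $outDir 'Backup'
New-Item -ItemType Directory -Path $backupDir -Force | Out-Null

# 1. Restorable backup of every GPO: the "control" copy of the current config.
Backup-GPO -All -Path $backupDir | Out-Null

# 2. One XML report per GPO, plus a row for each settings area it configures.
$rows = foreach ($gpo in Get-GPO -All) {
    $xmlText = Get-GPOReport -Guid $gpo.Id -ReportType Xml
    # File name uses the GPO GUID because display names may hold illegal characters.
    Set-Content -Path (Join-Path $outDir "$($gpo.Id).xml") -Value $xmlText -Encoding UTF8

    $report = [xml]$xmlText
    $links  = @($report.GPO.LinksTo.SOMPath) -join '; '
    foreach ($side in 'Computer', 'User') {
        foreach ($ext in @($report.GPO.$side.ExtensionData)) {
            if ($ext) {
                [pscustomobject]@{
                    Area   = '{0} / {1}' -f $side, $ext.Name
                    Gpo    = $gpo.DisplayName
                    Status = $gpo.GpoStatus
                    Links  = $links
                }
            }
        }
    }
}

# 3. Settings areas configured by more than one GPO are the ones to review first.
$rows | Group-Object -Property Area | Where-Object Count -gt 1 | ForEach-Object {
    '{0} is set by {1} GPOs:' -f $_.Name, $_.Count
    $_.Group | ForEach-Object { '  {0}  [{1}]  linked to: {2}' -f $_.Gpo, $_.Status, $_.Links }
}
```

An empty "linked to" value marks a GPO that is not linked anywhere, and the saved XML files can be diffed against a later export to see what a change actually touched.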

Tor browsing via Raspberry Pi

I recently explored setting up an OnionPi to be a dedicated device for browsing .onion sites and obfuscating the source IP address. Just to say it, you don’t have to be doing ‘criminal’ stuff to be using tor. I just wanted to get that out there and encourage more people to explore the ‘darknet’ / ‘deepweb’ / etc. I followed an Adafruit guide on setting up my OnionPi. I will describe more about the device, how it functions and some extra feedback, relating to the guide on installation.

Presuming you have a Raspberry Pi and supported Wireless adapter, you will be plugging in a wired internet cable to your Pi, that will share the onion-routed internet connection over wireless. Once you complete the configuration and install steps, your Pi will be ready to route your wireless traffic over TOR.
If you are more curious about tor and what it is about, checkout

The guide I worked from is this link on AdaFruit. The kicker here is that you really need your Wireless setup for the Tor install process to work and for the Tor service to work properly. So really, you want to start with installing WiFi and DHCP support.
Before you start, be sure to set a custom password for root and pi accounts on your Raspbian (or whatever you choose) OS.

I did not run the installation script, since I figured it would be easier to troubleshoot if I manually ran each step / configuration command. Besides I got to learn in the process of manually following along, so win bonus.

Once you setup your WiFi Access Point, go for the Tor install and configuration. Once done, fire up the service and check your internet-facing IP (WhatisMyIP or any similar site will do). You will also know you are on Tor, because CAPTCHA prompts will be more common in your browsing.
A fun little fact I noticed, is to browse .onion pages, you still want to have the Tor Browser installed. Any other browser will still benefit from an obfuscated IP Address, but you will get an error trying to browse to .onion sites.

One of the main benefits of setting up a hardware-based Tor device, is you can connect whatever wireless enabled device you wish to it. There have been many write-ups and conversations about the Tor Browser alone, being vulnerable to leaking data… especially if your connection is not fully-routed through an onion router. Not to say using an onion router is 100% untraceable, but every little bit helps.

Extra notes, that really apply to any web browsing, is to install ad-blocking plugins. Advertising has been a known attack vector for years now and it only becomes more common. Visitors to this site may be aware of my lack of love for online advertising. Different strokes for different folks and all of that.

To conclude this post, I also want to mention Tails. This is a USB based operating system that is very handy in browsing tor, especially on the go. If you want to use your own OS and applications on the tor network, that is where the extra work of setting up an OnionPi (Raspberry Pi Device with Tor installed) is helpful to you.

Encrypt stuff guide

This thread will be a collection of resources on how to use encryption, tool use suggestions and where possible, usage explanations.

I’m fine with reading technical documents, however I also value time and the ability to convey a point, without a huge time investment. The easier and more clearly encryption can be used, the better everyone will be.
Be it an individual or some sort of state agency / boogeyperson, more layers and protections are a good thing. Having protections does not make one a criminal, either.

CryptSetup LUKS guide. There are command syntax examples and console response dialogs.

Cryptsetup is nice, as it also handles mounting of drives and partitions. If you are unable to mount a drive, you will likely need to install cryptsetup. This should also work to mount any TAILS persistent volumes you have setup.
For more info on DM-Crypt (cryptsetup), the Arch wiki is a great resource.

Samples of flow (1st link)
01 step: install cryptsetup (dm-crypt)
02 step: confirm your drive target and valid partition (gparted or parted to get your /dev/(drive))
03 step: initialize your drive

# cryptsetup -y -v luksFormat /dev/xvdc

(This is setting up your passcode to access drive)
04 step:

# cryptsetup luksOpen /dev/xvdc backup2

(Mounts newly configured drive)
05 step: format the LUKS partition (needless to say, you really want to have the correct drive or you have lost data on the drive you are using)

# dd if=/dev/zero of=/dev/mapper/backup2

(This will take quite some time. Let the cursor do its work, check your hdd led to confirm activity)

Google Data Mining

I wanted to share the details listed in Google services with your history. will let you check through search history, advertising settings and so on.

To clear them, you want to click the vertical … bar and select Delete options. Pick advanced and All Time.
You will need to do this for each record set / option of google services. If you use chrome and log in, you will surely see some data there. Personally, I think Google is playing a little Cover-Your-Ass by disclosing these tools to general users. Along those lines, I find it hard to pretend other major data players, do not do the same thing with user data.

Here is a guide on the privacy settings. Remember your GPS history is there and that some content will persist, even after a clear all history. You ‘Pause’ the tracking services. Interesting wording there.

Fall 2015 security topics

October is a great month and one of my favorite seasons. As the consumer holiday shopping season comes up, the amount of disclosures seem to scale up as well. Granted the last year continues a steady stream of disclosures on bugs, exploits, and patches that may address them. Allow me to take a moment to point out that malware distribution through advertising networks, is not only a thing but has become pretty common. This has been one of those things I suspected, but have more recently seen to become a common attack vector.

Speaking of security, we certainly live in a world where more than windows platforms are targeted. Be it flash, java, or some other variant… issues arise. Social network sites like to do post-reactive security. However putting up a condition based lock for something originally designed to be accessible, tends to lead into the additive protection being side-stepped. For some odd reason, security in the design phase seems to remain under-looked or overlooked completely. Scale also is a factor, since getting the scope of all use is difficult to do, before implementation and feature requests come into play.

Rambling aside, let’s note the more common infection of Linux machines being herded into botnets. A nice technical read at the link.
Mobile phones are not immune either. Android has its abandoned versions (4.3 and lower) and Apple iOS has patches until a device is considered ‘end of life’. Keeping in mind the patches, only cover the disclosed and more publicly disclosed exploits. So yes, mobile phones are being used as attack vectors.

Cryptography wise, your key is great, but when the machine gets exploited, your credentials to that encrypted drive have (multiple) risks of being stolen. If a government can do it, you should bet individuals or 3rd party contracting groups have the same or potentially more means to do the same.

Finally, you can enjoy some art of the security nature.

Deny Windows 10 Rollout info

If you wish to not install Windows 10, and also prevent the sharing of installers off your connection, you will want to make sure not to install (or to remove) the KB3035583 update.

I am considering a Windows 10 test install, but not to wipe over my main windows install. However the use of my connection, a la Xbox Live methods, is not so much in my interests.

Here are some extra GWX details.

Without making this a huge rant of observations in Windows 10 thread, I will say that the privacy controls need to actually not phone back to microsoft servers, when you set the options that are supposed to disable that feature. Also automatic forced updating is not my cup of tea. I believe in testing.
Call me crazy.