Software Restriction Policies: Difference between revisions
Latest revision as of 10:28, 28 February 2017
Additional ALLOW Rules
Known exceptions
Path Rules
- C:\Program Files - all installed applications
- C:\Program Files (x86) - all installed applications
- %localappdata%\Microsoft\VisualStudio\14.0\Designer\ShadowCache\ - Visual Studio shadow cache (designer)
Certificate Rules
- Microsoft Corporation - OneDrive executes from %localappdata%\Microsoft\OneDrive
- Cisco - WebEx executes from %temp%
- TeamViewer - TeamViewer executes from %temp%
Additional DENY Rules
Path Rules
- C:\Program Files (x86)\Belgium Identity Card\log\
- C:\Program Files (x86)\Steam\
- C:\Program Files\Log\
- C:\Program Files\Microsoft SQL Server\130\Shared\ErrorDumps\
- C:\Windows\debug\WIA\
- C:\Windows\servicing\Packages\
- C:\Windows\servicing\Sessions\
- C:\Windows\System32\Microsoft\Crypto\RSA\MachineKeys\
- C:\Windows\System32\spool\drivers\color\
- C:\Windows\System32\Tasks\
- C:\Windows\System32\Tasks_Migrated\
- C:\Windows\SysWOW64\Tasks\
- C:\Windows\Tasks\
- C:\Windows\Temp\
Run the AppLocker bypass checker (https://mssec.wordpress.com/2015/10/22/applocker-bypass-checker/) in your own environment!
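One way to look for further directories of the kind listed in the DENY path rules above, as an added example that is not part of the original wiki page or of the linked checker: it walks the allowed roots and prints directories whose ACL grants write access to a low-privileged group and that no DENY rule covers. The function names are hypothetical, C:\Windows is assumed to be allowed by the default SRP rules, and the ACL check is a heuristic (it ignores Deny ACEs and group nesting).

```powershell
# Added example (not from the wiki page): find directories under allowed roots
# that low-privileged users can write to and that no DENY path rule covers.
$allowRoots = 'C:\Program Files', 'C:\Program Files (x86)',
              'C:\Windows'   # assumption: allowed by the default SRP rules
$denyRules = @(              # DENY path rules copied from this page
    'C:\Program Files (x86)\Belgium Identity Card\log\', 'C:\Program Files (x86)\Steam\'
    'C:\Program Files\Log\', 'C:\Program Files\Microsoft SQL Server\130\Shared\ErrorDumps\'
    'C:\Windows\debug\WIA\', 'C:\Windows\servicing\Packages\'
    'C:\Windows\servicing\Sessions\', 'C:\Windows\System32\Microsoft\Crypto\RSA\MachineKeys\'
    'C:\Windows\System32\spool\drivers\color\', 'C:\Windows\System32\Tasks\'
    'C:\Windows\System32\Tasks_Migrated\', 'C:\Windows\SysWOW64\Tasks\'
    'C:\Windows\Tasks\', 'C:\Windows\Temp\'
)
# Well-known SIDs: Everyone, Authenticated Users, BUILTIN\Users, INTERACTIVE
$lowPrivSids = 'S-1-1-0', 'S-1-5-11', 'S-1-5-32-545', 'S-1-5-4'
# WriteData/CreateFiles, AppendData/CreateDirectories, GENERIC_ALL, GENERIC_WRITE
$writeMask = 0x2 -bor 0x4 -bor 0x10000000 -bor 0x40000000
$sidType = [System.Security.Principal.SecurityIdentifier]
$inheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly

function Test-LowPrivWritable([string]$Path) {
    try { $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop } catch { return $false }
    foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
        if ($ace.PropagationFlags -band $inheritOnly) { continue }  # applies to children only
        if ($ace.AccessControlType -eq 'Allow' -and
            $lowPrivSids -contains $ace.IdentityReference.Value -and
            ([int]$ace.FileSystemRights -band $writeMask)) { return $true }
    }
    return $false
}

function Test-DenyCovered([string]$Path) {
    $p = $Path.TrimEnd('\') + '\'
    foreach ($rule in $denyRules) {
        if ($p.StartsWith($rule, [System.StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

foreach ($root in $allowRoots) {
    Get-ChildItem -LiteralPath $root -Directory -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { (Test-LowPrivWritable $_.FullName) -and -not (Test-DenyCovered $_.FullName) } |
        Select-Object -ExpandProperty FullName
}
```

Each path it prints is a candidate for an additional DENY path rule; run it as a standard user so directories that account cannot read are skipped rather than reported.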
Designated File Types
- hta
- jar
- js
- jse
- ps1
- wsf
- vba
- vbs
- wsh
- sct
- ...
SRP, AppLocker