Software Restriction Policies: Difference between revisions

From WikiWiki
(Created page with "=Additional Rules Known exceptions == Path Rules == * C:\Program Files * C:\Program Files (x86) == Certificate Rules == * Microsoft Corporation - OneDrive executes from %loc...")

No edit summary
 
(2 intermediate revisions by the same user not shown)
Line 1: Line 1:
=Additional Rules
=Additional ALLOW Rules=
Known exceptions
Known exceptions
== Path Rules ==
== Path Rules ==
* C:\Program Files
* C:\Program Files - all installed applications
* C:\Program Files (x86)
* C:\Program Files (x86) - all installed applications
* %localappdata%\Microsoft\VisualStudio\14.0\Designer\ShadowCache\ - Visual Studio shadow cache (designer)


== Certificate Rules ==
== Certificate Rules ==
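Review bot: The added allow path rule for %localappdata%\Microsoft\VisualStudio\14.0\Designer\ShadowCache\ points into the user profile, which the user can write to, so as a path rule it permits anything placed in that folder and not only the designer's own files. Consider limiting this rule to the machines that actually run Visual Studio, and note next to the entry that it is a user-writable exception so it is reviewed when Visual Studio 14.0 is retired.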
Line 10: Line 10:
* Cisco - WebExt executes from %temp%
* Cisco - WebExt executes from %temp%
* Teamviewer - Teamviewer executes from %temp%
* Teamviewer - Teamviewer executes from %temp%
=Additional DENY Rules=
==Path Rules==
* C:\Program Files (x86)\Belgium Identity Card\log\
* C:\Program Files (x86)\Steam\
* C:\Program Files\Log\
* C:\Program Files\Microsoft SQL Server\130\Shared\ErrorDumps\
* C:\Windows\debug\WIA\
* C:\Windows\servicing\Packages\
* C:\Windows\servicing\Sessions\
* C:\Windows\System32\Microsoft\Crypto\RSA\MachineKeys\
* C:\Windows\System32\spool\drivers\color\
* C:\Windows\System32\Tasks\
* C:\Windows\System32\Tasks_Migrated\
* C:\Windows\SysWOW64\Tasks\
* C:\Windows\Tasks\
* C:\Windows\Temp\




Do run https://mssec.wordpress.com/2015/10/22/applocker-bypass-checker/ on your environment!




= Designated File Types =
* hta
* jar
* js
* jse
* ps1
* wsf
* vba
* vbs
* wsh
* sct
* ...






SRP, AppLocker
SRP, AppLocker
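Review bot: The new deny path rules carry no reason, unlike the allow entries, which now say what each one covers; a short note per path (for example why all of C:\Program Files (x86)\Steam\ is denied) would let a later editor judge whether an entry is still needed. The Designated File Types list also ends in "...", so the set of extensions actually configured is not recorded; list them in full.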

Latest revision as of 10:28, 28 February 2017

Additional ALLOW Rules

Known exceptions

Path Rules

  • C:\Program Files - all installed applications
  • C:\Program Files (x86) - all installed applications
  • %localappdata%\Microsoft\VisualStudio\14.0\Designer\ShadowCache\ - Visual Studio shadow cache (designer)

Certificate Rules

  • Microsoft Corporation - OneDrive executes from %localappdata%\Microsoft\OneDrive
  • Cisco - WebExt executes from %temp%
  • TeamViewer - TeamViewer executes from %temp%

Additional DENY Rules

Path Rules

  • C:\Program Files (x86)\Belgium Identity Card\log\
  • C:\Program Files (x86)\Steam\
  • C:\Program Files\Log\
  • C:\Program Files\Microsoft SQL Server\130\Shared\ErrorDumps\
  • C:\Windows\debug\WIA\
  • C:\Windows\servicing\Packages\
  • C:\Windows\servicing\Sessions\
  • C:\Windows\System32\Microsoft\Crypto\RSA\MachineKeys\
  • C:\Windows\System32\spool\drivers\color\
  • C:\Windows\System32\Tasks\
  • C:\Windows\System32\Tasks_Migrated\
  • C:\Windows\SysWOW64\Tasks\
  • C:\Windows\Tasks\
  • C:\Windows\Temp\


Run the AppLocker bypass checker (https://mssec.wordpress.com/2015/10/22/applocker-bypass-checker/) against your own environment!


Designated File Types

  • hta
  • jar
  • js
  • jse
  • ps1
  • wsf
  • vba
  • vbs
  • wsh
  • sct
  • ...


SRP, AppLocker