> The way I understand it, software restriction policies only work for
> applications that are called by the Windows explorer process. If they
> are called by any other process, then the restriction policy does not
> work.
Well, I hope this is not the case, otherwise it would be a major flaw in
this security feature! Viruses are often spawned by IEXPLORE.EXE or
MSIMN.EXE processes...
You can check by yourself that SRPs apply to all processes:
- Create a 'deny' rule on NOTEPAD.EXE
- Launch GPUPDATE to update your policy
- Try to launch NOTEPAD from inside CMD.EXE: it won't run
Then I tried on the IIS system service (INETINFO.EXE): the service DID
start despite the 'deny' rule... Too bad. I think I will investigate
this further, but indeed SRP won't solve your particular problem.
Regards,
- Nicolas RUFF
-----------------------------------
Security Consultant
EdelWeb (http://www.edelweb.fr/)
Mail : nicolas.ruff (at) edelweb.fr
-----------------------------------
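The three-step check above (deny rule, GPUPDATE, launch from a non-Explorer parent) can be scripted so the result does not depend on eyeballing a dialog. The PowerShell below is an added example, not code from the original post or from its author: it reads the machine SRP configuration from the registry key SRP writes to (HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers), lists the configured path rules, and then tries to start the program from the PowerShell process itself, treating Win32 error 1260 (ERROR_ACCESS_DISABLED_BY_POLICY) as a policy block. The exception-unwrapping in Test-SrpLaunch and the fallback on the error message text are assumptions about how Start-Process surfaces that error.

```powershell
# Added example (not from the original post): inspect the effective Software
# Restriction Policy and repeat the NOTEPAD.EXE launch test from a parent that
# is not EXPLORER.EXE (this PowerShell process). Read-only; no elevation needed.
$SaferRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

# Security level values as stored in the registry (the level subkey name is the
# numeric value). Only Disallowed, Basic User and Unrestricted show in the GUI.
$LevelNames = @{
    0      = 'Disallowed'
    4096   = 'Untrusted'
    65536  = 'Constrained'
    131072 = 'Basic User'
    262144 = 'Unrestricted'
}

function Get-SrpSettings {
    # Global switches: default level, DLL checking, administrator exemption.
    if (-not (Test-Path $SaferRoot)) {
        return [pscustomobject]@{ Configured = $false }
    }
    $p = Get-ItemProperty -Path $SaferRoot
    [pscustomobject]@{
        Configured      = $true
        DefaultLevel    = $LevelNames[[int]$p.DefaultLevel]
        # TransparentEnabled: 1 = executables only, 2 = executables and DLLs
        ChecksDlls      = ([int]$p.TransparentEnabled -eq 2)
        # PolicyScope: 0 = all users, 1 = all users except local administrators.
        # An exempted administrator will never see a block in the launch test.
        ExemptsAdmins   = ([int]$p.PolicyScope -eq 1)
        ExecutableTypes = $p.ExecutableTypes
    }
}

function Get-SrpPathRules {
    # Additional path rules live under <level>\Paths\<GUID> with ItemData = path.
    foreach ($level in $LevelNames.Keys) {
        $paths = Join-Path $SaferRoot "$level\Paths"
        if (-not (Test-Path $paths)) { continue }
        Get-ChildItem -Path $paths | ForEach-Object {
            $r = Get-ItemProperty -Path $_.PSPath
            [pscustomobject]@{
                Level       = $LevelNames[$level]
                Path        = $r.ItemData
                Description = $r.Description
            }
        }
    }
}

function Test-SrpLaunch {
    # Start the program from this process and classify the outcome.
    # A policy block is reported by Windows as Win32 error 1260
    # (ERROR_ACCESS_DISABLED_BY_POLICY, "This program is blocked by group policy").
    param([Parameter(Mandatory)][string]$Path)
    try {
        $proc = Start-Process -FilePath $Path -PassThru -ErrorAction Stop
        Start-Sleep -Milliseconds 500
        if (-not $proc.HasExited) { Stop-Process -Id $proc.Id -Force }
        return 'Allowed'
    } catch {
        # Walk the inner-exception chain looking for the Win32 error code
        # (assumption: Start-Process wraps a Win32Exception when CreateProcess fails).
        $e = $_.Exception
        while ($e) {
            if ($e.PSObject.Properties['NativeErrorCode'] -and $e.NativeErrorCode -eq 1260) {
                return 'BlockedByPolicy'
            }
            $e = $e.InnerException
        }
        if ($_.Exception.Message -match 'blocked by group policy') { return 'BlockedByPolicy' }
        return "Failed: $($_.Exception.Message)"
    }
}

# Usage: show the policy, the rules, then repeat the test after GPUPDATE.
Get-SrpSettings | Format-List
Get-SrpPathRules | Format-Table -AutoSize
Test-SrpLaunch -Path "$env:windir\system32\notepad.exe"
```

Run it once before and once after GPUPDATE to confirm the rule actually arrived; if ExemptsAdmins is true and you are testing from an administrative session, the launch will be allowed regardless of the rule, which is the first thing to rule out before concluding that enforcement depends on the parent process.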