The ISC posted a great article about collaborating and sharing within the security community. I think that’s a great idea so this week I’m doing a series I’m calling “pay it forward” (because I don’t like their term ‘out-sharing’).
Michael Farnum over at An Information Security Space is also doing a security tip-a-day this week. We’re hoping to get something started with security bloggers sharing information and tips. Today he blogs about auditing passwords (white-hat-speak for password cracking). I especially like his method of policy enforcement!
The first in the series here deals with blocking users from running certain applications by using a GPO in Active Directory. To do this we’ll add rules that block the hash of the application. This way users can’t download and rename the executable to get around the block. And to do that, you need to first download to your machine the application you want to block. I usually block the installer executable as well as the application executable.
So once you’ve decided what you want to block and you’ve downloaded it, you’re ready to work with the GPO.
The policy is a workstation policy so either create a new policy or add these settings to your existing workstation policy:
1. In Group Policy Manager, go to Computer Configuration > Software Restriction Policies, right-click on Additional Rules and select “New Hash Rule”.
2. Browse to the application you want to block, choose the Security level of “Disallowed” (default) and add a description if you want.
The hash is generated for you automagically and now you just hit “ok” and you’ve blocked the application. Note it might take up to 90 minutes for workstations to poll for new GPOs and download any changes.
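As an added example (not from the original post), here is a PowerShell check you can run on a workstation to confirm the hash rule actually arrived and matches the binary you intended to block. It reads the applied Software Restriction Policy rules from the registry; the key path, the level number 0 for “Disallowed”, and the value names ItemData/HashAlg/Description are assumed from the SRP registry layout, and the ALG_ID numbers are the CryptoAPI constants for MD5 and SHA-256.

```powershell
# Added example: verify an SRP "Disallowed" hash rule matches a local executable.
# Assumes the standard Safer (SRP) registry layout; value names are assumptions.
param(
    [Parameter(Mandatory)][string]$Path   # local copy of the executable you blocked
)

# Level 0 = Disallowed; hash rules live under this key once the GPO has applied.
$srpDisallowed = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes'

function Get-FileHashHex {
    param([string]$File, [string]$Algorithm)
    (Get-FileHash -Path $File -Algorithm $Algorithm).Hash.ToLowerInvariant()
}

# SRP compares hashes, not file names, so renaming the file does not evade the rule.
# Compute both algorithms SRP has used: MD5 (ALG_ID 32771) and SHA-256 (ALG_ID 32780).
$local = @{
    32771 = Get-FileHashHex -File $Path -Algorithm MD5
    32780 = Get-FileHashHex -File $Path -Algorithm SHA256
}

if (-not (Test-Path $srpDisallowed)) {
    Write-Warning "No Disallowed hash rules present yet; run 'gpupdate /force' or wait for the next policy refresh."
    return
}

$matched = $false
foreach ($rule in Get-ChildItem -Path $srpDisallowed) {
    $props    = Get-ItemProperty -Path $rule.PSPath
    $alg      = [int]$props.HashAlg
    # ItemData is REG_BINARY holding the raw hash bytes; render as lowercase hex.
    $ruleHash = -join ($props.ItemData | ForEach-Object { $_.ToString('x2') })
    if ($local.ContainsKey($alg) -and $local[$alg] -eq $ruleHash) {
        $matched = $true
        Write-Output ("Blocked by rule {0} ({1}) using ALG_ID {2}" -f $rule.PSChildName, $props.Description, $alg)
    }
}
if (-not $matched) {
    Write-Output "No Disallowed hash rule matches $Path; the GPO may not have applied yet, or this file differs from the one hashed when the rule was created."
}
```

Run it as an administrator after a `gpupdate /force` if you do not want to wait out the refresh interval; a mismatch usually means a different build of the executable was hashed than the one users actually have.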
This could be a way to help protect you from the insider threat. You can block applications that can be used to attack other machines and the good part about it being a computer GPO is it doesn’t matter who logs into the computer, the application is blocked regardless.
Some of the applications I’ve blocked in my environment include:
- Metasploit framework versions 2.0-2.6
- Metasploit Payload dev kit
There are plenty more applications out there that you might want to block; these are just some examples of what I block in my environment.