Pay it forward: Blocking applications in AD

The ISC posted a great article about collaborating and sharing within the security community. I think that’s a great idea so this week I’m doing a series I’m calling “pay it forward” (because I don’t like their term ‘out-sharing’).

Michael Farnum over at An Information Security Space is also doing a security tip-a-day this week. We’re hoping to get something started with security bloggers sharing information and tips. Today he blogs about auditing passwords (white-hat-speak for password cracking). I especially like his method of policy enforcement!

The first tip in the series deals with blocking users from running certain applications with a Group Policy Object (GPO) in Active Directory, using Software Restriction Policies (SRP) hash rules. A hash rule identifies the executable by a hash of its contents rather than by its file name or location, so a user can't get around the block by downloading the program again and renaming or moving it. The flip side is that the rule matches only that exact build: a new version of the tool has a different hash and needs its own rule, so the rules have to be kept current. To create a rule you need a copy of the file you want to block on the machine where you edit the GPO, so download it there first (an admin workstation, not a production server). I usually block the installer executable as well as the application executable, since blocking only the installer still lets a user run a portable copy of the program.

So once you’ve decided what you want to block and you’ve downloaded it, you’re ready to work with the GPO.

The policy is a computer policy, not a user policy, so either create a new GPO linked to the OU that holds your workstations or add these settings to your existing workstation GPO:

1. In Group Policy Management, edit the GPO and go to Computer Configuration > Windows Settings > Security Settings > Software Restriction Policies (on newer consoles the path is Computer Configuration > Policies > Windows Settings > Security Settings > Software Restriction Policies). If the GPO has no software restriction policy yet, right-click Software Restriction Policies and choose "New Software Restriction Policies" first. Then right-click Additional Rules and select "New Hash Rule".

2. Browse to the application you want to block, leave the Security level at "Disallowed" (the default) and add a description if you want; naming the product and version in the description makes the rules easier to tell apart later, since the hash alone says nothing about what it matches.

The hash is generated for you automatically; hit "OK" and the application is blocked. Note that workstations refresh computer policy in the background every 90 minutes plus a random offset of up to 30 minutes, so it can take up to two hours for the rule to reach every machine; run gpupdate /force on a workstation to pull it immediately. Also check the Enforcement settings under Software Restriction Policies: by default the policy applies to all users, including local administrators, and to all software files except libraries such as DLLs.
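To check what the GPO actually did on a workstation, here is an added PowerShell example (my own, not part of the original post or any Microsoft tooling). It assumes the binaries you hashed were downloaded to C:\Quarantine (an assumed path), that you run it elevated on a workstation with PowerShell 4 or later, and that the workstation has already pulled the GPO. It lists the hashes you would put in the change ticket, reads the Disallowed hash rules SRP wrote to the registry, and shows that a renamed copy of a blocked file still matches.

```powershell
# Added example, not code from the original post. Assumed paths: C:\Quarantine\*.
# Run elevated on a workstation that has already received the GPO (gpupdate /force).

# Hash algorithm IDs SRP records in a hash rule: CALG_MD5 and CALG_SHA_256.
$SrpHashAlg = @{ 32771 = 'MD5'; 32780 = 'SHA256' }

# 1. Hashes for the change ticket. SRP matches the file's bytes, so the file
#    name is irrelevant, and a new version of the tool needs a new rule.
function Get-BlockListHashes {
    param([Parameter(Mandatory)][string[]]$Path)
    foreach ($p in $Path) {
        $f = Get-Item -LiteralPath $p
        [pscustomobject]@{
            File   = $f.FullName
            Bytes  = $f.Length
            MD5    = (Get-FileHash -LiteralPath $p -Algorithm MD5).Hash
            SHA256 = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash
        }
    }
}

# 2. The hash rules Group Policy actually wrote to this machine.
#    Security level 0 is "Disallowed"; Unrestricted rules live under 262144.
function Get-AppliedSrpHashRules {
    $base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes'
    if (-not (Test-Path -Path $base)) { return }   # no Disallowed hash rules applied yet
    foreach ($key in Get-ChildItem -Path $base) {
        $v = Get-ItemProperty -Path $key.PSPath
        # HashAlg says which algorithm the ItemData bytes were produced with.
        $alg = if ($SrpHashAlg.ContainsKey([int]$v.HashAlg)) { $SrpHashAlg[[int]$v.HashAlg] }
               else { '0x{0:X}' -f $v.HashAlg }
        [pscustomobject]@{
            RuleId      = $key.PSChildName
            Name        = $v.FriendlyName
            Description = $v.Description
            Algorithm   = $alg
            Hash        = ([System.BitConverter]::ToString($v.ItemData)) -replace '-', ''
            Bytes       = $v.ItemSize
        }
    }
}

# 3. Would this file be caught? Compares its hash against every Disallowed hash
#    rule, so a renamed or moved copy of a blocked binary still returns $true.
function Test-SrpHashBlocked {
    param([Parameter(Mandatory)][string]$Path)
    foreach ($r in @(Get-AppliedSrpHashRules)) {
        if ($r.Algorithm -notin 'MD5', 'SHA256') { continue }
        $h = (Get-FileHash -LiteralPath $Path -Algorithm $r.Algorithm).Hash
        if ($h -eq $r.Hash) { return $true }
    }
    return $false
}

# --- usage (assumed file names) ---
$blockList = 'C:\Quarantine\vidalia-bundle.exe', 'C:\Quarantine\SkypeSetup.exe'
Get-BlockListHashes -Path $blockList | Format-Table -AutoSize

Get-AppliedSrpHashRules | Format-Table Name, Algorithm, Hash, Bytes -AutoSize

# Renaming does not help the user: same bytes, same hash, still matched.
Copy-Item -LiteralPath 'C:\Quarantine\SkypeSetup.exe' -Destination "$env:TEMP\notepad.exe"
Test-SrpHashBlocked -Path "$env:TEMP\notepad.exe"

# Blocked launches are written to the Application log by the
# SoftwareRestrictionPolicies source; this shows the most recent ones.
Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'SoftwareRestrictionPolicies' } `
    -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message
```

If Get-AppliedSrpHashRules returns nothing, the workstation has not received the GPO yet (run gpupdate /force and check gpresult /r for the GPO name) or the rule was created under User Configuration instead of Computer Configuration. The registry check is also a quick way to confirm that the rule for a newly released version of a tool is actually in place, since an old hash silently stops matching once the vendor ships a new build.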

This could be a way to help protect you from the insider threat. You can block applications that can be used to attack other machines, and the good part about it being a computer GPO is that it doesn't matter who logs into the computer: the application is blocked regardless. Keep in mind that a hash rule is only as good as your list of hashes; it stops the casual user, not someone who can build the tool from source or find a build you haven't hashed.

Some of the applications I’ve blocked in my environment include:

  • TOR

    • Vidalia
    • Privoxy
  • Skype
  • Metasploit framework versions 2.0-2.6
  • Metasploit Payload dev kit

There are plenty more applications out there that you might want to block, these are just some examples of what I block in my environment.


I would love to give a security tip of the day as well… but how can readers find all of the tips at once?

There really is no way to see all tips of all blogs in one place. However, each blogger is using ‘track-backs’ to link to each other and we’re also talking about each other’s entries within our blogs. That way when someone reads one blog, they know about the other posts and blogs as well. You can contribute to one or give a completely new tip. Whatever you want.

So if you would like to blog a tip of the day, just track back to one of our posts and we’ll get links on all sites. So far there are only three of us so it won’t be hard. =)

Hope to hear from you soon!

P.S. I just thought of something we could try; if we each use a specific tag, say ‘security-tips’ or something, then we can all post links to each other’s category. That might make it easier for folks to jump from tip to tip.