Pay it forward: Blocking applications in AD
The ISC posted a great article about collaborating and sharing within the security community. I think that’s a great idea so this week I’m doing a series I’m calling “pay it forward” (because I don’t like their term ‘out-sharing’).
Michael Farnum over at An Information Security Space is also doing a security tip-a-day this week. We’re hoping to get something started with security bloggers sharing information and tips. Today he blogs about auditing passwords (white-hat-speak for password cracking). I especially like his method of policy enforcement!
The first tip in the series deals with blocking users from running certain applications by using a GPO in Active Directory. We do this with Software Restriction Policy hash rules, which identify an executable by a hash of its contents rather than by its file name or path. That way users can’t get around the block by downloading the program again and renaming or moving the executable. The flip side is that a hash rule matches exactly one build of the file: when a new version of the application comes out its hash changes, and you have to add a rule for that version as well. To create the rule you first need a copy of the application you want to block on your own machine. I usually block the installer executable as well as the application executable.
So once you’ve decided what you want to block and you’ve downloaded it, you’re ready to work with the GPO.
The policy is a workstation policy so either create a new policy or add these settings to your existing workstation policy:
1. In the Group Policy Management Console, edit the policy and go to Computer Configuration > Windows Settings > Security Settings > Software Restriction Policies. If that node is empty, right-click it and choose “New Software Restriction Policies” first. Then right-click Additional Rules and select “New Hash Rule”.
2. Browse to the application you want to block, leave the Security level at “Disallowed” (the default) and add a description if you want.
The hash is computed for you from the file you browsed to, so now you just hit “OK” and you’ve blocked the application. Note that workstations only pick up the change on their next Group Policy refresh, which by default happens every 90 minutes plus a random offset of up to 30 minutes; run gpupdate /force on a workstation to apply it right away. The rule is checked when a program is started, so a copy that is already running is not killed.
This could be one way to help protect you from the insider threat. You can block applications that can be used to attack other machines, and the good part about it being a computer GPO is that it doesn’t matter who logs into the computer, the application is blocked regardless. Two caveats: check the Enforcement setting under Software Restriction Policies, because if it is set to “All users except local administrators” anyone with local admin rights walks right past the rule, and remember that a hash rule only matches the exact file you hashed, so a user who can recompile or repack the program gets a new hash. It raises the bar; it is not a substitute for keeping users out of the local Administrators group.
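The script below is an added example written for this post, not something from the original entry or from Microsoft. It records the hashes of the binaries you intend to feed to the “New Hash Rule” dialog so you can re-check them after an upgrade, demonstrates that a renamed copy hashes identically while a one-byte-different build does not, and lists the hash rules a workstation has actually received. The file paths are placeholders, Get-FileHash needs PowerShell 4.0 or later (so this is not something you could have run on the 2006-era workstations the post has in mind), and the registry layout SRP uses for its rules (HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers, with level 0 for Disallowed and PolicyScope 1 meaning local administrators are exempt) is assumed from how SRP stores its policy, so verify it on your own build before relying on it.

```powershell
# Added example, not code from the original post. Placeholder paths below;
# requires PowerShell 4.0+ for Get-FileHash; run on a workstation as an admin.
param(
    [string[]]$ToBlock = @('C:\blocklist\tor.exe', 'C:\blocklist\tor-installer.exe')
)

# 1. Inventory name, size and SHA-256 of each file you plan to hash-rule,
#    so you can tell later whether an upgrade silently changed the hash.
function Get-BlockInventory {
    param([string[]]$Paths)
    foreach ($p in $Paths) {
        if (-not (Test-Path -LiteralPath $p)) { Write-Warning "Missing: $p"; continue }
        $item = Get-Item -LiteralPath $p
        [pscustomobject]@{
            Name   = $item.Name
            Bytes  = $item.Length
            SHA256 = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash
        }
    }
}

# 2. Show the property the rule relies on: a copy under another name hashes
#    identically, while a file that differs by even one byte does not.
function Test-HashRuleBehaviour {
    param([string]$Path)
    $dir = Join-Path $env:TEMP ('srp-demo-' + [guid]::NewGuid())
    New-Item -ItemType Directory -Path $dir | Out-Null
    try {
        $renamed  = Join-Path $dir 'totally-not-tor.exe'
        $modified = Join-Path $dir 'patched.exe'
        Copy-Item -LiteralPath $Path -Destination $renamed
        # Flip the last byte to simulate a repacked or newer build.
        $bytes = [IO.File]::ReadAllBytes($Path)
        $bytes[$bytes.Length - 1] = $bytes[$bytes.Length - 1] -bxor 0xFF
        [IO.File]::WriteAllBytes($modified, $bytes)

        $orig = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
        [pscustomobject]@{
            RenamedCopyMatches  = ((Get-FileHash -LiteralPath $renamed  -Algorithm SHA256).Hash -eq $orig)
            ModifiedCopyMatches = ((Get-FileHash -LiteralPath $modified -Algorithm SHA256).Hash -eq $orig)
        }
    } finally {
        Remove-Item -LiteralPath $dir -Recurse -Force -ErrorAction SilentlyContinue
    }
}

# 3. Confirm the GPO arrived. Assumed layout: SRP writes its rules under the
#    key below, level 0 = Disallowed, and PolicyScope 1 means local
#    administrators are exempt (which breaks the "whoever logs in" guarantee).
function Get-AppliedSrpHashRules {
    $base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
    if (-not (Test-Path $base)) { Write-Warning 'No SRP policy present on this machine.'; return }
    $enf = Get-ItemProperty -Path $base
    Write-Host ("DefaultLevel={0} PolicyScope={1}" -f $enf.DefaultLevel, $enf.PolicyScope)
    $hashes = Join-Path $base '0\Hashes'
    if (Test-Path $hashes) {
        Get-ChildItem $hashes | ForEach-Object {
            $r = Get-ItemProperty -Path $_.PSPath
            [pscustomobject]@{
                Rule         = $_.PSChildName
                FriendlyName = $r.FriendlyName
                Bytes        = $r.ItemSize
                HashHex      = ($r.ItemData | ForEach-Object { $_.ToString('x2') }) -join ''
            }
        }
    }
}

Get-BlockInventory -Paths $ToBlock | Format-Table -AutoSize
if (Test-Path -LiteralPath $ToBlock[0]) { Test-HashRuleBehaviour -Path $ToBlock[0] }
Get-AppliedSrpHashRules | Format-Table -AutoSize
```

Run it once on the machine where you built the rules to keep the inventory, and again on a workstation after gpupdate to confirm the rule GUIDs show up under the Disallowed level. If PolicyScope prints 1, local admins are not covered by any of those rules.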
Some of the applications I’ve blocked in my environment include:
- TOR
- Vidalia
- Privoxy
- Skype
- Metasploit framework versions 2.0-2.6
- Metasploit Payload dev kit
There are plenty more applications out there that you might want to block, these are just some examples of what I block in my environment.
[…] By the way, this security tip is part of a series that Michael at mcwresearch.com and I (and possibly some other bloggers) are trying out this week to see if it catches on. Michael’s latest tip is here. […]
By An Information Security Place » Blog Archive » Today’s Security Tip: Password Cracking on 08.01.06 3:05 pm
[…] Just got this little story in an email. The original moral was some kind of feel-good, mamby-pamby crap about sticking together in life (blah blah). But it actually has some valid security points. I need some food right now, so I can’t concentrate on forming the morals, but I am sure you will see the implications. It becomes more appropriate when you consider Michael’s post at MCWResearch. Enjoy. […]
By An Information Security Place » Blog Archive » Mouse Story on 08.01.06 4:00 pm
I would love to give a security tip of the day as well… but how can readers find all of the tips at once?
By Anton Chuvakin on 08.02.06 5:02 pm
There really is no way to see all tips of all blogs in one place. However, each blogger is using ‘track-backs’ to link to each other and we’re also talking about each other’s entries within our blogs. That way when someone reads one blog, they know about the other posts and blogs as well. You can contribute to one or give a completely new tip. Whatever you want.
So if you would like to blog a tip of the day, just track back to one of our posts and we’ll get links on all sites. So far there are only three of us so it won’t be hard. =)
Hope to hear from you soon!
P.S. I just thought of something we could try; if we each use a specific tag, say ’security-tips’ or something, then we can all post links to each other’s category. That might make it easier for folks to jump from tip to tip.
By Michael on 08.02.06 7:07 pm
[…] in as well), I decided to follow along and join the initiative. One of the bloggers called it “pay it forward” to the […]
By IntrusionOnline » Anton Security Tip of the Day #14: More access_log Fun: What Are You Not GETting? on 03.12.08 2:42 pm