Even if you find a solution to the first problem, even if you have made sure that all programs used in your enterprise are updated, this does not automatically mean that you're secure.

As you've seen in one of the earlier modules, even if a program itself is trustworthy, you can't know for sure whether at some point malicious code was inserted into it, either prior to or at download. This strongly suggests that you shouldn't allow users to run any programs they want.

We can now observe a slow departure from the model of universally used computers. This applies also to business machines that are expected to run anything, in favor of a shift towards thinking of computers as tools that perform specified tasks and functions only.

How can you ensure this? You should make it impossible for users to run programs that you know to be harmful, but since no one knows all dangerous programs, this has to be done in a different way. Should users be able to run any programs at all? If not, this would make a computer relatively secure, but it also has to be functional. You'll need to create an exception list, a whitelist: programs that are listed on the whitelist can be assumed to be secure. You installed them yourself on these computers, so they should be able to run on them. Let's now think of how this can be achieved.
If you're using earlier editions of Windows, Windows XP and Vista or their equivalents, software restriction policies might be a useful technology. If you're using newer editions of Windows, software restriction policies have evolved into a newer version called application control policies.

Software restriction policies were problematic in use: setting them up was relatively hard. It wasn't a hugely difficult task to understand them, but creating an exception list would take a lot of time, and generalizing some rules was not possible. Programs were identified based on their certificates, their file hashes, paths or Internet zones. The idea was that if Internet Explorer was used to download a program, information about the source of the file (local intranet, Internet, trusted sites) would be written to the program file, and you could make decisions and identify a given code based on this.

The policies don't have a rule that would, for example, allow running the Office suite both in its 2007 and 2010 version. We'd like to be able to create several rules, or create path rules using wildcards. This type of rule specifies that you can run anything that is inside a folder, or anything in a location held in a given registry key. They're relatively dangerous: to allow a program to be run, you would only need to place it in the appropriate location.
We however want these software restriction policies to work in addition to the control and authorization mechanisms that were discussed earlier; those can't be based on this mechanism. There's no point in trying to create a list of negative exceptions, in other words specifying programs that shouldn't be run; this wouldn't do much to secure your systems. You have to change fixed thought patterns and determine that nothing is allowed except the code and programs that are known to be secure.

Let's now examine the mechanisms used to implement this. The first thing implemented in a real system, which you will see there, is a default security level; this is your starting point. If you don't change any settings, the default rule is that anything is allowed to be run: you can run anything you want on each of your computers. Then, as we mentioned, you have rules that identify software. You can explicitly determine the identity of a program: if a program is digitally signed, it can be a certificate rule; otherwise a file hash rule (a hash function or hashing result), an Internet zone rule, or a path rule. There are also extra settings that enable you to specify whether this entire mechanism will also be applied to dynamically linked libraries or to executable files only, and whether it should be applied to administrators or exempt them. There is little point in exempting administrators when you'll be configuring and enabling this.
I have one valuable piece of advice: if something goes wrong and you block the ability to launch important operating system elements, you'll have problems, for example logging onto the computer after a restart. Safe Mode is really useful in that case. The mechanisms don't work in Safe Mode; they're not run. You can then log on, reconfigure your settings and see if they work.

The order in which the rules are applied is known and well documented: start with the most detailed and then the most general one. This allows you to create exceptions; you can, for example, allow running programs that are contained in a given folder except a file of a specified signature. At the end, the default security level rule is checked.

Let's say a few words about the internal operating mechanisms. After enabling software restriction policies, the following methods of launching an application are controlled. This protection applies to a Windows API function known as CreateProcess; this mechanism is used to run new programs, and software restriction policies are usually applied to this function. Other elements that are controlled include the ntdll libraries and the kernel loader; in this case there's a possibility of blocking the running of a part of the operating system, which can produce the adverse side effects we mentioned before. A command-line interface environment is also controlled.
This is the cmd program. Control is also applied to all scripts, shell scripts and PowerShell scripts alike. The operating system will check the data contained in the registry key you can see; it contains information on the policies set on a given computer. Before code is run, it is checked whether one of the rules applies to the program. If there's a match, the action for the given rule will be used; if there's no match, the default action for all rules will be used.
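To make the evaluation order described above concrete (most specific rule first, hash before certificate before path before zone, and the default security level only when nothing matches), here is a small Python model added for this transcript. It is illustrative code written for this page, not Microsoft's implementation and not code from the course: the rule kinds and their precedence follow what the lecture states, path rules are modelled with simple glob patterns (so a folder rule must carry a trailing `*`, unlike real SRP, where a plain folder path covers its subfolders), SHA-256 stands in for whichever hash the real mechanism stores, and every file, hash, publisher name and path in the sample policy is constructed. The two scope settings mentioned in the lecture (checking DLLs, exempting administrators) are modelled as policy flags.

```python
"""Toy model of how Software Restriction Policies pick a rule for a program.

Illustrative example written for this transcript; it is not Microsoft's
implementation. It models the documented precedence (hash, certificate,
path, zone, then the default level), path rules with wildcards, and the
two scope settings mentioned in the lecture (DLL checking, admin exemption).
"""
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
import hashlib
from typing import List, Optional, Tuple

DISALLOWED = "Disallowed"
UNRESTRICTED = "Unrestricted"

# Rule kinds ordered from most specific to most general, as SRP documents it.
PRECEDENCE = {"hash": 0, "certificate": 1, "path": 2, "zone": 3}


@dataclass(frozen=True)
class Rule:
    kind: str    # "hash", "certificate", "path" or "zone"
    match: str   # hex digest, publisher name, path pattern or zone name
    level: str   # DISALLOWED or UNRESTRICTED


@dataclass(frozen=True)
class Program:
    path: str                        # full path of the file being launched
    content: bytes                   # file bytes (constructed for the demo)
    publisher: Optional[str] = None  # signing certificate subject, if signed
    zone: Optional[str] = None       # zone recorded at download, if any


@dataclass
class Policy:
    rules: List[Rule] = field(default_factory=list)
    default_level: str = UNRESTRICTED  # SRP's starting point: everything runs
    check_dlls: bool = False           # apply rules to DLLs, not just executables
    exempt_admins: bool = False        # skip enforcement for administrators


def file_hash(content: bytes) -> str:
    # SHA-256 stands in for the hash the real mechanism stores.
    return hashlib.sha256(content).hexdigest()


def rule_matches(rule: Rule, prog: Program) -> bool:
    if rule.kind == "hash":
        return rule.match.lower() == file_hash(prog.content)
    if rule.kind == "certificate":
        return prog.publisher is not None and rule.match == prog.publisher
    if rule.kind == "path":
        # Glob semantics: "c:\apps\*" covers everything under that folder.
        return fnmatchcase(prog.path.lower(), rule.match.lower())
    if rule.kind == "zone":
        return prog.zone is not None and rule.match.lower() == prog.zone.lower()
    raise ValueError(f"unknown rule kind {rule.kind!r}")


def specificity(rule: Rule) -> Tuple[int, int]:
    # Sort key: most specific kind first; among equal kinds, the longer
    # literal part wins, so an exact path beats a wildcard folder rule.
    return (PRECEDENCE[rule.kind], -len(rule.match.replace("*", "")))


def evaluate(policy: Policy, prog: Program, is_admin: bool = False) -> Tuple[str, Optional[Rule]]:
    """Return (level, rule) for a launch attempt; rule is None when the default applies."""
    if policy.exempt_admins and is_admin:
        return UNRESTRICTED, None
    if prog.path.lower().endswith(".dll") and not policy.check_dlls:
        return UNRESTRICTED, None
    matching = sorted((r for r in policy.rules if rule_matches(r, prog)), key=specificity)
    if matching:
        return matching[0].level, matching[0]
    return policy.default_level, None


def sample_policy() -> Policy:
    """Constructed allow-list policy: deny by default, allow known locations,
    and carve one known-bad file out of an allowed folder with a hash rule."""
    blocked = file_hash(b"constructed bytes of a blocked tool")
    return Policy(
        rules=[
            Rule("path", r"c:\windows\*", UNRESTRICTED),
            Rule("path", r"c:\program files\*", UNRESTRICTED),
            Rule("hash", blocked, DISALLOWED),                       # exception inside an allowed folder
            Rule("zone", "Internet", DISALLOWED),                    # anything marked as downloaded
            Rule("certificate", "Example Publisher", UNRESTRICTED),  # hypothetical signer
        ],
        default_level=DISALLOWED,
    )


# Constructed launch attempts covering each branch of the evaluation.
SAMPLE_PROGRAMS = {
    "allowed_by_path": Program(r"c:\program files\tool\tool.exe", b"good tool"),
    "blocked_by_hash": Program(r"c:\program files\tool\evil.exe",
                               b"constructed bytes of a blocked tool"),
    "signed_download": Program(r"c:\users\alice\downloads\setup.exe", b"setup",
                               publisher="Example Publisher", zone="Internet"),
    "unsigned_download": Program(r"c:\users\alice\downloads\x.exe", b"x", zone="Internet"),
    "unknown_local": Program(r"c:\users\alice\desktop\y.exe", b"y"),
    "dll_not_checked": Program(r"c:\users\alice\desktop\z.dll", b"z"),
}

if __name__ == "__main__":
    policy = sample_policy()
    for name, prog in SAMPLE_PROGRAMS.items():
        level, rule = evaluate(policy, prog)
        why = f"{rule.kind} rule" if rule else "default level"
        print(f"{name:20} {level:13} ({why})")
```

Running the block shows the two points the lecture makes: the hash rule overrides the folder rule that would otherwise allow `evil.exe`, and a file nobody wrote a rule for falls through to the default level, which is why a whitelist only works once that default is set to Disallowed. It also shows the cost of the scope settings: with DLL checking off, a library under the user's desktop is not evaluated at all.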