1
00:00:02,110 --> 00:00:07,480
Let's now discuss the methods in which the mechanism can be bypassed.

2
00:00:07,720 --> 00:00:10,380
We mentioned before what can happen if you use a path rule.

3
00:00:13,710 --> 00:00:18,870
If you're using a file hash rule, you need to make sure a hash rule doesn't match your code to bypass it.

4
00:00:20,260 --> 00:00:25,740
You can open a file in a hex editor and change a bit, hoping it won't affect the operation of the program.

5
00:00:28,240 --> 00:00:34,210
There are quite a lot of safe bits behind the file header, so users shouldn't hit the bit.

6
00:00:34,330 --> 00:00:37,350
This can serve to bypass existing security solutions.

7
00:00:40,220 --> 00:00:45,620
Internet zone rules are generally not very secure since they apply only to Internet Explorer.

8
00:00:45,620 --> 00:00:48,840
If you're using a different web browser, they don't work at all.

9
00:00:52,220 --> 00:00:57,990
To bypass a certificate rule, you need to sign the file with a different certificate.

10
00:00:57,990 --> 00:01:03,060
This might seem difficult, but in fact there are Visual Studio tools that can generate a certificate

11
00:01:03,060 --> 00:01:09,760
that can be used to sign a file. This doesn't change the trustworthiness of a file or its issuer,

12
00:01:09,760 --> 00:01:17,140
but this might be used to bypass the software restriction policy.

13
00:01:17,140 --> 00:01:21,370
What's important is that all these solutions will only work if you've implemented a model that shouldn't

14
00:01:21,370 --> 00:01:24,410
be used in the first place.

15
00:01:24,410 --> 00:01:28,040
This is the "everything is allowed except for what is explicitly disallowed"

16
00:01:28,040 --> 00:01:31,890
model.

17
00:01:32,030 --> 00:01:38,170
Now everyone is trying to think of ways to make their favorite instant messaging software slip in.

18
00:01:38,320 --> 00:01:44,360
If you're working in the opposite model, all such attempts are doomed to fail.
19
00:01:44,390 --> 00:01:49,700
This doesn't mean, however, that if a user has local administrative permissions they will not have control

20
00:01:49,700 --> 00:01:50,790
over this mechanism

21
00:01:50,810 --> 00:01:58,500
or other security solutions. It's true that central policies, policies that are set by a domain administrator,

22
00:01:58,920 --> 00:02:02,970
override any local administrator permissions.

23
00:02:03,060 --> 00:02:10,460
But before this happens, a computer needs to be made aware of the central policies during startup, before

24
00:02:10,460 --> 00:02:11,620
you log on.

25
00:02:11,810 --> 00:02:16,960
A computer connects to a domain controller and downloads a security policy.

26
00:02:17,050 --> 00:02:20,610
It's saved to the registry.

27
00:02:20,620 --> 00:02:25,840
This means that a user who is a local administrator might erase data in the registry key and revoke

28
00:02:25,840 --> 00:02:30,390
permissions of the system account to what is left, an empty key.

29
00:02:31,910 --> 00:02:35,890
The rules will not appear after another restart.

30
00:02:35,890 --> 00:02:40,150
This is a simple mechanism that you need to remember is available to local administrators.

31
00:02:44,150 --> 00:02:46,100
Application control rules.

32
00:02:46,100 --> 00:02:50,810
The latest version of the mechanism we're discussing has been significantly streamlined.

33
00:02:52,720 --> 00:02:59,860
There are only three rules: a path rule, a file hash rule and a publisher rule.

34
00:03:00,130 --> 00:03:06,990
As we mentioned, the Internet zone rule was controversial from the start.

35
00:03:07,140 --> 00:03:08,110
Just like before,

36
00:03:08,130 --> 00:03:16,380
you might specify program types to which the rules will apply. You can select from executable files,

37
00:03:16,380 --> 00:03:24,070
MSI installer files, scripts and DLLs.

38
00:03:24,300 --> 00:03:30,190
Your role is to create a list of software that will be allowed to run.
39
00:03:30,430 --> 00:03:36,870
The previous solution did not require running any additional system services. Setting up application

40
00:03:36,870 --> 00:03:44,380
control rules, on the other hand, will not have an effect unless you run an additional service. This service

41
00:03:44,430 --> 00:03:47,340
is designed to audit and oversee their operation.

42
00:03:48,450 --> 00:03:50,660
It is by default in manual startup mode.

43
00:03:55,040 --> 00:03:57,260
As part of a configuration procedure,

44
00:03:57,260 --> 00:04:03,400
you need to switch to automatic mode. To make implementation of this solution simpler,

45
00:04:03,570 --> 00:04:07,300
you can create default rules.

46
00:04:07,390 --> 00:04:10,340
There are three default rules.

47
00:04:10,460 --> 00:04:15,050
The first default rule is meant to allow users to run all programs that are installed in the Program

48
00:04:15,050 --> 00:04:20,370
Files folder or subfolders, which aren't appropriate locations for any programs.

49
00:04:22,790 --> 00:04:27,380
The second rule allows users to run components of an operating system that need to be trusted.

50
00:04:29,350 --> 00:04:37,260
The third rule allows an administrator group to do anything, to run all files and programs.

51
00:04:37,290 --> 00:04:40,620
The rules are designed to smooth the process of protecting your system.

52
00:04:41,990 --> 00:04:44,700
Don't shrink from creating the rules. In the "everything is blocked"

53
00:04:44,700 --> 00:04:50,270
mode, default rules will cause some files and programs to be accessible.

54
00:04:50,430 --> 00:04:52,290
Some files and programs won't run.

55
00:04:56,640 --> 00:05:01,130
The ability to generalize rules is an interesting feature that we'll look into in a moment.

56
00:05:03,480 --> 00:05:09,510
You can indicate a digitally signed file and say, for example, make a rule that is not applicable to this

57
00:05:09,510 --> 00:05:13,730
file but a more general one.
58
00:05:13,840 --> 00:05:19,120
This will apply to specified versions of a piece of software or to all programs from the issuer of a

59
00:05:19,120 --> 00:05:19,790
certificate.

60
00:05:24,730 --> 00:05:28,110
Default rules aren't perfect.

61
00:05:28,160 --> 00:05:34,170
They are too general; a general security solution will most of the time be inefficient.

62
00:05:34,500 --> 00:05:36,540
But this problem has been solved as well.

63
00:05:38,340 --> 00:05:43,920
There's a rule generator. Instead of creating rules manually and on your own,

64
00:05:43,940 --> 00:05:48,980
you can indicate a folder and instruct the tool to generate rules applying to all files in a specified

65
00:05:48,980 --> 00:05:49,560
folder.