Cyber Essentials Plus – Setting up Software Restriction Policies
One of the most common failures I’ve seen when performing Cyber Essentials Plus assessments over the years is the downloading and execution of applications test, which can be addressed by setting up Software Restriction Policies. With Cyber Essentials Plus, you are asked to download (or save) several different file types to see whether your computers can execute the file with less than three actions (for example, download the file, then double-click on the file to execute it).
For Windows machines, there is a quick win for this issue: block file types in specific locations. By default, browsers on Windows save to the ‘%userprofile%\Downloads’ folder, so this article uses that default location; however, if you have changed it to another location, you should add that location as well.
Before Windows 10 #1803 there was a feature that you could use called ‘Software Restriction Policies’, or SRP. It is only available on the Professional and Enterprise editions and could be configured locally on your own machine or via Group Policy when logged in as a local administrator. From version #1903 onwards, however, it’s recommended that you use AppLocker to make these same types of changes.
One area where it has been hard to find a good solution is Windows 10 Home. Microsoft doesn’t support these types of features in that edition, so you have to rely on third parties. After many searches and tests, the one third-party application I recommend is AskAdmin. It is a freemium application, which means that the majority of the features are free and you only need to pay for the more advanced features. Disclaimer: This is a third-party application, so always exercise caution and check for viruses and legitimate downloads before continuing. You can check the download against VirusTotal here: https://www.virustotal.com/gui/file/40c806447669ec59447be4825774c5cc35b2f3be7d05953831e103113b2de9fb/detection
AppLocker (After #1803 and Windows 10 Pro/Enterprise)
AppLocker is a more advanced and feature-rich solution to protecting computers from unnecessary actions, such as blocking executables from specific directories, like in our case.
Note: Before AppLocker will work, you need to ensure that the Windows service ‘AppIDSvc’, displayed as ‘Application Identification’, is set to Automatic and running on all machines; otherwise none of the AppLocker settings will be applied.
To get started, click on the Start menu, type in ‘gpedit’ and click on ‘Edit group policy’.
Once the application has opened up, expand Computer Configuration -> Windows Settings -> Security Settings -> Application Control Policies -> AppLocker.
Right-click on AppLocker and select Properties, click on the ‘Configured’ check box under ‘Executable Rules’ and then click OK.
Now, double-click on AppLocker again and this will open up additional options.
Right-click on ‘Executable Rules’ and select ‘Create New Rule’. This will open up a new window. Click Next on the first page; the next page is the permissions page, where you choose the action for the rule. Click on ‘Deny’, leave ‘Everybody’ selected and then click Next. This configures the rule to deny access for everyone.
On the next screen, click on the ‘Path’ option and click Next.
Click on the ‘Browse Folders’ button, click on Downloads and click OK. Note: If you’re doing this in Group Policy, you will need to type ‘%userprofile%\downloads\*’ instead.
Click Next on the Exceptions page, then name the rule and click Create. This will generate a warning about creating rules; click Yes.
You will now have to reboot your computer for the changes to take effect. After that, when you run an executable from your Downloads folder, you will be blocked by Windows.
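The following PowerShell check is an added example, not part of the original article: it confirms the ‘AppIDSvc’ prerequisite, shows the enforcement mode and Deny path rules of the effective policy, and asks AppLocker for its decision on a probe file in Downloads. AppLocker path conditions use AppLocker's own path variables (such as %OSDRIVE%) rather than Windows environment variables, so the probe in step 4 is the reliable way to confirm that the rule path really matches the Downloads folder. The probe file name is hypothetical and the probe is a copy of the built-in where.exe.

```powershell
# Added example: run from an elevated PowerShell prompt on the machine under test.

# 1. AppLocker enforces nothing unless the Application Identity service is running.
$svc = Get-Service -Name AppIDSvc
if ($svc.StartType -ne 'Automatic') {
    # sc.exe is used because AppIDSvc is a protected service on Windows 10
    sc.exe config AppIDSvc start= auto | Out-Null
}
if ($svc.Status -ne 'Running') { Start-Service -Name AppIDSvc }

# 2. Read the effective policy (local policy merged with any Group Policy).
[xml]$policy = Get-AppLockerPolicy -Effective -Xml
$exe = $policy.AppLockerPolicy.RuleCollection | Where-Object { $_.Type -eq 'Exe' }
if (-not $exe) { throw 'No Executable Rules collection found in the effective policy.' }
"Executable Rules enforcement mode: $($exe.EnforcementMode)"   # 'Enabled' = rules are enforced

# 3. List the Deny path rules so the Downloads rule can be checked by eye.
$exe.FilePathRule | Where-Object { $_.Action -eq 'Deny' } | ForEach-Object {
    [pscustomobject]@{
        Name = $_.Name
        Path = ($_.Conditions.FilePathCondition.Path -join '; ')
    }
} | Format-Table -AutoSize

# 4. Ask AppLocker for its decision on a probe file in Downloads
#    (hypothetical file name; the content is a copy of a built-in Windows tool).
$probe = Join-Path $env:USERPROFILE 'Downloads\applocker-probe.exe'
Copy-Item "$env:WINDIR\System32\where.exe" $probe
try {
    $result = Get-AppLockerPolicy -Effective |
        Test-AppLockerPolicy -Path $probe -User Everyone
    $result | Format-List FilePath, PolicyDecision, MatchingRule
    if ($result.PolicyDecision -eq 'Allowed') {
        Write-Warning 'Executables in Downloads are still allowed; review the rule path.'
    }
} finally {
    # Always remove the probe file, even if the policy test fails
    Remove-Item $probe -ErrorAction SilentlyContinue
}
```

A PolicyDecision of ‘Denied’ with the name of your rule under MatchingRule means the Downloads rule is the one doing the blocking.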
Software Restriction Policies (Before #1803 and Windows 10 Professional / Enterprise)
Click on the Start menu, type in ‘gpedit’ and click on ‘Edit group policy’.
Once the application has opened up, expand Computer Configuration -> Windows Settings -> Security Settings -> Software Restriction Policies.
Right-click on ‘Software Restriction Policies’ and select ‘New Software Restriction Policies’.
For Cyber Essentials Plus, we’re going to use Path Rules, which tell Windows what file paths to block. Expand Software Restriction Policies, then right-click on Additional Rules and select ‘New Path Rule…’. This will open up the ‘New Path Rule’ screen.
At this stage, we’re going to add multiple paths to ensure that any executable files in them are not executed and are instead blocked by Windows.
Note: If you want to run the application, you will have to copy/paste the file to another location that isn’t blocked like the Desktop.
- %USERPROFILE%\Downloads\*.exe
- C:\Windows\Temp\*.exe
- C:\Windows\Temp\*\*.exe
- %USERPROFILE%\AppData\Local\*.exe
- %USERPROFILE%\AppData\Roaming\*.exe
For each path location listed above, perform the following actions: fill in the path with the path location, make sure the security level is set to Disallowed, and click on OK.
Once you have completed the above action for each file path, reboot your computer.
Once the computer has booted up again, go into your Downloads folder, try to execute a file and see if you get blocked.
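To confirm that none of the five rules was missed or left at the wrong security level, the registry can be compared against the list above. This is an added example, not part of the original article, and it assumes the rules were created under Computer Configuration as described, which stores Disallowed path rules under the HKLM key shown in the code.

```powershell
# Added example: compare the Disallowed SRP path rules on this machine
# with the five paths listed in the article.
$expected = @(
    '%USERPROFILE%\Downloads\*.exe',
    'C:\Windows\Temp\*.exe',
    'C:\Windows\Temp\*\*.exe',
    '%USERPROFILE%\AppData\Local\*.exe',
    '%USERPROFILE%\AppData\Roaming\*.exe'
)

# Path rules with security level Disallowed (level 0) are stored here, one subkey per rule.
$root = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths'
$configured = @()
if (Test-Path $root) {
    $configured = @(Get-ChildItem $root | ForEach-Object {
        # Read ItemData without expanding %USERPROFILE% so it compares with the list as typed
        $_.GetValue('ItemData', '', 'DoNotExpandEnvironmentNames')
    })
}

# One row per expected path; -contains compares strings case-insensitively
$report = foreach ($path in $expected) {
    [pscustomobject]@{
        Path       = $path
        Disallowed = [bool]($configured -contains $path)
    }
}
$report | Format-Table -AutoSize

$missing = @($report | Where-Object { -not $_.Disallowed })
if ($missing.Count) {
    Write-Warning "$($missing.Count) of $($expected.Count) path rules are missing or not set to Disallowed."
}
```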
AskAdmin (Third-Party)
Download the AskAdmin application from Sordum’s website, then open the Zip file and extract all the files to a location of your choice. Once extracted, go to that folder and run AskAdmin; you’ll be presented with the main application window.
To block the Downloads folder, click on the green ‘+’ button (second button from the left). This will open up a new window; select the Downloads folder and click OK.
Right-click on the new entry and click Block. This will turn it red. Try to run an executable file in the Downloads folder and you should be blocked straight away.