AppLocker - Security Problems

Security
Published Aug 7, 2012 Updated Aug 6, 2012

This article is part of my small series about AppLocker, a technology built into Windows that enables administrators to audit and optionally block application execution.

AppLocker Security

There is no perfect security, every product has its vulnerabilities and AppLocker is no exception. These are the problems I am aware of.

Windows\Temp

AppLocker’s default rules allow the execution of all code from the Windows directory. This is generally considered safe, since standard users do not have permissions to write to C:\Windows and its subdirectories. However, there is one exception: users have write and execute permissions in C:\Windows\Temp by default as the following screenshot from SetACL Studio shows:

Permissions on C-Windows-Temp

To close this loophole modify the default AppLocker rule so that it contains an exception for C:\Windows\Temp.

VBA and SANDBOX_INERT

A non-blocked process can start arbitrary executables circumventing AppLocker’s rules by calling the API function CreateRestrictedToken with the parameter SANDBOX_INERT. This is a problem because Microsoft Office will not be blocked in most if not all enterprises, and Office’s scripting language Visual Basic for Applications is well capable of calling API functions.

More information and a test program is available in Didier Steven’s blog.

Comments

Comments are powered by Giscus. Please enable JavaScript to view them, or view discussions directly on GitHub.

Related Posts

Top 10 IT Security Tips for Individual Users

Top 10 IT Security Tips for Individual Users

This is a list of simple things that will protect you from nearly all the real-world IT security issues affecting individuals and SOHO users. 1. Install All the Updates What Should You Do? Enable automatic updates wherever possible Don’t use obsolete software versions Why Is It Important? Older software versions often have known security issues for which exploits are readily available. This means that even script kiddies can easily attack large numbers of users.

Checking Windows Hello Key Storage: TPM or Software?

Checking Windows Hello Key Storage: TPM or Software?

Windows Hello for Business (WHfB) stores a cryptographic key on the device. The preferred storage location is a hardware TPM module. However, if a TPM is not available, the key may be stored in the filesystem instead. It’s surprisingly hard to determine the storage location for existing Windows Hello for Business keys. This article presents a simple solution.

Windows OS, Services & Apps: Network Connection Target Hosts

Windows OS, Services & Apps: Network Connection Target Hosts

This post lists the internet communication targets of the Microsoft Windows operating system, including its various services and UWP apps. This post is a part of my application network connection monitoring series, a group of articles that explain how to analyze the network traffic of any Windows or macOS app.

DNS Exfiltration & Tunneling: How it Works & DNSteal Demo Setup

DNS Exfiltration & Tunneling: How it Works & DNSteal Demo Setup

DNS is a protocol that lends itself to abuse because it’s largely unmonitored and unrestricted. This article explains how data exfiltration from a corporate network via DNS works and shows how to set up a working exfiltration demo with DNSteal.

Latest Posts

Changing the Location of PowerShell Profile Scripts

A PowerShell profile is an init script that is executed when the shell starts. PowerShell searches for profile scripts in hard-coded locations. This article explains how to move profile scripts to any directory of your choice.

Changing the Location of the Windows Terminal Settings Files

Changing the Location of the Windows Terminal Settings Files

Windows Terminal stores its settings in configuration files that resides in the Windows user profile. This article explains how to move them to any directory of your choice. Where are the Settings Files Located? The location of the Windows Terminal settings file is hard-coded. The exact path depends on the app variant you installed, but it’s always in the user profile:

Fast & Silent 5 Watt PC: Minimizing Idle Power Usage

Fast & Silent 5 Watt PC: Minimizing Idle Power Usage

This micro-series explains how to turn the Lenovo ThinkCentre M90t Gen 6 into a smart workstation that consumes only 5 Watts when idle but reaches top Cinebench scores while staying almost imperceptibly silent. In the first post, I showed how to silence the machine by replacing and adding to Lenovo’s CPU cooler. In this second post, I’m listing the exact configuration that achieves the lofty goal of combining minimal idle power consumption with top Cinebench scores.

Fast & Silent 5 Watt PC: Lenovo ThinkCentre M90t Modding

Fast & Silent 5 Watt PC: Lenovo ThinkCentre M90t Modding

This micro-series explains how to turn the Lenovo ThinkCentre M90t Gen 6 into a smart workstation that consumes only 5 Watts when idle but reaches top Cinebench scores while staying almost imperceptibly silent. In this first post, I’m showing how to silence the machine by replacing and adding to Lenovo’s CPU cooler. In a second post, I’m listing the exact configuration that achieves the lofty goal of combining minimal idle power consumption with top Cinebench scores.