Vista Tutorial - Software Restriction Policy (SRS) problems

Sorry for my bad english.

I think I have found a serious bug in software restriction policies.

Can someone test this issue?:

If you have two volumes or partitions, like C:\ and E:\, and if you setup
SRS
with default settings and you DO NOT ALLOW E:\ path in SRS you cannot open
..txt files (as an example) or whatever.
And things get A LOT WORSE when you use folder redirection of user's folders
to E:\ drive, especially if you redirect the "desktop" folder. Internet
Explorer WILL NOT OPEN!!!

Someone has similar issues? Any idea?

Some months ago did some tests with SRS on Windows XP and found multiple
issues with path rules, especially using registry values or wildcards in
path values.
I think that the parser (or whatever) in SRS should be highly improved.

Is this a place for reporting bugs to Microsoft?

Sorry for my bad english.

David, why do you believe this is a bug? Am I understanding you right that
you set up an SRP (Software Restriction Policy) that blocks
E:\

If so, I would say that SRP is doing _exactly_ what you told it to do if it
blocks you opening something on E:\. Can you explain a little more, with
steps, what is happening?
---
Your question may already be answered in Windows Vista Security:
http://www.amazon.com/gp/product/047...otectyourwi-20


"David Calzada" wrote:

> Sorry for my bad english.
>
> I think I have found a serious bug in software restriction policies.
>
> Can someone test this issue?:
>
> If you have two volumes or partitions, like C:\ and E:\, and if you setup
> SRS
> with default settings and you DO NOT ALLOW E:\ path in SRS you cannot open
> ..txt files (as an example) or whatever.
> And things get A LOT WORSE when you use folder redirection of user's folders
> to E:\ drive, especially if you redirect the "desktop" folder. Internet
> Explorer WILL NOT OPEN!!!
>
> Someone has similar issues? Any idea?
>
> Some months ago did some tests with SRS on Windows XP and found multiple
> issues with path rules, especially using registry values or wildcards in
> path values.
> I think that the parser (or whatever) in SRS should be highly improved.
>
> Is this a place for reporting bugs to Microsoft?
>
> Sorry for my bad english.
>
>
>

Sorry, I did not explained it very well due to my poor english.
I think that someone should report this to microsoft if you can reproduce
it.

First I will explain what I did, then what happens.

- Installed Windows Vista Enterprise (english) in a test machine withouth
activating it.
- Installed spanish language pack, just for testing it.
- I have two partitions in same hard disk: C:\ and E:\
- I setup two users: Admin1(admin rights) and User1(user limited account).
- I opened Local Group Policy Editor to setup SRP Policies (inside computer
policies):

- Inside "Designates File Types":
- Just remove .LNK file type

- Inside "Enforcement":
- All software files
- All users except local adminstrators.
- Ignore certifcate rules.

- Inside "Trusted Publishers":
- DO NOT define these policy settings

- Inside "Additional Rules" (default settings):
- Unrestricted
%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%
- Unrestricted
%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir%

- Inside"Security Levels":
- Disallowed MUST BE set as default setting.

- Very important: setup this registry key value for advanced SRP logging,
you will understand what happens with this enabled:

- Go to:
"HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers"
- Create New Value inside CodeIdentifiers:
- Type: REG_SZ
- Name: LogFileName
- Value: E:\#saferlog.txt (or whatever)

- Execute "gpupdate /force" and restart computer (needed the first time you
enable SRP)


OK, with this settings any user without admin rights cannot EXECUTE any
program or any excutable code of ANY FILE TYPE (included .dll, .tmp, .etc.)
IF IT IS OUTSIDE "Program files" and "Windows Folders". This includes things
that could be launched with rundll32.exe. This settings combined with folder
rights inside program files and windows folder will prevent users to
introduce or execute external programs not allowed by administrators. Great,
eh?

I think that all of this works great IF YOU ONLY HAVE ONE PARTITION, but now
test this:

- Create a text document in you desktop and open it (no problem)
- Create a text document in E:\ or any subfoder. ¿What happens?:
- Notepad opens very slowly.
- Notepad is opened without any theme applyed to it, it
looks like old windows theme.
- LOOK at the LOG FILE (e:\#saferlog.txt),
you will see lots of lines that says some .dll files are
RESTRICTED,
but they should not be restricted because they are
inside "windows\system32" folder.

Sample line in #saferlog.txt:
---------
notepad.exe (PID = 2796) identified
\??\C:\Windows\system32\uxtheme.dll as Disallowed using path rule, Guid =
{..... some guid value .....}
--------

¡¡¡¡¡THIS SHOULD NOT HAPPEN NEVER!!!!!!.

Of course this is just one example with notepad, but I guess that this
situation will affect any program


- Now, put a new path rule in SRP allowing E:\ (unrestricted). Now it
works, but I do not want this path rule.



But then, things get even more funny if you redirect user's folders to E:\
drive,
specially if it's "Desktop" folder. Remember that path rule E:\ is not
allowed.

Right click "Desktop folder" inside user profile and change its location to
E:\Users\<username>\desktop

Now try to open Internet Explorer, ¿what happens?. ¿Can you open it?

Now take back Desktop folder to the original location. ¿Can open Internet
Explorer now?.


The last thing is funny too:
Try to setup path rules with wildcards, or path rules with registry values
combined.
I had this problems with path rules in Windows XP, I have not tested it in
Vista for the moment.

Examples of problematic path rules:

%userprofile%\temp\~01*.tmp (similar thing was needed for Autcad
2006 but it did not work with wildcards)
%userprofile%\temp\~01???ABC.tmp
"%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\SystemRoot%\SomeFolder\*.exe"


THANKS FOR READING IT.


"Jesper" <Jesper@discussions.microsoft.com> wrote in message
news:E9102097-E6BC-43D2-82A2-9C45E403F910@microsoft.com...
> David, why do you believe this is a bug? Am I understanding you right that
> you set up an SRP (Software Restriction Policy) that blocks
> E:\
>
> If so, I would say that SRP is doing _exactly_ what you told it to do if
> it
> blocks you opening something on E:\. Can you explain a little more, with
> steps, what is happening?
> ---
> Your question may already be answered in Windows Vista Security:
> http://www.amazon.com/gp/product/047...otectyourwi-20
>
>
> "David Calzada" wrote:
>
>> Sorry for my bad english.
>>
>> I think I have found a serious bug in software restriction policies.
>>
>> Can someone test this issue?:
>>
>> If you have two volumes or partitions, like C:\ and E:\, and if you setup
>> SRS
>> with default settings and you DO NOT ALLOW E:\ path in SRS you cannot
>> open
>> ..txt files (as an example) or whatever.
>> And things get A LOT WORSE when you use folder redirection of user's
>> folders
>> to E:\ drive, especially if you redirect the "desktop" folder. Internet
>> Explorer WILL NOT OPEN!!!
>>
>> Someone has similar issues? Any idea?
>>
>> Some months ago did some tests with SRS on Windows XP and found multiple
>> issues with path rules, especially using registry values or wildcards in
>> path values.
>> I think that the parser (or whatever) in SRS should be highly improved.
>>
>> Is this a place for reporting bugs to Microsoft?
>>
>> Sorry for my bad english.
>>
>>
>>

> Sorry, I did not explained it very well due to my poor english.

I think your English is admirable. Don't worry about that.

> I think that someone should report this to microsoft if you can reproduce
> it.

Do you have any support incidents? If so, you can report it.

> - Create a text document in you desktop and open it (no problem)
> - Create a text document in E:\ or any subfoder. ¿What happens?:
> - Notepad opens very slowly.
> - Notepad is opened without any theme applyed to it, it
> looks like old windows theme.
> - LOOK at the LOG FILE (e:\#saferlog.txt),
> you will see lots of lines that says some .dll files are
> RESTRICTED,
> but they should not be restricted because they are
> inside "windows\system32" folder.
>
> Sample line in #saferlog.txt:
> ---------
> notepad.exe (PID = 2796) identified
> \??\C:\Windows\system32\uxtheme.dll as Disallowed using path rule, Guid =
> {..... some guid value .....}
> --------
> ¡¡¡¡¡THIS SHOULD NOT HAPPEN NEVER!!!!!!.

Agreed. I see this too. It is very strange. In fact, I think it is a pretty
serious bug in SRP. I tried with RTF files as well, and get very similar
results:
wordpad.exe (PID = 1936) identified \??\C:\Windows\system32\IMM32.DLL as
Disallowed using default rule, Guid = {11015445-d282-4f86-96a2-9e485f593302}
wordpad.exe (PID = 1936) identified \??\C:\Windows\system32\odbcint.dll as
Disallowed using default rule, Guid = {11015445-d282-4f86-96a2-9e485f593302}

The only difference is that Wordpad just crashes. It works fine on the C:\
but not on the E:\.

I'm going to forward this to someone I know at MS that may know who would be
responsible for this. We'll see.

Very nice repro steps BTW. Others should take heed. That's exactly what we
need to see to repro a problem.

Thanks for dedicate your time to reproduce this problem, I was getting crazy
with it.

I do not have any support incident with microsoft.
To be honest, I do not know how to contact with microsoft tech support, I am
too lazy ,
and I am pretty sure that tech support in spain would not help much. That's
why I post the problem here .

> I'm going to forward this to someone I know at MS that may know who would
> be
> responsible for this. We'll see.
Let me know if you get any help or post it here, please.


"Jesper" <Jesper@discussions.microsoft.com> wrote in message
news:F6217626-7968-464A-A548-B399A3653DFC@microsoft.com...
>> Sorry, I did not explained it very well due to my poor english.
>
> I think your English is admirable. Don't worry about that.
>
>> I think that someone should report this to microsoft if you can reproduce
>> it.
>
> Do you have any support incidents? If so, you can report it.
>
>> - Create a text document in you desktop and open it (no problem)
>> - Create a text document in E:\ or any subfoder. ¿What happens?:
>> - Notepad opens very slowly.
>> - Notepad is opened without any theme applyed to it, it
>> looks like old windows theme.
>> - LOOK at the LOG FILE (e:\#saferlog.txt),
>> you will see lots of lines that says some .dll files
>> are
>> RESTRICTED,
>> but they should not be restricted because they are
>> inside "windows\system32" folder.
>>
>> Sample line in #saferlog.txt:
>> ---------
>> notepad.exe (PID = 2796) identified
>> \??\C:\Windows\system32\uxtheme.dll as Disallowed using path rule, Guid =
>> {..... some guid value .....}
>> --------
>> ¡¡¡¡¡THIS SHOULD NOT HAPPEN NEVER!!!!!!.
>
> Agreed. I see this too. It is very strange. In fact, I think it is a
> pretty
> serious bug in SRP. I tried with RTF files as well, and get very similar
> results:
> wordpad.exe (PID = 1936) identified \??\C:\Windows\system32\IMM32.DLL as
> Disallowed using default rule, Guid =
> {11015445-d282-4f86-96a2-9e485f593302}
> wordpad.exe (PID = 1936) identified \??\C:\Windows\system32\odbcint.dll as
> Disallowed using default rule, Guid =
> {11015445-d282-4f86-96a2-9e485f593302}
>
> The only difference is that Wordpad just crashes. It works fine on the C:\
> but not on the E:\.
>
> I'm going to forward this to someone I know at MS that may know who would
> be
> responsible for this. We'll see.
>
> Very nice repro steps BTW. Others should take heed. That's exactly what we
> need to see to repro a problem.
>