Sorry, I did not explained it very well due to my poor english.
I think that someone should report this to microsoft if you can reproduce
it.
First I will explain what I did, then what happens.
- Installed Windows Vista Enterprise (english) in a test machine withouth
activating it.
- Installed spanish language pack, just for testing it.
- I have two partitions in same hard disk: C:\ and E:\
- I setup two users: Admin1(admin rights) and User1(user limited account).
- I opened Local Group Policy Editor to setup SRP Policies (inside computer
policies):
- Inside "Designates File Types":
- Just remove .LNK file type
- Inside "Enforcement":
- All software files
- All users except local adminstrators.
- Ignore certifcate rules.
- Inside "Trusted Publishers":
- DO NOT define these policy settings
- Inside "Additional Rules" (default settings):
- Unrestricted
%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%
- Unrestricted
%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Cur rentVersion\ProgramFilesDir%
- Inside"Security Levels":
- Disallowed MUST BE set as default setting.
- Very important: setup this registry key value for advanced SRP logging,
you will understand what happens with this enabled:
- Go to:
"HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\Co deIdentifiers"
- Create New Value inside CodeIdentifiers:
- Type: REG_SZ
- Name: LogFileName
- Value: E:\#saferlog.txt (or whatever)
- Execute "gpupdate /force" and restart computer (needed the first time you
enable SRP)
OK, with this settings any user without admin rights cannot EXECUTE any
program or any excutable code of ANY FILE TYPE (included .dll, .tmp, .etc.)
IF IT IS OUTSIDE "Program files" and "Windows Folders". This includes things
that could be launched with rundll32.exe. This settings combined with folder
rights inside program files and windows folder will prevent users to
introduce or execute external programs not allowed by administrators. Great,
eh?
I think that all of this works great IF YOU ONLY HAVE ONE PARTITION, but now
test this:
- Create a text document in you desktop and open it (no problem)
- Create a text document in E:\ or any subfoder. ¿What happens?:
- Notepad opens very slowly.
- Notepad is opened without any theme applyed to it, it
looks like old windows theme.
- LOOK at the LOG FILE (e:\#saferlog.txt),
you will see lots of lines that says some .dll files are
RESTRICTED,
but they should not be restricted because they are
inside "windows\system32" folder.
Sample line in #saferlog.txt:
---------
notepad.exe (PID = 2796) identified
\??\C:\Windows\system32\uxtheme.dll as Disallowed using path rule, Guid =
{..... some guid value .....}
--------
¡¡¡¡¡THIS SHOULD NOT HAPPEN NEVER!!!!!!.
Of course this is just one example with notepad, but I guess that this
situation will affect any program
- Now, put a new path rule in SRP allowing E:\ (unrestricted). Now it
works, but I do not want this path rule.
But then, things get even more funny if you redirect user's folders to E:\
drive,
specially if it's "Desktop" folder. Remember that path rule E:\ is not
allowed.
Right click "Desktop folder" inside user profile and change its location to
E:\Users\<username>\desktop
Now try to open Internet Explorer, ¿what happens?. ¿Can you open it?
Now take back Desktop folder to the original location. ¿Can open Internet
Explorer now?.
The last thing is funny too:
Try to setup path rules with wildcards, or path rules with registry values
combined.
I had this problems with path rules in Windows XP, I have not tested it in
Vista for the moment.
Examples of problematic path rules:
%userprofile%\temp\~01*.tmp (similar thing was needed for Autcad
2006 but it did not work with wildcards)
%userprofile%\temp\~01???ABC.tmp
"%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Window s
NT\CurrentVersion\SystemRoot%\SomeFolder\*.exe"
THANKS FOR READING IT.
"Jesper" <Jesper@discussions.microsoft.com> wrote in message
news:E9102097-E6BC-43D2-82A2-9C45E403F910@microsoft.com...
> David, why do you believe this is a bug? Am I understanding you right that
> you set up an SRP (Software Restriction Policy) that blocks
> E:\
>
> If so, I would say that SRP is doing _exactly_ what you told it to do if
> it
> blocks you opening something on E:\. Can you explain a little more, with
> steps, what is happening?
> ---
> Your question may already be answered in Windows Vista Security:
> http://www.amazon.com/gp/product/047...otectyourwi-20
>
>
> "David Calzada" wrote:
>
>> Sorry for my bad english.
>>
>> I think I have found a serious bug in software restriction policies.
>>
>> Can someone test this issue?:
>>
>> If you have two volumes or partitions, like C:\ and E:\, and if you setup
>> SRS
>> with default settings and you DO NOT ALLOW E:\ path in SRS you cannot
>> open
>> ..txt files (as an example) or whatever.
>> And things get A LOT WORSE when you use folder redirection of user's
>> folders
>> to E:\ drive, especially if you redirect the "desktop" folder. Internet
>> Explorer WILL NOT OPEN!!!
>>
>> Someone has similar issues? Any idea?
>>
>> Some months ago did some tests with SRS on Windows XP and found multiple
>> issues with path rules, especially using registry values or wildcards in
>> path values.
>> I think that the parser (or whatever) in SRS should be highly improved.
>>
>> Is this a place for reporting bugs to Microsoft?
>>
>> Sorry for my bad english.
>>
>>
>>
,
Linear Mode
