
Problems with Software Restriction Policies in Windows 7


posted on Aug, 23 2012 @ 05:56 PM
This is a long shot, but there are some expert IT people on ATS, so here's my problem... I can't seem to make any sense of the 'Basic User' security level in Group Policy > Software Restriction Policies on Windows 7. I know how it SHOULD work in theory, but in practice it's just not working out.

In practice, if I set an additional rule in Software Restriction Policies (that's an exception to the default rules), point it at an application and set the security level to 'Basic User', instead of only allowing the program to run if it does not require administrative permissions, it just blocks access.

While researching the problem I've found posts saying that the security level 'Basic User' in Software Restriction Policies used to work in Vista, but in Windows 7 all it does is 'deny access'. There's nothing I can find in official Microsoft literature about there being a problem with the 'Basic User' security level for Software Restriction Policies in Windows 7 Ultimate or Enterprise.

I've tested this on my test rig over and over, and all the 'Basic User' security level seems to do is restrict access to whatever it is applied to, even if what it is applied to does not require administrative permissions to run.

I'm not looking for any "you should try Apple / Linux" type of answers, as I really need to resolve the problem on Windows 7.

Is there a bug with the security levels in Software Restriction Policies that Microsoft is not owning up to, or am I missing something here?

edit on 23-8-2012 by PhoenixOD because: (no reason given)




posted on Aug, 23 2012 @ 06:05 PM
I tried Win7 and stopped using it mainly because of the problem you're having. It also tells me that the programs I write for my own use are from an untrusted source, even though they're written on it.

Be interesting to hear what the experts have to say.



posted on Aug, 23 2012 @ 06:15 PM
reply to post by PhoenixOD
 


Sometimes I am blocked out of random programs.. I just right click "run as administrator" on the program or folder icon..

Is that related?

edit on 8/23/2012 by Dustytoad because: (no reason given)



posted on Aug, 23 2012 @ 06:17 PM

Originally posted by Dustytoad
reply to post by PhoenixOD
 


Sometimes I am blocked out of random programs.. I just right click "run as administrator" on the program or folder icon..

Is that related?


Not really, but thanks for the reply



posted on Aug, 23 2012 @ 07:21 PM
reply to post by PhoenixOD
 


This is a stab in the dark as the info supplied is a little vague but it sounds like there could be a module/application dependency that is not authorised.

For example application "A" has dependencies "b", "c" & "d" which it requires to operate. Whilst application "A" may be authorised for use by "user x", the dependent modules/applications/dll's may only be permitted to run by "user y".

You could try running the application in question as root/admin and paste a list of the dependencies into a text file. Then just check them one by one until you find the offending code. Once you know what is causing the grief, you can set a rule for the user to allow the app/module and voila.


Good luck.

OA



posted on Aug, 23 2012 @ 07:54 PM

Originally posted by OccamAssassin
reply to post by PhoenixOD
 


This is a stab in the dark as the info supplied is a little vague but it sounds like there could be a module/application dependency that is not authorised.

For example application "A" has dependencies "b", "c" & "d" which it requires to operate. Whilst application "A" may be authorised for use by "user x", the dependent modules/applications/dll's may only be permitted to run by "user y".

You could try running the application in question as root/admin and paste a list of the dependencies into a text file. Then just check them one by one until you find the offending code. Once you know what is causing the grief, you can set a rule for the user to allow the app/module and voila.


Good luck.

OA



Thanks for the reply.

That's some good thinking. I know exactly what you mean, as that was the answer to a problem I was having while testing out Application Restriction Policies in Windows 7 (AKA AppLocker) earlier on today. I had set up a folder and used AppLocker to restrict access to the executables inside. That went OK; every time I tried to run them I would get a dialogue box that says "this program is blocked by group policy, please contact your system admin..etc". Then when I tried to set an exception to the rule and let one of the programs in the folder run, nothing was happening. After I clicked the program I didn't get the "this program is blocked" message, but nothing happened when I clicked the program. After a while of swearing at it I came to the conclusion AppLocker must have been blocking something that it needed to run.


The problem I'm having with the Software Restriction Policy 'Basic User' security level is that once I set it on a folder full of programs, I get the "this program is blocked by group policy" warning on anything I try to run. Even if the programs are very simple programs that do not require admin rights. So effectively all that setting is doing is 'deny execute'.

Like I said, I've found a few people mentioning it in posts on a couple of forums, but no official info on the problem anywhere.


edit on 23-8-2012 by PhoenixOD because: (no reason given)



posted on Aug, 23 2012 @ 09:22 PM
reply to post by PhoenixOD
 


Check step # 15 here (it's about 3/4 down the page) ...

www.grouppolicy.biz...



posted on Aug, 23 2012 @ 11:40 PM
Aren't group policies controlled from a server?

Are you working inside a domain? Get your user profile elevated to a local admin.



posted on Aug, 24 2012 @ 06:51 AM
reply to post by OccamAssassin
 


Thanks, but that's for AppLocker; the problem I have is with Software Restriction Policies.



posted on Aug, 24 2012 @ 06:55 AM

Originally posted by okamitengu
Aren't group policies controlled from a server?

Are you working inside a domain? Get your user profile elevated to a local admin.


If you are part of an Active Directory domain then some group policy is controlled from the server. But there is also Local Group Policy for controlling local groups. Either way, the problem seems to be with the way a policy is applying itself and not my user rights while using the policy.



posted on Aug, 24 2012 @ 01:15 PM
I'm not entirely clear on exactly what you want the end result to be. So I'm going to try and present a few pieces of information and hope that it helps solve the issue.
Let's say you have a login that is only for a non-administrative user. This person would be unable to elevate an application by using "Run as Administrator." However, you want a specific program to be able to run with elevated privileges for a basic user. Now for the purposes of understanding, think of the User Access Control (UAC) and permissions as two separate entities. Some programs are written that require elevation to Admin. Even if you are logged into an account with administrative privileges you still have to use UAC to run as an administrator unless you turn UAC off. This means that even if an account has the right permissions to run an application, it doesn't mean that they will be able to bypass the UAC. To test to see if this is the problem, you will need to give the basic user temporary admin rights, log into the user, turn off UAC. Log back out and change the permission level back. If it's UAC that's causing the issue, then you should now be able to execute the program. There is also a program that I found (although I don't use and don't know much about it) that can help with UAC and may solve your issue. It can be found at www.loginventory.com.... You can also create a "group" and assign that group all the permissions that you want a user to have and then assign that user to the group as well as set exceptions for the group instead of just the user, essentially creating a modified "basic user" group. Then make sure the user is a member of that group and no others. I hope this helps.



posted on Aug, 24 2012 @ 02:15 PM
reply to post by Myth024
 


Thanks for the reply, Myth024. But what I'm trying to do is work out why the 'Basic User' setting in Software Restriction Policy in Group Policy just blocks all access to whatever it's applied to rather than forcing it to run in basic user mode like it's supposed to.



posted on Aug, 24 2012 @ 02:49 PM

Originally posted by PhoenixOD
reply to post by Myth024
 


Thanks for the reply, Myth024. But what I'm trying to do is work out why the 'Basic User' setting in Software Restriction Policy in Group Policy just blocks all access to whatever it's applied to rather than forcing it to run in basic user mode like it's supposed to.


Ahh.. I see now. This is not an area I'm intimately familiar with but I thought that a few observations might help in the troubleshooting process, so I took a look on my own machine and a few things occurred to me.
Basic User:

Allows programs to execute as a user that does not have Administrator access rights, but can still access resources accessible by normal users.


So if you set a rule for a piece of software (that needs admin privileges) to run as if a basic user was running it and the basic user can't run programs as an Admin, then the program would refuse to run because a basic user can't run the program with admin rights. This also means that you have to check to make sure the permissions of normal users are set so that they can execute the program in question. I infer that if you pointed the program to unrestricted, then any basic user should be able to run it without an issue. This also means that you might want to check the AppLocker to make sure there are not any rules that prevent a piece of software from running for a basic user.



posted on Aug, 24 2012 @ 03:11 PM
Here's an update on the problem.

I tried using Software Restriction Policies on another computer using Windows 7 Ultimate.

- I opened Local Group Policy Editor > computer settings > Windows settings > Security settings > software restriction policy.
- Set the Security Levels (default security level) to 'Basic User'
- Tested it out by running an executable off my desktop pass

And it didn't block access to the program.

- I then tried to run a program that would require admin rights to run (and was outside the windows folder and program files folder which is set to unrestricted by default rules)

and that would not run. So the 'Basic User' setting was working as it should.

- I then rebooted the computer and ran the same tests.

This time all the executables were blocked! So it stopped working correctly.
So it seems once group policy refreshes, the 'Basic User' setting just reverts to blocking all access!!

I've checked in AppLocker and there are no rules set.

edit on 24-8-2012 by PhoenixOD because: (no reason given)



posted on Aug, 24 2012 @ 03:26 PM
reply to post by Myth024
 




So if you set a rule for a piece of software (that needs admin privileges) to run as if a basic user was running it and the basic user can't run programs as an Admin, then the program would refuse to run because a basic user can't run the program with admin rights. This also means that you have to check to make sure the permissions of normal users are set so that they can execute the program in question. I infer that if you pointed the program to unrestricted, then any basic user should be able to run it without an issue.


Yes, that's totally correct.


There are three levels for Software Restriction Policies:



Disallowed : Software will not run, regardless of the access rights of the user.

Basic User : Allows programs to execute as a user that does not have Administrator access rights, but can still access resources accessible by normal users.

Unrestricted : Software access rights are determined by the access rights of the user.


Disallowed and unrestricted seem to work fine but 'Basic User' just blocks access to everything once the computer has rebooted.

edit on 24-8-2012 by PhoenixOD because: (no reason given)
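
For the before-and-after-reboot comparison described in the posts above, here is an added example (not code from any poster in this thread) that reads back what Software Restriction Policy has actually stored on the machine. It assumes the policy sits at the standard machine-policy registry location under `Safer\CodeIdentifiers` and that PowerShell 2.0 or later is available; the function names are hypothetical.

```powershell
# Added example: read-only report of the SRP settings in the local machine
# policy hive. Written to stay compatible with PowerShell 2.0 (Windows 7).
$SrpRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

# SAFER level IDs (winsafer.h) for the three levels listed in the thread.
$LevelNames = @{
    0      = 'Disallowed'
    131072 = 'Basic User'      # 0x20000
    262144 = 'Unrestricted'    # 0x40000
}

function Get-SrpLevelName($Id) {
    if ($null -eq $Id) { return 'not set' }
    if ($LevelNames.ContainsKey([int]$Id)) { return $LevelNames[[int]$Id] }
    return ('Unknown (0x{0:X})' -f [int]$Id)
}

function New-SrpRow($Kind, $Value, $Target) {
    New-Object PSObject -Property @{ Kind = $Kind; Value = $Value; Target = $Target } |
        Select-Object Kind, Value, Target
}

function Get-SrpReport {
    param([string]$Path = $SrpRoot)
    if (-not (Test-Path $Path)) {
        Write-Warning "No Software Restriction Policy is defined under $Path"
        return
    }
    $cfg = Get-ItemProperty -Path $Path
    New-SrpRow 'Default level' (Get-SrpLevelName $cfg.DefaultLevel) '(all software)'
    # PolicyScope: 0 = all users, 1 = all users except local administrators
    New-SrpRow 'PolicyScope' $cfg.PolicyScope '(who the policy applies to)'
    # TransparentEnabled: 1 = all files except DLLs, 2 = all files including DLLs
    New-SrpRow 'TransparentEnabled' $cfg.TransparentEnabled '(DLL enforcement)'

    # Additional rules live in subkeys named after the decimal level ID.
    foreach ($levelKey in Get-ChildItem -Path $Path) {
        $id = 0
        if (-not [int]::TryParse($levelKey.PSChildName, [ref]$id)) { continue }
        $pathsKey = $levelKey.PSPath + '\Paths'
        if (-not (Test-Path $pathsKey)) { continue }
        foreach ($rule in Get-ChildItem -Path $pathsKey) {
            $item = Get-ItemProperty -Path $rule.PSPath
            New-SrpRow 'Path rule' (Get-SrpLevelName $id) $item.ItemData
        }
    }
}

Get-SrpReport | Format-Table -AutoSize
```

Running it once before and once after the reboot shows whether the stored default level and path rules changed, or whether only the enforcement behaviour did.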



posted on Aug, 24 2012 @ 06:58 PM
reply to post by PhoenixOD
 


Ok, here is a possibility that is a bit out there....
I noted that one time I was logged into my Admin account and I was installing lots of software so I turned off UAC. I then installed the software, then when I was done I turned it back on. When I logged into a non admin account, none of the software would execute and it would just give me an access denied. Didn't even prompt me for alternative credentials. I fixed it by converting the account to an Admin account, then logging in to it. Turning off the UAC for that account. Applying that. Reboot, back into the account. Turned UAC back on. Logged out. Changed it back to non-admin. Logged into the account and it started working correctly. Some programs require elevated access to function and I'm not sure there is a way to get around it without giving the person admin access.... You could try adding the user to the Power Users group and see if that changes anything. I also found that for some reason some changes only work if done in the actual Admin account and not just one that has admin privileges. As an entirely different way of looking at it, I found this....
www.sevenforums.com...
Please let me know if you find a solution as now I want ta know lol.



posted on Aug, 24 2012 @ 07:46 PM
reply to post by Myth024
 


That's an interesting link.


I've been getting on to TechNet about this problem now as I want an official answer, so I'll wait and see if they respond. It could be that the 'Basic User' level just doesn't work.

As for using the Power Users group, that's a no-no in Windows 7; it's considered bad practice. It's only there as a legacy option from the XP days. I'm only really interested in working out why things are not working as they are documented to work.

I found this from Windows7library



In Vista I used UAC and software restriction Policy (SRP) basic user to limit elevation. In UAC I only allowed signed programs from safe placed to elevate. This still left me with some internet facing software like Outlook and IE9 (which are signed and installed in Program Files). When I added a SRP to IE9 and Outlook of basic user, this prevented those malware entrypoints to elevate. In Windows7 the SRP basic user acts as deny execute. An updated blogpost on how to use basic user Software Policy Restrictions in Windows would be appreciated.


Which would seem to confirm the problem I am having, but if this is the case, why do all the Microsoft books on the subject not mention that the 'Basic User' level is broken?

edit on 24-8-2012 by PhoenixOD because: (no reason given)



posted on Aug, 25 2012 @ 10:33 AM
reply to post by PhoenixOD
 

Well, when Win7 was released I know that microsquishy changed the way UAC works and the idea behind basic user was to make a workstation that only allowed an employee to have what they need to do a job and nothing else. Windows systems have always been designed to only allow applications to run that an administrator wants to run. (even as far back as Windows for Workgroups and yea, I'm THAT old lol) With Win7 Microsoft began treating viruses and malware as a "user" and I believe they changed the way UAC works specifically to prevent those programs from executing as a basic user. Typically in a work environment, at least from what I've seen, UAC is simply turned off and the permissions are set to "mimic" UAC functionality by essentially only allowing a basic user to use what is already installed on a machine. The fact that some programs now require elevated privileges to run is just bad programming and in theory, only admins should be installing new software on a machine.
This, however, doesn't really solve a problem, which is one of the reasons I began approaching your problem from different angles. I've always felt that if you want to accomplish something and the way you're using isn't working, then there is always another way to have the same end result by doing it differently. Good luck and I look forward to finding the answer.



posted on Oct, 6 2012 @ 08:59 AM
Finally I got an answer from Microsoft about this problem. It seems I was right and the 'Basic User' setting does not work as it should. In other words, it's 'broken'. Only the block and allow settings work with Software Restriction Policies.

It seems it's been this way since Vista.



posted on Dec, 24 2012 @ 03:32 AM
reply to post by PhoenixOD
 

I was actually curious if anyone knew if the "basic user" was still broken in Windows 8. I've already talked to a few people that hate it as an operating system. I also realized that there is an "Enterprise" version of Windows 7 that is supposed to only be available to companies that use site licenses and I wondered if that might be an element in that version that actually worked correctly. So yea, I was running through all my posts and saw this one and suddenly these thoughts popped into my head and so I decided to go ahead and post em. lol.




