Didier Stevens

Monday 28 September 2009

Quickpost: SAFER and Malicious Documents

Filed under: My Software, Quickpost — Didier Stevens @ 17:50

I wasn’t going to mention SAFER to restrict the rights of an application, because Software Restriction Policies can be bypassed. But a Tweet by Edi Strosar made me review my viewpoint. In this particular case, bypassing SRP is a non-issue, because the user is already local admin!

Software Restriction Policies allow you to force specific applications to run with a restricted token: at the Basic User level the Administrators and Power Users groups in the process token become deny-only and its privileges are stripped, so the application runs with standard-user rights even when launched by a local admin. Michael explained it with AD GPOs; I'll show it with local policies.

Make the extra SAFER levels visible in the SRP snap-in by adding a DWORD value named Levels with data 0x31000 under the key HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers (this value only controls which levels the tool displays; it does not change enforcement):


Start the Local Security Policy administration tool and go to the Software Restriction Policies. You’ll have to create new policies if this is the first time you configure SRPs.


Create a new rule in Additional Rules. We’ll identify the application to restrict by its path and name, so create a Path Rule:


For the security level, select Basic User:


If you have no Basic User option, you forgot to update the registry before launching the administration tool:


Select the application to restrict:


This rule will force Adobe Reader to run with a restricted token:


Writing to SYSTEM32 is denied, because the restricted token no longer carries an effective Administrators group membership:
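The same configuration done from an elevated PowerShell instead of the Local Security Policy tool, as an added example that is not part of the original post. It writes the registry layout that the snap-in itself uses for local SRP (a decimal-named subkey per SAFER level, a GUID-named subkey per path rule). Assumptions: the policy is local, not from a domain GPO; the Adobe Reader path in the usage lines is a placeholder for your installation; the ExecutableTypes list is the snap-in's default and only matters when no policy exists yet.

```powershell
# Added example (not from the original post): configure SAFER/SRP from PowerShell.
# Run elevated. Registry layout follows what secpol.msc writes for local policy.

$CodeIds = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

# SAFER security levels; each is a decimal-named subkey holding that level's rules
$SaferLevel = @{
    Disallowed   = 0        # 0x00000
    Untrusted    = 4096     # 0x01000
    Constrained  = 65536    # 0x10000
    BasicUser    = 131072   # 0x20000  <- restricted token (admin groups deny-only)
    Unrestricted = 262144   # 0x40000
}

function Enable-SaferLevels {
    # Levels = 0x31000 (Untrusted|Constrained|BasicUser) makes "Basic User"
    # selectable in the snap-in. Display only; enforcement is unaffected.
    New-Item -Path $CodeIds -Force | Out-Null
    Set-ItemProperty -Path $CodeIds -Name Levels -Value 0x31000 -Type DWord
}

function Initialize-SrpPolicy {
    # Equivalent of creating new policies in the snap-in; skipped if one exists.
    if ($null -ne (Get-ItemProperty -Path $CodeIds -Name DefaultLevel -ErrorAction SilentlyContinue)) { return }
    Set-ItemProperty -Path $CodeIds -Name DefaultLevel        -Value $SaferLevel.Unrestricted -Type DWord
    Set-ItemProperty -Path $CodeIds -Name TransparentEnabled  -Value 1 -Type DWord  # executables, not DLLs
    Set-ItemProperty -Path $CodeIds -Name PolicyScope         -Value 0 -Type DWord  # 0 = all users, admins included
    Set-ItemProperty -Path $CodeIds -Name AuthenticodeEnabled -Value 0 -Type DWord
    Set-ItemProperty -Path $CodeIds -Name ExecutableTypes -Type MultiString -Value @(
        'ADE','ADP','BAS','BAT','CHM','CMD','COM','CPL','CRT','EXE','HLP','HTA','INF','INS','ISP',
        'LNK','MDB','MDE','MSC','MSI','MSP','MST','OCX','PCD','PIF','REG','SCR','SHS','URL','VB','WSC')
}

function New-SaferPathRule {
    # Create a path rule (file or directory, %ENV% variables allowed) at the given level.
    param(
        [Parameter(Mandatory)][string]$Path,
        [int]$LevelId = $SaferLevel.BasicUser,
        [string]$Description = ''
    )
    $ruleKey = "$CodeIds\$LevelId\Paths\{$([guid]::NewGuid())}"
    New-Item -Path $ruleKey -Force | Out-Null
    Set-ItemProperty -Path $ruleKey -Name ItemData     -Value $Path -Type ExpandString
    Set-ItemProperty -Path $ruleKey -Name SaferFlags   -Value 0 -Type DWord
    Set-ItemProperty -Path $ruleKey -Name Description  -Value $Description -Type String
    Set-ItemProperty -Path $ruleKey -Name LastModified -Value ([DateTime]::UtcNow.ToFileTimeUtc()) -Type QWord
    return $ruleKey
}

function Get-SaferPathRules {
    # Audit helper: every path rule with the level it enforces.
    foreach ($name in $SaferLevel.Keys) {
        $paths = "$CodeIds\$($SaferLevel[$name])\Paths"
        if (-not (Test-Path $paths)) { continue }
        Get-ChildItem $paths | ForEach-Object {
            $p = Get-ItemProperty $_.PSPath
            [pscustomobject]@{ Level = $name; Path = $p.ItemData; Description = $p.Description; Key = $_.PSChildName }
        }
    }
}

function Test-BasicUserToken {
    # Check the effect: a copy of whoami.exe placed under a Basic User rule must
    # report BUILTIN\Administrators as "Group used for deny only".
    $dir = Join-Path $env:TEMP 'safer-demo'
    New-Item -ItemType Directory -Path $dir -Force | Out-Null
    Copy-Item "$env:SystemRoot\System32\whoami.exe" $dir -Force
    $rule = New-SaferPathRule -Path $dir -Description 'temporary Basic User test rule'
    try {
        $groups = & (Join-Path $dir 'whoami.exe') /groups
        $admins = $groups | Where-Object { $_ -match 'BUILTIN\\Administrators' }
        return [bool]($admins -match 'deny only')
    } finally {
        Remove-Item $rule -Recurse -Force   # remove the test rule and the copy again
        Remove-Item $dir -Recurse -Force
    }
}

# Usage (the Reader path is an assumed placeholder; adjust to your install):
Enable-SaferLevels
Initialize-SrpPolicy
New-SaferPathRule -Path '%ProgramFiles%\Adobe\Reader 9.0\Reader\AcroRd32.exe' -Description 'Adobe Reader as Basic User'
Get-SaferPathRules | Format-Table -AutoSize
Test-BasicUserToken   # $true once the restricted token is in effect
```

SAFER is consulted at process creation, so newly started processes see the rule; if Test-BasicUserToken still reports a full token, sign out and back in. Keep PolicyScope at 0, otherwise local administrators (the user in this post's scenario) are exempt. Note what the Basic User token does and does not contain: it blocks writes to SYSTEM32 and other admin-only locations, but the process still runs as the user's own account, so everything the user can write (profile, documents) stays writable to an exploited reader.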

