Didier Stevens

Tuesday 20 July 2010

Mitigating .LNK Exploitation With SRP

Filed under: Vulnerabilities — Didier Stevens @ 7:13

As I’ve used Software Restriction Policies (SRP) on several occasions in my blogposts, and several people have suggested using SRP to protect against .LNK exploitation as an alternative to Ariad, I’ll describe how to configure SRP for the first time on a workstation that is not a member of a domain. For domain members, you have to configure SRP in the GPO on the domain controller.

Start the Local Security Policy manager from Control Panel / Administrative Tools:

Software Restriction Policies need to be defined the first time:

We exclude our system drive (C:) from being restricted by adding a path rule for C:\ with security level Unrestricted (add a rule for each additional drive that holds software you trust):

To protect against .LNK exploitation, we need to restrict DLLs too, not only EXEs, because the malicious shortcut makes Windows load a DLL rather than start an EXE. Under Enforcement, select "All software files":

And finally, switch from blacklisting to whitelisting by setting the default security level to Disallowed, so that anything not covered by an Unrestricted path rule is blocked:

After configuring SRP, log off and log on again to apply the policy immediately.

From now on, only executables and DLLs located on your C: drive will be allowed to run.
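The same configuration can be scripted instead of clicked through. The script below is an added example and not part of the original post: it writes the registry values that SRP reads (under HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers) to reproduce the four GUI steps above on a non-domain workstation: define SRP, set enforcement to all software files including DLLs, add an Unrestricted path rule for the system drive, and set the default level to Disallowed. It assumes the system drive is C: and must be run from an elevated PowerShell prompt; the log off/log on at the end is still required.

```powershell
# Added example (not from the original post): apply the SRP configuration
# described above by writing the registry keys that SRP ("Safer") reads.
# Assumption: the system drive is C:\ (change $systemDrive otherwise).
# Run elevated, then log off and log on again.

$systemDrive = 'C:\'
$safer = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

# Security levels as SRP stores them: in DefaultLevel and as subkey names
$Disallowed   = 0x00000000   # subkey "0"
$Unrestricted = 0x00040000   # subkey "262144"

# Step 1: "define" SRP. The CodeIdentifiers key is what the GUI creates
# the first time you choose "New Software Restriction Policies".
if (-not (Test-Path $safer)) { New-Item -Path $safer -Force | Out-Null }

# Step 2: Enforcement. TransparentEnabled 2 = "All software files" (EXEs and
# DLLs); 1 would be "All software files except libraries (such as DLLs)",
# which does not stop the .LNK exploit because it loads a DLL.
Set-ItemProperty -Path $safer -Name TransparentEnabled -Value 2 -Type DWord
# PolicyScope 0 = all users; 1 would exempt local administrators.
Set-ItemProperty -Path $safer -Name PolicyScope -Value 0 -Type DWord
# Do not let Authenticode trust override the path rules.
Set-ItemProperty -Path $safer -Name AuthenticodeEnabled -Value 0 -Type DWord

# Step 3: exclude the system drive with an Unrestricted path rule.
# Path rules live under <level>\Paths\{GUID} with an ItemData value.
$pathsKey = Join-Path $safer "$Unrestricted\Paths"
$ruleKey  = Join-Path $pathsKey ('{' + [guid]::NewGuid().ToString() + '}')
New-Item -Path $ruleKey -Force | Out-Null
Set-ItemProperty -Path $ruleKey -Name ItemData     -Value $systemDrive -Type ExpandString
Set-ItemProperty -Path $ruleKey -Name SaferFlags   -Value 0 -Type DWord
Set-ItemProperty -Path $ruleKey -Name Description  -Value 'System drive, unrestricted' -Type String
Set-ItemProperty -Path $ruleKey -Name LastModified -Value ([DateTime]::UtcNow.ToFileTimeUtc()) -Type QWord

# Step 4: switch from blacklisting to whitelisting: default level Disallowed.
# Done last on purpose: if anything above failed, the machine is not left
# with Disallowed as default and no Unrestricted rule to log on with.
Set-ItemProperty -Path $safer -Name DefaultLevel -Value $Disallowed -Type DWord

# Read back what will be enforced after the next logon.
Get-ItemProperty -Path $safer | Select-Object DefaultLevel, TransparentEnabled, PolicyScope
Get-ChildItem -Path $pathsKey | ForEach-Object { (Get-ItemProperty -Path $_.PSPath).ItemData }
```

Two caveats a practitioner should keep in mind. First, making the whole of C:\ Unrestricted also covers user-writable locations on that drive (the user profile, %TEMP%), so this setup blocks loading from removable media, network shares and WebDAV paths, but not a DLL that has first been copied onto C:. A tighter variant replaces the C:\ rule with Unrestricted rules for %SystemRoot% and %ProgramFiles% only, at the cost of more exceptions to maintain. Second, checking every DLL load has a measurable cost on startup time; test it before rolling it out widely.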

.LNK exploitation from removable media is now blocked: the DLL the malicious shortcut points to lives outside the C: drive, so SRP refuses to load it:

