rhuhman1 Absent Member.

Software Restriction Policies?

I have had several SysAdmins around me state that the CryptoLocker malware has hit them hard. I have been looking into better ways to keep my systems protected and had a few implementation policy questions for those of you running a non-Active Directory environment.

The first question is regarding Software Restriction Policies. Anyone using this through the GPO inside ZENworks? Any recommendations on how best to deploy this to prevent disasters like Crypto?

The second question is regarding other areas, security-wise, I should be working with. Recommendations on GPO settings that I should be posting? Other security settings outside of a GPO I should be working on?

I have been rather lucky so far with my virus issues not being too large, but I want to ensure I am doing all I can to keep the risk to a minimum.

Thanks.

Richard
8 Replies
rhuhman1 Absent Member.

Re: Software Restriction Policies?

I have a new issue/question regarding policies and how ZENworks functions. I set Software Restrictions on my main Computer GPO so that it doesn't allow EXE execution from AppData, LocalAppData, Temp, and tmp directories. I had one of the staff members show me an error stating the bundle for a website couldn't be executed due to a Group Policy enforcement.

I guess I am lost now on how ZENworks launches bundles. I always thought it was downloaded into the cache location and launched from that location. (C:\Program Files\Novell\ZEnworks\cache\zmd)

Which location do I need to worry about, or is this unrelated to the GPO preventing exe execution?

Thanks for the guidance.

Richard
Micro Focus Expert

Re: Software Restriction Policies?

No, it does not download it to cache and run from there.
It runs it from wherever the app runs it.

Most browsers will run from AppData and TEMP.

One of the key items for Crypto is making sure Java is updated and has
proper security settings.

You could also have a process that runs on user logon that wipes the
HKCU Run registry key.

These types of apps always pop themselves there, since they won't have
rights to write to any system keys.

Perhaps even have something that revokes the user's write rights to the key.

On 11/7/2013 12:46 PM, rhuhman wrote:
>
> I have a new issue/question regarding policies and how ZENworks
> functions. I set Software Restrictions on my main Computer GPO so that
> it doesn't allow EXE execution from AppData, LocalAppData, Temp, and tmp
> directories. I had one of the staff members show me an error stating
> the bundle for a website couldn't be executed due to a Group Policy
> enforcement.
>
> I guess I am lost now on how ZENworks launches bundles. I always thought
> it was downloaded into the cache location and launched from that
> location. (C:\Program Files\Novell\ZEnworks\cache\zmd)
>
> Which location do I need to worry about, or is this unrelated to the GPO
> preventing exe execution?
>
> Thanks for the guidance.
>
> Richard
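As an added illustration of the logon-time cleanup Craig describes (this is example code, not something from the thread or from ZENworks), the script below audits the per-user Run key at logon. Every entry is logged; entries whose command resolves to a file under the user's AppData or TEMP trees (the locations the thread's SRP rules block, and where the malware in question plants itself) are removed. Passing -RemoveAll wipes the key completely as suggested above, and -WhatIf previews without changing anything. The log file location is an assumption for this example.

```powershell
# Added example (not code from the thread or from ZENworks): logon-time
# audit of HKCU\...\Run. Entries pointing into user-writable AppData/TEMP
# trees are removed; -RemoveAll wipes the key as the thread proposes.
# The log path is an assumption for this example.
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$LogPath = "$env:LOCALAPPDATA\RunKeyAudit.log",
    [switch]$RemoveAll
)

$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'

# Directory roots a normal user can write to; a Run entry whose target
# lives under one of these is treated as suspect. Empty variables dropped.
$suspectRoots = @($env:APPDATA, $env:LOCALAPPDATA, $env:TEMP, $env:TMP) |
    Where-Object { $_ } |
    ForEach-Object { $_.TrimEnd('\').ToLowerInvariant() } |
    Select-Object -Unique

function Get-CommandPath {
    # Recover the executable path from a Run value, which may be quoted
    # and may carry arguments, e.g.  "C:\dir\app.exe" /silent
    param([string]$Command)
    $cmd = $Command.Trim()
    if ($cmd.StartsWith('"')) {
        $end = $cmd.IndexOf('"', 1)
        if ($end -gt 0) { return $cmd.Substring(1, $end - 1) }
    }
    $m = [regex]::Match($cmd, '^(.+?\.(exe|bat|cmd|vbs|js|scr|pif))(\s|$)', 'IgnoreCase')
    if ($m.Success) { return $m.Groups[1].Value }
    return ($cmd -split '\s+')[0]
}

function Test-SuspectPath {
    # True when the (expanded) path sits below a user-writable root
    param([string]$Path)
    $expanded = [Environment]::ExpandEnvironmentVariables($Path).ToLowerInvariant()
    foreach ($root in $suspectRoots) {
        if ($expanded.StartsWith($root + '\')) { return $true }
    }
    return $false
}

if (-not (Test-Path $runKey)) { return }
$key = Get-Item $runKey
foreach ($name in $key.GetValueNames()) {
    # Read the raw value so %VARS% are logged as written, not expanded
    $raw     = [string]$key.GetValue($name, '', 'DoNotExpandEnvironmentNames')
    $target  = Get-CommandPath $raw
    $suspect = Test-SuspectPath $target
    $line = "{0} name='{1}' target='{2}' suspect={3}" -f (Get-Date -Format s), $name, $target, $suspect
    Add-Content -Path $LogPath -Value $line
    if ($RemoveAll -or $suspect) {
        if ($PSCmdlet.ShouldProcess("$runKey\$name", 'Remove Run entry')) {
            Remove-ItemProperty -Path $runKey -Name $name
        }
    }
}
```

Run it once with -WhatIf against a known-good machine to see which entries would be removed before wiring it into the logon script; the log gives you a per-logon record of what was present, which is also useful evidence if a machine later turns out to be infected.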
rhuhman1 Absent Member.

Re: Software Restriction Policies?

Craig,

Thanks for the additional information. Wiping Run in the Registry as part of the login script is something I will add to my setup. I might look at doing it as part of my shutdown process as well.

A quick follow-up on the Java security settings. Do you have a template or process on these items? I do try to keep my Java versions on the latest and greatest and have a few Java setup changes to try and get the best security-to-functionality balance I can, but seeing what others also do is a big help.

I did find that I messed up by killing the Temp location in AppData, and then I have a script that I run (ZAA deployment is the big one) that I download directly there, and then have the policy that kills the function outright.... Oh well, at least I know that is working.

Thanks for the assistance.

Richard
Micro Focus Expert

Re: Software Restriction Policies?

Check out this:

http://www.darkoperator.com/blog/2013/1/12/pushing-security-configuration-for-java-7-update-10-via-gpo.html/

Should not be hard to tweak this for ZCM.

On 11/7/2013 4:26 PM, rhuhman wrote:
>
> Craig,
>
> Thanks for the additional information. Wiping Run in the Registry as
> part of the login script is something I will add to my setup. I might
> look at doing it as part of my shutdown process as well.
>
> A quick follow-up on the Java security settings. Do you have a template
> or process on these items? I do try to keep my Java versions on the
> latest and greatest and have a few Java setup changes to try and get the
> best security-to-functionality balance I can, but seeing what others also
> do is a big help.
>
> I did find that I messed up by killing the Temp location in AppData, and
> then I have a script that I run (ZAA deployment is the big one) that I
> download directly there, and then have the policy that kills the function
> outright.... Oh well, at least I know that is working.
>
> Thanks for the assistance.
>
> Richard
rhuhman1 Absent Member.

Re: Software Restriction Policies?

Sweet! Thanks

Richard
kjannasz Absent Member.

Re: Software Restriction Policies?

Is there any possibility to implement Software Restriction Policies in a ZENworks environment now?
This topic is old, but it would still be nice to have such an ability. After one hour of testing I found a problem with actions/running scripts as the logged-in user. It uses %userprofile%\AppData\Local\Temp\*\*.bat. Of course this path is random and is blocked. In Software Restriction Policies, c:\program files, c:\windows and one more folder for dropping and running ZENworks bundles are allowed. I have no problem with installing some bundles and using browsers and Office. I didn't test ZENworks updating and installation.
Is there any tip for logged-in user actions?

Thanks,
Krzysztof
Micro Focus Expert

Re: Software Restriction Policies?

kjannasz;2441045 wrote:
Is there any possibility to implement Software Restriction Policies in a ZENworks environment now?
This topic is old, but it would still be nice to have such an ability. After one hour of testing I found a problem with actions/running scripts as the logged-in user. It uses %userprofile%\AppData\Local\Temp\*\*.bat. Of course this path is random and is blocked. In Software Restriction Policies, c:\program files, c:\windows and one more folder for dropping and running ZENworks bundles are allowed. I have no problem with installing some bundles and using browsers and Office. I didn't test ZENworks updating and installation.
Is there any tip for logged-in user actions?

Thanks,
Krzysztof
There is nothing in ZCM preventing you, now or ever, from using SRP.
You can configure ZCM scripts to run from other places by specifying a specific script rather than having ZCM dynamically create it on the fly in TEMP.
Keep in mind, MANY software installs and other items will also run from %TEMP%.
Since the installers are written by 3rd parties, ZCM cannot change how they work.

ZCM cannot bypass Windows security, so it is just a matter of being mindful of how Windows works.
For example, you could configure "SYSTEM" to have a TEMP directory in a location that is not locked down and then configure bundle actions to run as SYSTEM.
But enabling tight SRP is a major project.
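To make the path-rule interaction concrete (an added example, not code from the thread or from ZENworks), the script below models the policy kjannasz describes (user AppData and TEMP disallowed; Program Files, Windows and a bundle drop folder unrestricted) and evaluates a handful of constructed paths against it, including the two workarounds Craig gives: a script stored in a fixed allowed folder instead of one ZCM generates in %TEMP%, and a separate TEMP for SYSTEM. It applies the SRP rule that the most specific matching path rule wins. The rule set, the drop folder name, the SYSTEM TEMP folder name and the sample file names are all assumptions made up for this example.

```powershell
# Added example, not from the thread: evaluate candidate paths against an
# SRP-style path rule set. Rules, folder names and sample paths below are
# constructed assumptions; the security level numbers are the values SRP
# stores under CodeIdentifiers (0 = Disallowed, 262144 = Unrestricted).
$Unrestricted = 262144
$Disallowed   = 0
$defaultLevel = $Unrestricted   # default level of the thread's policy

# Constructed rule set mirroring the thread: block user-writable trees,
# allow Program Files, Windows, a bundle drop folder and a SYSTEM-only TEMP.
$rules = @(
    @{ Path = '%LOCALAPPDATA%\*';        Level = $Disallowed;   Note = 'user LocalAppData' }
    @{ Path = '%APPDATA%\*';             Level = $Disallowed;   Note = 'user AppData' }
    @{ Path = '%TEMP%\*';                Level = $Disallowed;   Note = 'user TEMP' }
    @{ Path = 'C:\Program Files\*';      Level = $Unrestricted; Note = 'Program Files' }
    @{ Path = 'C:\Windows\*';            Level = $Unrestricted; Note = 'Windows' }
    @{ Path = 'C:\ZENDrop\*';            Level = $Unrestricted; Note = 'assumed bundle drop folder' }
    @{ Path = 'C:\Windows\SystemTemp\*'; Level = $Unrestricted; Note = 'assumed SYSTEM-only TEMP' }
)

function ConvertTo-SrpRegex {
    # Turn an SRP path rule into a regex: expand %VARS%, escape, map * to .*;
    # a rule without a wildcard covers the folder and everything below it.
    param([string]$Pattern)
    $expanded = [Environment]::ExpandEnvironmentVariables($Pattern)
    $escaped  = [regex]::Escape($expanded) -replace '\\\*', '.*'
    if ($expanded -notmatch '\*') { $escaped += '(\\.*)?' }
    return "^$escaped$"
}

function Resolve-SrpLevel {
    # SRP precedence for path rules: the most specific (longest) match wins;
    # with no match the policy's default level applies.
    param([string]$Path, [array]$Rules, [int]$Default)
    $best = $null
    foreach ($r in $Rules) {
        if ($Path -match (ConvertTo-SrpRegex $r.Path)) {
            $len = ([Environment]::ExpandEnvironmentVariables($r.Path)).Length
            if ($null -eq $best -or $len -gt $best.Len) {
                $best = @{ Len = $len; Rule = $r }
            }
        }
    }
    if ($null -eq $best) { return @{ Level = $Default; Note = 'default level' } }
    return @{ Level = $best.Rule.Level; Note = $best.Rule.Note }
}

# Constructed sample paths: the ZCM-generated script case from the thread,
# a user-writable drop, and the two workarounds Craig describes.
$candidates = @(
    "$env:LOCALAPPDATA\Temp\zcm1234\action.bat",             # ZCM on-the-fly script as logged-in user
    "$env:APPDATA\Updater\dropper.exe",                      # anything a user can write under AppData
    'C:\Program Files\Novell\ZENworks\cache\zmd\setup.exe',  # allowed tree from the thread
    'C:\ZENDrop\action.bat',                                 # fixed script in the drop folder
    'C:\Windows\SystemTemp\zcm5678\action.bat'               # action run as SYSTEM with its own TEMP
)

foreach ($p in $candidates) {
    $r = Resolve-SrpLevel -Path $p -Rules $rules -Default $defaultLevel
    $verdict = if ($r.Level -eq $Disallowed) { 'BLOCKED' } else { 'allowed' }
    '{0,-8} {1}  ({2})' -f $verdict, $p, $r.Note
}
```

The first two candidates come back BLOCKED and the last three allowed, which is exactly the split the thread ends up with: a ZCM action that writes its script into the user's TEMP is caught by the same rule that stops the malware, while a script kept in a fixed allowed folder, or run as SYSTEM from a TEMP outside the blocked trees, is not. Before relying on a SYSTEM TEMP exception, check that the folder is not writable by ordinary users, otherwise it becomes a new launch location for the same payloads the policy was meant to stop.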
kjannasz Absent Member.

Re: Software Restriction Policies?

CRAIGDWILSON;2441072 wrote:
There is nothing in ZCM preventing you, now or ever, from using SRP.
You can configure ZCM scripts to run from other places by specifying a specific script rather than having ZCM dynamically create it on the fly in TEMP.
Keep in mind, MANY software installs and other items will also run from %TEMP%.
Since the installers are written by 3rd parties, ZCM cannot change how they work.

ZCM cannot bypass Windows security, so it is just a matter of being mindful of how Windows works.
For example, you could configure "SYSTEM" to have a TEMP directory in a location that is not locked down and then configure bundle actions to run as SYSTEM.
But enabling tight SRP is a major project.


I know that enabling SRP is a major project. Testing and rebuilding bundles, especially installing third-party applications, is hard and sometimes impossible under tight SRP; of course that depends not on ZCM but on the application developer. Thank you for the tip about the location for action scripts. This problem has been resolved in our environment.

Thank you for the answer,

Krzysiek