Software patching has long been considered a core capability within an enterprise, though the focus of software patching is almost always limited to software provided by the enterprise. Unfortunately, many enterprises today struggle with reducing user rights due to application compatibility issues or support costs. In addition, many users have discovered that they are able to download applications which do not require administrative permissions to install (such as portable apps). These applications usually remain unpatched and vulnerable to exploitation.
In this post, I will cover two ways to protect your enterprise from portable apps and commodity malware using free technologies. These simple efforts can significantly improve the security of your enterprise, reduce support costs that stem from malware infection, and improve user experience.
Microsoft EMET (Enhanced Mitigation Experience Toolkit)
For many years, Microsoft has been improving the Windows platform to make it more difficult to perform attacks against it, or any of the applications running on it. These improvements prevent an attacker from exploiting the software through techniques such as randomized address space layout (ASLR), preventing return-oriented programming (ROP) attacks, and preventing execution of code from memory designated for storing data (DEP).
Unfortunately, it is impossible to implement security protections on existing software without concern for application compatibility issues; therefore, the developer must enable many of these protections when the code is compiled. Additionally, it can be difficult to incentivize a developer or company to invest in rewriting their code solely for the purpose of security. As such, many of these available protections may not be implemented in the application, even though in many cases they may not require any code changes to implement.
This is where Microsoft EMET comes in. EMET (download link) is a free tool which allows you to force-enroll applications into these protections, even when they do not enroll themselves. In addition, EMET provides protection against SSL man-in-the-middle attacks by using certificate pinning (checking the SSL certificate against a list of known certificates for major sites which are likely targets).
At this point, you are probably concerned with the very real possibility of an application compatibility issue taking down a business critical application. The good news: EMET has an audit mode which can log every event that would cause EMET to react, as well as which attack signature was triggered. Using this information, you can tailor your configuration for EMET to prevent to your environment.
Implementing EMET is most important for applications which directly access the internet, or those that consume content that is commonly sourced from the internet (such as office documents). To help begin your tuning, I would recommend starting by rolling out the default policy. The default configuration protects some of the most commonly attacked applications and is quite stable.
Handling portable applications can be a difficult task. These applications are difficult to detect and impossible to patch. In addition, a significant portion of malware runs without needing administrative permissions and can hide in any user-writable location (such as removable media, the user’s profile, or the ProgramData directory). Tackling this challenge was difficult before Windows 7, but on a modern operating system it can be as easy as configuring a group policy.
Applocker is a feature that can be used to prevent applications from running based on their file path, hash, or signer. These protections can be customized per user or group to enable support professionals or administrators to bypass its protections for legitimate use. In addition, Applocker has an audit mode (like EMET) which allows you to review applications whose execution would have been blocked had your policy been enforced.
Ideally, Applocker should be configured to prevent execution of any application located in a user-writable portion of the disk. To simplify this task, Microsoft provides a default configuration which white-lists the “Program Files” directories and the “Windows” directory, thereby preventing execution of applications stored in user-writeable directories. This default policy can be tuned to allow authorized applications to execute based on your organizational needs.
These two technologies, EMET and Applocker, can go a long way towards protecting your enterprise from potentially vulnerable unmanageable applications. In addition, a properly configured Applocker policy will prevent attacks such as Cryptolocker and Z-Bot (as of today, known variants of this malware execute from the user’s profile).
As a side note, these protections are not designed to replace reduction of user access. A user having local administrator access to their computer poses significant risk to the enterprise. As such, it is always recommended that user access be reduced to prevent severe attacks.