New to SRP

balloonshark

Diamond Member
Jun 5, 2008
7,160
3,627
136
I'm running Windows 8 Pro 64 bit and I'm trying SRP and standard user account for the first time. I've completed steps 1 - 6 in this guide. http://www.mechbgon.com/srp/

I have a few questions before I continue.

1. In Windows 8, when I'm looking at the enforcement properties, it also has this option. Should I leave it to ignore?

When applying software restriction policies:
* Enforce certificate rules
* Ignore certificate rules (checked by default)

2. If I browse I can't find the file "C:\Program Files\WindowsApps". I added the rule anyways. Is this ok or has something changed? I haven't bought any apps from their app store and I'm using "local" accounts if that matters.

3. I did all of the above in my standard user account. I did run gpedit.msc as an admin. Was that ok?

4. At the beginning of step 6 it says the following. Does this apply to Windows 8 64 bit?

Step 6: find and close loopholes
If you're using Windows 7, begin by obtaining and installing a Hotfix from Microsoft here: Microsoft Article ID: 2532445 Credit to security researcher Didier Stevens for his blogs on this subject.


5. Have you tried MSI "Run as Administrator"? http://www.symantec.com/connect/downloads/msi-run-administrator-context-menu-vista
Would you recommend that everyone use it for MSI files?

It was suggested here. http://www.wilderssecurity.com/showpost.php?p=2253352&postcount=11

 

mechBgon

Super Moderator, Elite Member
Oct 31, 1999
30,699
1
0
1. if you wanted to use Certificate Rules, then you'd enable that capability. I believe they turn it off by default because it would have a performance impact and might not do anything for you. An example of Certificate Rules would be, let's say you want anything signed by Citrix to run despite SRP, like GoToMeeting or whatnot.

2. That's a hidden system folder so it wouldn't show by default. I ran into that gotcha after my Solitaire app kept getting blocked.

3. yeah, elevating gpedit.msc from within your standard-user account will work fine, it's the same effect as if you did it from within your admin account.

4. I don't think Win8 has that loophole, so you can skip that one.

5. that looks interesting, but when I tried it just now, SRP still blocks .MSI files. I just heave them into C:\Program Files first (which requires a UAC elevation), and then I can run them as intended.
 

balloonshark

Thank you very much for your reply mech :).

Do I need to add a C:\Program Files rule or does the default registry key take care of that location?

This is getting blocked when I look in the event viewer.

Access to C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe has been restricted by your Administrator by the default software restriction policy level.
 

mechBgon

I've run into those situations occasionally and I don't know why the blanket Program Files rule doesn't get the job done there. But you can add an Unrestricted rule specifically for that subfolder and it should (famous last words) get it handled. As long as the rule's not for a subfolder that your unelevated account can write to, it's not a security loophole.
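
The condition in the reply above (the rule must not cover a subfolder the unelevated account can write to) can be checked before adding the rule. The PowerShell below is an added example, not part of the original posts or the linked guide: it walks the folder and reports any ACL entry that grants write-type rights to the well-known groups a standard user normally belongs to. The default path and the SID list are assumptions; membership in custom groups is not covered.

```powershell
# Added example (not from the thread): list folders under a planned Unrestricted
# SRP path rule that a standard user could write to. Run elevated so all ACLs are readable.
param(
    [string]$RulePath = 'C:\Program Files\Intel'   # subfolder discussed in the thread
)

# Assumption: well-known SIDs present in a typical standard user's token.
$standardSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-4'      = 'INTERACTIVE'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
}

# Rights that allow planting or replacing a file, or loosening the ACL.
# 0x50000000 adds GENERIC_WRITE and GENERIC_ALL, which appear in some inherit-only entries.
$writeMask = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$writeMask = $writeMask -bor 0x50000000

# The rule folder itself plus every subfolder, including hidden ones.
$folders = @(Get-Item -LiteralPath $RulePath -Force) +
           @(Get-ChildItem -LiteralPath $RulePath -Directory -Recurse -Force -ErrorAction SilentlyContinue)

$findings = foreach ($folder in $folders) {
    $acl = Get-Acl -LiteralPath $folder.FullName
    foreach ($ace in $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])) {
        $sid = $ace.IdentityReference.Value
        if ($ace.AccessControlType -ne 'Allow' -or -not $standardSids.ContainsKey($sid)) { continue }
        if (([int]$ace.FileSystemRights -band $writeMask) -ne 0) {
            [pscustomobject]@{
                Folder    = $folder.FullName
                Principal = $standardSids[$sid]
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

if ($findings) {
    $findings | Format-Table -AutoSize -Wrap
    Write-Warning "Standard users can write under $RulePath; an Unrestricted rule here would be a loophole."
} else {
    "No standard-user write access found under $RulePath."
}
```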
 

balloonshark

Thanks. So if I make a rule for C:\Program Files\Intel\ I should be ok according to this pic?



At this point the auditing seems a bit intimidating since I have apps on a 2nd HDD including Steam. I'll get there eventually.