How to find out how many PCs in your domain are SRP-compliant?
Monday, 09 February 2015
During an Application Whitelisting (AWL) rollout across an enterprise, it is essential to have an easy answer to questions like «how far have we come?» With a fairly complex Active Directory (AD) structure, you can never guess for sure. Instead, you may choose to implement an objective monitoring tool; let’s call it the «AWL Compliance Report». You don’t have SCCM? Not a problem, we will make it happen using the built-in Group Policy (GP) mechanism.
For example, it’s quite easy to figure out the presence (or absence) of Software Restriction Policies (SRP) by querying particular values in the HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers registry key:
- REG_DWORD DefaultLevel
  - A value of 0x00000000 shows that whitelist mode is in use;
  - A value of 0x00040000 shows that blacklist mode is in use;
  - The absence of this value shows that the policy is not configured at all;
- REG_DWORD TransparentEnabled
  - A value of 0x00000002 shows that dynamic libraries (DLLs) are also subject to software restriction checks;
  - A value of 0x00000001 shows that DLLs are not checked against the policy;
- REG_DWORD PolicyScope
  - A value of 0x00000000 shows that all users, including administrators, are subject to software restriction checks;
  - A value of 0x00000001 shows that members of the local Administrators group are not protected by SRP.
In a relatively big company, you may have several systems administrators and IT support staff members. I’m quite sure some of them are not going to follow the AWL rules, and some may even feel that no limitation is appropriate for them at all. Strictly limited by a whitelist, such a person may try to find a way to circumvent it, or even sabotage the work. To make it easier for IT staff, I have decided to implement AWL in a gentle way: on a typical workstation, the policy only applies to standard users, while administrators are not restricted. Servers, on the other hand, run a full-scale AWL solution that protects users as well as administrators. Thus, I have defined three types of AWL compliance:
- Full Compliance. Software Restriction Policies work in a whitelist mode, covering all executables and dynamic libraries; all users, including administrators, are protected;
- Partial Compliance. Software Restriction Policies work in a whitelist mode, covering all executables and dynamic libraries; but only standard users are subject to limitations;
- Non-compliance. Any combination of parameters that falls outside the first two compliance types.
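As an added example (not code from the original post), here is the same three-state classification in PowerShell, reading the three values straight from the registry key described above. `Get-SrpComplianceState` is an assumed function name; the key path is the standard SRP location and is exposed as a parameter so the same logic can be pointed at a loaded copy of an offline hive.

```powershell
# Added example, not from the original post: classify a machine against the
# Full / Partial / Non-compliance scheme using the three SRP registry values.
# Get-SrpComplianceState is a hypothetical name.
function Get-SrpComplianceState {
    [CmdletBinding()]
    param(
        [string]$KeyPath      = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers',
        [string]$ComputerName = $env:COMPUTERNAME
    )

    # A missing key yields $null instead of an exception; the post treats that
    # as "policy not configured at all".
    $key = Get-ItemProperty -LiteralPath $KeyPath -ErrorAction SilentlyContinue

    # Read one REG_DWORD; an absent value stays $null so that "not present"
    # is never confused with "present and equal to 0".
    function Read-Dword([string]$Name) {
        if ($null -ne $key -and $null -ne $key.PSObject.Properties[$Name]) {
            return [int64]$key.PSObject.Properties[$Name].Value
        }
        return $null
    }

    $defaultLevel       = Read-Dword 'DefaultLevel'        # 0x00000000 = whitelist, 0x00040000 = blacklist
    $transparentEnabled = Read-Dword 'TransparentEnabled'  # 2 = DLLs checked, 1 = DLLs skipped
    $policyScope        = Read-Dword 'PolicyScope'         # 0 = everyone, 1 = local Administrators exempt

    # Keep the nullable value on the LEFT of -eq: "$null -eq 0" is $false in
    # PowerShell, whereas "0 -eq $null" is $true, which would silently promote
    # an unconfigured machine to "whitelist mode".
    $whitelistMode = ($defaultLevel -eq 0)
    $dllsChecked   = ($transparentEnabled -eq 2)

    $state = if ($whitelistMode -and $dllsChecked -and $policyScope -eq 0) {
        'Fully_Compliant'        # whitelist + DLLs + all users incl. administrators
    } elseif ($whitelistMode -and $dllsChecked -and $policyScope -eq 1) {
        'Partially_Compliant'    # whitelist + DLLs, but administrators exempt
    } else {
        'Non-Compliant'          # anything else, including "key absent"
    }

    [pscustomobject]@{
        ComputerName       = $ComputerName
        State              = $state
        DefaultLevel       = $defaultLevel
        TransparentEnabled = $transparentEnabled
        PolicyScope        = $policyScope
    }
}

# Usage (no elevation needed; HKLM\SOFTWARE\Policies is readable by everyone):
Get-SrpComplianceState | Format-List
```

The raw values are returned alongside the verdict so that a machine reported as Non-Compliant can be diagnosed at a glance (blacklist mode, DLLs skipped, or no policy at all), which is exactly the information the three report file names on the share throw away.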
You may choose to upload the AWL evaluation reports to a file server. To make that happen, I have created the folder \\FileServer\Data\Reports\SRP, writable by members of the Domain Computers and Domain Controllers groups:
It is quite common to use the Group Policy Preferences (GPP) mechanism to perform particular actions when specific conditions are met. I have created a policy that creates an empty file named after the compliance code and the computer name:
The «Company Compliance Reports» policy is linked at the top of the AD hierarchy to be sure it covers all domain member accounts. Computers will update their reports during normal GP refresh cycles (by default every 90 minutes, plus a random offset of up to 30 minutes):
There is still one important question unanswered: how are we going to see that a computer has changed its compliance state? Well, we need to add a few more commands to the policy.
- In case the computer is SRP-compliant:
  - Create file Fully_Compliant_%ComputerName%.txt
  - Delete file Partially_Compliant_%ComputerName%.txt
  - Delete file Non-Compliant_%ComputerName%.txt
- In case the computer is partially SRP-compliant:
  - Create file Partially_Compliant_%ComputerName%.txt
  - Delete file Fully_Compliant_%ComputerName%.txt
  - Delete file Non-Compliant_%ComputerName%.txt
- In case the computer is not SRP-compliant:
  - Create file Non-Compliant_%ComputerName%.txt
  - Delete file Fully_Compliant_%ComputerName%.txt
  - Delete file Partially_Compliant_%ComputerName%.txt
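As an added example (not the post’s own GPP items), the same create-one / delete-two scheme expressed as a PowerShell function, together with the piece the post leaves to the reader: summarising the share to answer «how far have we come?». `Publish-SrpComplianceReport` and `Get-SrpComplianceSummary` are assumed names; the share path is the one named in the post, and the stale-report check assumes the state file is rewritten on every refresh, which `New-Item -Force` guarantees here.

```powershell
# Added example, not from the original post. Publish-SrpComplianceReport and
# Get-SrpComplianceSummary are hypothetical names; the share is the post's.
$script:SrpStates = 'Fully_Compliant', 'Partially_Compliant', 'Non-Compliant'

# Client side: write the file for the current state and remove the other two,
# mirroring the three GPP file items above.
function Publish-SrpComplianceReport {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('Fully_Compliant', 'Partially_Compliant', 'Non-Compliant')]
        [string]$State,
        [string]$ReportShare  = '\\FileServer\Data\Reports\SRP',
        [string]$ComputerName = $env:COMPUTERNAME
    )
    foreach ($s in $script:SrpStates) {
        $path = Join-Path $ReportShare "${s}_${ComputerName}.txt"
        if ($s -eq $State) {
            # -Force recreates an existing file, so LastWriteTime is the last check-in.
            New-Item -Path $path -ItemType File -Force | Out-Null
        } elseif (Test-Path -LiteralPath $path) {
            Remove-Item -LiteralPath $path -Force
        }
    }
}

# Admin side: count machines per state and flag reports that look wrong.
function Get-SrpComplianceSummary {
    param(
        [string]$ReportShare    = '\\FileServer\Data\Reports\SRP',
        [int]   $StaleAfterHours = 24   # several GP refresh cycles (90 + up to 30 min)
    )
    $cutoff  = (Get-Date).AddHours(-$StaleAfterHours)
    $pattern = '^(Fully_Compliant|Partially_Compliant|Non-Compliant)_(.+)$'

    # Parse "<State>_<ComputerName>.txt"; anything else on the share is ignored.
    $records = foreach ($f in Get-ChildItem -LiteralPath $ReportShare -Filter '*.txt' -File) {
        if ($f.BaseName -match $pattern) {
            [pscustomobject]@{
                ComputerName = $Matches[2]
                State        = $Matches[1]
                LastReport   = $f.LastWriteTime
                Stale        = ($f.LastWriteTime -lt $cutoff)
            }
        }
    }

    $byState = @{}
    foreach ($s in $script:SrpStates) {
        $byState[$s] = @($records | Where-Object State -eq $s).Count
    }

    [pscustomobject]@{
        Reporting             = @($records).Count
        'Fully_Compliant'     = $byState['Fully_Compliant']
        'Partially_Compliant' = $byState['Partially_Compliant']
        'Non-Compliant'       = $byState['Non-Compliant']
        # Not rewritten recently: machine offline, or GP no longer applying to it.
        Stale                 = @($records | Where-Object Stale |
                                    Select-Object -ExpandProperty ComputerName)
        # Two state files for one computer: one of the delete actions failed.
        Conflicting           = @($records | Group-Object ComputerName |
                                    Where-Object Count -gt 1 |
                                    Select-Object -ExpandProperty Name)
    }
}

# Usage on a client (e.g. from a startup script) and on the admin workstation:
# Publish-SrpComplianceReport -State 'Partially_Compliant'
# Get-SrpComplianceSummary | Format-List
```

Two things worth keeping in mind when reading the summary. The share is writable by every domain computer, so each file is a self-report and the numbers are only as trustworthy as the reporting machines; a computer that stops applying the policy does not become non-compliant in the report, it simply goes `Stale`, which is why that list deserves the same attention as the `Non-Compliant` count. And the `Conflicting` list catches the failure mode the three-action scheme is prone to: if a delete action fails (for example, a permission change on the share), a machine keeps two state files and would otherwise be counted twice.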
As you have probably noticed already in the screenshot above, this method can be used not only to report AWL compliance, but also to detect the presence of particular software on target systems :)