
07: Using Least Privilege Manager’s SecureRun Feature

Quick question: Do you want to pay the bad guys and/or clean up for three weeks, or click ONE button and say goodbye to all unknown ransomware threats? Blacklisting is impossible: thousands of new malicious applications are created per day. Whitelisting is no cakewalk either, because you have to constantly stay on top of everything you deploy and install. There’s a BETTER way, a THIRD way, using PolicyPak SecureRun. With SecureRun, you only let applications run if they were “properly installed” or otherwise sanctioned by you. Check out this video, and block all unknown malware and zero-day threats.

PolicyPak MDM: Using Least Privilege Manager’s SecureRun Feature

Hi, this is Whitney with PolicyPak Software. In the last video, we saw how to handle elevation problems where you needed to elevate an application or an installer or a Control Panel applet even if your user is a standard user. However, we still have some problems that we need to solve here.

I can run “CamPlay” as a standard user. That’s just a video player, and it’s innocuous. So is “NotepadP,” but it’s a portable app and who knows where it came from or what it does. Here I have this “Ransomware Simulator.” As a standard user, oh, my God! It’s eating all of my documents. It could be doing who knows what. That’s clearly a problem.

We need to rectify this with the SecureRun portion of PolicyPak Least Privilege Manager. We’re going to do like we did before. We’re going to create the policy, export it as XML, wrap it up in an MSI and then deploy it using an MDM service. In my case, I’m using AirWatch, but you can use whatever you like that works for you like MobileIron or Intune.

Let’s go over to my management station here, and let’s open up that same GPO that we created earlier to elevate the applications that we wanted to. We did this on the computer side, so let’s just keep doing that. We’re going to go inside this “Collection 1” here like we did before. I’m going to “ADD NEW SECURE RUN POLICY.”

What SecureRun does is it only allows applications to run if they are owned by someone on the “SecureRun Members” list here. If it’s an application that is installed or owned by the standard user, then it won’t run. Which means that Ransomware Simulator, CamPlay, NotepadP, none of that is going to run.

So we’ll go ahead and do that. Let’s tell it “OK.” Like we did before, let’s go ahead and “Export Collection as XML.” I’m actually just going to overwrite what I had before, so I’ll say “Yes.”

Now we need to wrap that XML up in an MSI. We’re not going to create a new MSI like we did before. We’re actually going to edit the existing MSI, and then we can redeploy that. I’m going to go find my “PolicyPak Exporter Tool” down in my “PolicyPak” folder here.

In this case, we’re actually going to “Open an existing MSI installer previously generated by this tool for editing” rather than creating a new one. We’ll click “Next.” It wants to know which one we want to open. It’s that Least Privilege Manager one.

Right now, I’m going to go ahead and get rid of that old XML and I’m going to add back in the XML we just created. We’re going to leave it at “Install For” “Computer.” We’re still going to “Target” “All Users.” We’re going to say “Next” and give it a “Product Name.” Notice that there’s a “New Product Version” now, so we version that as we go. I will click “Next” again. We’re going to “Save” it just like we did before. We’ve replaced that, and we’ve done it.

All right, now I just need to deploy this using my MDM service. I’m going to pause the video, make sure that it gets uploaded and then deployed to my machine, and then we’ll see the end result. We’ll be right back.

And we’re back. Just as before, if I go to the Control Panel, I can see that my “LPM PolicyPak Settings” are indeed installed on here. But it’s deployed with that new MSI, so it’s going to contain that extra information that says smack down stuff that’s not owned by a person on the SecureRun list. So now when I go to “CamPlay,” it has been blocked, and “NotepadP” is also blocked, and as expected “Ransomware Simulator” is also blocked.

Now just to put a fine point on it, these will open just fine. These were installed as an admin, by someone who’s on the SecureRun list. So if I open “WinZip,” “Firefox,” etc., there’s no problem there. Also, “iTunes” will open just fine because it was installed as an admin when we installed it, because we installed it elevated. So that all opens up just fine.

But now we realize, whoops! We like “CamPlay.” That’s a good program. We want to let that one through. So we’re going to go back to our management station and make a few changes. We’ll do all those same export and deploy and all of that.

Let’s “Edit” this. Let’s go back over to our computer side here. I want to elevate CamPlay, or not even elevate it, just allow it through. I’m going to “Use simple rule.” I’m going to use the “Hash” again. I’ll go “Next,” and I’m going to “Select reference file.” I’m going to scroll down here and grab “CamPlay.”

We don’t actually need to “Run with elevated privileges.” We just want to run it at all, so we’re going to “Allow and log.” I’m going to “Let CamPlay Run.” So we’ll “Finish” that. Whoops! I didn’t put it in “Collection 1.” I’ll just drag it into that collection there. There we go.

Now we can go back to “Collection 1” and “Export Collection as XML” once again. We’re just going to throw it right back there on the “Desktop.” We’ll overwrite that same file there. We’re going to renew that MSI and deploy it, and we’ll see CamPlay run from there.

Let’s go grab this. We’ll do that “Open an existing MSI installer previously generated by this tool for editing,” just like we did before. We will get rid of the old XML. We’ll add back in the new stuff. We’ll go “Next.” Once again, we versioned it one more time, as you can see. We’ll “Save” it just as we did before. There we go.

Now I just need to redeploy that, and we will have CamPlay let through that SecureRun door. We’ll pause and come right back.

And we’re back. We got everything redeployed. Now when I go click on “CamPlay,” there it is. We’ve let it right through. We can’t open “NotepadP” still. We also still can’t open “Ransomware Simulator.” We specifically said to allow “CamPlay” only, and we’ve done it.

That’s how you’re going to deal with unknown-ware or possibly ransomware or malware. Who knows? But that’s how you’re going to smack that right down but then maybe allow something through that you know to be good.

Thanks for watching, and we’ll see you in the next video.
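The video’s rule is simple: an executable runs only if its file owner is on the SecureRun members list, unless a specific hash exception (like the one created for CamPlay) lets it through. The PowerShell audit below, an added example that is not PolicyPak’s code, applies that same owner-or-hash logic to the executables under a user’s profile so you can preview what such a policy would block before deploying it. The member list and the hash allowlist are placeholders you replace with your own; it approximates the policy, it does not enforce it.

```powershell
# Added example (not PolicyPak's code): preview which executables under the
# current user's profile an owner-based allow policy would block.
# Assumption: the member list and hash allowlist below are placeholders.

$SecureRunMembers = @(
    'BUILTIN\Administrators',
    'NT AUTHORITY\SYSTEM',
    'NT SERVICE\TrustedInstaller'
)

# Hash exceptions, mirroring the "Hash" simple rule used for CamPlay.
# Placeholder digest: replace with (Get-FileHash CamPlay.exe).Hash.
$HashAllow = @{
    '0000000000000000000000000000000000000000000000000000000000000000' = 'CamPlay.exe'
}

function Get-SecureRunVerdict {
    param([Parameter(Mandatory)][string]$Path)

    # Owner comes from the file's security descriptor, e.g. "CORP\alice"
    # for something the standard user downloaded or extracted herself.
    $owner = (Get-Acl -LiteralPath $Path).Owner
    $hash  = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash

    if ($SecureRunMembers -contains $owner) {
        $verdict = 'Allowed (owner is a SecureRun member)'
    } elseif ($HashAllow.ContainsKey($hash)) {
        $verdict = 'Allowed (hash exception)'
    } else {
        $verdict = 'Blocked (owned by non-member)'
    }

    [pscustomobject]@{
        Path    = $Path
        Owner   = $owner
        SHA256  = $hash
        Verdict = $verdict
    }
}

# Scan the locations a standard user can write to and drop executables in.
Get-ChildItem -Path $env:USERPROFILE -Recurse -Include *.exe, *.msi -File -ErrorAction SilentlyContinue |
    ForEach-Object { Get-SecureRunVerdict -Path $_.FullName } |
    Sort-Object Verdict |
    Format-Table -AutoSize
```

Anything reported as Blocked that users legitimately need is a candidate for a hash rule, exactly as CamPlay was handled in the video.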

  • 11-Oct-2021