Windows Software Restriction Policy for Cyber Essentials
Passing Cyber Essentials and CE Plus is fairly easy, but only if you know how to implement each of the technical controls. One of the more difficult aspects of passing a Cyber Essentials Plus audit is being able to block the malware and malicious test files. Here is a simple Windows Software Restriction Policy for Cyber Essentials.
During a Cyber Essentials Plus audit the auditor will attempt to run a variety of script, compressed and executable files to see if the system is susceptible to malicious code being run. To pass this you need to block several common file types from running within the user's profile space.
One easy method of achieving this is to use a software restriction policy built into Windows (sorry Mac users, you're on your own!).
What I demonstrate here is the manual configuration method. You may want to investigate implementing these policy settings using domain based group policy or via a PowerShell script.
Click on the start menu and type gpedit then click on ‘Edit group policy’.
Expand Computer Configuration -> Windows settings -> Security Settings -> Software Restriction Policies.
Right click ‘Software Restriction Policies’ and click ‘New Software Restriction Policies’.
First, let's edit the ‘Designated File Types’. These are file types that are considered executable code, and here we need to add a few items to the list.
Here is a good sample list to add: .7z .gz .rar .zip .ps1 .pif .py .sh
Next locate Lnk and remove it. We still want users to be able to run programs from shortcuts on their desktops.
Next click on ‘Additional Rules’, right click in the white space and select ‘New Path Rule’.
Here we are going to add multiple paths within %userprofile%, which covers the user's Desktop, Downloads and Documents folder paths on the computer.
Add the following paths:
The temp path will block zipped and other compressed file contents from running. If you experience issues installing applications you may need to temporarily remove this restriction.
If you are using OneDrive’s backup feature to sync the users Desktop and Documents folders to the cloud to protect against hardware failure then add the following:
Set the Security Level to Disallowed, which means block any of the file types specified earlier from running.
Next, it's a good idea to add any other locations which a user may commonly try to run files from, including any USB drives which get attached. On this system, if I insert a USB drive it shows up as E:, so I added it to the list.
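The same configuration can be scripted instead of clicked through. The PowerShell below is an added example, not from the original post; it writes the Software Restriction Policy values that the Local Group Policy Editor stores under the Safer registry key. The path list, the OneDrive folder names and the E: drive letter are assumptions chosen to match the folders described above; adjust them to your own machine. Run it from an elevated prompt.

```powershell
# Added example (not the post's own code): writes the SRP settings described
# above directly to the local policy registry key. Assumptions: the registry
# layout below, the blocked path list and the 'E:' USB drive letter.
#Requires -RunAsAdministrator

$saferRoot    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$Disallowed   = 0          # SRP security level 'Disallowed'
$Unrestricted = 0x40000    # SRP security level 'Unrestricted' (262144)

# Top-level policy values: everything runs by default, rules below add blocks.
New-Item -Path $saferRoot -Force | Out-Null
Set-ItemProperty -Path $saferRoot -Name 'DefaultLevel'        -Value $Unrestricted -Type DWord
Set-ItemProperty -Path $saferRoot -Name 'TransparentEnabled'  -Value 1 -Type DWord  # 1 = all software files except libraries (DLLs)
Set-ItemProperty -Path $saferRoot -Name 'PolicyScope'         -Value 0 -Type DWord  # 0 = apply to all users, including admins
Set-ItemProperty -Path $saferRoot -Name 'AuthenticodeEnabled' -Value 0 -Type DWord

# Designated File Types: the Windows default list with LNK removed (so desktop
# shortcuts keep working) plus the archive and script types added in the post.
$defaultTypes = 'ADE','ADP','BAS','BAT','CHM','CMD','COM','CPL','CRT','EXE','HLP','HTA',
                'INF','INS','ISP','MDB','MDE','MSC','MSI','MSP','MST','OCX','PCD','PIF',
                'REG','SCR','SHS','URL','VB','WSC'
$extraTypes   = '7Z','GZ','RAR','ZIP','PS1','PY','SH'
$executableTypes = @($defaultTypes + $extraTypes | Sort-Object -Unique)
Set-ItemProperty -Path $saferRoot -Name 'ExecutableTypes' -Value $executableTypes -Type MultiString

# Path rules live under a key named after the security level they enforce.
# These paths are assumptions matching the folders the post describes.
$blockedPaths = @(
    '%USERPROFILE%\Desktop',
    '%USERPROFILE%\Downloads',
    '%USERPROFILE%\Documents',
    '%USERPROFILE%\AppData\Local\Temp',   # the 'temp path' from the post
    '%USERPROFILE%\OneDrive\Desktop',     # only needed if OneDrive folder backup is on
    '%USERPROFILE%\OneDrive\Documents',
    'E:\'                                 # removable drive letter on this example machine
)

$disallowedPaths = Join-Path $saferRoot "$Disallowed\Paths"
New-Item -Path $disallowedPaths -Force | Out-Null

foreach ($p in $blockedPaths) {
    # Each rule is its own GUID-named subkey, exactly as the GUI creates them.
    $ruleKey = Join-Path $disallowedPaths ('{' + [guid]::NewGuid().ToString() + '}')
    New-Item -Path $ruleKey -Force | Out-Null
    Set-ItemProperty -Path $ruleKey -Name 'ItemData'     -Value $p -Type ExpandString
    Set-ItemProperty -Path $ruleKey -Name 'SaferFlags'   -Value 0  -Type DWord
    Set-ItemProperty -Path $ruleKey -Name 'Description'  -Value 'Cyber Essentials: block execution from user-writable location' -Type String
    Set-ItemProperty -Path $ruleKey -Name 'LastModified' -Value ([DateTime]::UtcNow.ToFileTimeUtc()) -Type QWord
}

# Read back every Disallowed path rule so the result can be checked before rebooting.
Get-ChildItem -Path $disallowedPaths | ForEach-Object {
    (Get-ItemProperty -Path $_.PSPath).ItemData
}
Write-Host 'SRP rules written. Reboot (or run gpupdate /force) for them to take effect.'
```

After running it, open gpedit and the rules should appear under Software Restriction Policies -> Additional Rules, where they can be reviewed or removed in the usual way. On a domain-joined machine a domain GPO that also configures SRP will overwrite these local values at the next policy refresh, so in that environment put the same settings in the GPO instead.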
Reboot the PC and next we will see what happens.
Here are a selection of Cyber Essentials Plus test files. Our aim is to block the user from running any of them within three mouse clicks.
Success! Clicking on any of these files results in the following message.
This is a very easy and free way to pass the malicious files test within the Cyber Essentials Plus audit. You will still have to verify that these file types can't be opened from within the user's email client. Some email clients may save attachments outside of the user's profile space before opening them. In practice it's also a good idea to block all of these file types at the email server and stop them reaching the user's mailbox.
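Each blocked launch is also recorded, which is useful both for proving the control works before the auditor arrives and for spotting the email-client case mentioned above (an attachment saved and run from a location the rules don't cover would simply not generate a block event). This PowerShell is an added example, not part of the original post; it pulls the SRP block events from the Application log. The provider name and event IDs are the ones Windows uses for SRP as I know them; confirm them against a real block event in Event Viewer on your build.

```powershell
# Added example (not the post's own code): list recent SRP block events so the
# policy can be verified and monitored. Assumption: provider name and IDs below
# match the SRP events on the target build; check one event in Event Viewer.
param(
    [int]$Hours = 24
)

# 865 = blocked by default rule, 866 = blocked by path rule,
# 867 = certificate rule, 868 = zone rule.
$filter = @{
    LogName      = 'Application'
    ProviderName = 'SoftwareRestrictionPolicies'
    Id           = 865, 866, 867, 868
    StartTime    = (Get-Date).AddHours(-$Hours)
}

try {
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction Stop
} catch {
    # Get-WinEvent throws when nothing matches; treat that as "no blocks seen".
    $events = @()
}

if ($events.Count -eq 0) {
    Write-Host "No SRP block events in the last $Hours hour(s)."
    return
}

# The blocked path is embedded in the message text; surface it alongside the
# rule type so a reviewer can see which folder rule fired for each attempt.
$events | ForEach-Object {
    [pscustomobject]@{
        Time    = $_.TimeCreated
        EventId = $_.Id
        Rule    = switch ($_.Id) { 865 {'default'} 866 {'path'} 867 {'certificate'} 868 {'zone'} }
        Message = ($_.Message -replace '\s+', ' ').Trim()
    }
} | Sort-Object Time -Descending | Format-Table -AutoSize -Wrap
```

Run it on the test machine straight after clicking the sample files: one event per attempt, with rule type `path`, confirms the folder rules are what blocked them. An attempt that produced a "blocked" dialog but no event is worth investigating, since it means something other than this policy intervened.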