
I've a GPO setup to try and prevent Cryptolocker from infecting systems in our environment. The below software restrictions are in place:

%AppData%\*.exe
%AppData%\*\*.exe
%LocalAppData%\Temp\*.zip\*.exe
%LocalAppData%\Temp\7z*\*.exe
%LocalAppData%\Temp\Rar*\*.exe
%LocalAppData%\Temp\wz*\*.exe
%UserProfile%\Local Settings\Temp\*.7z\*.exe
%UserProfile%\Local Settings\Temp\*.rar\*.exe
%UserProfile%\Local Settings\Temp\*.wz\*.exe
%UserProfile%\Local Settings\Temp\*.zip\*.exe

When trying to install Firefox I get the below error:

Access to C:\Users\jdoe\AppData\Local\Temp\7zSA1FB.tmp\setup-stub.exe has been restricted by your Administrator by location with policy rule {0cbe13527-3132-4e4c-5df1-c48de858c993} placed on path C:\Users\jdoe\AppData\Local\Temp\7z*\*.exe.

I've added the below rule to the GPO and set to unrestricted but it does not work:

%LocalAppData%\Temp\7z*.tmp\setup-stub.exe

Can somebody please tell me what I'm doing wrong? I can't use the exact folder name (7zS189F.tmp in this case) as every time it installs the folder name is slightly different so I need to be able to use the wildcard.

Thanks in advance for your assistance.

HopelessN00b
Windows Ninja

3 Answers

With SRP the more conservative rule takes precedence. That is, disallow takes precedence over allow.
Your allow rule %LocalAppData%\Temp\7z*.tmp\setup-stub.exe is functionally equivalent to your disallow rule of %LocalAppData%\Temp\7z*\*.exe. Two Path Rules, containing wildcards as you've used, are treated as the same in precedence evaluation.

From How Software Restriction Policies Work:

Path rule precedence

When there are multiple matching path rules, the most specific matching rule takes precedence.

The following is a set of paths, from highest precedence (more specific match) to lowest precedence (more general match):

  • Drive:\Folder1\Folder2\FileName.Extension
  • Drive:\Folder1\Folder2\*.Extension
  • *.Extension
  • Drive:\Folder1\Folder2\
  • Drive:\Folder1\

Your conflicting rules match the second example and are considered of equivalent precedence. Because of this the disallow rule "wins".

jscott
  • So then how can I restrict Temp\7z*\*.exe while allowing Firefox to be installed? I don't want to remove the restriction as that will defeat the point. – Windows Ninja Feb 28 '14 at 14:05
  • If you have two equivalent wildcard path rules, it won't work as you want it to. We install Firefox per-computer, not per-user, using a service account to which the SRP GPO does not apply. You may also want to look at [FrontMotion's free MSI](http://www.frontmotion.com/Firefox/download_firefox.htm). – jscott Feb 28 '14 at 14:15
  • Not a perfect solution but I suppose there isn't a perfect solution. I was hoping it was more similar to firewall policies where it'd follow the rules in order of listing so if an allow rule was above block all, it'd allow the program to be installed. Thank you for your help. – Windows Ninja Feb 28 '14 at 14:29
  • Ah, your edit helps. Thank you for that. If only Firefox used the same path for installations this wouldn't be an issue... – Windows Ninja Feb 28 '14 at 14:34
  • I would test with the MSI see if you can perform the install in a per-user context. You may need to specify [ALLUSERS](http://msdn.microsoft.com/en-us/library/aa367559(v=vs.85).aspx) in `msiexec`. – jscott Feb 28 '14 at 14:39
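The answer above explains that the allow rule and the block rule tie on specificity and that the Disallowed rule then wins. A quick way to see that collision on the affected machine is to read the SRP rules that the GPO actually wrote to policy and match a candidate path against them. The script below is an added example, not code from the question or from any answer. It assumes the registry layout the SRP policy extension uses (`...\Policies\Microsoft\Windows\Safer\CodeIdentifiers\<level>\Paths\<GUID>`, with level 0 = Disallowed, 131072 = Basic User, 262144 = Unrestricted, and the pattern stored in each GUID key's `ItemData` value); the GUID key name is the rule id quoted in the "restricted by your Administrator" dialog. `%LocalAppData%` and similar variables expand for the account running the script, so run it as the user who hit the block, or pass `-TestPath` built from that user's profile. The wildcard-to-regex translation (`*` and `?` limited to one path component, a folder rule covering its subtree) is this example's reading of the quoted precedence table, not a reimplementation of the SRP engine.

```powershell
<#
 Added example (not from the original post): list the Software Restriction
 Policy path rules applied to this machine and show which of them match a
 given executable path. Registry layout and level numbers below are
 assumptions to verify on your own build.
#>
param(
    # Constructed path of the same shape as the one in the question.
    [string]$TestPath = (Join-Path $env:LOCALAPPDATA 'Temp\7zSA1FB.tmp\setup-stub.exe')
)

$levelNames = @{ 0 = 'Disallowed'; 131072 = 'Basic User'; 262144 = 'Unrestricted' }
$hives      = @('HKLM:', 'HKCU:')   # computer-side and user-side SRP settings

function Get-SrpPathRule {
    foreach ($hive in $hives) {
        foreach ($level in $levelNames.Keys) {
            $key = "$hive\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\$level\Paths"
            if (-not (Test-Path $key)) { continue }
            foreach ($ruleKey in Get-ChildItem $key) {
                $props = Get-ItemProperty $ruleKey.PSPath
                if (-not $props.ItemData) { continue }
                [pscustomobject]@{
                    Hive     = $hive
                    Level    = $levelNames[$level]
                    RuleId   = $ruleKey.PSChildName        # GUID shown in the SRP error dialog
                    Pattern  = $props.ItemData              # as stored, e.g. %LocalAppData%\Temp\7z*\*.exe
                    Expanded = [Environment]::ExpandEnvironmentVariables($props.ItemData)
                }
            }
        }
    }
}

# Translate an SRP path pattern into a regex (assumed semantics): '*' and '?'
# match within a single path component, and a rule naming a folder also
# covers everything beneath that folder.
function ConvertTo-SrpRegex([string]$Pattern) {
    $core = [regex]::Escape($Pattern.TrimEnd('\')).Replace('\*', '[^\\]*').Replace('\?', '[^\\]')
    return '^' + $core + '(\\.*)?$'
}

# Return every rule, at any level, whose pattern matches the given path.
function Test-SrpPath([string]$Path) {
    Get-SrpPathRule | Where-Object {
        [regex]::IsMatch($Path, (ConvertTo-SrpRegex $_.Expanded), 'IgnoreCase')
    }
}

$hits = @(Test-SrpPath -Path $TestPath)
if (-not $hits) {
    "No SRP path rule matches $TestPath"
} else {
    $hits | Sort-Object Level | Format-Table Level, RuleId, Pattern -AutoSize
    if (($hits.Level -contains 'Disallowed') -and ($hits.Level -contains 'Unrestricted')) {
        'Both a Disallowed and an Unrestricted rule match this path.'
        'With two wildcard rules of equal specificity, as in the question, Disallowed wins.'
    }
}
```

Run it after `gpupdate /force` on the affected machine. If the Unrestricted rule you added does not appear in the output at all, the GPO has not applied to that account or computer; if it appears alongside the `7z*\*.exe` Disallowed rule, you are looking at the precedence tie the answer describes, and the fix is to change where the installer runs (per-computer install, the MSI, or a different TEMP location) rather than to add more wildcard allow rules.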

Had the same problem, same cause (GPOs designed to block ransomware installations). I have my GPOs assigned to separate OUs so this was fairly easy to circumvent on a temporary basis:

  • Open Group Policy Management
  • Check which OUs your ransomware-blocking GPO applies to
  • Confirm the target machine is in one of these OUs
  • Move the target machine to an OU where the policy doesn't apply
  • Run gpupdate /force on the target machine in an admin command prompt
  • Run the Firefox install
  • Return the target machine to the original OU
  • Run gpupdate /force on the target machine again to re-apply the policy and protect your machine

Although it doesn't win any awards for elegance, it is a temporary workaround.

FrankR

I ran into the same problem this morning, I have the group policy to prevent crypto-locker and I needed to install FF on a single machine.

Here is the process:

  1. Download "firefox setup stub.exe"
  2. Move it somewhere other than downloads. I used c:\temp.
  3. Open a command window (with admin privileges).
  4. Type these commands: (c:\temp is used for this example)

    rem No spaces around "=": "set temp = c:\temp" would create a variable
    rem named "temp " (trailing space) and leave %TEMP% unchanged.
    set TEMP=c:\temp
    set TMP=c:\temp
    cd \temp

  5. Run your firefox setup.

Worked like a charm for me.

GregL