Many are aware that RES Workspace Manager has managed application security, the ability to block non-approved applications. While this is a great feature, what happens if you need to block something other than an application? As we showed in our recent blog on the Zero-Day security flaw in Internet Explorer, there are numerous safeguard options with RES Workspace Manager. In this blog, let us explore how to execute those options. Fortunately for this flaw, Microsoft has released a patch for all operating systems, including XP; however, that may not happen the next time, so it’s much better to be safe than sorry.
Blocking an Application
The most obvious workaround is to prevent Internet Explorer from running. While this was a recommendation by the U.S. Department of Homeland Security’s Computer Emergency Readiness Team, it would not work in most environments, as Internet Explorer is sometimes considered a mission-critical application. If you do decide to go this route, you could easily accomplish it where RES Workspace Manager is installed by simply removing Internet Explorer from the authorized files list or disabling the application. This would block the application from starting and could inform the user to use a different application instead.
Blocking an Internet Explorer Plugin
The next option suggested was to remove or disable the Adobe Flash plugin. While this is a valid option, most users will try to re-install the plugin on arriving at a web page that requires Flash. Fortunately, RES Workspace Manager has the ability to not only block executables, but also block access to files and folders! The screenshot below is from a computer running Windows 7 with Internet Explorer and Adobe Flash installed. Without file and folder security enabled, Adobe Flash runs just fine, as shown by the tree animation in the screenshot.
If I then enable security -> files and folders security, and add two different entries as shown below, Internet Explorer will no longer be able to run Flash! As you can see, I am using “folder” security and specifying two partial file names – Flash* and NPSWF*. It is a little-known fact that folder security can be used to block specific or partial filenames from being accessed, as long as the file entry ends with an asterisk (*).
If I then log back into the same system and try to verify that Flash is installed (by visiting the same website as before), I no longer see the tree animation (see below), thus verifying that Adobe Flash cannot be started from Internet Explorer.
I can even go back into RES Workspace Manager and verify that files were actually blocked, as shown in the screenshot below. With this information I may be able to make the rules stricter.
Unregister the DLL
The other solution that Microsoft proposed for the Internet Explorer vulnerability is to block or unregister VGX.DLL, which can also be done by RES Workspace Manager (in conjunction with RES Automation Manager). We can either:
- Use the same solution that we used to block Adobe Flash (file and folder security)
- Unregister the DLL every time that the user logs on
- Unregister the DLL every time the user starts Internet Explorer
In order to do this, we would need to create an execute command. This would usually run as the logged-on user; however, RES Workspace Manager has the ability to run commands at an elevated level!
The following screenshot (1) shows two unregister commands, one for 32/64-bit versions of Windows operating systems and one specific to 64-bit operating systems. They are both set with dynamic privileges and set to run at logon. To verify that this command works correctly, I have taken a screenshot of the location where VGX.DLL is registered before I logged into the system (2).
After logging into the same system, you can see that VGX.DLL is no longer registered. This was very simple to accomplish and can also be done on launch of Internet Explorer.
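The before-and-after check described above can also be scripted. The following PowerShell is an added example, not part of the original post and not RES Software's own command; the function names are hypothetical, and it assumes vgx.dll is in its default "Common Files\Microsoft Shared\VGX" folder and that the script runs elevated.

```powershell
# Added example (not from the original post). Function names are hypothetical.
# Assumption: vgx.dll sits in its default "Common Files\Microsoft Shared\VGX" folder.
# Run elevated from a 64-bit PowerShell on 64-bit Windows; regsvr32 writes to HKLM.

function Get-VgxRegistration {
    # COM servers are listed under CLSID\{guid}\InprocServer32; check both registry views.
    $roots = 'HKLM:\SOFTWARE\Classes\CLSID', 'HKLM:\SOFTWARE\Classes\WOW6432Node\CLSID'
    foreach ($root in $roots) {
        if (-not (Test-Path -Path $root)) { continue }
        Get-ChildItem -Path $root -ErrorAction SilentlyContinue | ForEach-Object {
            $clsidKey = $_
            try { $sub = $clsidKey.OpenSubKey('InprocServer32') } catch { $sub = $null }
            if ($sub) {
                $server = [string]$sub.GetValue('')   # default value holds the DLL path
                $sub.Close()
                if ($server -like '*\vgx.dll*') {
                    [pscustomobject]@{ View = $root; Clsid = $clsidKey.PSChildName; Server = $server }
                }
            }
        }
    }
}

function Unregister-Vgx {
    $regsvr = Join-Path $env:SystemRoot 'System32\regsvr32.exe'
    $dirs = @($env:CommonProgramFiles, ${env:CommonProgramFiles(x86)}) |
        Where-Object { $_ } | Select-Object -Unique
    foreach ($dir in $dirs) {
        $dll = Join-Path $dir 'Microsoft Shared\VGX\vgx.dll'
        if (-not (Test-Path -LiteralPath $dll)) { continue }   # nothing to do on this side
        # /u = unregister, /s = silent (no dialog box shown to the user at logon)
        $p = Start-Process -FilePath $regsvr -ArgumentList '/u', '/s', "`"$dll`"" -Wait -PassThru
        [pscustomobject]@{ Dll = $dll; ExitCode = $p.ExitCode }
    }
}

$before = @(Get-VgxRegistration)
if ($before.Count -eq 0) {
    'vgx.dll is not registered; no action taken.'
} else {
    Unregister-Vgx | Format-Table -AutoSize
    $after = @(Get-VgxRegistration)
    if ($after.Count -eq 0) { 'vgx.dll unregistered in all registry views.' }
    else { $after | Format-Table -AutoSize; Write-Warning 'vgx.dll is still registered.' }
}
```

Once the vendor patch is deployed, the same paths can be re-registered by running regsvr32 without `/u`.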
So there you have it: three step-by-step guides on how to implement zero-day security measures with RES Software. To learn more about this subject, check out the blog Zero Day Vulnerability – 5 Proven Methods to Protect Federal Organizations or visit us online at www.ressoftware.com.