Privilege Guard v3.8 introduces Drive Rule
The Drive Rule is a new validation rule that lets you match applications being executed from particular types of drive. Similar in concept to the file path rule (where applications are matched based on their directory location), the drive rule lets you target the drive itself.
So what do we mean by drive?
Basically, anything which shows up under My Computer with a drive letter.
Why is that important?
As you know, storage comes in many forms, and all modern PCs and laptops allow extra storage, or peripherals, to be plugged into external ports. Any storage peripheral that is plugged in, or loaded in the case of a CD-ROM, will then register itself with Windows as a drive and pop up in Explorer ready for the user to access.
Below is a summary of the different categories a drive would fall under:
- Fixed Disk - Any drive identified as an internal Hard Disk
- Network - Any drive mapped to a network share
- RAM Disk - Any drive identified as a RAM disk
- Removable Media - Any drive identified as generic Removable Media
- USB - Any drive detected as a USB connected device
- CD/DVD - Any drive identified as a CD or DVD optical drive
- eSATA Drive - Any drive detected as an eSATA connected device
OK, so why should I be concerned?
There are a number of reasons why a drive type is cause for security concerns, specifically any drive that allows the user to transport code onto their computer. Below are some example scenarios which highlight just some of the issues:
Untrustworthy file systems
Non-standard media, such as home-made CD/DVD-ROMs and USB sticks, have an unreliable file system format. In many cases it will be FAT, which stores no owner or access-control information, so robust policies designed to match on properties such as Trusted Owner may not be available for files on such media.
Executing unknown code from personal media and devices should always be blocked by default.
TIP: The device rule, when used in combination with the Trusted Owner rule, creates a robust layer of protection to prevent users from executing code from untrusted devices, and also prevents users from attempting to bypass this by copying it to a trusted drive. NTFS security ensures that the user who introduces code becomes the owner, and in the case of a standard user, an untrusted owner, which will result in an automatic block by Avecto software.
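To make the drive categories above and the drive-rule-plus-Trusted-Owner combination in the tip concrete, here is an added PowerShell audit script. It is not Privilege Guard code and does not reproduce Avecto's rule engine; it classifies a drive using the documented Win32_LogicalDisk.DriveType values (refining to "USB" via the physical disk's bus, since WMI does not distinguish eSATA reliably), then evaluates one executable path the way the tip describes: block on drive category, block when the volume carries no ownership data (FAT), otherwise compare the NTFS owner against a trusted-owner list. The blocked categories and trusted owner names are assumptions chosen for the example.

```powershell
# Added example (not Avecto/BeyondTrust code). Classifies drives and evaluates a
# simple "drive rule + Trusted Owner" decision for a given executable path.

# Win32_LogicalDisk.DriveType values as documented by Microsoft, mapped onto the
# category names used in this article.
$DriveTypeNames = @{
    0 = 'Unknown'; 1 = 'No Root Directory'; 2 = 'Removable Media'
    3 = 'Fixed Disk'; 4 = 'Network'; 5 = 'CD/DVD'; 6 = 'RAM Disk'
}

function Get-DriveCategory {
    # $DriveLetter is a device id such as 'E:' (no trailing backslash).
    param([Parameter(Mandatory)][string]$DriveLetter)

    $disk = Get-CimInstance -ClassName Win32_LogicalDisk -Filter "DeviceID='$DriveLetter'"
    if (-not $disk) { return $null }

    $category = $DriveTypeNames[[int]$disk.DriveType]

    # Walk logical disk -> partition -> physical disk to learn the bus type.
    # InterfaceType is 'USB' for USB-attached disks; eSATA usually reports as
    # 'SCSI' or 'IDE', so it is not refined here.
    $bus = $null
    $partitions = Get-CimAssociatedInstance -InputObject $disk -ResultClassName Win32_DiskPartition
    foreach ($partition in $partitions) {
        foreach ($physical in (Get-CimAssociatedInstance -InputObject $partition -ResultClassName Win32_DiskDrive)) {
            $bus = $physical.InterfaceType
        }
    }
    if ($bus -eq 'USB') { $category = 'USB' }

    [pscustomobject]@{
        Drive      = $disk.DeviceID
        Category   = $category
        FileSystem = $disk.FileSystem   # e.g. 'NTFS', 'FAT32', 'exFAT', 'CDFS'
        Bus        = $bus
    }
}

function Test-ExecutionPolicy {
    param(
        [Parameter(Mandatory)][string]$Path,
        # Assumed policy: block execution from these categories outright.
        [string[]]$BlockedCategories = @('USB', 'Removable Media', 'CD/DVD', 'Network'),
        # Assumed trusted owners: files installed by the OS or an administrator.
        [string[]]$TrustedOwners = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'NT SERVICE\TrustedInstaller')
    )

    $root = [System.IO.Path]::GetPathRoot($Path)
    if ($root -notmatch '^[A-Za-z]:\\$') {
        # UNC path (\\server\share\...) is network storage even without a letter.
        return "Block: drive rule (Network, UNC path)"
    }

    $drive = Get-DriveCategory -DriveLetter $root.TrimEnd('\')
    if (-not $drive) { return "Block: drive '$root' not recognised" }

    # 1. Drive rule: the category alone decides for untrusted drive types.
    if ($drive.Category -in $BlockedCategories) {
        return "Block: drive rule ($($drive.Category))"
    }

    # 2. Trusted Owner rule: FAT/exFAT/CDFS volumes carry no owner metadata, so
    #    the property the rule needs cannot be evaluated and the file is blocked.
    if ($drive.FileSystem -notlike 'NTFS*') {
        return "Block: no ownership information on $($drive.FileSystem) volume"
    }

    # On NTFS a standard user who copies a file in becomes its owner, so the
    # copy-to-trusted-drive bypass still fails this check.
    $owner = (Get-Acl -Path $Path).Owner
    if ($owner -in $TrustedOwners) { return "Allow: trusted owner $owner" }
    return "Block: untrusted owner $owner"
}

# Usage (run in an elevated or standard session on Windows):
#   Get-CimInstance Win32_LogicalDisk | ForEach-Object { Get-DriveCategory $_.DeviceID }
#   Test-ExecutionPolicy -Path 'C:\Windows\System32\notepad.exe'
#   Test-ExecutionPolicy -Path 'E:\PortableApps\SomeTool.exe'
```

Note that the script only reports a decision; it does not enforce anything. Running the first usage line across all logical disks is a quick way to see which drive categories and file systems are actually present on an endpoint before writing the corresponding rules.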
Auto-run executables
Many USB devices as well as CD/DVDs include auto-run capabilities, where a specific application on the media will execute automatically once connected or inserted. This is a common attack vector used by cybercriminals against unsuspecting users to gain control of a computer. For example, a malicious auto-run executable that installs a trojan or keylogger is presented on a CD to a target through social engineering, or on a USB stick dropped by an office entrance. Simply plugging the media into a desktop is all that it takes to seize control of the computer and open a backdoor for further exploitation.
Auto-run executables pose a significant security risk to any organization, and should be blocked by default.
Portable app installs
Portable apps offer users a convenient way of transporting their favorite application, web browser or game from computer to computer. They do not need to be installed (that's what makes them portable), and they are generally designed to run without admin rights (many apps only need admin rights because they require access to protected areas of the registry and file system).
Because of the lightweight nature of portable apps, they can very easily slip past application control mechanisms; you only need to take a look at the range of available portable apps to realize this can pose significant problems from both a security and license compliance perspective.
Portable apps allow users to run untrusted and unauthorized code, and should be blocked by default.
To block or not to block?
Applying a blanket stop on all of the above may be a great idea from a security perspective, but there are cases where users genuinely need to run code from CD/DVDs (for example, a vendor installation disk). Likewise, many IT departments have genuine use cases for portable debugging tools. So a flexible, granular and policy-based level of control is required.
Privilege Guard 3.8 Drive Rule
The new drive rule can be used in combination with any of the other 18+ validation rules that Avecto offers, giving you a diverse set of criteria to target applications individually or by classification.
Firewall-style rules mean you can easily build a robust security model for dealing with unauthorized code introduced through unknown drive types, and strong validation rules enable allow listing of trusted and authorized applications.
Edit: Privilege Guard has now evolved into the brand new security suite, Defendpoint, which encompasses Privilege Management, Application Control and Sandboxing. For more information, please visit www.avecto.com/defendpoint.
Kris Zentek, Senior Product Manager
Kris Zentek is a Senior Product Manager at BeyondTrust, focusing on Endpoint Privilege Management solutions. Based in the UK, he has over 20 years of experience working in the cybersecurity industry.