Critical System Protection

  • 1.  Configure CSP to not interfere with standard Windows operation

    Posted Jul 07, 2013 12:01 PM

    Is there any way to configure CSP to not interfere with standard Windows operation while also enabling us to choose what we want to run, i.e., a whitelist?

    I get what CSP does, but it shouldn't come at the cost of proper OS operation.

    I've just set up the CSP agent on a 2012 machine and with the limited execution policy it blocks a lot of legitimate stuff, stuff we're going to have to add to enable Windows to actually work properly.

    Is there any way to make it act more like AppLocker in this sense, where it will just block applications from running rather than blocking legitimate Windows processes from doing what they need to do?



  • 2.  RE: Configure CSP to not interfere with standard Windows operation

    Posted Jul 07, 2013 07:17 PM

    Can you tell which Windows processes are being blocked? Can you tell us why you choose the limited execution policy? It is the most restrictive and as such is sort of limited in its use. It's most appropriate for endpoints running a single application such as POS or ATM terminals. You might find you'll have a lot of fine-tuning to do or move to a more relaxed policy such as the Strict Policy.



  • 3.  RE: Configure CSP to not interfere with standard Windows operation

    Posted Jul 07, 2013 07:51 PM

    I would like to use a less restrictive policy but also need the functionality to whitelist applications. The limited execution policy appears to be the only policy that does this. Can whitelisting be turned on in, say, the core or strict policies, similar to AppLocker?



  • 4.  RE: Configure CSP to not interfere with standard Windows operation

    Posted Jul 08, 2013 03:58 AM

    Limited Execution is one of the more restrictive policies. I suggest you start with the Core policy, which is the less restrictive of the default policies. I think you will find a lot more success with using Core.



  • 5.  RE: Configure CSP to not interfere with standard Windows operation

    Posted Jul 08, 2013 01:28 PM

    John,

    To get closest to what you are looking for, you will likely want to utilize the "Strict" policy. This policy has been created to mostly allow for normal Windows operations. Any applications that fall outside of the normal, pre-defined operations of Windows will fall to a standard privilege process set, which is highly restricted in the "Strict" policy. The "Core" policy is considerably less restrictive to this standard privilege process set. The "Core" is easier to implement as it requires less tuning to function properly with 3rd party apps.

    Understand that when I indicate normal Windows operations will be allowed to function, I am strictly talking Windows related activities. Any 3rd party applications, and even many non-core Windows options will be restricted pending your tuning. Also, custom monitoring, maintenance scripts which you run will likely all need to be tuned as well. This is not an insignificant undertaking, but the security achieved from a properly tuned policy is far greater than what can be obtained from other trust-based security products. Please feel free to reach out again if you need/want further assistance!

    Chris Tyrrell

    Compliance Practice Lead

    Conventus Corp

    ctyrrell@conventus-sei.com



  • 6.  RE: Configure CSP to not interfere with standard Windows operation

    Posted Jul 09, 2013 10:25 PM

    Thanks for the replies.

     

    Trust me when I say I don't want to run the LE policy, but it seems to be the only policy that actually stops people from running applications, e.g., application whitelisting.

    Is there something I can turn on in the CORE or STRICT policies that will stop interactive applications from running a la the LE policy?