Hi, Trevor Prokop here with Critical Design Associates and today I’d like to demonstrate how you can leverage Ivanti Application Control to improve your endpoint security. Application Control is the security product within Ivanti User Workspace Manager Suite or UWM for short.
Application Control has many key features but today I’d like to focus on trusted ownership which is based on the core of Microsoft NTFS security permissions. Simply stated trusted ownership is a feature that prohibits software from launching if it was not placed on the workstation by a trusted owner by default if the NTFS file owner is not one of four trusted owners as seen in the screenshot to the right the application cannot run.
This list can also be populated with a service account for software delivery via Ivanti Endpoint Manager or Microsoft SCCM. Application Control uses secure filter drivers and Microsoft NTFS security policies to intercept all execution requests.
Execution requests go through the App Control, hook and any unwanted applications, and are blocked as you can see in the screenshot. Administrators install this application and therefore users will be permitted to execute it.
In addition to executable files, Application Control also manages entitlement to PowerShell batch, vbscript, registry files, a number of other items as well. So you can see here in this screenshot of the configuration validated PowerShell scripts here which will deny PowerShell.XE or PowerShell_ise.EXE or if a ps1 file is executed by a user. If the file is not owned by a trusted owner then it won’t be permitted to run.
Business cases around this I’d like to demonstrate are prohibiting users from installing and executing portable or third party applications. Prohibit malware execution from malicious attachments and also to prohibit file-less malware execution via PowerShell. These are a few business cases I’d like to demonstrate and also how to be protected using Ivanti Application Control.
So let’s get into the demo. What we have here I have two VMs. Both are Windows 10 64 bit, one has Application Control installed and one does not. Here is no Application Control just the normal environment that people would access.
So what I’d like to show is a user trying to download the uTorrent portable application to see if they can click it and install the application. As you see I already completed the installation. I can execute this UTorrent as a non-administrative as well.
So we have uTorrent running and switch over to an App Control managed system, you can see that uTorrent was downloaded and when I go to execute it is denied. This user is not authorized and when trusted ownership comes into play look at the properties and view the security tab. The Advanced tab you inform you that the owner is a user. This particular user was not one of the four trusted owners therefore will be unable to execute the application.
In our demo of how trusted ownership permits applications to run, we can launch Word and the user has no problem. The reason being is if we look at the office folder and look at windward and view the security tab and then view the advanced tab, you notice Word was placed there by the system account. This verifies the owner and therefore it’s able to run.
Another example to take a look at here is file-less malware a lot of times nowadays that PowerShell is used to download code from the internet and execute it on the workstations.
So you can see here in this instance I’m able to launch PowerShell. I have a PowerShell window waiting here it’s going to execute this line of code. This is a one-liner to invoke mimikatz. If we had App Control loaded, the user would not able to execute PowerShell. What also comes into play here is running the actual ps1 file since that file itself is not a trusted owner.
These are two examples. The last one I’d like to execute is a Word document we download that we received via Outlook. We want to execute it and we just enable macros.
We’re just waiting a few minutes there you notice the file name has changed. While we are waiting for that we could potentially have more payloads being downloaded. As you see we now have cryptolocker loaded our files are encrypted.
What I’d like to do is demonstrate what it would look like on a workstation with Application Control enabled. We can launch that same document and we will also enable content just the same and you see the file name did change. This user is not authorized to execute cryptolocker so there you can see how we can just close out of that document. Application Control protected us. If we switch over here these files here are encrypted.
Thank you that concludes my demo. Thank you for your time.
Architect & Director of Professional Services