6

I’m working for a large organization which is using some Windows products that require python to work.

Python is used to execute built in utility scripts and the user never recognizes that python is involved, Since the security requirements of the system are quite strict we are trying to lock down python as much as possible. We normally don’t allow normal users to use compilers or interpreters since it’s not allowed to add applications or functionality to the system. So we are looking for tips about how to restrict python so that only some scripts are allowed to run while the interactive prompt/interpreter is not available.

Is that even possible?

Our first approach was looking into restricting python with group policies, but that is not easily done since Python is not “GPO aware”. Using software restriction policies are basically a block Python for all or allow Python for all.

Since python scripts are run through the interpreter (python.exe), the GPO software restriction settings for executable locations only checks the python.exe and not the script location itself (the GPO system only sees the python script as a generic argument to the python.exe executable).

So my question is: if anyone has have any experience in tightening the security concerning python? One again, our goal is that only some scripts are allowed to run while the interactive prompt/interpreter is not available, Is that even possible?

Lighty
  • 2,368
  • 1
  • 23
  • 36
andpou
  • 61
  • 2
  • I don't know of an easy way to do this. You could modify the Python interpreter itself to only execute certain authorised scripts. – paj28 Jan 13 '15 at 14:34

2 Answers2

3

You could turn your python scripts into windows executables using py2exe. That way it would be treated the same way you restrict other system binary. Be aware that it is possible to reverse-engineer by "uncompiling" it, showing the script functions and all. But as your question in only about enforcing execution authorization, i think that it will fulfill your need.

DarkLighting
  • 1,523
  • 11
  • 16
  • 1
    Its a very good idea and we have used that for some python scripts. Unfortunately we are using a big products that relies heavily on python scripts (ArcGis) and it's a very timely process to convert all scripts as well as the mechanism ArcGis uses to call scripts via python. – andpou Jan 09 '15 at 09:58
2

How about the use of PyPy with its sandboxing mode?

I'm afraid I'm not that familiar so I'm uncertain that it would be fully secure but certainly worth a look.

As far as I can see, your only options are:

  • PyPy sandboxing
  • A Python to executable compiler
  • Giving users a Virtual Machine which allows Python
  • Using a PC sandboxing solution to isolate Python and the file system.
Julian Knight
  • 7,092
  • 17
  • 23