6

To illustrate the benefits of digitally signing certificates, I wrote a .NET executable "demo.exe" which calls a function in "demo.core.dll". I digitally signed both executables. When executed, it prints a message "Hello. How are you doing?".

The message in "demo.core.dll" was modified to "You've been hacked" with a hex editor. Verification of the digital certificate on "demo.core.dll" fails. Run "demo.exe" which displays "You've been hacked".

I expect that Windows will fail to execute the DLL.

This negates the value of a digital certificate. How do I configure Windows not to load tampered binaries with invalid certificates?

bloudraak


9

Edit: I forgot AppLocker!

Before performing the following procedure, ensure that you created the default rules for the rule collection that is described in Preventing Standard Users from Running Per-user Applications.

To allow only signed applications to run

1. To open the Local Security Policy MMC snap-in, click Start, type secpol.msc, and then press ENTER.

2. In the console tree, double-click Application Control Policies, and then double-click AppLocker.

3. Right-click Executable Rules, and then click Create New Rule.

Caution

This rule prevents unsigned applications from running. Before implementing this rule, ensure that all of the files that you want to run in your organization are digitally signed. If any applications are not signed, consider implementing an internal signing process to sign unsigned applications with an internal signing key.

4. On the Before You Begin page, click Next.

5. On the Permissions page, click Next to accept the default settings.

6. On the Conditions page, click Next.

7. On the Publisher page, note that the default setting is to allow any signed file to run, and then click Next.

8. On the Exceptions page, click Next.

9. On the Name and Description page, accept the default name or enter a custom name and description, and then click Create.

AminM
Ryan Ries
  • I've done exactly as that instructs but I'm still able to run unsigned EXEs as a standard user on Windows 10 Enterprise v1803. Any ideas? – mythofechelon Aug 15 '18 at 12:01
  • Apparently, the Windows service `Application Identity` (display name) / `AppIDSvc` (service name) needs to be running, which it isn't by default. The elevated command `sc.exe config appidsvc start= auto` must be used to do this. https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/applocker/configure-the-application-identity-service – mythofechelon Mar 13 '20 at 10:00
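The same outcome as the GUI procedure in the answer, plus the Application Identity service fix from the comment, as an added PowerShell example that is not part of the original question or answer. It assumes the signed `demo.exe` and `demo.core.dll` live in `C:\demo` (an assumed path) and that the AppLocker default rules, including the DLL collection's default rules, already exist; run it from an elevated prompt.

```powershell
# Added example; not code from the question or the answer.
# Assumption: the signed binaries from the question sit in $AppDir.
$AppDir = 'C:\demo'

# 1. Check the Authenticode signatures explicitly. Windows does not do this
#    when loading a DLL, which is why the hex-edited demo.core.dll still runs.
#    An unmodified signed file reports Valid; the patched one reports
#    HashMismatch (the signature is intact, but the file no longer matches it).
Get-ChildItem -Path $AppDir -Include *.exe, *.dll -Recurse |
    ForEach-Object { Get-AuthenticodeSignature -FilePath $_.FullName } |
    Select-Object @{ n = 'File';   e = { Split-Path $_.Path -Leaf } },
                  Status,
                  @{ n = 'Signer'; e = { $_.SignerCertificate.Subject } } |
    Format-Table -AutoSize

# 2. AppLocker evaluates rules only while the Application Identity service
#    is running; it is set to Manual by default (the comment above covers this).
Set-Service -Name AppIDSvc -StartupType Automatic
Start-Service -Name AppIDSvc

# 3. Build publisher rules from the signed files. A publisher condition is
#    satisfied only by a file whose signature verifies, so a tampered file
#    matches no rule. -Optimize merges rules that share a publisher.
#    Caveat: enabling the DLL collection means every DLL on the machine needs
#    an allow rule, so the default DLL rules must exist first.
$fileInfo = Get-AppLockerFileInformation -Directory $AppDir -Recurse -FileType Exe, Dll
$policy   = New-AppLockerPolicy -FileInformation $fileInfo -RuleType Publisher `
                                -User Everyone -Optimize

# 4. Dry-run before applying. The untouched demo.exe should be Allowed; the
#    modified demo.core.dll should be Denied because no publisher rule matches.
Test-AppLockerPolicy -PolicyObject $policy -User Everyone `
    -Path (Join-Path $AppDir 'demo.exe'), (Join-Path $AppDir 'demo.core.dll')

# 5. Merge into the local policy. -Merge keeps the existing default rules so
#    Windows' own binaries continue to run; without it the policy is replaced.
Set-AppLockerPolicy -PolicyObject $policy -Merge
```

Test-AppLockerPolicy reports the decision per file, so re-run step 4 after any rebuild of the DLL to confirm the rule still allows the legitimately re-signed version.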