Operating System with Default-Deny as policy

The_Librarian

Another MyBB
Super Moderator
Joined
Nov 20, 2015
Messages
37,649
Currently most OSes allow you to install software when you want it, when you need it, and to make things easier for everybody.

Unfortunately, in some cases, this can be abused, as is proved by the recent WannaCrypt outbreak (see this thread).

A long, long time ago somebody wrote an article about an OS that implements a default-deny policy, which means that if something wants to run (or execute, or start up another program) it will not be able to do so unless authorized by the administrator/user of that machine. (I cannot find the original article anymore by now :( )

Put in a nutshell, the policy will prohibit anything from spawning its own processes unless duly authorized.

Now I am wondering, how feasible is it to code an OS with a default-deny policy? Of course, it will also have a policy to allow you to install software (like word processors, spreadsheets, web browsers, Java, or anything else that is required by the end-user).

After a successful installation, the default-deny policy is activated. Currently installed programs will be allowed to run, but if some nasty comes along and tries to spawn its own process (even through a legitimate pre-installed app), it is denied from doing its dirty tricks.

Or is it just a pipe dream?
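The scheme described in the post above (record what is installed, then switch to default-deny), sketched as an added example that is not part of the original post. The class name, the SHA-256 hash allowlist and the sample files are assumptions made for illustration, and a real OS would enforce this in the kernel rather than in a script.

```python
import hashlib
import os
import tempfile

def sha256_file(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

class DefaultDenyPolicy:
    """Install mode records executables; once locked, unrecorded code is denied."""
    def __init__(self):
        self.allowed = {}    # sha256 -> real path recorded at install time
        self.locked = False  # hypothetical switch flipped by the administrator

    def install(self, path):
        if self.locked:
            raise PermissionError("locked: an administrator must unlock to install")
        self.allowed[sha256_file(path)] = os.path.realpath(path)

    def may_execute(self, path):
        """Return (allowed, reason) for a launch request."""
        if not self.locked:
            return True, "install mode"
        digest = sha256_file(path)
        if digest in self.allowed:
            return True, "hash on allowlist"
        if os.path.realpath(path) in self.allowed.values():
            return False, "allowlisted path, contents changed"
        return False, "not on allowlist"

def demo():
    """Constructed sample files: installed, dropped after lock, tampered."""
    d = tempfile.mkdtemp()
    app, dropped = os.path.join(d, "editor"), os.path.join(d, "dropped")
    with open(app, "wb") as f:
        f.write(b"constructed editor binary")
    policy = DefaultDenyPolicy()
    policy.install(app)
    policy.locked = True  # installation finished, default-deny is now active
    results = [policy.may_execute(app)]
    with open(dropped, "wb") as f:
        f.write(b"constructed unknown binary")
    results.append(policy.may_execute(dropped))
    with open(app, "ab") as f:
        f.write(b"patched")  # installed file modified after the snapshot
    results.append(policy.may_execute(app))
    return results
```

A hash allowlist only decides which binaries may start; an allowed program that interprets scripts or macros still runs whatever it is handed, so the "through a legitimate pre-installed app" case needs separate controls.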
 

Johnatan56

Honorary Master
Joined
Aug 23, 2013
Messages
30,955
Are you looking for:
Software Restriction Policies (SRP) is a Group Policy-based feature that identifies software programs running on computers in a domain, and controls the ability of those programs to run. You use software restriction policies to create a highly restricted configuration for computers, in which you allow only specifically identified applications to run.

https://technet.microsoft.com/en-us/library/hh994606(v=ws.11).aspx

Windows has this. I am sure that Linux probably has the same (gkm linked something).
 

zippy

Honorary Master
Joined
May 31, 2005
Messages
10,321
"Duly authorised" is the key phrase here. An OS is as locked down as the human who has the key allows it to be.
 

w1z4rd

Karmic Sangoma
Joined
Jan 17, 2005
Messages
49,747
Microsoft Firewall with group policy

Though, if your network does not have a good firewall/proxy/gateway then your admin is the problem (no, I don't think pfsense with clamav is good enough). I use SophosXG (this way my entire network is shielded, even if someone on my network is infected).

By default you should be blocking all outgoing traffic and forcing it through your proxy (which can then scan and enforce browsing restrictions). If you are not, then go back and admin :D

I prefer XG because of "Sandstorm". A cloud-based system that checks every file coming in.

Saying that, I have two Windows machines on my network for gaming or editing. But it's more phones and IoT devices that have issues on my network as all my computers (bar those two Windows desktops) are Linux. Why on earth would I run Windows on them? No ransomware for me :D
 

w1z4rd

Karmic Sangoma
Joined
Jan 17, 2005
Messages
49,747
Should also be pointed out, WannaCry can also do SMB pivot, which means that if an infected machine comes onto your network, it can infect.
https://www.youtube.com/watch?v=uasL8otBuPA
 