Adjusting trusted programs - Whitelist and Blacklist Security for file extensions


Introduction

One of the main features of Fabasoft products is the management of many documents of different types. This requires that the applications needed to view and edit those documents are installed on the client workstations and can be started by the Fabasoft Folio Plug-in.

The Fabasoft Folio Plug-in identifies the type of a content and uses mechanisms of the client operating system to map a tool to that type. It honors the security policies of the client operating system and adds Fabasoft-specific restrictions on top of them. This document describes those restrictions.

Security Settings

When performing operations such as viewing, editing or playing content, the Fabasoft Folio Plug-in runs tools installed on the client workstation. Which tool performs a given operation on a given type of content is determined by the file type association mechanisms of the Microsoft Windows Shell, described in http://msdn2.microsoft.com/en-us/library/bb762764.aspx.

Furthermore, the execution of programs by the Microsoft Windows Shell is controlled by security policies, as described in the following documents:

In addition, the Fabasoft Folio Plug-in defines restrictions that apply only to tools started by Fabasoft products. They are part of the broader mechanism for customizing how tools are run, which is configured in the registry subtree HKEY_CURRENT_USER > Software > Fabasoft > Process Parameters. Note that this subtree lies under HKEY_CURRENT_USER and can therefore be modified by any process running as the logged-on user: it restricts which tools the Plug-in itself launches and complements, but does not replace, the operating system policies mentioned above.

In the root of this tree one of two policies can be declared:

  • If a named value of type String (REG_SZ) with the name Security and the value “Black” is present, the so-called “Blacklist Security” policy applies.
  • Otherwise (the value is absent or holds any other string), the mode of operation is “Whitelist Security”.

Blacklist Security

This security policy is the less secure tool restriction mode and is therefore switched off by default. Any program that is not restricted by operating system policies and not explicitly disallowed by the Fabasoft Folio Plug-in is allowed to run. To explicitly disallow a tool, create a registry key HKEY_CURRENT_USER > Software > Fabasoft > Process Parameters > <base name of the tool executable> holding a named value of type DWORD with the name DisallowRun and the value 1.

Example: the registry key HKEY_CURRENT_USER > Software > Fabasoft > Process Parameters > notepad holding the DWORD value DisallowRun = 1.

This setting prevents loading any executable whose file base name is “notepad”, regardless of the directory it is stored in. The base name comparison is case-insensitive.

Default Blacklist

If the Fabasoft Folio Plug-in security is set to “Black”, the following executables are disallowed by default:

  • Standard script engine hosts
    • wscript
    • cscript
  • Elevated browsers
    • mshta
  • Standard registry editors
    • regedit
    • regedt32

For these executables no registry entry is needed; they are disallowed implicitly. An explicit entry overrides the default: setting the named value DisallowRun to 0 under the executable's key allows it to run again.

Whitelist Security

This is the default Fabasoft Folio Plug-in security mode. Tool execution is restricted to an explicit list of executables. Only executables on that list can be started from within a Fabasoft product, and only if operating system policies do not restrict them.

To explicitly allow a tool, create a registry key HKEY_CURRENT_USER > Software > Fabasoft > Process Parameters > <base name of the tool executable> holding a named value of type DWORD with the name AllowRun and the value 1.

Example: the registry key HKEY_CURRENT_USER > Software > Fabasoft > Process Parameters > tracer holding the DWORD value AllowRun = 1.

This setting allows loading an executable whose file base name is “tracer”, regardless of the directory it is stored in. The base name comparison is case-insensitive.

Default Whitelist

If the Fabasoft Folio Plug-in security is set to any value other than “Black”, the following executables are allowed by default:

  • Standard text editors/viewers
    • notepad
    • wordpad
  • Standard image editors/viewers
    • mspaint
    • rundll32 (shimgvw)
    • rundll32 (photoviewer)
  • Standard final format editors/viewers
    • acrord32
    • acrobat
    • xpsviewer
  • Supported package editors/viewers
    • winzip32
    • rundll32 (zipfldr)
  • Supported signature editors/viewers
    • siqscc
  • Supported help viewers
    • hh
  • Supported browsers
    • firefox
    • iexplore
  • Supported mail clients
    • thunderbird
    • outlook
    • msimn
  • OpenOffice.org
    • soffice
    • swriter
    • scalc
    • simpress
    • sdraw
    • smath
  • Microsoft Office
    • winword
    • excel
    • powerpnt
    • visio
    • msaccess
    • mspub
    • frontpg
    • fpeditor
    • winproj
    • wordview
    • xlview
    • pptview
    • ois
  • Windows Media Player
    • wmplayer
  • Apple Quicktime Player
    • quicktimeplayer

For these executables no registry entry is needed; they are allowed implicitly. An explicit entry overrides the default: setting the named value AllowRun to 0 under the executable's key disallows it.
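The rules of the Blacklist Security and Whitelist Security sections above (mode selection, the two default lists, explicit DisallowRun/AllowRun overrides and case-insensitive base-name matching) can be checked offline against an export of the Process Parameters subtree. The following script is an added example and not Fabasoft code: it parses the text produced by `reg export "HKCU\Software\Fabasoft\Process Parameters" pp.reg` and reports whether a given tool would be allowed. The sample exports are constructed. Two points go beyond what the page states and are marked ASSUMPTION in the code: the page lists rundll32 only together with a host DLL (shimgvw, photoviewer, zipfldr), so the model allows rundll32 only when its first argument names one of those DLLs; and the page defines only the DWORD values 0 and 1, so any non-zero value is treated as "set".

```python
"""Offline model of the Fabasoft Folio Plug-in tool-restriction rules.

Added example, not Fabasoft code. Parses a `reg export` of the
HKEY_CURRENT_USER Process Parameters subtree and decides whether a tool
would be allowed under the Blacklist/Whitelist rules described on this page.
"""
import re
from pathlib import PureWindowsPath

ROOT = r"HKEY_CURRENT_USER\Software\Fabasoft\Process Parameters"

# Default lists transcribed from the page.
DEFAULT_BLACKLIST = {"wscript", "cscript", "mshta", "regedit", "regedt32"}
DEFAULT_WHITELIST = {
    "notepad", "wordpad", "mspaint", "acrord32", "acrobat", "xpsviewer",
    "winzip32", "siqscc", "hh", "firefox", "iexplore", "thunderbird",
    "outlook", "msimn", "soffice", "swriter", "scalc", "simpress", "sdraw",
    "smath", "winword", "excel", "powerpnt", "visio", "msaccess", "mspub",
    "frontpg", "fpeditor", "winproj", "wordview", "xlview", "pptview", "ois",
    "wmplayer", "quicktimeplayer",
}
# ASSUMPTION: the page lists rundll32 only as "rundll32 (shimgvw)" etc., so it
# is modelled as allowed only when its first argument names one of these DLLs.
RUNDLL32_HOSTS = {"shimgvw", "photoviewer", "zipfldr"}

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VAL_RE = re.compile(r'^"([^"]+)"=(?:dword:([0-9a-fA-F]+)|"(.*)")$')


def parse_reg_export(text):
    """Map each subkey of the Process Parameters tree ('' for the root) to its
    named values: dword -> int, string -> str; other types/keys are ignored."""
    tree, current, root = {}, None, ROOT.lower()
    for raw in text.splitlines():
        line = raw.strip()
        key = _KEY_RE.match(line)
        if key:
            name = key.group(1)
            if name.lower() == root:
                current = ""
            elif name.lower().startswith(root + "\\"):
                # Subkey name = executable base name, compared case-insensitively.
                current = name[len(ROOT) + 1:].lower()
            else:
                current = None
            if current is not None:
                tree.setdefault(current, {})
            continue
        val = _VAL_RE.match(line)
        if val and current is not None:
            vname, dword, string = val.groups()
            tree[current][vname] = int(dword, 16) if dword is not None else string
    return tree


def security_mode(tree):
    """'Black' only if the root holds the string value Security = "Black"."""
    return "Black" if tree.get("", {}).get("Security") == "Black" else "White"


def is_allowed(tree, exe_path, args=()):
    """Would the Plug-in start exe_path? Only the file's base name is compared,
    case-insensitively; directory and extension are irrelevant. Operating
    system policies (SRP/AppLocker) are outside this model."""
    base = PureWindowsPath(exe_path).stem.lower()
    entry = tree.get(base, {})
    if security_mode(tree) == "Black":
        if "DisallowRun" in entry:
            # Explicit entry overrides the default list in both directions.
            # ASSUMPTION: only 0 and 1 are defined; any non-zero value is "set".
            return entry["DisallowRun"] == 0
        return base not in DEFAULT_BLACKLIST
    if "AllowRun" in entry:
        return entry["AllowRun"] != 0            # same ASSUMPTION as above
    if base == "rundll32":
        dll = PureWindowsPath(args[0].split(",")[0]).stem.lower() if args else ""
        return dll in RUNDLL32_HOSTS
    return base in DEFAULT_WHITELIST


# Constructed sample exports (not taken from a real workstation).
SAMPLE_WHITE = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Fabasoft\Process Parameters]

[HKEY_CURRENT_USER\Software\Fabasoft\Process Parameters\tracer]
"AllowRun"=dword:00000001

[HKEY_CURRENT_USER\Software\Fabasoft\Process Parameters\iexplore]
"AllowRun"=dword:00000000
"""

SAMPLE_BLACK = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Fabasoft\Process Parameters]
"Security"="Black"

[HKEY_CURRENT_USER\Software\Fabasoft\Process Parameters\Notepad]
"DisallowRun"=dword:00000001

[HKEY_CURRENT_USER\Software\Fabasoft\Process Parameters\wscript]
"DisallowRun"=dword:00000000
"""

if __name__ == "__main__":
    for label, export in (("whitelist", SAMPLE_WHITE), ("blacklist", SAMPLE_BLACK)):
        tree = parse_reg_export(export)
        print(label, "mode:", security_mode(tree))
        for exe in (r"C:\Windows\notepad.exe", r"C:\Windows\System32\WScript.exe",
                    r"C:\Tools\tracer.exe", r"C:\Program Files\Internet Explorer\iexplore.exe"):
            print("  ", exe, "->", "allowed" if is_allowed(tree, exe) else "blocked")
```

To check a real workstation, export the subtree with reg.exe (which writes UTF-16, so read the file with encoding="utf-16") and pass its contents to parse_reg_export. The sample runs show the two override cases the page describes: in whitelist mode an explicit AllowRun = 0 disables the otherwise default-allowed iexplore, and in blacklist mode an explicit DisallowRun = 0 re-enables the otherwise default-blocked wscript.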
