Daniel Drubin Access Control Suite Reference User Manual

This manual describes Daniel Drubin Access Control Suite (ACS).

This document relates to release version 1.0

Product Features

Daniel Drubin Access Control Suite (DDACS) is a security product comprised of several technologies intended to protect your PC. The main areas of protection are network and files access. Based on pattern matching filters it provides unique protection level and flexible yet easy to access use cases.

Daniel Drubin Access Control Suite is suitable for both personal computers and servers. It can protect any Windows computer starting from Windows XP.

Features

Rules-based firewall
Inbound and outbound network traffic filtering
Protection of all wired and wireless networks
Web sites blocker
Payload filter
File access filter
Programs blocker
Administrator is subject to access control checks
No time and resources consuming periodic operations
Very little resources use
Add, delete and remove rules at any time
Graphical control panel and corresponding command-line tools to use in scripts
Aggregate and specific rules

Understanding DDACS

In order to use Daniel Drubin Access Control Suite effectively and safely it is important to understand how it works.

DDACS operations are based around network and files filters. The filters are software components that run in Windows kernel in position designed for filtering. All relevant traffic for all networks and file systems pass through the filters.

Network Filter

Network filter applies rules specific to certain protocols. Network protocols are standard conventions established for communication between computers and devices over network. All network data are sent and received in packets, which are units of data with variable length and fixed maximum size. A packet consists of header (part that contain addressing and control information) and payload, which is actual data transmitted in a packet.

Some protocols, such as IP and UDP are stateless, dealing only with sending and receiving individual packets with data. Such protocols are said to operate on datagrams, every packet includes a datagram (data unit). A datagram may be only received or dropped entirely. Other protocols, such as TCP, are stateful, dealing with connections. Besides data they send also control information between the two computers in order to establish connection, maintain it, close connection, acknowledge received data and retransmit lost packets. Such protocols include specific procedures in order to establish, control and terminate connections.

Internet connections are based on TCP/IP protocol suite. TCP/IP protocols are layered (more properly would be said "nested") in a way similar to "matryoshka" nested dolls. A packet of protocol from higher layer is nested (encapsulated) in payload part of a protocol from lower layer. A protocol of the lower layer is called transport for a protocol from the higher layer. Hardware network data transmission level is called layer 1 or physical layer. Level of packets (called frames) prepared by software and understood and sent by the Network Interface Card (NIC) is called layer 2 or data link layer. IP and other purely software protocols encapsulated in layer-2 frames are called layer 3 or network layer. Protocols that are encapsulated in IP payload, such as TCP and UDP are called layer 4 or transport layer. Layer 5 or session layer is intended to control connections and states; however it is part of layer-4 protocols (TCP). Layer 6 or presentation layer is intended for transforming data from application-acceptable format into format that is intended to be sent over network. Encryption or compression takes place on this layer. Finally, layer 7 or application layer is used by applications that provide users access to internet. Examples of application-layer protocols are HTTP, FTP, and TELNET.

TCP and UDP transport protocols add port number to IP address in order to determine application-layer protocol. This allows different application-layer protocols to run between the same pair of IP addresses. However, even if it's not the same pair of computers that run multiple application-layer protocols, most application-layer protocols always use the same port numbers. E.g. HTTP servers use port 80 in order to accept connections; FTP servers use port 21, TELNET servers use port 23 etc. Some (mostly video and audio streaming) protocols negotiate different ports for different sessions, but they still use the same port in order to initiate a session and conduct negotiation. This is done so that client applications (the ones that must send initial packets when establishing a connection) could "know" on which port to look for the server. Sometimes servers may be configured to use non-standard port (e.g. HTTP to use port 15342), but then this information about using non-standard port must be communicated to all potential clients - otherwise the clients simply "will not know" that they should try to connect to server especially on 15342. Only server-side ports are the same for the same protocols – since they have to be known to clients that initiate connections. Client programs (the ones that initiate sessions by connecting to servers) have dynamically assigned ports. It is important to remember, since when you are creating a rule for client-server connection you will have to specify server’s address and port, but on the client side the most appropriate is any port number.

DDACS operates on layer 2, in a framework designed and intended in Windows for filter drivers. This placement allows filtering the complete data assembled by Windows protocols drivers on its way to NIC. Based on current set of rules the DDACS Network Filter decides whether to allow a network packet pass for transmission or drop it. Another part of Network Filter tests incoming packets for rules and makes a decision whether to allow a network packet enter Windows protocol drivers or drop it.

As of version 1.0 DDACS Network Filter recognizes and checks against rules only Ethernet packets.

Please refer to Network Filter Rules for specification on how to create rules, how they are checked, ordered and how permissions are applied.

Files Access Filter

Files Access Filter provides an additional layer of access permission checks based on accessor program's name and resource (file) name. The protectable resource may be any file system object - a regular file, a program, a directory or a symbolic link. For any accessed file read, write, create, delete and execute permissions may be set.

Please refer to File Filter Rules for specification on how to create rules, how they are checked, ordered and how permissions are applied.

Licensing

Daniel Drubin ACS 1.0 is licensed as freeware, meaning that you can use it without charge for unlimited time. You may distribute it freely, if you provide the entire original package. A registration is available that grants support and all fixes, updates and feature releases for 1 year. No other permission or obligation regarding future versions of DDACS is granted. Please see the full license terms [license].

Installing DDACS

Installation of DDACS is easy. Download a self-extracting installer package suitable for your operating system, run it and follow the installation instructions. The installation asks only three questions:

About installation directory (default is "c:\Program Files\Daniel Drubin ACS")
If you want to install default rules set
If you want to start DDACS automatically

If you install on Windows XP, you will see several times a Windows warning box popping up and saying that "DDACS Miniport Driver is not signed", then warn you about risks of using unsigned drivers. DDACS doesn't include a real hardware driver, but in order to filter network traffic it installs an NDIS intermediate driver. Its outbound part is recognized by XP as hardware driver (which is incorrect), causing it to display this prompt. There is no such warning on later versions of Windows.

If you install on Windows Vista and later, you will receive a prompt telling that the installer requests administrator privileges and if you agree to grant it. Since DDACS installs and operates system-level components, it has to be installed with administration privileges; otherwise the suite will not function.

If you ever want to uninstall DDACS, simply run "uninstall.exe" from DDACS start menu or use Windows Control Panel "Add/Remove Programs" to uninstall.

Using DDACS

This chapter describes DDACS essentials and configuration tools and files.

DDACS Control Panel (GUI)

DDACS Control Panel is the most convenient way to create and manipulate rules. It has four tabs: "File System AC", "General Firewall", "WWW Blocker" and "Program Blocker". Use the tabs to get access to relevant filters.

There are five rules operating buttons: "Add", "Delete", "Edit", "Save" and "Load" and "Exit" button. It's easy to distinguish them by their icons; besides that all bottons display a tooltip when you stop a mouse over them.

In order to add a new rule, click on "Add" button (green "+") and fill parameters relevant to the filter.

In order to delete a rule, select it and click on "Delete" button (red "X"). The rule is selected by clicking on its first parameter (here in "File System AC" it's "Program" column).

In order to edit a rule, select it and click on "Edit" button (pen with notepad). Fill or change parameters relevant to the filter.

"Save" (diskette icon) and "Load" (green arrow going out of a folder) buttons save and load rules for the current filter to/from rules file on disk. Each filter has its own rules file (see "Command-line Tools" below).

Command-line Tools (CUI)

Command-line tools provide an alternative CUI interfaces and automatic load functionality. In most aspects they duplicate functionality of relevant control panel filters, with summary of differences appearing below.

The control panel is the most convenient tool to add, remove and manipulate rules. Command-line tools are mostly intended to be used in start-up or installation scripts.

There are two command-line programs: "nf.exe" (Network Filter) and "ff.exe" (Files Filter). "nf" has the following command-line usage:

nf

{-s|-S rule_number|-r|-R
rule_number|-l|-c command_file}
[-m "pattern"] [-panel_id
id]

   
-s:    set a rule (you will be asked
for all parameters)

   
-S:    set a rule with specified number
(all following rules shift)

   
-r:    remove a rule (you will be asked
for all parameters; only a rule that is exactly equal will be removed)

   
-R:    remove a rule by number (use
"-l" in order to get rules numbers)

   
-l:    list all rules (with order
numbers)

   
-m:    specify pattern to match
(assumes "-s")

   
-c:    specify command file to read
rules

    -panel_id:
specify panel (CP
tab) ID to associate with the rule

-l may be used with -s or -r or separately

"-s" and "-r" are interactive commands, they will ask you for all relevant parameters. You may input "any" instead of actual parameter (where applicable: source and destination address, source and destination port, protocol). For source and destination addresses you may put "default" for default your computer's address. Please refer to Website Blocker and General Firewall for details.

For protocol type "ip", "icmp", "tcp", "udp" or "any".

"-c" option is used to load rules from a file. In order to be consistent with the control panel, use "firewall.rul" for general firewall rules and "web-block.rul" for WWW Blocker rules. Note that rules in "web-block.rul" must follow very special convention; refer to Website Blocker for details.

"-panel_id" option lets you specify panel (CP tab) ID. CP tabs manipulate only rules designated to them. Use "-panel_id 2" for rules designated for general firewall and "-panel_id 7" for rules designated for WWW Blocker.

You may notice that there are more rules listed by "nf" than by CP. This is because:

"nf" lists all the rules for both general firewall and website blocker
When you specify domain name as either source or destination address, the rule must match all IP addresses that this host is translated to. Since the Network Filter operates on packet level, it needs to have a rule per each IP address. When "nf" or control panel upload a rule, they upload a rule for each IP address

Consequently, there is an additional difference: when you delete rules for a domain with "nf -R" or "nf -r" you have to remove every IP rule that belongs to it. DDACS Control Panel does it automatically.
"ff" has the following command-line usage:

ff {-s|-r|-R rule_number|-l|-c
command_file}
[-m "pattern"] [-panel_id
id]

   
-s:    set a rule

   
-r:    remove a rule

   
-R:    remove a rule by number

   
-l:    list all rules

   
-p:    get list of processes and upload
them to driver

   
-c:    specify command file to read
rules\n"

    -panel_id:
specify panel (CP
tab) ID to associate with the rule

-l may be used with -s or -r

As it immediately appears, the options are very similar to those of "nf" and they have the same meaning. Please refer to Files Access Filter and Programs Blocker for details.

"-c" option is used to load rules from a file. In order to be consistent with the control panel, use "ff.rul" for general files access rules and "prog-block.rul" for Program Blocker rules. Note that rules in "prog-block.rul" must follow very special convention; refer to Programs Blocker for details.

"-panel_id" option lets you specify panel (CP tab) ID. CP tabs manipulate only rules designated to them. Use "-panel_id 1" for rules designated for general files access control and "-panel_id 8" for rules designated for Program Blocker.

Rules Files Formats

Rule files formats simply contain lines of parameters, one line per rule. The order of parameters is nearly the same as they appear in interactive session in command-line tools. If you want to place comments, start them with a semicolon (‘;’). Note however that if you later modify the rules in Control Panel and save them, the comments will be removed.

Network Filter rules format:

protocol
source_address
[source_mask] destination_address
[destination_mask] [source_port]
[destination_port]
action [pattern]

(Square brackets denote optional parameters)

protocol is one of the following: “IP”, “ICMP” “TCP”, “UDP” or “any”
source_address is IP address, domain name, “default” or “any”
source_mask is mask for significant part of the address. It’s omitted if source_address is “any”
destination_address is IP address, domain name, “default” or “any”
destination_mask is mask for significant part of the address. It’s omitted if destination_address is “any”
source_port and destination_port are source and destination port numbers or “any” for TCP and UDP. They are omitted if protocol is “IP”, “ICMP” or “any” actionis “allow” or “block”
pattern is optional pattern to search in packets.

Some parameters prepended with “!” in order to specify “any but this” option. This is applicable for protocol, source_address, destination_address, source_port, destination_port and pattern.

All parameters except for pattern are case-insensitive. Parameters may be enclosed in quotes (“”) or not (but this is important to quote pattern if it includes spaces).

If you are editing “web-block.rul” file (intended for WWW Blocker), edit only destination_address and destination_port.

Files Access Filter rules format:

accessor_program
file access_type action

accessor_program is program, which accesses you want to control. Program name is case-insensitive.
file is a file object, access to which you want to control
access_type is one or more of "read”, “write”, ”creat”, “exec” and “delete". If you need more than one, separate them with any printable symbol, like the following: "read|write|creat|exec|delete"
action is “allow” or “block”.

Some parameters prepended with “!” in order to specify “any but this” option. This is applicable for accessor_program and file name.

Parameters may be enclosed in quotes (“”) or not (but this is important to quote protected file name if it includes spaces). If you are editing “prog-block.rul” file (intended for Program Blocker), edit only file name.

Network Filter

This chapter describes user interface and functionality of the Network Filter (firewall).

Purpose

The purpose of the Network Filter (firewall) is to extend built-in Windows networking security with packets-bound rules-based firewall. Flexible rules structure allow implementation of efficient security strategies.

Rules

The Network Filter rules are specified with the following parameters

Source IP address and mask
Destination IP address and mask
Protocol
Source and destination ports for TCP and UDP protocols
Pattern to match in packets (optional)
Aggregate and decision inversion options
Action

Source (destination) IP address may be a regular dotted IPv4 address (in form of xx.xx.xx.xx), a host name or an option "any" meaning that any source (destination) IP address will match the rule. A special hostname "default" may be used instead of real IP address or host name, which will translate into default local computer address used for internet connection. Please note that this is not the same as localhost address (127.0.0.1), which cannot be used to connect to internet. An additional decision inversion ("any but this") option may be applied, which means that the rule matches all packets that don't match the rule's source (destination) IP address.

If host name is specified as source/destination address, then distinct rules will be created for all IP addresses that match the host name in DNS records.

Protocol specification lets you choose a protocol that the rule will match. It may be IP, ICMP, TCP or UDP. Please note that since TCP and UDP are nested in IP payload, a rule specified for IP protocol will match TCP and UDP tool. Additionally there are options "any" (meaning any protocol in packet will match the rule) and "any but this" - meaning that the rule matches all packets that don't match this protocol.

Source (destination) mask is a regular dotted IPv4 network mask. It has the same meaning for the Network Filter as network mask has for packets reception and sending: while matching a rule only masked-in (1's) bits are considered. This allows using a single rule in order to create access policy for a whole network. Please note that the mask is effective only for DDACS IP address matching. It doesn't affect real network settings, doesn't have to match them and doesn't have to conform to standard classful IP addressing.

Source (destination) port is applicable only for TCP and UDP protocols. It identifies port that will be matched in network packets in order to apply the rule. "Any" port and "any but this" options are available.

Pattern is optional to match the network packets. If specified, only packets that match the pattern are applied the rule. "Any but this" option is available, meaning that only packets that do not match the pattern are applied the rule. Please refer to Pattern Matching for description of patterns and how they are specified.

Action instructs the Network Filter what to do with the packet when a rule is applied. It's either “allow” or “block”. If no rule is applied to a packet, it is allowed.

The rules have priority rules recognized by the Network Filter. In general for every parameter specific rule takes precedence over aggregate rules (i.e. containing "any" and "decision inversion" options). A specific rule that specifies all parameters (protocol, source and destination addresses, ports if applicable and possibly pattern) has the highest priority. Every aggregate rule specification ("any" or "any but this") decreases priority by one level. This priority scheme is intended to allow specifications of general ("aggregate") rules and specific exceptions that will always apply. (Note that rules with the same number of aggregate options have the same priority level; their priority relative to each other is unspecified. Please take care not to have multiple aggregate rules of the same level match the same packets).

Specification of both "any" and "any but this" options is possible, but senseless: both options will apply, effectively nullifying each other - the rule will not match any possible packet.

Network Filter rules may be added and removed at any time using DDACS Control Panel or command-line nf utility. Please refer to DDACS Control Panel (GUI) and Command-line tools (CUI) for details. Additionally, current set of rules may be saved to files file and content of rules file may be loaded at any time (including start-up).

Website Blocker

Website blocker is a simplified interface to Network Filter designed to easily block access to unwanted websites. It allows you to specify IP address or name of a site and applies the following parameters:

Any source address
Destination address is set to the specified website.
Source port is any
Destination port is set to 80 (http) unless you specified non-standard port. Then your specification will take effect.
Source and destination masks are set to 255.255.255.255, specifying application of the rule to individual IP addresses that correspond to the website.
Pattern is not used

In order to specify website to block, open "WWW Blocker" tab and click on "Add Rule" button, which will open "Add WWW Blocker Rule" dialog. Enter site to block in "Site" edit box. If you are blocking access to server that accepts connections on a nonstandard port or a non-HTTP server, click on "Non-standard Port" and enter port number in its edit box.

[ddacs_cp_add_www.png]

Note that you would need to block connections to non-standard port only if you know that the server accepts them on that port. You may know that by looking on the address line that you are using to access website:

http://www.microsoft.com - uses standard port 80
http://www.microsoft.com:8080 uses non-standard port 8080.

When using non-standard ports, do not place port specification in the sebsite address specification (like ":8080" part of the address above). Other than that you may copy-paste from browser's address bar to "Add WWW Blocker Rule" edit box in order to block sites that you found to be unwanted while browsing.

You may block tunneled web access (like HTTPS) or different protocols specified with protocol scheme in web address (e.g. "rtsp://" or "ftp://"). If you need to block such protocols, use their website address with non-standard port appropriate to the protocol. You may copy address line from browser's address bar, similar to the described above. Suppose that you want to block FTP site like "ftp://3dftp.com". Select "WWW Blocker" tab on DDACS Control Panel, click on "Add Rule" button, then enter "3dftp.com" or "ftp://3dftp.com" in "Add WWW Blocker Rule" dialog's "Site" edit box, check "Non-standard Port" and enter "21", which is FTP control port. Click OK to add the rule. That's all, FTP access to site "3dftp.com" is blocked.

WWW blocker may be easily and effectively used to block any TCP client on your computer. Below you may find a table with some frequently used protocols that you can block with "non-standard port" option and ports to use:

Protocol	Port
HTTPS	443
FTP	21
RTSP	554
SIP	5060 (or 5061)
MMS	1755
TELNET	23
SSH	22

Alternatively, you may specify general firewall rule as described below.

General Firewall

The simplest rules are blocking specific application-layer protocols or, alternatively, enabling them when by default they are disabled. Let's suppose that we want to block FTP access to ftp://3dftp.com, similar to example above. Select "General Firewall" tab, click on "Add Rule" button, then in the "Add General Firewall Rule" dialog:

[ddacs_cp_add_genfw.png]

Select "TCP" in "Protocol" combo box
Check "Any Source Address"
Enter "3dftp.com" in "Destination address" edit box, "255.255.255.255" in "Destination Mask" field
Select "21 (ftp") in "Destination port" combo box
Select "Block" in "Action" group radio buttons
Click "Add"

That's it, access to "ftp://3dftp.com" is blocked

As described in "Website Blocker" chapter Website Blocker, all TCP clients are easier blocked with "Website blocker". Suppose now that we want to allow reception of MMS stream data (via UDP port 1755) while entire UDP protocol is disabled by default. Select "General Firewall" tab, click on "Add Rule" button, then in the "Add General Firewall Rule" dialog:

Select "UDP" in "Protocol" combo box
Check "Any Source Address"
Enter "default" in "Destination address" edit box, "255.255.255.255" in "Destination Mask" field, or alternatively check "Any Destination Address"
Select 1755 (ms-streaming) in "Destination port" combo box
Select "Allow" in "Action" group radio buttons
Click "Add"

That's it, UDP port 1755 (MMS) is allowed as an exception to general UDP blocking rule.

Patterns Matching

Pattern matching is a unique feature of Daniel Drubin Access Control Suite. Network Filter searches inbound and outbound traffic for patterns.

Patterns are loosely based on regular expressions syntax, however they don't implement all regex functions. One visible difference is that in DDACS patterns repetition specifiers (*, +, ?) are prefix to argument, while in classical regular expressions they are suffix. There are also several limitations on DDACS patterns compared to classical regular expressions:

sets can't be nested
alternations and multi-character sub-expressions are not supported

Basically patterns are strings of data to match with some characters having special meaning: they specify instructions to matching implementation embedded in data. A table below specifies syntactic elements of DDACS patterns.

Element	Meaning
.	Any single character matches
[xyz]	Any of the characters embraced in square brackets matches a single character. Any character not in set doesn't match
^x	Any character except x matches ("x" here is some single character)
[^xyz]	Any character except any character belonging to set matches ("x" here is some single character)
?x	"x" appearing 0 or 1 times matches ("x" here is some single character). The meaning of this construct is in matching "x" if it appears, so that the next character in search set is compared to a character after "x"; if "x" doesn't appear in search set in this positions then it is considered as appeared 0 times and that character is compared to the next character in argument string.
*x	"x" appearing 0 or more times matches ("x" here is some single character). The meaning of this construct is in matching "x" if it appears, so that the next character in search set is compared to a character after "x"; if "x" doesn't appear in search set in this positions then it is considered as appeared 0 times and that character is compared to the next character in argument string. "*x" matches any number of repeated "x" characters
+x	"x" appearing 1 or more times matches ("x" here is some single character). The meaning of this construct is in matching "x" if it appears, so that the next character in search set is compared to a character after "x"; if "x" doesn't appear in search set in this positions then the matching fails. "*+" matches any number of repeated "x" characters, but no less tha 1.
\	Backslash has a special meaning. It is an escape character, which allows specification of characters that are non-printable or otherwise hard to specify. "'\\" means a single backslash character "\r" is "carriage return (ASCII 13) "\n" is "new line" (ASCII 10) "\t" is "tabulation" (ASCII 8) "\xHH" is a character specified by its ASCII code in hexadecimal ("\" ad "x" are literally backslash and "x", and "HH" are two hexademal digits (their ASCII codes). "\" followed by any other character means matching a single appearance of that character (the same effect as if "\" did not appear). This is important in order to type symbols that are used for control when not escaped: '.', '[', ']', '^', '*', '+', '?'

Patterns are matched as general purpose, they don't have any special semantics in a network packet. If an option to match a pattern was specified in a rule, the pattern will be searched for in the entire packet. If matched and other rule specifications match input too, then the action will be applied. It is possible to use patterns to specify for example domain names (so that a certain domain name will be blocked if appeared in any protocol; it is also possible to specify pure binary data, such as piece of virus or malicious program code.

Patterns allow creation of very flexible rules, but you should remember that they assume heavier processing on the Network Filter. Use them carefully and remember not to overload the Network Filter with too many patterns. If having doubts, test suggested set of rules on real system for some time and pay attention on regular performance.

Patterns are more effective in blocking TCP connections with unwanted content than UDP. While in UDP traffic only compromised datagrams will be dropped and the rest of traffic will arrive, when a TCP segment with compromised data arrives, it will be dropped no matter how many times it comes. As it will appear for both connection sides, a TCP segment with unwanted data will always be lost. Since TCP can't tolerate lost segments in connection, after reaching maximum number of retransmissions on the side that sends unwanted data, the entire session will be terminated.

Files Access Filter

This chapter describes user interface and functionality of the Files Access Filter.

Purpose

The purpose of File Access Filter is to enhance built-in Windows user-bound access rules with programs-bound access rules. Also Windows files access control is effective only on NTFS; FAT32 and other file systems don't have native access control. Daniel Drubin Access Control Suite provides access control based on file names and is not bound to any specific file system.

Rules

The Files Access Control rules are specified with the following parameters

Accessor program name
Accessed file name (pattern)
Type of access: read, write, create, delete, execute. May be any combination of these
Action: allow or block

Accessor program name is not a pattern. It's program's name, which will be compared to names of programs that actually try to access a file. Rules of comparison ignore path to the program, so the program with specified name started from any path will apply to this rule. You may specify "any program" to apply this rule to or "any but this" to apply this rule to all programs except the specified.

Accessed file name is a pattern. You may specify a complete file name with path, only a file name or a pattern to match many names. Remember that DDACS pattern syntax is different from OS file naming wildcards. E.g. in order to specify "readme*" put down "readme*." Complete file names with extensions may be used as is, e.g. you may write "readme.txt" in order to specify this file instead of "readme\.txt" - since '.' matches any character, it will match dot too (but take into account that readme_txt will also match). You may specify "any but this" to apply this rule to all files except those that match specified name. If you would like the rule to apply to any file, specify "*." as file name.

Programs Blocker

Program blocker is a simplified interface to Files Access Filter designed to easily block unwanted programs. It allows you to specify program name or full path, then creates a Files Access Control rule with the following parameters:

Any accessor program
Read and execute request
File resource is the program you requested to block

In order to add a program to block, activate "Program Blocker" tab. click "Add rule" and enter program to block

[ddacs_cp_add_prog.png]

The effect of this rule is that no program or another entity in the system may access the blocked program for read and execute, so the program can't be loaded into memory and run. This feature is designed to stop malicious or otherwise unwanted program that already slipped through your computer's security and registered itself to run at startup, or infected another program that runs at startup. Blocking the program from running allows you to take time to delete it from disk or cure it with anti-virus.

Having patters specify program name allows flexibility when defining a single rule:

you may specify full path, so that only the version of a program installed there will be blocked
you may specify only program name, so that any version of the program that has the same program name will be blocked
you may specify a pattern, so that entire group of programs matching it and starting from any path will be blocked
you may specify full path with a more generic pattern, so that only versions of a program starting from the same sub-path are blocker

Note that the pattern syntax is different from file system wildcards. E.g. if you want to prevent any cmd-file from being executed, the correct file name specification will be "*.\.cmd". Also note that DDACS pattern matching is always case-sensitive, while Windows matches file names case-insensitive (although the file names themselves are case-sensitive). In order to specify complete blocking of "cmd" files, the file name specification should be "*.\.[Cc][Mm][Dd]". Particularly, specification of "*.cmd" will work for files like "batchfile.cmd", but it will also match files such as "mycmd" (without dot).

General Files Access Filter

Files Access Blocker is an interface to Files Access Filter that allows you to specify all available options. In order to define a rule for File Access Blocker the following parameters should be submitted:

Accessor program name or "any program" checked (note that accessor program name is not a pattern - it's a string that is searched in path of accessor program during file operation filtering. You may specify a full path, a program name or a program name with sub-path, but not pattern with repetitions, inversions etc)
Protected resource file name, which is a pattern. You may specify full path, only file name, file name with partial path, part of a name etc. Note that if you want to prevent a specific program from accessing any file, the correct file name specification will be "*." (zero or more repetitions or any character), and not "*" or "*.*" as in file system wildcards. Also note that patterns in DDACS are case-sensitive, while Windows matches file names case-insensitive (although the file names themselves are case-sensitive). Please refer to Program Blocker examples to see how to specify case-insensitive names
Access to guard: create, delete, read, write, execute
Action to take when guarded access is detected: block or allow

Note that File Access Blocker always guards opening or creation of files (except for delete). Create, read, write, execute is type of access that the accessor program specifies when opening/creating a file. An attempt to open protected resource with unwanted access will result in "Access denied" error reported to accessor program; and if the accessor program attempts to make an access not requested when the program was opened, then it will receive the same error "Access denied" from Windows.

Defining Your Protection Strategy

This chapter discusses security threats that you may address with DDACS and optimal strategy to achieve your goals.

Objectives

Objectives of good protection strategy are maximizing system's security while minimizing extra processing assumed on it for security checks. In order to achieve that, you need to understand potential threats, define security policies, realize how policy enforcement affects system performance and implement the policy using the minimal performance toll.

User Access Strategy

Despite that Daniel Drubin Access Control Suite 1.0 doesn't provide user-bound access control, defining user access properly is important. Take into account the following considerations:

Are there other users besides you that will be using the protected computer? If the answer is "yes", then you should set their privileges in such a way that they can't run DDACS Control Panel and command-line tools, alter and remove rules. You should also protect other files in DDACS directory (rules files, uninstall program) so that other users will not be able to alter them or uininstall DDACS. The easiest way is to install DDACS with administrator privileges and have other users will less privileges
If for some reasons it is not possible to separate user permissions (e.g. your system is running on FAT32 partition), then you may carefully move the entire DDACS installation directory to backup storage and remove it, so that control programs are not accessible when you are not on controls. Later when you need to update/view/change rules, place the directory back.

Programs Access Strategy

It is important to understand what kind of programs you intend to run and what kind of threats they project.

Since you are computer's administrator, the highest risk bear programs that you run yourself and that may have functionality not known to you. Those include first of all programs that you just downloaded from the internet (or received from another unreliable source) after reading their information and want to try.

A good policy would be to understand what files the program needs to access and allow only them, forbidding access to the rest of the system. Typically the programs access files that reside in their installation directory and that they prompt user to lead, save or otherwise use. You may enable files as the program asks you for them or when it reports that a certain file that it needs is denied access to
In order to load and execute the programs need read access to DLLs, both in Windows system directory and its own. In order to allow programs load, allow it read and execute access to all DLL files and forbit it write, create and delete access to any DLL file. This will allow the program run, but not allow it, for example, copy system DLL to its installation directory, modify it and use that modified system DLL in order to compromise system security. (This assumes that creating DLLs is not the program's documented functionality, e.g. the program is not a development environment
Unless the program's documented functionality includes running other programs, you may want to forbit it execute access to ".exe", ".cmd", ".bat", ".com" and possibly all files. Note that programs may run other programs if they intentionally open files formats for which there is a registered viewer/editor (e.g. a program may open "BMP" file for editing by running Paintbrush on it or show text file in Notepad). In most cases the well-behaved program will report failure of opening the file and possibly the program that it tried to use for open. It's then safe to add exception rule for that program that will allow it run default viewer ("pbrush.exe" or "notepad.exe" in example above)
If a program unexpectedly fails after you applied the rules and possibly the operating system reports its attempted access to some file it shouldn't access then it's a good indication that the specific program is not safe to run. You may block it completely from running with Programs Blocker and uninstall it (with provided uninstaller, Windows Control Panel or simply remove it from disk)
Sometimes malware distributes via e-mail attachments, using door opened by not attentive users who set e-mail program's options "Automatically Run Attachments" to "On". Even if you don't have this option "on", you may occasionally want to run attachments. If the attachment you want to run is an executable, create file access rules for it similar to example above on a program downloaded from internet. Otherwise, if the attachment is a script, create a rule for e-mail client and/or for default viewer registered for this kind of scripts
Similarly to e-mail programs you may want to limit access of scripts run by web browser. Many browsers boast versatile and sophisticated security policies, but there are always exploits found and used in them. This is the case where an additional access control will only help. If setting rules for scripts, specify browser program name (e.g. "iexplore.exe") as accessor program

For programs that come from trusted source, but include known exploits you may implement strategy similar to non-trusted programs.

You may want to block from running programs that are infected or are already temporary executables created by malware, using Program Blocker. Once the program is blocked, you may run anti-virus to cure it, uninstall or delete its executable file.

Network Access Strategy

Compared to files access, network access doesn't present so immediate and strong threat to your system. At least if files access control is used effectively, your important files can't be overwritten or deleted and sensitive data will have any access disabled, with exception of some trusted programs. However, network attacks may be very annoying; additionally some sites you may find inappropriate for you or for other users of your computer.

Block inappropriate sites with Website Blocker
Block UDP inbound and/or outbound traffic completely, then allow specific ports on which your trusted programs communicate
You may want to block all TCP client access to your computer (meaning that servers are running on your computer), then allow ports for specific servers if you run them. TELNET, FTP server ports are the first candidates for blocking. Allow NetBIOS ports if you use Windows sharing
You may want to block all outbound ICMP traffic (ICMP is used to communicate errors). If it is blocked, your computer will not respond to erroneous packets and may be considered offline by other parties. If you want to ping a remote server, temporarily allow ICMP exception to that specific address, ping it then delete the exception rule
You may want to block all outbound connection requests except for well known to you programs. This will prevent unwanted programs, that may have passed security walls until they are able to run, from sending your data over internet
If you are trying a program that came from a non-trusted source and its functionality known to you doesn't include network communication, you may want to temporarily disable any network access via any protocol. If the program unexpectedly fails or reports failing a access to network access it was not supposed to attempt then it's a good indication that the specific program is not safe to run
Use patterns in order to filter received and sent contents. E.g. if you don't want to run annoying Javascript from a specific site, specify "text/javascript" as a pattern. You may also block specific pages within a site by specifying their names as pattern for inbound or even outbound traffic (e.g. "index\.html") Use patterns in order to drop specific attachments (pattern variation on its name), prevent download of specific files (block outbound packets with pattern "[Gg][Ee][Tt]*. specific-file-name").

System Performance Considerations

Security filters add processing to your system in order to match patterns, compare rules etc. Naturally, the more rules there are the more processing is added. Some security suites are so overloaded with monitoring, informational and other services that they become main performance killers. It should be understood that the more sophisticated and complex features are provided, the more CPU time and memory resources they take. Daniel Drubin Access Control Suite pays special attention to minimizing system extra load. During normal operation there are no user-mode services or background applications running - only two kernel filters. DDACS control panel and command-line tools are started when you need them and when you close them, they don't stay. A single rule uploaded to kernel filter takes only a few hundreds of bytes, with reasonable rules load their affect on memory use is not noticeable.

It should be understood that the biggest effect on performance have patterns specified for matching for Network Filter. The reason is that it must scan all relevant packets payloads. Relevant packets are the once that match the rule's source and destination addresses and ports. Apparently, it's preferable to always define patterns into more specific rules - then on-matching addresses will not do pattern matching. In traffic that consists of relevant packets exactly healthy packets (the ones that don't contain the pattern) take the most to process - the entire packet must be checked for relatively small pattern. Use patterns for Network Filter cleverly and carefully.

Files Access Control patterns present far less "performance threat". The reason is that opening a file is normally a less frequent operation than receiving a network packet. However, you should remember that all file names are patterns that are sought in actual accessor's path name. We can only suggest using Files Access Control cleverly and carefully,

Default Configuration

Default configuration is stored in Rules files and may be loaded at system start-up or reloaded from disk at any time. DDACS comes with default rules set that may be modified at any time later.

Default rules are:

WWW Blocker, Files Access Control and Program Blocker empty
General Firewal:

All UDP traffic blocker
UDP exceptions:

outbound from default:any port to any address:53 and inbound from any address:53 to default:any port (DNS)
outbound from default:any port to any address:5355 and inbound from any address:5355 to default:any port (DNS extensions on newer Windows versions starting from Vista)
outbound from default:137 to any address:137 and inbound from any address:137 to default:137 port (NetBIOS)
outbound from default:138 to any address:138 and inbound from any address:138 to default:138 port (NetBIOS)
outbound from default:139 to any address:139 and inbound from any address:139 to default:139 port (NetBIOS)

All TCP inbound connections are blocked (packets with TCP SYN)
All outbound TCP connecitons are blocked
TCP exceptions:

outbound from default:any port to any address:25 and inbound from any address:25 to default:any port (SMTP)
outbound from default:any port to any address:80 and inbound from any address:80 to default:any port (WWW)
outbound from default:any port to any address:110 and inbound from any address:110 to default:any port (POP3)
outbound from default:any port to any address:143 and inbound from any address:143 to default:any port (IMAP)
outbound from default:any port to any address:443 and inbound from any address:443 to default:any port (HTTPS)
outbound from default:any port to any address:445 and inbound from any address:445 to default:any port (Microsoft DS)

Recommendations

Access control rules are so different that it's hard to offer specific recommendations. We will attempt however, to provide general recommendation without claiming that we know the user's needs better.

In most cases a simple strategy "block everything" / "allow specific exceptions" is suitable. DDACS filters provide aggregate rules where almost all paramters may be specified as any. This includes "any protocol", "any destination port" in Network Filter and "any accessor program" in Files Access Filter
A general rule may be created along with a single exception, with the help of decision inversion options. Decision inversion is applied to any specific rule and the meaning is turned to "any BUT this parameter will match". E.g. Network Filter rule: "Protocol:TCP" with option "any but this" checked, "any" source and destination address and action "block" will actually block any non-TCP traffic. Decision inversion rules are used on specific rules; don't use them with aggregate rules. E.g. despite specification of "any" protocol and "any but this" is legal, it creates a senseless rule that matches no possible packet.
Use patterns moderately and think well relevant policies and affect on system performance and communications
It is generally recommended to start DDACS at system startup and apply automatic rules at startup. It is convenient, since use of the same computer will not change frequently, the basic rules set needs not to also. Automatic rules upload offers protection from that point on.
If you don't find it easy to find optimal rules set, you may change rules and save them frequently at first. In this case it is also beneficial to start rules at startup, that will give to the best picture on how they protect and how they affect performance.

Interoperability

Platforms Support

Daniel Drubin Access Control System 1.0 supports 32-bit versions of Windows XP, Windows Vista and Windows 7. There are no special system requirements, any system that can run the OS can run the ACS. 64-bit OS versions are not supported in version 1.0

Only IPv4 is supported in version 1.0

Only ethernet communication is supported in version 1.0

System Requirements

There are no specific requirements other than running Windows XP or newer Windows operating system.

Interoperability with Other Security Software

DDACS is based on its kernel-mode filters, and their rules-based policy enforcement. It doesn't register within the OS as security solution, so it doesn't have any interoperability issues with other software, including security packages.

You should remember however, that rules enforcement actually adds a tiny bit of additional processing on every file or network access. Other security packages in many aspects do the same, some adding more heavy processing, some less. Consequently, every security package adds toll on system performance, depending on its functionality and optimization. In order to get the best performance on a protected system you should design protection schemes from different packages so that you don't run the same task several times.

References

Daniel Drubin Access Control Suite Getting Started Guide

Future Directions

The currently planned features for development and enhancement include:

Support for ADSL frame formats
Process-bound network rules (in addition to protocol-bound)
User-bound network and file access rules
Support for 64-bit Windows versions
Extending pattern syntax and functions to basic regular expressions
Pattern matching fine-tuning (such as matching patterns in headers only, in payload only or both)
Total blocking of traffic from site based on contents (specific site is blocked completely since pattern is recognized)
Registry filter