UwAmp is an excellent solution for providing users with a management interface that allows them to start and stop the web server with a single click. This is why WJEC chose it for their WJEC GCE Digital Technology Unit 4. Yet some schools may not have the means or access to run UwAmp from a USB stick, which is what lets their students work on their assignments both at school and at home.
So James (@MrJJonesCS) has asked me to assist him by demonstrating to schools and third-party ICT support how to configure a Group Policy Object that allows UwAmp to run from within each learner’s Documents folder. This accompanies his guide, Mastering WJEC GCE Digital Technology – Unit 4: Web Development Project, while still adhering to the school’s network security policies and stopping learners from running other applications.

Application Setup

I won’t bore you with every method of getting the UwAmp folder into each learner’s Documents; for the purposes of this guide, I copied the UwAmp folder into the Documents folder of my test user. The folder structure is as follows:

We will come back to this later to make sure the security permissions on all the folders and files are set up correctly.

Group Policy Object

To begin, we must create a GPO, or modify an existing one, to allow the applications to run from within the learners’ Documents. Obviously, each school will have a different setup, but the principle is the same; only the path differs.

First you need to navigate to the Additional Rules section of the GPO:

User Configuration > Policies > Windows Settings > Security Settings > Software Restrictions Policies > Additional Rules.

We now need to add the applications inside the UwAmp folder to the rule list. The paths of all the applications, relative to the UwAmp folder, are as follows:

  • UwAmp\UwAmp.exe
  • UwAmp\UwAmpUAC.exe
  • UwAmp\bin\php\php-7.0.3\phpdbg.exe
  • UwAmp\bin\php\php-7.0.3\php.exe
  • UwAmp\bin\php\php-7.0.3\php-win.exe
  • UwAmp\bin\php\php-7.0.3\php-cgi.exe
  • UwAmp\bin\php\php-7.0.3\deplister.exe
  • UwAmp\bin\php\php-5.6.18\phpdbg.exe
  • UwAmp\bin\php\php-5.6.18\php.exe
  • UwAmp\bin\php\php-5.6.18\php-win.exe
  • UwAmp\bin\php\php-5.6.18\php-cgi.exe
  • UwAmp\bin\php\php-5.6.18\deplister.exe
  • UwAmp\bin\database\mysql-5.7.11\bin\mysqld.exe
  • UwAmp\bin\database\mysql-5.7.11\bin\mysqlimport.exe
  • UwAmp\bin\database\mysql-5.7.11\bin\mysqldump.exe
  • UwAmp\bin\database\mysql-5.7.11\bin\mysql_upgrade.exe
  • UwAmp\bin\database\mysql-5.7.11\bin\mysqladmin.exe
  • UwAmp\bin\database\mysql-5.7.11\bin\mysql.exe
  • UwAmp\bin\database\mysql-5.7.11\bin\echo.exe
  • UwAmp\bin\apache\bin\ApacheMonitor.exe
  • UwAmp\bin\apache\bin\rotatelogs.exe
  • UwAmp\bin\apache\bin\wintty.exe
  • UwAmp\bin\apache\bin\htpasswd.exe
  • UwAmp\bin\apache\bin\httxt2dbm.exe
  • UwAmp\bin\apache\bin\logresolve.exe
  • UwAmp\bin\apache\bin\htcacheclean.exe
  • UwAmp\bin\apache\bin\htdbm.exe
  • UwAmp\bin\apache\bin\htdigest.exe
  • UwAmp\bin\apache\bin\ab.exe
  • UwAmp\bin\apache\bin\abs.exe
  • UwAmp\bin\apache\bin\httpd.exe
  • UwAmp\bin\apache\bin\openssl.exe
  • UwAmp\bin\apache\bin\sqlite3.exe
  • UwAmp\utils\Tcpview.exe
  • UwAmp\utils\XDebugClient\xdc.exe
  • UwAmp\utils\SQLiteBrowser\SQLiteBrowser.exe

Each one of these needs to be added to the Additional Rules as a path rule, and each rule needs its security level set to “Unrestricted”.

As you can see from the full path, I have used \\%USERFILESERVER%\\%USERNAME%$\ as the prefix for every rule.

These are environment variables which can be set up in the GPO itself. If you are unsure of how to set up environment variables, please see my guide here. I’ve done this so that the path resolves correctly for every user the GPO is assigned to.
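To confirm that the rules have actually reached a learner’s session, the following PowerShell script, added here and not part of the original guide, reads the Software Restriction Policy that Group Policy has applied to the logged-on user and reports any of the executables above that do not have an Unrestricted path rule. It assumes the rules were created under User Configuration (so they land in the HKCU hive once the GPO is applied), that the prefix is the \\%USERFILESERVER%\%USERNAME%$\ one used in this guide, and that SRP stores its rules in the standard layout of one subkey per rule under CodeIdentifiers\262144\Paths, where 262144 is the Unrestricted level. Run it as the learner after a gpupdate.

```powershell
# Added check, not part of the original guide: report UwAmp executables that lack an
# "Unrestricted" SRP path rule in the policy applied to the current user.
# Assumption: rules were set under User Configuration, so they appear under HKCU.
$prefix = '\\%USERFILESERVER%\%USERNAME%$\'   # prefix used in the guide

# The guide's executable list, grouped by folder to keep it readable.
$groups = [ordered]@{
    'UwAmp'                               = 'UwAmp.exe', 'UwAmpUAC.exe'
    'UwAmp\bin\php\php-7.0.3'             = 'phpdbg.exe', 'php.exe', 'php-win.exe', 'php-cgi.exe', 'deplister.exe'
    'UwAmp\bin\php\php-5.6.18'            = 'phpdbg.exe', 'php.exe', 'php-win.exe', 'php-cgi.exe', 'deplister.exe'
    'UwAmp\bin\database\mysql-5.7.11\bin' = 'mysqld.exe', 'mysqlimport.exe', 'mysqldump.exe', 'mysql_upgrade.exe',
                                            'mysqladmin.exe', 'mysql.exe', 'echo.exe'
    'UwAmp\bin\apache\bin'                = 'ApacheMonitor.exe', 'rotatelogs.exe', 'wintty.exe', 'htpasswd.exe',
                                            'httxt2dbm.exe', 'logresolve.exe', 'htcacheclean.exe', 'htdbm.exe',
                                            'htdigest.exe', 'ab.exe', 'abs.exe', 'httpd.exe', 'openssl.exe', 'sqlite3.exe'
    'UwAmp\utils'                         = 'Tcpview.exe'
    'UwAmp\utils\XDebugClient'            = 'xdc.exe'
    'UwAmp\utils\SQLiteBrowser'           = 'SQLiteBrowser.exe'
}

# Build the full rule paths exactly as they should appear in the GPO.
$expected = foreach ($dir in $groups.Keys) {
    foreach ($exe in $groups[$dir]) { "$prefix$dir\$exe" }
}

# SRP level 262144 (0x40000) is "Unrestricted"; each path rule is one subkey here.
$rulesKey = 'HKCU:\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths'
$present  = @{}
if (Test-Path -Path $rulesKey) {
    foreach ($key in Get-ChildItem -Path $rulesKey) {
        # ItemData is REG_EXPAND_SZ; read it unexpanded so %USERNAME% stays literal
        # and can be compared against the text entered in the GPO.
        $raw = $key.GetValue('ItemData', $null, 'DoNotExpandEnvironmentNames')
        if ($raw) { $present[$raw.ToLowerInvariant()] = $key.PSChildName }
    }
}

$missing = foreach ($p in $expected) {
    if (-not $present.ContainsKey($p.ToLowerInvariant())) { $p }
}

if ($missing) {
    Write-Output "Missing Unrestricted path rules ($($missing.Count) of $($expected.Count)):"
    $missing
} else {
    Write-Output "All $($expected.Count) executables have an Unrestricted path rule."
}
```

If the Paths key does not exist at all, every executable is reported as missing; that usually means the GPO has not been applied to this user yet, or the rules were created under Computer Configuration (which lands in HKLM instead). Comparison is case-insensitive because SRP path rules are matched without regard to case.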

UwAmp Folder Permissions

Now that UwAmp sits in the user’s Documents and the user is allowed to run every application inside the UwAmp folder, we need to prevent the user from replacing the application with their own. I’ve written a quick script that replaces the incorrect permissions on the folders and files. What this script does is listed below:

  • Disables ACL inheritance on the root folder in which the files reside, copying all inherited ACLs as explicit ACLs before removing the inheritance.
  • Changes the permissions for the user to Modify on the root folder.
  • Changes the permissions for the user to Modify on all sub-folders.
  • Changes the permissions for the user to Modify on all files.
  • Clears any existing permissions for the user on all the .exe files and adds permissions that allow the user to execute, but not delete or rename, each exe.

Permissions Script

@ECHO OFF
SET username=<DOMAIN\USERNAME>
::: Use a variable name other than "path": SET path= would overwrite the PATH environment
::: variable and cmd would then be unable to find icacls.exe
SET target=<PATH>

::: Disables ACL inheritance on the folder the exe files reside in, but copies all inherited ACLs as explicit ACLs before removing the inheritance
icacls "%target%\UwAmp" /inheritancelevel:d /t

::: Changes the permissions for the user to Modify on the Root folder
icacls "%target%\UwAmp" /grant:r %username%:(oi)(ci)M

::: Changes the permissions for the user to Modify on all Sub-Folders
icacls "%target%\UwAmp\*" /grant:r %username%:(oi)(ci)M /t

::: Changes the permissions for the user to Modify on all Files
icacls "%target%\UwAmp\*" /grant:r %username%:M /t

::: Clears any existing permission for the user on all the .exe files and adds the permissions to be able to execute but not delete or rename the exe
::: (the explicit deny on DE, delete, wins over the Modify allow)
icacls "%target%\UwAmp\bin\database\mysql-5.7.11\bin\mysql_upgrade.exe" /remove %username%
icacls "%target%\UwAmp\bin\database\mysql-5.7.11\bin\mysql_upgrade.exe" /grant %username%:(M)
icacls "%target%\UwAmp\bin\database\mysql-5.7.11\bin\mysql_upgrade.exe" /deny %username%:(DE)

icacls "%target%\UwAmp\bin\database\mysql-5.7.11\bin\mysqladmin.exe" /remove %username%
icacls "%target%\UwAmp\bin\database\mysql-5.7.11\bin\mysqladmin.exe" /grant %username%:(M)
icacls "%target%\UwAmp\bin\database\mysql-5.7.11\bin\mysqladmin.exe" /deny %username%:(DE)

icacls "%target%\UwAmp\bin\database\mysql-5.7.11\bin\mysql.exe" /remove %username%
icacls "%target%\UwAmp\bin\database\mysql-5.7.11\bin\mysql.exe" /grant %username%:(M)
icacls "%target%\UwAmp\bin\database\mysql-5.7.11\bin\mysql.exe" /deny %username%:(DE)

icacls "%target%\UwAmp\bin\database\mysql-5.7.11\bin\echo.exe" /remove %username%
icacls "%target%\UwAmp\bin\database\mysql-5.7.11\bin\echo.exe" /grant %username%:(M)
icacls "%target%\UwAmp\bin\database\mysql-5.7.11\bin\echo.exe" /deny %username%:(DE)

icacls "%target%\UwAmp\bin\apache\bin\ApacheMonitor.exe" /remove %username%
icacls "%target%\UwAmp\bin\apache\bin\ApacheMonitor.exe" /grant %username%:(M)
icacls "%target%\UwAmp\bin\apache\bin\ApacheMonitor.exe" /deny %username%:(DE)

icacls "%target%\UwAmp\bin\apache\bin\rotatelogs.exe" /remove %username%
icacls "%target%\UwAmp\bin\apache\bin\rotatelogs.exe" /grant %username%:(M)
icacls "%target%\UwAmp\bin\apache\bin\rotatelogs.exe" /deny %username%:(DE)

icacls "%target%\UwAmp\bin\apache\bin\wintty.exe" /remove %username%
icacls "%target%\UwAmp\bin\apache\bin\wintty.exe" /grant %username%:(M)
icacls "%target%\UwAmp\bin\apache\bin\wintty.exe" /deny %username%:(DE)

icacls "%target%\UwAmp\bin\apache\bin\htpasswd.exe" /remove %username%
icacls "%target%\UwAmp\bin\apache\bin\htpasswd.exe" /grant %username%:(M)
icacls "%target%\UwAmp\bin\apache\bin\htpasswd.exe" /deny %username%:(DE)

icacls "%target%\UwAmp\bin\apache\bin\httxt2dbm.exe" /remove %username%
icacls "%target%\UwAmp\bin\apache\bin\httxt2dbm.exe" /grant %username%:(M)
icacls "%target%\UwAmp\bin\apache\bin\httxt2dbm.exe" /deny %username%:(DE)

icacls "%target%\UwAmp\bin\apache\bin\logresolve.exe" /remove %username%
icacls "%target%\UwAmp\bin\apache\bin\logresolve.exe" /grant %username%:(M)
icacls "%target%\UwAmp\bin\apache\bin\logresolve.exe" /deny %username%:(DE)

icacls "%target%\UwAmp\bin\apache\bin\htcacheclean.exe" /remove %username%
icacls "%target%\UwAmp\bin\apache\bin\htcacheclean.exe" /grant %username%:(M)
icacls "%target%\UwAmp\bin\apache\bin\htcacheclean.exe" /deny %username%:(DE)

icacls "%target%\UwAmp\bin\apache\bin\htdbm.exe" /remove %username%
icacls "%target%\UwAmp\bin\apache\bin\htdbm.exe" /grant %username%:(M)
icacls "%target%\UwAmp\bin\apache\bin\htdbm.exe" /deny %username%:(DE)

icacls "%target%\UwAmp\bin\apache\bin\htdigest.exe" /remove %username%
icacls "%target%\UwAmp\bin\apache\bin\htdigest.exe" /grant %username%:(M)
icacls "%target%\UwAmp\bin\apache\bin\htdigest.exe" /deny %username%:(DE)

icacls "%target%\UwAmp\bin\apache\bin\ab.exe" /remove %username%
icacls "%target%\UwAmp\bin\apache\bin\ab.exe" /grant %username%:(M)
icacls "%target%\UwAmp\bin\apache\bin\ab.exe" /deny %username%:(DE)

icacls "%target%\UwAmp\bin\apache\bin\abs.exe" /remove %username%
icacls "%target%\UwAmp\bin\apache\bin\abs.exe" /grant %username%:(M)
icacls "%target%\UwAmp\bin\apache\bin\abs.exe" /deny %username%:(DE)

icacls "%target%\UwAmp\bin\apache\bin\httpd.exe" /remove %username%
icacls "%target%\UwAmp\bin\apache\bin\httpd.exe" /grant %username%:(M)
icacls "%target%\UwAmp\bin\apache\bin\httpd.exe" /deny %username%:(DE)

icacls "%target%\UwAmp\bin\apache\bin\openssl.exe" /remove %username%
icacls "%target%\UwAmp\bin\apache\bin\openssl.exe" /grant %username%:(M)
icacls "%target%\UwAmp\bin\apache\bin\openssl.exe" /deny %username%:(DE)

icacls "%target%\UwAmp\bin\apache\bin\sqlite3.exe" /remove %username%
icacls "%target%\UwAmp\bin\apache\bin\sqlite3.exe" /grant %username%:(M)
icacls "%target%\UwAmp\bin\apache\bin\sqlite3.exe" /deny %username%:(DE)

icacls "%target%\UwAmp\utils\Tcpview.exe" /remove %username%
icacls "%target%\UwAmp\utils\Tcpview.exe" /grant %username%:(M)
icacls "%target%\UwAmp\utils\Tcpview.exe" /deny %username%:(DE)

icacls "%target%\UwAmp\utils\XDebugClient\xdc.exe" /remove %username%
icacls "%target%\UwAmp\utils\XDebugClient\xdc.exe" /grant %username%:(M)
icacls "%target%\UwAmp\utils\XDebugClient\xdc.exe" /deny %username%:(DE)

icacls "%target%\UwAmp\utils\SQLiteBrowser\SQLiteBrowser.exe" /remove %username%
icacls "%target%\UwAmp\utils\SQLiteBrowser\SQLiteBrowser.exe" /grant %username%:(M)
icacls "%target%\UwAmp\utils\SQLiteBrowser\SQLiteBrowser.exe" /deny %username%:(DE)

icacls "%target%\UwAmp\UwAmp.exe" /remove %username%
icacls "%target%\UwAmp\UwAmp.exe" /grant %username%:(M)
icacls "%target%\UwAmp\UwAmp.exe" /deny %username%:(DE)

icacls "%target%\UwAmp\UwAmpUAC.exe" /remove %username%
icacls "%target%\UwAmp\UwAmpUAC.exe" /grant %username%:(M)
icacls "%target%\UwAmp\UwAmpUAC.exe" /deny %username%:(DE)

icacls "%target%\UwAmp\bin\php\php-7.0.3\phpdbg.exe" /remove %username%
icacls "%target%\UwAmp\bin\php\php-7.0.3\phpdbg.exe" /grant %username%:(M)
icacls "%target%\UwAmp\bin\php\php-7.0.3\phpdbg.exe" /deny %username%:(DE)

icacls "%target%\UwAmp\bin\php\php-7.0.3\php.exe" /remove %username%
icacls "%target%\UwAmp\bin\php\php-7.0.3\php.exe" /grant %username%:(M)
icacls "%target%\UwAmp\bin\php\php-7.0.3\php.exe" /deny %username%:(DE)

icacls "%target%\UwAmp\bin\php\php-7.0.3\php-win.exe" /remove %username%
icacls "%target%\UwAmp\bin\php\php-7.0.3\php-win.exe" /grant %username%:(M)
icacls "%target%\UwAmp\bin\php\php-7.0.3\php-win.exe" /deny %username%:(DE)

icacls "%target%\UwAmp\bin\php\php-7.0.3\php-cgi.exe" /remove %username%
icacls "%target%\UwAmp\bin\php\php-7.0.3\php-cgi.exe" /grant %username%:(M)
icacls "%target%\UwAmp\bin\php\php-7.0.3\php-cgi.exe" /deny %username%:(DE)

icacls "%target%\UwAmp\bin\php\php-7.0.3\deplister.exe" /remove %username%
icacls "%target%\UwAmp\bin\php\php-7.0.3\deplister.exe" /grant %username%:(M)
icacls "%target%\UwAmp\bin\php\php-7.0.3\deplister.exe" /deny %username%:(DE)

icacls "%target%\UwAmp\bin\php\php-5.6.18\phpdbg.exe" /remove %username%
icacls "%target%\UwAmp\bin\php\php-5.6.18\phpdbg.exe" /grant %username%:(M)
icacls "%target%\UwAmp\bin\php\php-5.6.18\phpdbg.exe" /deny %username%:(DE)

icacls "%target%\UwAmp\bin\php\php-5.6.18\php.exe" /remove %username%
icacls "%target%\UwAmp\bin\php\php-5.6.18\php.exe" /grant %username%:(M)
icacls "%target%\UwAmp\bin\php\php-5.6.18\php.exe" /deny %username%:(DE)

icacls "%target%\UwAmp\bin\php\php-5.6.18\php-win.exe" /remove %username%
icacls "%target%\UwAmp\bin\php\php-5.6.18\php-win.exe" /grant %username%:(M)
icacls "%target%\UwAmp\bin\php\php-5.6.18\php-win.exe" /deny %username%:(DE)

icacls "%target%\UwAmp\bin\php\php-5.6.18\php-cgi.exe" /remove %username%
icacls "%target%\UwAmp\bin\php\php-5.6.18\php-cgi.exe" /grant %username%:(M)
icacls "%target%\UwAmp\bin\php\php-5.6.18\php-cgi.exe" /deny %username%:(DE)

icacls "%target%\UwAmp\bin\php\php-5.6.18\deplister.exe" /remove %username%
icacls "%target%\UwAmp\bin\php\php-5.6.18\deplister.exe" /grant %username%:(M)
icacls "%target%\UwAmp\bin\php\php-5.6.18\deplister.exe" /deny %username%:(DE)

icacls "%target%\UwAmp\bin\database\mysql-5.7.11\bin\mysqld.exe" /remove %username%
icacls "%target%\UwAmp\bin\database\mysql-5.7.11\bin\mysqld.exe" /grant %username%:(M)
icacls "%target%\UwAmp\bin\database\mysql-5.7.11\bin\mysqld.exe" /deny %username%:(DE)

icacls "%target%\UwAmp\bin\database\mysql-5.7.11\bin\mysqlimport.exe" /remove %username%
icacls "%target%\UwAmp\bin\database\mysql-5.7.11\bin\mysqlimport.exe" /grant %username%:(M)
icacls "%target%\UwAmp\bin\database\mysql-5.7.11\bin\mysqlimport.exe" /deny %username%:(DE)

icacls "%target%\UwAmp\bin\database\mysql-5.7.11\bin\mysqldump.exe" /remove %username%
icacls "%target%\UwAmp\bin\database\mysql-5.7.11\bin\mysqldump.exe" /grant %username%:(M)
icacls "%target%\UwAmp\bin\database\mysql-5.7.11\bin\mysqldump.exe" /deny %username%:(DE)

The script is available to download here.
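Before handing the folder to a learner it is worth confirming that the ACLs ended up as intended. The PowerShell script below is an added verification and is not part of the original guide or of the batch script above. It uses the same two placeholders as the batch script, walks every .exe under the UwAmp folder and, for the learner account, reports whether inheritance is off, whether the account can still execute the file, whether delete is explicitly denied, and whether the account retains write access (Modify includes Write, so the grant used above leaves the file contents writable; an administrator who wants the binary itself to be read-only can reduce the grant to RX).

```powershell
# Added verification, not part of the original guide. Placeholders match the batch script.
$root = '<PATH>\UwAmp'
$user = '<DOMAIN\USERNAME>'

function Test-UwAmpExeAcl {
    param([string]$Path, [string]$Identity)
    $Rights = [System.Security.AccessControl.FileSystemRights]
    $rx  = [int]$Rights::ReadAndExecute
    $del = [int]$Rights::Delete
    $wr  = [int]$Rights::Write

    Get-ChildItem -Path $Path -Recurse -Filter '*.exe' -File | ForEach-Object {
        $file = $_
        $acl  = Get-Acl -LiteralPath $file.FullName
        # Only the learner's own ACEs matter here; inherited ones were converted
        # to explicit ACEs by /inheritancelevel:d, so they are included too.
        $mine = $acl.Access | Where-Object { $_.IdentityReference.Value -ieq $Identity }

        # Fold the allow and deny ACEs into two bitmasks. Deny wins during an access
        # check, so a right is only effective if it is allowed and not denied.
        $allowed = 0; $denied = 0
        foreach ($ace in $mine) {
            if ($ace.AccessControlType -eq 'Allow') { $allowed = $allowed -bor [int]$ace.FileSystemRights }
            else                                    { $denied  = $denied  -bor [int]$ace.FileSystemRights }
        }

        [pscustomobject]@{
            File           = $file.FullName
            InheritanceOff = $acl.AreAccessRulesProtected
            CanExecute     = (($allowed -band $rx) -eq $rx) -and (($denied -band $rx) -eq 0)
            DeleteDenied   = ($denied -band $del) -ne 0
            CanWrite       = (($allowed -band $wr) -ne 0) -and (($denied -band $wr) -eq 0)
        }
    }
}

$report = Test-UwAmpExeAcl -Path $root -Identity $user

# Anything that is not (inheritance off, executable, delete denied) needs a second look.
$report | Where-Object { -not ($_.InheritanceOff -and $_.CanExecute -and $_.DeleteDenied) } |
    Format-Table -AutoSize

# Executables whose contents the learner can still overwrite.
$report | Where-Object { $_.CanWrite } | Select-Object -ExpandProperty File
```

Run it from an administrator session so Get-Acl can read every file. An empty first table means every executable matches the state the batch script aims for; the second list shows where the Modify grant still permits writing to the file, which the script above does not remove.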

Now the user should have full access to the UwAmp software but be unable to delete or rename the application and replace it with their own malicious application. The learners can then take their www folder home to carry on with their work.