One of the things I do all day at work is administer and maintain our servers. From time to time, that means bolstering security to protect our users and the network they operate on. Like any office drone, I like to listen to music at a reasonable volume from nine to eleven. And I told, I told Bill that if Sandra is going to listen to her headphones while she’s, while she’s filing then I should be able to listen to the radio while I’m collating so I don’t see why I should have to turn down the music because I enjoy listening at a reasonable volume between nine and eleven.
Anyway, yeah. Music.
Most of the people where I work like to use Spotify for their listening pleasure. The problem with Spotify is their installer is bullshit. There’s no ability to change the target installation directory and in a truly archaic fashion they’ve decided the best place is the AppData folder. You know what else likes to run out of your AppData folder? CryptoLocker.
Many (most?) admins, maybe a year-and-a-half ago, took action to prevent things like CryptoLocker and CryptoWall and their progeny from infecting our systems by enabling group policy objects (GPOs) which stopped executables running from any of the AppData directories. A common GPO for this might look something like this:
And guess what? It was fine. Out of all the oddball software a place like this might use, not a single application had a problem with this security measure… except for one: Spotify. Despite being a modern and frequently-updated app, the developers have so far refused to provide a method by which their product can be installed to, oh I don’t know, the Program Files directory. They do provide a web player similar to the way Pandora had traditionally operated, but it sucks. It provides low-quality stream, it has trouble keeping users logged in, and frequently stops responding (requiring the page be refreshed and the user navigate back to the playlist or album or radio station they were at – yuck).
I have a work-around for this. I won’t call it a solution, because there is only one acceptable solution: for Spotify to let users choose where to install the application, like literally every other piece of software on the planet! In the meantime, I believe there’s a way to get this working without compromising security. You would start by creating another GPO like the one shown here:
You would apply this GPO only to users you know are using Spotify. I can hear you asking, “why just those users? Why not just add these exceptions to the domain policy or the existing CryptoBlocker GPO?”. The answer is reasonably simple… if you were anything like me, when you were in high school, you liked to run apps you maybe weren’t supposed to on your school computers. We all know the easiest way to do that was to rename your application (usually a NES emulator, in my case) to “winword.exe”. Of course an executable called “winword” was whitelisted, so you could launch pretty much whatever you wanted if you did that. Same concept applies here: if I want my malware to work on your system, I could just rename it “spotify.exe” and drop it in your Spotify directory. If you restrict the Spotify GPO to users you know are using Spotify, that hole in the dyke is effectively plugged since an overwrite would have to occur for it to work.
The only complication I can think of is if your CryptoBlocking GPO is enforced. You could disable enforcement so this new GPO could be effective, or add these entries to that GPO temporarily, just long enough to install or update the software, and then move the run executable to another folder. Either way works, one is just a bit more effort than the other.
So there you have it, that’s how to run Spotify through whitelisting. I’d like to point out nobody should have to do this. Spotify is a service people pay almost $100/yr for, you’d better believe they expect to be able to use it while they’re at work. And this would be such a simple fix for Spotify, it absolutely boggles the mind why this is even a thing. Anyway… this is tested, it works, it’s a decent work-around, but I sincerely hope Spotify devs sort themselves out sometime soon.