RE: services running in windows domain (winXP clients)

From: Starks, Brad (booteyebirdhand_at_co.marin.ca.us)
Date: 12/28/04

    Date: Tue, 28 Dec 2004 10:04:39 -0800
    To: "Frank Knobbe" <frank@knobbe.us>, "Mike Lyman" <mikelyman-security@comcast.net>
    
    

    The way I understand it, software restriction policies only work for
    applications that are called by the Windows explorer process. If they
    are called by any other process, then the restriction policy does not
    work.

    -----Original Message-----
    From: Frank Knobbe [mailto:frank@knobbe.us]
    Sent: Monday, December 27, 2004 10:35 AM
    To: Mike Lyman
    Cc: focus-ms@securityfocus.com
    Subject: Re: services running in windows domain (winXP clients)

    On Wed, 2004-12-22 at 14:12 -0600, Mike Lyman wrote:
    > Software restriction policies work both in the "allow all but..." and
    > "allow none but..." The allow all should be the easier to test and
    > configure but the other approach should work since only those things
    > you allowed will run.

    Are these restrictions limited to "applications" you run from Explorer,
    or does it include any ".exe/.com/.dll" or otherwise executable files?
    If enabled, do all required/desired services (like W32Time) have to be
    explicitly listed as "allowed to execute" or is there some assumption
    Windows makes about services and runs them by default? In that case,
    software restrictions wouldn't be of help.

    I agree with Christos that a Policy setting that says "All Services,
    except the list below, are to be stopped/disabled" would be very useful
    (just from a logic point of view).

    Regards,
    Frank
