Software Restriction Policies with Office XP Failing

From: Graham Turner (graham@nospam.ideadata.co.uk)
Date: 07/19/02

• Next message: EvilPetRock: "Event Viewer remote admin"
• Previous message: John: "Re: System Intrusion"
• Next in thread: Chris Weber: "Re: Software Restriction Policies with Office XP Failing"
• Reply: Chris Weber: "Re: Software Restriction Policies with Office XP Failing"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

---

From: Graham Turner <graham@nospam.ideadata.co.uk>
Date: Fri, 19 Jul 2002 16:47:03 GMT

Hi,

I am trying to implement software restriction policies via group policy
to enable individual applications dependant upon group membership. This
has worked successfully for me during testing for various applications
until I tried Office XP. All Group Policies are assigned to the Computer
Configuration.

If I set a file hash on Winword.exe then Word will still not load.
If I set a file path to c:\Program Files\Microsoft
Office\Office10\winword.exe then Word will load correctly.

As a side note I also have the following restrictions set so that the
operating system will work correctly :-)

File Path c:\windows
File Path c:\program files\common Files

The following Designated File Types have been set :-
.Com, .Cmd, .Exe, .Scr

When Winword.exe fails to load there is no entry in the Event log as you
would expect. Even enabling advanced logging
(Hkey_local_machine\software\policies\Microsoft\Windows\Safer\CodeIdentif
iers\Logfilename) is not reporting the restriction correctly.

I have tried this implementation in two separate test labs with
different configurations and hardware,and it is only the Office Suite
that is failing. Applications such as Adobe Acrobat Reader 5, Wordpad,
Windows Media Player can all be authorised by file hash successfully.

Can anyone replicate file hashing failing against Office XP? Also is
anyone else using Software Restriction Polices, there appears to be very
little mentioned in Technet or from searching Deja.com

Many Thanks

-- 
Graham Turner

---

• Next message: EvilPetRock: "Event Viewer remote admin"
• Previous message: John: "Re: System Intrusion"
• Next in thread: Chris Weber: "Re: Software Restriction Policies with Office XP Failing"
• Reply: Chris Weber: "Re: Software Restriction Policies with Office XP Failing"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

---

Relevant Pages Prblm: Cant get Software Restrictions Policies to work as expected ... I'm administering a number of computers at a school and I use SRP ... Our default policy configuration is to disallow running of applications, ... I've studied the document "Using Software Restriction Policies to Protect ... (microsoft.public.win2000.group_policy) Prblm: Cant get Software Restrictions Policies to work as expected ... I'm administering a number of computers at a school and I use SRP ... Our default policy configuration is to disallow running of applications, ... I've studied the document "Using Software Restriction Policies to Protect ... (microsoft.public.windowsxp.security_admin) Prblm: Cant get Software Restrictions Policies to work as expected ... I'm administering a number of computers at a school and I use SRP ... Our default policy configuration is to disallow running of applications, ... I've studied the document "Using Software Restriction Policies to Protect ... (microsoft.public.win2000.security) Re: Designing restrictive GPO ... > Software Restriction policies are definetly the way to go. ... > to create a GPO and link it to the container the machines reside in (such ... You can 'disallow' applications from running there. ... (microsoft.public.win2000.active_directory) Re: Preventing access to command.com ... Software Restriction Policies for 16-bit applications. ... Software Restriction Policy for command.com and it works great. ... (microsoft.public.windowsxp.security_admin)

---

We are proud to have Web Hosting and Rack Housing from 9 Net Avenue Deutschland.
(15)