Re: Software Restriction Policy
From: Steven L Umbach (n9rou_at_comcast.net)
Date: 10/12/03
- Next message: Alora Duncan: "The case of the once-transparent WinXP pulldown menus"
- Previous message: GoumbaYa: "Re: Spam"
- In reply to: Sam Sena: "Software Restriction Policy"
- Next in thread: Roger Abell: "Re: Software Restriction Policy"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Sun, 12 Oct 2003 02:46:22 GMT
This link goes into much more detail including how to use SRP to help block malicious
code. -- Steve
"Sam Sena" <ssena@iug.net> wrote in message
news:f582f422.0310111658.1bf893e3@posting.google.com...
> I am posting this information here in response to the surge in
> questions from my students in recent weeks who are studying for the
> upgrade exams.
>
> Apologies to all if this is a re-post.
> Sam Sena MCT
>
> ********** Moral of the Story ************
> The K.B. it exists... use it!!!
>
> Microsoft Knowledge Base Article - 324036
>
> HOW TO: Use Software Restriction Policies in Windows Server 2003
> View products that this article applies to.
> This article was previously published under Q324036
> IN THIS TASK
> - SUMMARY
> - How to Start Software Restriction Policies
>   - For the Local Computer Only
>   - For a Domain, a Site, or an Organizational Unit on a Member Server or
>     a Workstation That Is Joined to a Domain
>   - For an Organizational Unit or Domain on a Domain Controller or a
>     Workstation That Has the Administration Tools Pack Installed
>   - For Your Site and a Domain Controller or a Workstation That Has the
>     Administration Tools Pack Installed
> - How to Prevent Software Restriction Policies from Applying to Local
>   Administrators
> - How to Create a Certificate Rule
> - How to Create a Hash Rule
> - How to Create an Internet Zone Rule
> - How to Create a Path Rule
> - How to Create a Registry Path Rule
> - How to Add or Delete a Designated File Type
> - How to Change the Default Security Level of Software Restriction
>   Policies
> - How to Set Trusted Publisher Options
> SUMMARY
> This article describes how to use software restriction policies in
> Windows Server 2003. When you use software restriction policies, you
> can identify and specify the software that is allowed to run so that
> you can protect your computer environment from untrusted code. When
> you use software restriction policies, you can define a default
> security level of Unrestricted or Disallowed for a Group Policy object
> (GPO) so that software is either allowed or not allowed to run by
> default. To create exceptions to this default security level, you can
> create rules for specific software. You can create the following types
> of rules:
> - Hash rules
> - Certificate rules
> - Path rules
> - Internet zone rules
> A policy is made up of the default security level and all of the rules
> applied to a GPO. This policy can apply to all of the computers or to
> individual users. Software restriction policies provide a number of
> ways to identify software, and they provide a policy-based
> infrastructure to enforce decisions about whether the software can
> run. With software restriction policies, users must follow the
> guidelines that are set up by administrators when they run programs.
>
> With software restriction policies, you can perform the following
> tasks:
> - Control which programs can run on your computer. For example, you can
>   apply a policy that does not allow certain file types to run in the
>   e-mail attachment folder of your e-mail program if you are concerned
>   about users receiving viruses through e-mail.
> - Permit users to run only specific files on multiple-user computers.
>   For example, if you have multiple users on your computers, you can set
>   up software restriction policies in such a way that users do not have
>   access to any software except for those specific files that they must
>   use for their work.
> - Decide who can add trusted publishers to your computer.
> - Control whether software restriction policies affect all users or just
>   certain users on a computer.
> - Prevent any files from running on your local computer, your
>   organizational unit, your site, or your domain. For example, if there
>   is a known virus, you can use software restriction policies to stop
>   the computer from opening the file that contains the virus.
>
> IMPORTANT: Microsoft recommends that you do not use software restriction
> policies as a replacement for antivirus software.
> back to the top
> How to Start Software Restriction Policies
> For the Local Computer Only
> 1. Click Start, point to Programs, point to Administrative Tools, and
>    then click Local Security Policy.
> 2. In the console tree, expand Security Settings, and then expand
>    Software Restriction Policies.
> back to the top
> For a Domain, a Site, or an Organizational Unit on a Member Server or
> a Workstation That Is Joined to a Domain
> 1. Open Microsoft Management Console (MMC). To do so, click Start, click
>    Run, type mmc, and then click OK.
> 2. On the File menu, click Add/Remove Snap-in, and then click Add.
> 3. Click Group Policy Object Editor, and then click Add.
> 4. In Select Group Policy Object, click Browse.
> 5. In Browse for a Group Policy Object, select a Group Policy
>    object (GPO) in the appropriate domain, site, or organizational unit,
>    and then click Finish.
>
>    Alternatively, you can create a new GPO, and then click Finish.
> 6. Click Close, and then click OK.
> 7. In the console tree, go to the following location:
>    Group Policy Object Computer_name Policy/Computer Configuration or
>    User Configuration/Windows Settings/Security Settings/Software
>    Restriction Policies
>
> back to the top
> For an Organizational Unit or a Domain on a Domain Controller or a
> Workstation That Has the Administration Tools Pack Installed
> 1. Click Start, point to All Programs, point to Administrative Tools, and
>    then click Active Directory Users and Computers.
> 2. In the console tree, right-click the domain or organizational unit
>    that you want to set Group Policy for.
> 3. Click Properties, and then click the Group Policy tab.
> 4. Click an entry in Group Policy Object Links to select an existing GPO,
>    and then click Edit.
>
>    Alternatively, you can click New to create a new GPO, and then click
>    Edit.
> 5. In the console tree, go to the following location:
>    Group Policy Object Computer_name Policy/Computer Configuration or
>    User Configuration/Windows Settings/Security Settings/Software
>    Restriction Policies
>
> back to the top
> For Your Site and on a Domain Controller or a Workstation That Has the
> Administration Tools Pack Installed
> 1. Click Start, point to All Programs, point to Administrative Tools, and
>    then click Active Directory Sites and Services.
> 2. In the console tree, right-click the site that you want to set Group
>    Policy for:
>    Active Directory Sites and Services [ Domain_Controller_Name.
>    Domain_Name]
>      Sites
>        Site
> 3. Click Properties, and then click the Group Policy tab.
> 4. Click an entry in Group Policy Object Links to select an existing
>    Group Policy object (GPO), and then click Edit.
>
>    Alternatively, click New to create a new GPO, and then click Edit.
> 5. In the console tree, go to the following location:
>    Group Policy Object Computer_name Policy/Computer Configuration or
>    User Configuration/Windows Settings/Security Settings/Software
>    Restriction Policies
>
> IMPORTANT: Click User Configuration to set policies that will be
> applied to users, regardless of the computer to which they log on.
> Click Computer Configuration to set policies that will be applied to
> computers, regardless of the users who log on to them.
>
> You can also apply software restriction policies to specific users
> when they log on to a specific computer by using an advanced Group
> Policy setting named loopback.
> back to the top
> How to Prevent Software Restriction Policies from Applying to Local
> Administrators
> 1. Click Start, click Run, type mmc, and then click OK.
> 2. Open Software Restriction Policies.
> 3. In the details pane, double-click Enforcement.
> 4. Under Apply software restriction policies to the following users,
>    click All users except local administrators.
> NOTES:
> You may have to create a new software restriction policy setting for
> this GPO if you have not already done so.
> Typically, users are members of the local administrator group on their
> computers in your organization; therefore, you may not want to turn on
> this setting. Software restriction policies do not apply to any users
> who are members of their local administrator group.
> If you are defining a software restriction policy setting for your
> local computer, use this procedure to prevent local administrators
> from having software restriction policies applied to them. If you are
> defining a software restriction policy setting for your network,
> filter user policy settings based on membership in security groups by
> using Group Policy.
> back to the top
> How to Create a Certificate Rule
> 1. Click Start, click Run, type mmc, and then click OK.
> 2. Open Software Restriction Policies.
> 3. In either the console tree or the details pane, right-click Additional
>    Rules, and then click New Certificate Rule.
> 4. Click Browse, and then select a certificate.
> 5. Select a security level.
> 6. In the Description box, type a description for this rule, and then
>    click OK.
> NOTES:
> For information about how to start software restriction policies in
> MMC, see "Start software restriction policies" in Related Topics in
> the Windows Server 2003 Help file.
> You may have to create a new software restriction policy setting for
> this GPO if you have not already done so.
> By default, certificate rules are not turned on. To turn on
> certificate rules:
> 1. Click Start, click Run, type regedit, and then click OK.
> 2. Locate and then click the following registry key:
>    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers
> 3. In the details pane, double-click AuthenticodeEnabled, and then change
>    the value data from 0 to 1.
> The only file types that are affected by certificate rules are those
> that are listed in Designated file types. There is one list of
> designated file types that is shared by all rules.
> For software restriction policies to take effect, users must update
> policy settings by logging off from and then logging on to their
> computers.
> When more than one rule is applied to policy settings, there is a
> precedence of rules for handling conflicts.
> back to the top
> How to Create a Hash Rule
> 1. Click Start, click Run, type mmc, and then click OK.
> 2. Open Software Restriction Policies.
> 3. In either the console tree or the details pane, right-click Additional
>    Rules, and then click New Hash Rule.
> 4. Click Browse to find a file, or paste a precalculated hash in the File
>    hash box.
> 5. In the Security level box, click either Disallowed or Unrestricted.
> 6. In the Description box, type a description for this rule, and then
>    click OK.
> NOTES:
> You may have to create a new software restriction policy setting for
> this GPO if you have not already done so.
> You can create a hash rule for a virus or a Trojan horse to prevent
> the malicious software from running.
> If you want other users to use a hash rule so that a virus cannot run,
> calculate the hash of the virus by using software restriction
> policies, and then e-mail the hash value to other users. Never e-mail
> the virus itself.
> If a virus has been sent through e-mail, you can also create a path
> rule to prevent users from running mail attachments.
> A file that is renamed or moved to another folder still results in the
> same hash.
> Any change to a file results in a different hash.
> The only file types that are affected by hash rules are those that are
> listed in Designated file types. There is one list of designated file
> types that is shared by all rules.
> For software restriction policies to take effect, users must update
> policy settings by logging off from and then logging on to their
> computers.
> When more than one rule is applied to policy settings, there is a
> precedence of rules for handling conflicts.
> back to the top
> How to Create an Internet Zone Rule
> 1. Click Start, click Run, type mmc, and then click OK.
> 2. Open Software Restriction Policies.
> 3. In the console tree, click Software Restriction Policies.
> 4. In either the console tree or the details pane, right-click Additional
>    Rules, and then click New Internet Zone Rule.
> 5. In Internet zone, click an Internet zone.
> 6. In the Security Level box, click either Disallowed or Unrestricted,
>    and then click OK.
> NOTES:
> You may have to create a new software restriction policy setting for
> this GPO if you have not already done so.
> Zone rules apply to Windows Installer packages only.
> The only file types that are affected by zone rules are those that are
> listed in Designated file types. There is one list of designated file
> types that is shared by all rules.
> For software restriction policies to take effect, users must update
> policy settings by logging off from and then logging on to their
> computers.
> When more than one rule is applied to policy settings, there is a
> precedence of rules for handling conflicts.
> back to the top
> How to Create a Path Rule
> 1. Click Start, click Run, type mmc, and then click OK.
> 2. Open Software Restriction Policies.
> 3. In either the console tree or the details pane, right-click Additional
>    Rules, and then click New Path Rule.
> 4. In the Path box, type a path or click Browse to find a file or folder.
> 5. In the Security level box, click either Disallowed or Unrestricted.
> 6. In the Description box, type a description for this rule, and then
>    click OK.
>
> IMPORTANT: On certain folders, such as the Windows folder,
> setting the security level to Disallowed can adversely affect the
> operation of your operating system. Make sure that you do not disallow
> a crucial component of the operating system or one of its dependent
> programs.
> NOTES:
> You may have to create a new software restriction policy setting for
> this GPO if you have not already done so.
> If you create a path rule for a program with a security level of
> Disallowed, a user can still run the software by copying it to another
> location.
> The wildcard characters that are supported by the path rule are the
> asterisk (*) and the question mark (?).
> You can use environment variables, such as %programfiles% or
> %systemroot%, in your path rule.
> To create a path rule for software when you do not know where it is
> stored on a computer but you have its registry key, you can create a
> registry path rule.
> To prevent users from running e-mail attachments, you can create a
> path rule for your mail program's attachment folder that prevents
> users from running e-mail attachments.
> The only file types that are affected by path rules are those that are
> listed in Designated file types. There is one list of designated file
> types that is shared by all rules.
> For software restriction policies to take effect, users must update
> policy settings by logging off from and then logging on to their
> computers.
> When more than one rule is applied to policy settings, there is a
> precedence of rules for handling conflicts.
> back to the top
> How to Create a Registry Path Rule
> 1. Click Start, click Run, type regedit, and then click OK.
> 2. In the console tree, right-click the registry key that you want to
>    create a rule for, and then click Copy Key Name.
> 3. Note the value name in the details pane.
> 4. Click Start, click Run, type mmc, and then click OK.
> 5. Open Software Restriction Policies.
> 6. In either the console tree or the details pane, right-click Additional
>    Rules, and then click New Path Rule.
> 7. In Path, paste the registry key name and the value name.
> 8. Enclose the registry path in percent signs (%), for example:
>    %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PlatformSDK\Directories\InstallDir%
>
> 9. In the Security level box, click either Disallowed or Unrestricted.
> 10. In the Description box, type a description for this rule, and then
>     click OK.
> NOTES:
> You may have to create a new software restriction policy setting for
> this GPO if you have not already done so.
> You must be a member of the Administrators group to perform this
> procedure.
> Format the registry path as follows:
> % Registry Hive\ Registry Key Name\ Value Name%
>
> You must write out the name of the registry hive; you cannot use
> abbreviations. For example, you cannot substitute HKCU for
> HKEY_CURRENT_USER.
> The registry path rule can contain a suffix after the closing percent
> sign (%). Do not use a backslash (\) in the suffix. For example, you
> can use the following registry path rule:
> %HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell
> Folders\Cache%OLK*
>
> The only file types that are affected by path rules are those that are
> listed in Designated file types. There is one list of designated file
> types that is shared by all rules.
> For software restriction policies to take effect, users must update
> policy settings by logging off from and then logging on to their
> computers.
> When more than one rule is applied to policy settings, there is a
> precedence of rules for handling conflicts.
> back to the top
> How to Add or Delete a Designated File Type
> 1. Click Start, click Run, type mmc, and then click OK.
> 2. Open Software Restriction Policies.
> 3. In the details pane, double-click Designated File Types.
> 4. Perform one of the following steps as appropriate:
>    - To add a file type, type the file name extension in the File extension
>      box, and then click Add.
>    - To delete a file type, click the file type in the Designated file
>      types box, and then click Remove.
> NOTES:
> You may have to create a new software restriction policy setting for
> this GPO if you have not already done so.
> The designated file types list is shared by all rules for each
> configuration. The designated file types list for computer policy
> settings is different from the designated file types list for user
> policy settings.
> back to the top
> How to Change the Default Security Level of Software Restriction
> Policies
> 1. Click Start, click Run, type mmc, and then click OK.
> 2. Open Software Restriction Policies.
> 3. In the details pane, double-click Security Levels.
> 4. Right-click the security level that you want to set as the default,
>    and then click Set as default.
>
> CAUTION: In certain folders, if you set the default security level to
> Disallowed, you can adversely affect your operating system.
> NOTES:
> You may have to create a new software restriction policy setting for
> this GPO if you have not already done so.
> In the details pane, the current default security level is indicated
> by a black circle with a check mark in it. If you right-click the
> current default security level, the Set as default command does not
> appear in the menu.
> Rules are created to specify exceptions to the default security level.
> When the default security level is set to Unrestricted, rules specify
> software that is not allowed to run. When the default security level
> is set to Disallowed, rules specify software that is allowed to run.
> If you change the default level, you affect all files on the computers
> that have software restriction policies applied to them.
> At installation, the default security level of software restriction
> policies on all files on your computer is set to Unrestricted.
> back to the top
> How to Set Trusted Publisher Options
> 1. Click Start, click Run, type mmc, and then click OK.
> 2. Open Software Restriction Policies.
> 3. Double-click Trusted Publishers.
> 4. Click the users who you want to decide which certificates will be
>    trusted, and then click OK.
> NOTES:
> You may have to create a new software restriction policy setting for
> this GPO if you have not already done so.
> You can select who can add trusted publishers, users, administrators,
> or enterprise administrators. For example, you can use this tool to
> prevent users from making trust decisions about publishers of ActiveX
> Controls.
> Local computer administrators have the right to specify trusted
> publishers on the local computer, but enterprise administrators have
> the right to specify trusted publishers on an organizational unit
> level.
> back to the top
> The information in this article applies to:
> Microsoft Windows Server 2003, Enterprise Edition
> Microsoft Windows Server 2003, Standard Edition
> Last Reviewed: 6/6/2003 (4.0)
> Keywords: kbMgmtServices kbhowto kbHOWTOmaster KB324036 kbAudITPro
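The KB article quoted above states several rule behaviours without showing them in action: a hash rule follows the file's content regardless of name or folder, any change to the file defeats it, a Disallowed path rule is escaped by copying the file elsewhere, only designated file types are ever checked, and path rules accept `*`, `?`, `%ENV%` variables and the `%HIVE\Key\Value%suffix` registry form. The following Python model is an added example, not code from the post or from Microsoft. It assumes a constructed registry and environment (the `FAKE_*` dictionaries), MD5 plus file size as the hash (what SRP used on Windows Server 2003), and Microsoft's documented precedence of hash rule over most-specific path rule over default level, which the article mentions but does not spell out.

```python
"""Toy model of Software Restriction Policy (SRP) rule evaluation.

Added example, not code from the post or from KB 324036. It models what the
article describes: a default level, one shared list of designated file types,
hash rules keyed on file content, path rules with * and ? wildcards and %ENV%
variables, and registry path rules (%HIVE\\Key\\Value%suffix). The precedence
applied (hash rule, then the most specific matching path rule, then the
default) is an assumption; registry and environment values are constructed.
"""
import fnmatch
import hashlib
import ntpath
import re

DISALLOWED, UNRESTRICTED = "Disallowed", "Unrestricted"

# Constructed stand-ins for the registry and the environment (not the real ones).
FAKE_REGISTRY = {
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cache":
        r"C:\Documents and Settings\alice\Local Settings\Temporary Internet Files" + "\\",
}
FAKE_ENV = {"systemroot": r"C:\WINDOWS", "programfiles": r"C:\Program Files"}
# %HKEY_hive\Key\Value% plus an optional suffix that must not contain a backslash.
REGISTRY_RULE = re.compile(r"^%(HKEY_[^%]+)%([^%\\]*)$")


def resolve_registry_path(rule):
    """Resolve a registry path rule to a filesystem pattern (hive written out, no HKCU)."""
    m = REGISTRY_RULE.match(rule)
    if not m:
        raise ValueError("bad registry path rule: " + rule)
    reg_path, suffix = m.groups()
    if reg_path not in FAKE_REGISTRY:
        raise ValueError("registry value not found: " + reg_path)
    return FAKE_REGISTRY[reg_path] + suffix


def expand_env(pattern):
    """Expand %name% variables such as %systemroot% (case-insensitive)."""
    return re.sub(r"%([^%]+)%", lambda m: FAKE_ENV.get(m.group(1).lower(), m.group(0)), pattern)


def path_matches(pattern, file_path):
    """A pattern matches the file itself or, as a folder rule, anything below it."""
    pat, fp = pattern.lower().rstrip("\\"), file_path.lower()
    return fnmatch.fnmatchcase(fp, pat) or fnmatch.fnmatchcase(fp, pat + "\\*")


def file_hash(content):
    """SRP on Windows Server 2003 hashed file contents with MD5 and recorded the size."""
    return hashlib.md5(content).hexdigest(), len(content)


class SrpPolicy:
    def __init__(self, default_level, designated_types=("exe", "com", "bat", "cmd", "vbs", "scr", "msi")):
        self.default_level = default_level
        self.designated_types = {t.lower() for t in designated_types}
        self.hash_rules = {}   # (md5 hex, size) -> (level, description)
        self.path_rules = []   # (expanded pattern, level, description)

    def add_hash_rule(self, content, level, description=""):
        self.hash_rules[file_hash(content)] = (level, description)

    def add_path_rule(self, pattern, level, description=""):
        if pattern.startswith("%HKEY_"):          # registry path rule
            pattern = resolve_registry_path(pattern)
        self.path_rules.append((expand_env(pattern), level, description))

    def evaluate(self, file_path, content):
        """Return (level, reason) for a file the shell is about to run."""
        ext = ntpath.splitext(file_path)[1].lstrip(".").lower()
        if ext not in self.designated_types:
            return UNRESTRICTED, "not a designated file type; no rule is consulted"
        hit = self.hash_rules.get(file_hash(content))
        if hit:                                   # hash rules win over path rules
            return hit[0], "hash rule: " + hit[1]
        matches = [r for r in self.path_rules if path_matches(r[0], file_path)]
        if matches:                               # most specific path = longest literal prefix
            pat, level, desc = max(matches, key=lambda r: len(re.split(r"[*?]", r[0])[0]))
            return level, "path rule %s: %s" % (pat, desc)
        return self.default_level, "default security level"


def demo():
    """The behaviours the article's notes describe, one policy of each kind."""
    worm = b"constructed worm payload"            # stand-in for a known virus
    olk = r"C:\Documents and Settings\alice\Local Settings\Temporary Internet Files\OLK1A"
    cache_rule = (r"%HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion"
                  r"\Explorer\Shell Folders\Cache%OLK*")
    deny = SrpPolicy(UNRESTRICTED)                # the installation default
    deny.add_hash_rule(worm, DISALLOWED, "known worm")
    deny.add_path_rule(cache_rule, DISALLOWED, "mail attachment folder")
    deny.add_path_rule(r"%systemroot%", UNRESTRICTED, "OS files")
    allow = SrpPolicy(DISALLOWED)                 # default Disallowed; rules are the exceptions
    allow.add_path_rule(r"%systemroot%", UNRESTRICTED, "OS files")
    allow.add_path_rule(r"%programfiles%", UNRESTRICTED, "installed applications")
    return {
        "renamed_worm": deny.evaluate(r"C:\temp\holiday.scr", worm)[0],       # hash follows content
        "patched_worm": deny.evaluate(r"C:\temp\worm.exe", worm + b"\0")[0],  # any change: new hash
        "worm_in_windows": deny.evaluate(r"C:\WINDOWS\svc.exe", worm)[0],     # hash beats path rule
        "attachment": deny.evaluate(olk + r"\invoice.exe", b"x")[0],          # registry path rule hit
        "copied_out": deny.evaluate(r"C:\temp\invoice.exe", b"x")[0],         # path rule escaped by copy
        "text_file": deny.evaluate(r"C:\temp\readme.txt", worm)[0],           # type never checked
        "allowed_app": allow.evaluate(r"C:\WINDOWS\notepad.exe", b"n")[0],
        "download": allow.evaluate(r"C:\temp\setup.exe", b"s")[0],
    }
```

Calling `demo()` returns one verdict per scenario: the renamed worm and the worm dropped under `%systemroot%` are Disallowed, the patched copy and the attachment copied out of the `OLK*` folder are Unrestricted, and the `.txt` file is never consulted at all, which is why the article's designated file type list matters as much as the rules. `resolve_registry_path` rejects `%HKCU\...%` and any backslash after the closing percent sign, the two formatting errors the article warns about. A real audit would read these settings from the `CodeIdentifiers` key the article names instead of the constructed dictionaries.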