Re: SUS/WSUS & Software Restriction Policies

From: Asher_N (compguy666_at_hotmail.com)
Date: 07/25/05


Date: Mon, 25 Jul 2005 07:00:41 -0700


"DJ_Chiro" <dj_chiro@hotmail.<DOT>com> wrote in
news:uLKb3mRkFHA.1480@TK2MSFTNGP10.phx.gbl:

My first thought is that your policy may be a bit too restrictive.

Anyway, consider moving to WSUS. It deposits all the updates in sub-dirs in
a structure inside the windows dir. You can then have your policy allow
execution of anything under that sub-dir.

> Hello all, here's a good one!
>
> I am running SUS and software restriction policies on my domain.
> Problem seems that any patches that are approved get downloaded and
> run from a randomly generated directory off the C drive. My software
> restriction policy is locked down with ONLY the known file paths added
> to the rules list. i.e. I have c:\program files locked down only
> allowing certain sub dirs to run.
>
> I notice the initial file getting blocked is update.exe. I allow this
> file to execute only to find another one blocked... I don't want to
> have to make exceptions for every file in every future update. And to
> make matters even more fun it seems the folder name where the patches
> are extracted to is a randomly generated name that changes EVERY time!
> Is there any solution for this? I can't imagine MS not allowing
> these two great features to not play nice together!
>
>
> First error:
> Access to c:\eee41c89bfcc5092e94bd7458786c4\update\update.exe has been
> restricted by your Administrator by the default software restriction
> policy level.
>
> After allowing update.exe I get:
> Access to c:\54054a918f273519e2fd8418a7\update\arpidfix.exe has been
> restricted by your Administrator by the default software restriction
> policy level.
>
>
>


