How To use Software Restriction Policies in Windows Server 2003

12/15/2012 08:02:00 PM    

How to start Software Restriction Policies


For the Local Computer Only

  1. Click Start, point to Programs, point to Administrative Tools, and then click Local Security Policy.
  2. In the console tree, expand Security Settings, and then expand Software Restriction Policies.

For a Domain, a Site, or an Organizational Unit on a Member Server or a Workstation that is joined to a Domain

  1. Open Microsoft Management Console (MMC). To do so, click Start, click Run, type mmc, and then click OK.
  2. On the File menu, click Add/Remove Snap-in, and then click Add.
  3. Click Group Policy Object Editor, and then click Add.
  4. In Select Group Policy Object, click Browse.
  5. In Browse for a Group Policy Object, either select a Group Policy object (GPO) in the appropriate domain, site, or organizational unit, and then click Finish.

    Alternatively, you can create a new GPO, and then click Finish.
  6. Click Close, and then click OK.
  7. In the console tree, go to the following location:
    Group Policy Object Computer_name Policy/Computer Configuration or User/Configuration/Windows Settings/Security Settings/Software Restriction Policies

For an Organizational Unit or a Domain on a Domain Controller or a Workstation that has the Administration Tools Pack installed

  1. Click Start, point to All Programs, point to Administrative Tools, and then click Active Directory Users and Computers.
  2. In the console tree, right-click the domain or organizational unit that you want to set Group Policy for.
  3. Click Properties, and then click the Group Policy tab.
  4. Click an entry in Group Policy Object Links to select an existing GPO, and then click Edit.

    Alternatively, you can click New to create a new GPO, and then click Edit.
  5. In the console tree, go to the following location:
    Group Policy Object Computer_name Policy/Computer Configuration or User Configuration/Windows Settings/Security Settings/Software Restriction Policies

For Your Site and on a Domain Controller or a Workstation that has the Administration Tools Pack installed

  1. Click Start, point to All Programs, point to Administrative Tools, and then click Active Directory Sites and Services.
  2. In the console tree, right-click the site that you want to set Group Policy for:
    • Active Directory Sites and Services [ Domain_Controller_NameDomain_Name]
    • Sites
    • Site
  3. Click Properties, and then click the Group Policy tab.
  4. Click an entry in Group Policy Object Links to select an existing Group Policy object (GPO), and then click Edit.

    Alternatively, click New to create a new GPO, and then click Edit.
  5. In the console tree, go to the following location:
    Group Policy Object Computer_name Policy/Computer Configuration or User Configuration/Windows Settings/Security Settings/Software Restriction Policies
    Important: Click User Configuration to set policies that will be applied to users, regardless of the computer to which they log on. Click Computer Configuration to set policies that will be applied to computers, regardless of the users who log on to them.

    You can also apply software restriction policies to specific users when they log on to specific computer by using an advanced Group Policy setting named loopback.

How to prevent Software Restriction Policies from applying to Local Administrators

  1. Click Start, click Run, type mmc, and then click OK.
  2. Open Software Restriction Policies.
  3. In the details pane, double-click Enforcement.
  4. Under Apply software restriction policies to the following users, click All users except local administrators.
Notes:
  • You may have to create a new software restriction policy setting for this GPO if you have not already done so.
  • Typically, users are members of the local administrator group on their computers in your organization; therefore, you may not want to turn on this setting. Software restriction policies do not apply to any users who are members of their local administrator group.
  • If you are defining the software restriction policy settings for your local computer, use this procedure to prevent local administrators from having the software restriction policies applied to them. If you are defining the software restriction policy settings for your network, filter user policy settings based on membership in security groups by using Group Policy.

How to create a Certificate Rule

  1. Click Start, click Run, type mmc, and then click OK.
  2. Open Software Restriction Policies.
  3. In either the console tree or the details pane, right-click Additional Rules, and then click New Certificate Rule.
  4. Click Browse, and then select a certificate.
  5. Select a security level.
  6. In the Description box, type a description for this rule, and then click OK.
Notes:
  • For information about how to start the software restriction policies in MMC, see "Start software restriction policies" in Related Topics in the Windows Server 2003 Help file.
  • You may have to create new software restriction policy settings for this GPO if you have not already done so.
  • By default, certificate rules are not turned on. To turn on certificate rules:
    1. Click Start, click Run, type regedit, and then click OK.
    2. Locate and then click the following registry key:
      HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers
    3. In the details pane, double-click AuthenticodeEnabled, and then change the value data from 0 to 1.
  • The only file types that are affected by certificate rules are those that are listed in Designated file types. There is one list of designated file types that is shared by all rules.
  • For software restriction policies to take effect, users must update policy settings by logging off from and then logging on to their computers.
  • When more than one rule is applied to policy settings, there is a precedence of rules for handling conflicts.

How to create a Hash Rule

  1. Click Start, click Run, type mmc, and then click OK.
  2. Open Software Restriction Policies.
  3. In either the console tree or the details pane, right-click Additional Rules, and then click New Hash Rule.
  4. Click Browse to find a file, or paste a precalculated hash in the File hash box.
  5. In the Security level box, click either Disallowed or Unrestricted.
  6. In the Description box, type a description for this rule, and then click OK.
Notes:
  • You may have to create new software restriction policy settings for this GPO if you have not already done so.
  • You can create a hash rule for a virus or a Trojan horse to prevent the malicious software from running.
  • If you want other users to use a hash rule so that a virus cannot run, calculate the hash of the virus by using software restriction policies, and then e-mail the hash value to other users. Never e-mail the virus itself.
  • If a virus has been sent through e-mail, you can also create a path rule to prevent users from running mail attachments.
  • A file that is renamed or moved to another folder still results in the same hash.
  • Any change to a file results in a different hash.
  • The only file types that are affected by hash rules are those that are listed in Designated file types. There is one list of designated file types that is shared by all rules.
  • For software restriction policies to take effect, users must update policy settings by logging off from and then logging on to their computers.
  • When more than one rule is applied to policy settings, there is a precedence of rules for handling conflicts.

How to create an Internet Zone Rule

  1. Click Start, click Run, type mmc, and then click OK.
  2. Open Software Restriction Policies.
  3. In the console tree, click Software Restriction Policies.
  4. In either the console tree or the details pane, right-click Additional Rules, and then click New Internet Zone Rule.
  5. In Internet zone, click an Internet zone.
  6. In the Security Level box, click either Disallowed or Unrestricted, and then click OK.
Notes:
  • You may have to create new software restriction policy settings for this GPO if you have not already done so.
  • Zone rules apply to Windows Installer packages only.
  • The only file types that are affected by zone rules are those that are listed in Designated file types. There is one list of designated file types that is shared by all rules.
  • For software restriction policies to take effect, users must update policy settings by logging off from and then logging on to their computers.
  • When more than one rule is applied to policy settings, there is a precedence of rules for handling conflicts.

How to create a Path Rule

  1. Click Start, click Run, type mmc, and then click OK.
  2. Open Software Restriction Policies.
  3. In either the console tree or the details pane, right-click Additional Rules, and then click New Path Rule.
  4. In the Path box, type a path or click Browse to find a file or folder.
  5. In the Security level box, click either Disallowed or Unrestricted.
  6. In the Description box, type a description for this rule, and then click OK.

    Important: On certain folders, such as the Windows folder, setting the security level to Disallowed can adversely affect the operation of your operating system. Make sure that you do not disallow a crucial component of the operating system or one of its dependent programs.
Notes:
  • You may have to create new software restriction policy settings for this GPO if you have not already done so.
  • If you create a path rule for a program with a security level of Disallowed, a user can still run the software by copying it to another location.
  • The wildcard characters that are supported by the path rule are the asterisk (*) and the question mark (?).
  • You can use environment variables, such as %programfiles% or %systemroot%, in your path rule.
  • To create a path rule for software when you do not know where it is stored on a computer but you have its registry key, you can create a registry path rule.
  • To prevent users from running e-mail attachments, you can create a path rule for your mail program's attachment folder that prevents users from running e-mail attachments.
  • The only file types that are affected by path rules are those that are listed in Designated file types. There is one list of designated file types that is shared by all rules.
  • For software restriction policies to take effect, users must update policy settings by logging off from and then logging on to their computers.
  • When more than one rule is applied to policy settings, there is a precedence of rules for handling conflicts.

How to create a Registry Path Rule

  1. Click Start, click Run, type regedit, and then click OK.
  2. In the console tree, right-click the registry key that you want to create a rule for, and then click Copy Key Name.
  3. Note the value name in the details pane.
  4. Click Start, click Run, type mmc, and then click OK.
  5. Open Software Restriction Policies.
  6. In either the console tree or the details pane, right-click Additional Rules, and then click New Path Rule.
  7. In Path, paste the registry key name and the value name.
  8. Enclose the registry path in percent signs (%), for example:
    %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PlatformSDK\Directories\InstallDir%
  9. In the Security level box, click either Disallowed or Unrestricted.
  10. In the Description box, type a description for this rule, and then click OK.
Notes:
  • You may have to create new software restriction policy settings for this GPO if you have not already done so.
  • You must be a member of the Administrators group to perform this procedure.
  • Format the registry path as follows:
    Registry HiveRegistry Key NameValue Name%
  • You must write out the name of the registry hive; you cannot use abbreviations. For example, you cannot substitutedHKCU for HKEY_CURRENT_USER.
  • The registry path rule can contain a suffix after the closing percent sign (%). Do not use a backslash (\) in the suffix. For example, you can use the following registry path rule:
    %HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cache%OLK*
  • The only file types that are affected by path rules are those that are listed in Designated file types. There is one list of designated file types that is shared by all rules.
  • For software restriction policies to take effect, users must update policy settings by logging off from and then logging on to their computers.
  • When more than one rule is applied to policy settings, there is a precedence of rules for handling conflicts.

How to add or delete a Designated File Type

  1. Click Start, click Run, type mmc, and then click OK.
  2. Open Software Restriction Policies.
  3. In the details pane, double-click Designated File Types.
  4. Perform one of the following steps as appropriate:
    • To add a file type, type the file name extension in the File extension box, and then click Add.
    • To delete a file type, click the file type in the Designated file types box, and then click Remove.
Notes:
  • You may have to create new software restriction policy settings for this GPO if you have not already done so.
  • The designated file types list is shared by all rules for each configuration. The designated file types list for computer policy settings is different from the designated file types list for user policy settings.

How to change the default Security Level of Software Restriction Policies

  1. Click Start, click Run, type mmc, and then click OK.
  2. Open Software Restriction Policies.
  3. In the details pane, double-click Security Levels.
  4. Right-click the security level that you want to set as the default, and then click Set as default.

    Caution: In certain folders, if you set the default security level to Disallowed, you can adversely affect your operating system.
Notes:
  • You may have to create new software restriction policy settings for this GPO if you have not already done so.
  • In the details pane, the current default security level is indicated by a black circle with a check mark in it. If you right-click the current default security level, the Set as default command does not appear in the menu.
  • Rules are created to specify exceptions to the default security level. When the default security level is set to Unrestricted, rules specify software that is not allowed to run. When the default security level is set to Disallowed, rules specify software that is allowed to run.
  • If you change the default level, you affect all files on the computers that have software restriction policies applied to them.
  • At installation, the default security level of software restriction policies on all files on your computer is set toUnrestricted.

How to set Trusted Publisher options

  1. Click Start, click Run, type mmc, and then click OK.
  2. Open Software Restriction Policies.
  3. Double-click Trusted Publishers.
  4. Click the users who you want to decide which certificates will be trusted, and then click OK.
Notes:
  • You may have to create new software restriction policy settings for this GPO if you have not already done so.
  • You can select who can add trusted publishers, users, administrators, or enterprise administrators. For example, you can use this tool to prevent users from making trust decisions about publishers of ActiveX Controls.
  • Local computer administrators have the right to specify trusted publishers on the local computer, but enterprise administrators have the right to specify trusted publishers on an organizational unit level.