Pankaj-

I think what you are seeing is the effect of the 4 default Registry Path Rules, which do allow apps from a number of locations to continue to run even though the default level is Disallow. If you were to remove one or more of these registry path rules, you would begin to see all applications stop being able to execute, which may or may not be desirable, depending upon the application. I would experiment with it in your own environment.

Darren

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Pankaj Bhakta
Sent: Thursday, June 12, 2008 4:40 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Opinion on my Software Restriction Policy

Hi Darren,

Many thanks for your opinion and suggestion. I have been reading a number of blogs and finally you have suggested that the best approach is Disallow all and then create a Whitelist for the applications that I wish to allow. With this approach I have set up a new GPO (shown below) to first of all prevent all applications from running:

-----------------------------------------------------
Default Security Level - Disallowed
Enforcement Properties
 - All software files except libraries (such as DLLs)
 - All users except Local Administrators
Designate File Types - Default, i.e. whatever is present as default
Path rules - The 4 default rules kept intact.
-----------------------------------------------------

Various blogs on the net say that when you select Default Security Level - Disallowed, it stops everything from running. However, my observation is that it definitely prevents everything from running when you try to run applications from a desktop shortcut or Start Menu\Programs. But if we browse with Windows Explorer and invoke any application such as Acrobat Reader, MS Word etc. from the Programs folder, then it runs without any problem.

Is this the way SRP has been designed, or am I missing something, i.e. some other configuration needs to be done to completely disallow everything? Once I can establish the above, I will start creating my Whitelist.

Cheers,
Pankaj

_____

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Darren Mar-Elia
Sent: Thursday, June 12, 2008 1:08 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Opinion on my Software Restriction Policy

By using a Software Restriction Policy whitelist, you are saying to Windows "don't allow execution of any code that is not explicitly allowed". This means that no matter how you install something that is not in the allow list, it will not run.

Darren

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of hans straat
Sent: Wednesday, June 11, 2008 6:03 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Opinion on my Software Restriction Policy

Not to throw in any windows, but how do you want to block portable applications that don't need installation, like Firefox Portable etc.?

_____

From: darren@xxxxxxxxxx
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Opinion on my Software Restriction Policy
Date: Wed, 11 Jun 2008 05:58:15 -0700

Pankaj-

It's nearly impossible to prevent any kind of software installation, simply because software can be installed anywhere on the file system and it's impossible to prevent writes to every location on the local file system. However, there are a series of things you can do to make it very difficult for users to either install or execute unwanted code. Part of that is using Software Restriction Policy-based whitelists (i.e. disallow all code as the default rule and then allow only the apps below). Part of it is using other measures including:

--Making sure users are not members of the local Administrators or Power Users groups
--Removing the ability for MSI packages to install outside of managed apps (i.e. those deployed via GP) by enabling the policy at Computer Configuration\Admin. Templates\Windows Components\Windows Installer\Disable Windows Installer

Again, I think it's a combination of several steps that you will need to perform to ensure that only the code you want is executed.

Sincerely,
Darren

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Pankaj Bhakta
Sent: Tuesday, June 10, 2008 10:47 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Opinion on my Software Restriction Policy

Hi,

We have a Win 2003 AD based Domain and users running Win XP SP2. The following applications are installed by our IT department on every workstation:

* MS Office 2003 Pro
* IE and Firefox
* Win Zip
* Adobe Reader
* Sonic Record Now Plus - for burning CD/DVDs
* Cyberlink PowerDVD

I want to set up a Software Restriction Policy to achieve the following:

a) Do not permit Users to install any software
b) All the above mentioned applications to run smoothly

On a test domain I have set up an SRP as follows (User Configuration):

Default Security Level - Disallowed
Enforcement Properties
 - All software files except libraries (such as DLLs)
 - All users except Local Administrators
Designate File Types - Removed the .LNK from the Designated File Types
Path rules - The 4 default rules kept intact. Added the following:
 %userprofile%\Start Menu\Programs
 %allusersprofile%\Start Menu\Programs
 %temp%
 %windir%
 \\myserver\netlogon\*.bat - running login scripts
 \\myserver\netlogon\*.vbs - running login scripts

Although I removed the .LNK from the Designated File Types, the shortcuts on the desktop did not seem to work, so I added the following path rules:
 %allusersprofile%\desktop\*.lnk
 %userprofile%\desktop\*.lnk

Everything seems to be working as I wanted. All my applications that are already installed are working fine. The applications that have desktop shortcuts are working fine. Also tested and found that the users cannot install any application.

To me things seem to work alright, but I would still request your valued opinion & suggestion before I apply the policy on the production domain.

Cheers,
Pankajb
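Added example (not from the thread): a read-only PowerShell check that dumps the effective SRP settings and path rules from the registry on a test workstation, so you can confirm that the 4 default rules Darren refers to (one of which covers the Program Files directory) are what lets Explorer-launched apps run under a Disallowed default. It assumes the standard Safer\CodeIdentifiers registry layout, under HKLM for Computer Configuration and HKCU for User Configuration.

```powershell
# Added example: enumerate Software Restriction Policy settings and path rules.
# Read-only; run in an elevated PowerShell on a test machine that has the GPO applied.
# SRP level IDs as stored in the registry (subkey names and DefaultLevel value).
$levelNames = @{ 0 = 'Disallowed'; 4096 = 'Untrusted'; 65536 = 'Constrained';
                 131072 = 'Basic User'; 262144 = 'Unrestricted' }

function Get-LevelName([int]$Level) {
    if ($levelNames.ContainsKey($Level)) { $levelNames[$Level] } else { "$Level" }
}

function Get-SrpPathRules([string]$Base) {
    # Path rules live under <Base>\<level>\Paths\<GUID>; ItemData holds the pattern,
    # e.g. %HKEY_LOCAL_MACHINE\...\ProgramFilesDir% for one of the default rules.
    foreach ($levelKey in Get-ChildItem -Path $Base) {
        if ($levelKey.PSChildName -notmatch '^\d+$') { continue }
        $pathsKey = "$($levelKey.PSPath)\Paths"
        if (-not (Test-Path $pathsKey)) { continue }
        foreach ($rule in Get-ChildItem -Path $pathsKey) {
            $p = Get-ItemProperty -Path $rule.PSPath
            [pscustomobject]@{
                Level       = Get-LevelName ([int]$levelKey.PSChildName)
                Path        = $p.ItemData
                Description = $p.Description
            }
        }
    }
}

function Get-SrpPolicy([string]$Hive) {
    # 'HKLM' = Computer Configuration, 'HKCU' = User Configuration (Pankaj's case).
    $base = "${Hive}:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers"
    if (-not (Test-Path $base)) { return $null }
    $ci = Get-ItemProperty -Path $base
    [pscustomobject]@{
        Hive            = $Hive
        DefaultLevel    = Get-LevelName ([int]$ci.DefaultLevel)
        EnforceDlls     = ($ci.TransparentEnabled -eq 2)   # 1 = all except DLLs, 2 = all files
        ExemptAdmins    = ($ci.PolicyScope -eq 1)          # 1 = all users except local admins
        DesignatedTypes = @($ci.ExecutableTypes)           # file types SRP treats as code
        PathRules       = @(Get-SrpPathRules -Base $base)
    }
}

foreach ($hive in 'HKLM', 'HKCU') {
    $pol = Get-SrpPolicy -Hive $hive
    if ($null -eq $pol) { "$hive : no SRP configured"; continue }
    "$hive : default=$($pol.DefaultLevel) enforceDLLs=$($pol.EnforceDlls) exemptAdmins=$($pol.ExemptAdmins)"
    "  LNK in designated file types: $($pol.DesignatedTypes -contains 'LNK')"
    $pol.PathRules | Sort-Object Level, Path | Format-Table Level, Path, Description -AutoSize
}
```

Any Unrestricted path rule in the output that covers the Program Files directory explains why an EXE launched from Explorer runs while the .lnk shortcut to it is blocked when LNK is a designated file type.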