[gptalk] Re: Opinion on my Software Restriction Policy
- From: "Darren Mar-Elia" <darren@xxxxxxxxxx>
- To: <gptalk@xxxxxxxxxxxxx>
- Date: Thu, 12 Jun 2008 06:37:38 -0700
Pankaj-
I think what you are seeing are the effect of the 4 default Registry Path
Rules, which do allow apps from a number of locations to continue to run
even though the default level is Disallow. If you were to remove one or more
of these registry path rules, you would begin to see all applications stop
being able to execute, which may or may not be desirable, depending upon the
application. I would experiment with it in your own environment.
Darren
From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Pankaj Bhakta
Sent: Thursday, June 12, 2008 4:40 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Opinion on my Software Restriction Policy
Hi Darren,
Many thanks for your opinion and suggestion.
I have been reading number of blogs and finally you have suggested that the
best approach is Disallow all and then create a Whitelist for the
applications that I wish to allow.
With this approach I have setup a new GPO (shown below) to first of all
prevent all application from running:
-----------------------------------------------------
Default Security Level - Disallowed
Enforcement Properties
- All software files except libraries (such as DLLs)
- All users except Local Administrators
Designate File Types
-Default ie whatever present as default
Path rules
The 4 default rules kept intact.
----------------------------------------------------------------------------
------------
Various blogs on the net say that when you select Default Security Level -
Disallowed, it stops everything from running.
However my observation is that it definitely prevents everything from
running when your try to run applications from desktop shortcut or Start
Menu\Programs. But if we browse with Windows Explorer and invoke any
application such as Acrobat Reader, MS Word etc from the Programs folder,
then it runs without any prob.
Is this the way SRP has been designed or am I missing something ie some
other configuration needs to be done to completely disallow everything.
Once I can establish the above, I will start creating my Whitelist.
Cheers,
Pankaj
_____
From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Darren Mar-Elia
Sent: Thursday, June 12, 2008 1:08 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Opinion on my Software Restriction Policy
By using a Software Restriction Policy whitelist, you are saying to Windows
"don't allow execution of any code that is not explicitly allowed". This
means that no matter how you install something that is not in the allow
list, it will not run.
Darren
From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of hans straat
Sent: Wednesday, June 11, 2008 6:03 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Opinion on my Software Restriction Policy
not to trow in any windows but how do you want to block portable
applications that don't need installation like firefox portable etc
_____
From: darren@xxxxxxxxxx
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Opinion on my Software Restriction Policy
Date: Wed, 11 Jun 2008 05:58:15 -0700
Pankaj-
Its nearly impossible to prevent any kind of software installation, simply
because software can be installed anywhere on the file system and its
impossible to prevent writes to every location on the local file system.
However, there are a series of things you can do to make it very difficult
for users to either install or execute unwanted code. Part of that is using
Software Restriction Policy-based whitelists (i.e. disallow all code as the
default rule and then allow only the apps below). Part of it is using other
measures including:
--Making sure users are not members of the local Administrators or Power
Users groups
--Removing the ability for MSI packages to install outside of managed apps
(i.e. those deployed via GP) by enabling the policy at Computer
Configuration\Admin. Templates\Windows Components\Windows Installer\Disable
Windows Installer
Again, I think it's a combination of several steps that you will need to
perform to ensure that only the code you want is executed.
Sincerely,
Darren
From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Pankaj Bhakta
Sent: Tuesday, June 10, 2008 10:47 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Opinion on my Software Restriction Policy
Hi,
We are having a Win 2003 AD based Domain and users running Win XP SP2.
The following applications are installed by our IT department on every
workstation
* MS Office 2003 Pro
* IE and Firefox
* Win Zip
* Adobe Reader
* Sonic Record Now Plus - for burning CD/DVDs
* Cyberlink PowerDVD
I want to setup a Software Restriction Policy to achieve the following:
a) Do not permit Users to install any software
b) All the above mentioned applications to run smoothly
On a test domain I have setup a SRP as following ( User Configuration ):
Default Security Level - Disallowed
Enforcement Properties
- All software files except libraries (such as DLLs)
- All users except Local Administrators
Designate File Types
-Removed the .LNK from the Designated File Types
Path rules
The 4 default rules kept intact.
Added the following
%userprofile%\Start Menu\Programs
%allusersprofile%\Start Menu\Programs
%temp%
%windir%
\\myserver\netlogon\*.bat - running login scripts
\\myserver\netlogon\*.vbs - running login scripts
Although I removed the .LNK from the Designated File Types but the shortcuts
on the desktop did not seem to work so added the following path rule.
%allusersprofile%\desktop\*.lnk
%userprofile%\desktop\*.lnk
Everything seems to be working as I wanted. All my applications that are
already installed are working fine. The applications that have desktop
shortcuts are working fine.
Also tested and found that the users cannot install any application.
To me things seems to work alright but I would still request your valued
opinion & suggestion before I apply the policy on production domain.
Cheers,
Pankajb
Other related posts:
