[gptalk] Re: Start on Software Restriction Policy

  • From: "Darren Mar-Elia" <darren@xxxxxxxxxx>
  • To: <gptalk@xxxxxxxxxxxxx>
  • Date: Wed, 28 May 2008 05:46:16 -0700

It's not clear to me why, if both the computer configuration and user
configuration are identical, you would see different behavior, but in
general you should only need one or the other, and I like the approach of
doing it per-user for most scenarios.

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Pankaj Bhakta
Sent: Wednesday, May 28, 2008 2:58 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Start on Software Restriction Policy


Many thanks for giving me a start on the SRP.


The links provided were of incredible help, as they gave me more confidence
to think along the lines of the Disallow Everything and Whitelist approach.


I have set up a test environment and performed the following test:


a)     Created two GPOs:

1) SRP - User Configuration

2) SRP - Computer Configuration


*       Both SRPs have been created with Disallowed as the default.


*       Enforcement policies: apply SRP to all software files except
libraries, and to all users except local administrators.


I created the above two GPOs as I am not sure which one is more appropriate
in an actual environment.


b)    Created two OUs:

1) Users-OU, containing a user named TestUser

2) Computers-OU, containing a computer named TestComputer


Our general users only run MS Office, IE & Firefox. We also run a VB login


Now I have applied the policies in the following steps:


Step - 1                Applied SRP - User Configuration on the Users-OU

When I logged in as TestUser, I found that all the default applications,
i.e. MS Office, IE and Firefox, were running all right; however, I could not
install any software such as SKYPE etc.

When logged on as Domain Admin or Local Admin I could run all applications
as well as install software.


Step - 2               Applied SRP - Computer Configuration on the Computers-OU

When I logged in as TestUser, none of the above applications would run, as
all of them were denied by the SRP.

When logged on as Domain Admin or Local Admin I could run all applications
as well as install software.


Now, kindly throw some light on this and let me know which approach is the
correct one.


If Step-1 is the correct approach then, obviously, I have to test it
thoroughly and then implement it in a phased manner.


If Step-2 is the correct approach, then how do I make MS Office and the
browsers run? Do I have to create a HASH rule for them?

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Jakob H. Heidelberg
Sent: Wednesday, May 28, 2008 3:30 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Start on Software Restriction Policy

SRP is a very hard thing to manage no matter how you do it, so be sure you
know what you are going into before taking the first step. Start by thinking
through all the good and bad things about SRP and then create your design, a
design that fits your needs and your time for "administrative overhead".
Personally I think the best (most secure) way is to Disallow Everything and
then whitelist from there (either HASH or Certificate rules in my world).

Some guy (guess who) wrote a few articles on this which I'll recommend you
to read :)

To be honest I think this is an area on which MS should really spend a lot of
resources over the next years (and I know they have some new AppID thing on
its way) - SRP does a good job to some extent, but as always we need and
demand more - the current SRP technology dates back to the introduction of
Windows XP...

Well, I hope I could help a bit.

Best regards 
Jakob H. Heidelberg 
MVP:Enterprise Security

On Tue, 27 May 2008 23:27:09 +1200, Pankaj Bhakta wrote
> Hi,
> Can someone please give me a start on Software Restriction Policy.
> My environment is Win 2003 DC, and Win XP Pro desktops and laptops.
> I have two OUs, i.e. Desktops OU and Laptops OU.
> I want to restrict users from downloading and installing games and
> other files.
> I was under the impression that by default users cannot install any
> software on their desktop.
> As a test case, I logged in as a domain user and tried to install a
> program called Sherif Draw Plus and found that it requires admin privilege.
> However, from the same desktop when I downloaded SKYPE, I was able to
> install it under the same user's login.
> I tried the same with Audacity and I was able to install it.
> I am now confused.
> After reading a few materials on the net, I am about to give a start to
> implementing a Software Restriction Policy, but I found that one school of
> thought says that you should start by implementing a policy that would
> disallow everything and add only rules to run the software we require.
> The other school says that it is not safe and we should use the
> unrestricted option with path rules to stop applications that we do not want
> to run.
> Our general desktop users run MS Office, IE, Firefox. We also run a VBS
> login script to map the drives and printers.
> I went through the archive and could not find anything on the best
> practices. Since this forum is for the pros, I would seek your guidance.
> Thanks in advance,
> Pankajb
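As an added example (not part of this thread and not a Microsoft tool), the following PowerShell reads the SRP settings a test client has actually received from the User Configuration (HKCU) and Computer Configuration (HKLM) GPOs, so the two results described above can be compared against what was really applied rather than inferred from which programs run. It assumes the standard Safer registry locations under SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers and the documented DefaultLevel, TransparentEnabled and PolicyScope values; run it on the test machine after a gpupdate, in the test user's own session for the HKCU half.

```powershell
# Added example, not from the thread: report the SRP settings a test client actually
# received. Assumes the standard Safer registry locations that SRP writes to: the
# Computer Configuration GPO lands under HKLM, the User Configuration GPO under HKCU.
$LevelNames = @{ 0 = 'Disallowed'; 131072 = 'Basic User'; 262144 = 'Unrestricted' }

function Get-SrpPolicy {
    param([ValidateSet('HKLM', 'HKCU')][string]$Hive)
    $base = "${Hive}:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers"
    if (-not (Test-Path $base)) { return $null }   # no SRP delivered to this hive
    $ci = Get-ItemProperty -Path $base

    # TransparentEnabled: 1 = all software files except libraries (DLLs), 2 = all files.
    $enforcement = switch ([int]$ci.TransparentEnabled) {
        1       { 'all software files except libraries (DLLs)' }
        2       { 'all software files' }
        default { 'enforcement off' }
    }
    # PolicyScope: 0 = all users, 1 = all users except local administrators.
    $appliesTo = if ([int]$ci.PolicyScope -eq 1) { 'all users except local administrators' } else { 'all users' }
    $default = if ($null -eq $ci.DefaultLevel) { 'not set' } else { $LevelNames[[int]$ci.DefaultLevel] }

    # Rules live under CodeIdentifiers\<level>\Hashes and \Paths; the <level> subkey is the
    # security level the rule assigns (a hash rule under 262144 whitelists that file).
    $rules = foreach ($levelKey in Get-ChildItem -Path $base) {
        $level = $levelKey.PSChildName -as [int]
        if ($null -eq $level) { continue }
        foreach ($kind in 'Hashes', 'Paths') {
            $kindPath = Join-Path $levelKey.PSPath $kind
            if (-not (Test-Path $kindPath)) { continue }
            foreach ($rule in Get-ChildItem -Path $kindPath) {
                $p = Get-ItemProperty -Path $rule.PSPath
                # Hash rules store the digest as raw bytes in ItemData; path rules store the path string.
                $data = if ($kind -eq 'Hashes') { ($p.ItemData | ForEach-Object { $_.ToString('x2') }) -join '' } else { $p.ItemData }
                [pscustomobject]@{ Level = $LevelNames[$level]; Kind = $kind; Name = $p.FriendlyName; Data = $data }
            }
        }
    }

    [pscustomobject]@{ Scope = $Hive; DefaultLevel = $default; Enforcement = $enforcement; AppliesTo = $appliesTo; Rules = @($rules) }
}

# Compare what the Computer Configuration and User Configuration GPOs delivered.
foreach ($hive in 'HKLM', 'HKCU') {
    $pol = Get-SrpPolicy -Hive $hive
    if ($null -eq $pol) { "$hive`: no SRP configured"; continue }
    $pol | Select-Object Scope, DefaultLevel, Enforcement, AppliesTo | Format-List
    $pol.Rules | Format-Table Level, Kind, Name, Data -AutoSize
}
```

If HKLM shows Disallowed with no hash or path rules for the Office and browser executables, the Step-2 result (everything denied) is the expected outcome of the policy as delivered, not a processing fault.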
