Hi Jacob & Darren,

Many thanks for your replies. As per Jacob's suggestion, I have gone for the Disallow option and, as per Darren's suggestion, I have adopted the per-user approach.

Before going further, I started testing my login scripts. From the Production Server I copied the script into the netlogon share of my Test Server with appropriate modifications. I have a bat file that runs and calls a VB login script for mapping drives and printers. The batch file initiates but waits for the user's response with the popup "Unknown Publisher". I guess this might be because under Trusted Publisher Properties - General tab - the "End Users" radio button is selected by default. Am I choosing the wrong option? The other two options I found are "Local Computer Administrator" and "Enterprise Administrator". Kindly give your opinion as to how I can allow the scripts to run automatically.

Thanks,
Pankaj

_____

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Darren Mar-Elia
Sent: Thursday, May 29, 2008 12:46 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Start on Software Restriction Policy

It's not clear to me why, if both the computer configuration and the user configuration are identical, you would see different behavior, but in general you should only need one or the other, and I like the approach of doing it per-user for most scenarios.

Darren

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Pankaj Bhakta
Sent: Wednesday, May 28, 2008 2:58 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Start on Software Restriction Policy

Many thanks for giving me a start on the SRP. The links provided were of incredible help, as they gave me more confidence to think in the approach of Disallow Everything and Whitelist.

I have set up a test environment and performed the following test:

a) Created two GPOs:
   1) SRP - User Configuration
   2) SRP - Computer Configuration
   * Both SRPs have been created with Disallowed as default
   * Enforcement Policies - Apply SRP to all software files except libraries, and to all users except local administrators
   I created the above two GPOs as I am not sure which one is more appropriate in the actual environment.

b) Created two OUs:
   1) Users-OU having a user named TestUser
   2) Computers-OU having a computer named TestComputer

Our general users only run MS Office, IE & Firefox. We also run VB login scripts.

Now I have applied the policies in the following steps:

Step 1: Applied SRP - User Configuration on the Users-OU.
When I logged in as TestUser, I found that all default applications, i.e. MS Office, IE and Firefox, were running alright; however, I could not install any software like SKYPE etc. When logged on as Domain Admin or Local Admin I could run all applications as well as install software.

Step 2: SRP - Computer Configuration on Computers-OU.
When I logged in as TestUser, none of the above applications were running, as all were denied by the SRP. When logged on as Domain Admin or Local Admin I could run all applications as well as install software.

Now, kindly throw some light and let me know which approach is the correct one. If Step 1 is the correct approach then obviously I have to test it thoroughly and then implement it in a phased manner. If Step 2 is the correct approach, then how do I make MS Office and the browsers run? Do I have to create a HASH key for them?

Thanks,
Pankaj

_____

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Jakob H. Heidelberg
Sent: Wednesday, May 28, 2008 3:30 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Start on Software Restriction Policy

Hi

SRP is a very hard thing to manage no matter how you do it, so be sure you know what you are getting into before taking the first step.

Start by thinking through all the good and bad things about SRP and then create your design, a design that fits your needs and time for "administrative overhead". Personally I think the best (most secure) way is to Disallow Everything and then whitelist from there (either HASH or Certificate rules in my world).

Some guy (guess who) wrote a few articles on this which I'll recommend you read :)
http://windowsecurity.com/articles/Default-Deny-All-Applications-Part1.html
http://windowsecurity.com/articles/Default-Deny-All-Applications-Part2.html

To be honest I think this is an area on which MS should really use a lot of resources over the next years (and I know they have some new AppID thing on its way) - SRP does a good job to some extent, but as always we need and demand more - the current SRP technology dates back to the introduction of Windows XP...

Well, I hope I could help a bit.

Best regards
Jakob H. Heidelberg
MVP: Enterprise Security

On Tue, 27 May 2008 23:27:09 +1200, Pankaj Bhakta wrote
> Hi,
> Can someone please give me a start on Software Restriction Policy.
>
> My environment is Win 2003 DC, and Win XP Pro desktops and laptops.
> I have two OUs, i.e. Desktops OU and Laptops OU.
> I want to restrict users from downloading and installing games and other files.
>
> I was under the impression that by default users cannot install any software on their desktop.
>
> As a test case, I logged in as a domain user and tried to install a program called Sherif Draw Plus and found that it requires admin privilege.
>
> However, from the same desktop when I downloaded SKYPE, I was able to install it under the same user's login.
> I tried the same with Audacity and I was able to install it.
> I am now confused.
>
> After reading a few materials on the net, I am about to give a start to implementing a Software Restriction Policy, but I found that one school of thought says that you should start by implementing a policy that would disallow everything and add only rules to run the software we require.
>
> The other school says that it is not safe and we should use the Unrestricted option with path rules to stop applications that we do not want to run.
> Our general desktop users run MS Office, IE, Firefox. We also run a vbs login script to map the drives and printers.
> I went through the archive and could not find anything on the best practices. Since this forum is for the pros, I would seek your guidance.
> Thanks in advance,
> Pankajb
> --
> Open WebMail Project (http://openwebmail.org)
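As an added example (not written by anyone in this thread), the PowerShell below reads back the SRP settings the posts discuss, so a test like Pankaj's can be checked against what the policy actually applied rather than against what the GPO editor shows. It reads the Computer Configuration policy from HKLM and the User Configuration policy from HKCU (SRP's documented "Safer\CodeIdentifiers" storage), decodes the default level, the "all users except local administrators" scope and the "all software files except libraries" enforcement setting, lists every path and hash rule, and hashes a login script so you can tell whether a hash rule already covers it. The decode tables are the level ids SRP uses (0, 131072, 262144); the server and file names in the usage lines are lab assumptions, not values from the thread (only the netlogon share name comes from it).

```powershell
# Added example: inspect the SRP ("Safer") configuration that is in effect and
# hash login scripts that would need allow rules under a Disallowed default.
# Registry paths and value names are SRP's documented storage; the lookup
# tables below map the stored numbers onto the GUI's wording.

$LevelNames   = @{ 0 = 'Disallowed'; 131072 = 'Basic User'; 262144 = 'Unrestricted' }
$ScopeNames   = @{ 0 = 'All users'; 1 = 'All users except local administrators' }
$EnforceNames = @{ 1 = 'All software files except libraries (such as DLLs)'; 2 = 'All software files' }

function Get-SrpConfiguration {
    # 'Machine' reads the Computer Configuration policy (HKLM);
    # 'User' reads the User Configuration policy applied to the current account (HKCU).
    param([ValidateSet('Machine', 'User')][string]$Scope = 'Machine')
    $hive = if ($Scope -eq 'Machine') { 'HKLM:' } else { 'HKCU:' }
    $key = "$hive\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers"
    if (-not (Test-Path $key)) {
        return New-Object PSObject -Property @{ Scope = $Scope; Configured = $false }
    }
    $props = Get-ItemProperty -Path $key
    # Rules live under <level id>\Paths\<guid> and <level id>\Hashes\<guid>.
    $rules = @()
    foreach ($levelKey in Get-ChildItem -Path $key) {
        if ($levelKey.PSChildName -notmatch '^\d+$') { continue }
        $level = $LevelNames[[int]$levelKey.PSChildName]
        foreach ($typeKey in Get-ChildItem -Path $levelKey.PSPath) {
            if ('Paths', 'Hashes' -notcontains $typeKey.PSChildName) { continue }
            foreach ($ruleKey in Get-ChildItem -Path $typeKey.PSPath) {
                $r = Get-ItemProperty -Path $ruleKey.PSPath
                if ($typeKey.PSChildName -eq 'Hashes') {
                    # Hash rules store the raw digest bytes; render them as lowercase hex.
                    $data = ($r.ItemData | ForEach-Object { $_.ToString('x2') }) -join ''
                } else {
                    $data = $r.ItemData   # path rules store the path pattern as text
                }
                $rules += New-Object PSObject -Property @{
                    Level       = $level
                    Type        = ($typeKey.PSChildName -replace 'e?s$')   # Paths -> Path, Hashes -> Hash
                    Data        = $data
                    Description = $r.Description
                }
            }
        }
    }
    New-Object PSObject -Property @{
        Scope        = $Scope
        Configured   = $true
        DefaultLevel = $LevelNames[[int]$props.DefaultLevel]
        PolicyScope  = $ScopeNames[[int]$props.PolicyScope]
        Enforcement  = $EnforceNames[[int]$props.TransparentEnabled]
        Rules        = $rules
    }
}

function Get-SrpFileHash {
    # Digest a file the way a hash rule records it. SRP versions differ in the
    # algorithm they write (MD5 on older systems, SHA-1/SHA-256 on newer), so all three are returned.
    param([Parameter(Mandatory = $true)][string]$Path)
    $bytes = [System.IO.File]::ReadAllBytes((Resolve-Path $Path).ProviderPath)
    $result = @{ Path = $Path; Size = $bytes.Length }
    foreach ($alg in 'MD5', 'SHA1', 'SHA256') {
        $hasher = [System.Security.Cryptography.HashAlgorithm]::Create($alg)
        $result[$alg] = ($hasher.ComputeHash($bytes) | ForEach-Object { $_.ToString('x2') }) -join ''
    }
    New-Object PSObject -Property $result
}

function Test-SrpHashRule {
    # Return the hash rules (if any) in $Configuration whose digest matches the file.
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        [Parameter(Mandatory = $true)]$Configuration
    )
    $h = Get-SrpFileHash -Path $Path
    $digests = @($h.MD5, $h.SHA1, $h.SHA256)
    $Configuration.Rules | Where-Object { $_.Type -eq 'Hash' -and $digests -contains $_.Data }
}

# Usage (server and file names are lab assumptions; only the netlogon share name is from the thread):
Get-SrpConfiguration -Scope Machine | Format-List
Get-SrpConfiguration -Scope User | Format-List
$cfg = Get-SrpConfiguration -Scope User
foreach ($script in '\\TESTSERVER\netlogon\logon.bat', '\\TESTSERVER\netlogon\mapdrives.vbs') {
    if (Test-SrpHashRule -Path $script -Configuration $cfg) { "$script : covered by a hash rule" }
    else { "$script : no matching hash rule" }
}
```

Run it from the account under test after a `gpupdate`: if the User-scope object reports `Configured = $false` while the Machine-scope object reports Disallowed, the difference between Step 1 and Step 2 in the thread is visible directly. Note that a hash rule is tied to the exact bytes of the file, so every edit to the login script invalidates it; that is the "administrative overhead" Jakob refers to, and the reason the comparison above is worth re-running whenever a script changes.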