[gptalk] Re: Opinion on my Software Restriction Policy

  • From: "Darren Mar-Elia" <darren@xxxxxxxxxx>
  • To: <gptalk@xxxxxxxxxxxxx>
  • Date: Wed, 11 Jun 2008 05:58:15 -0700


It's nearly impossible to prevent any kind of software installation, simply 
because software can be installed anywhere on the file system and it's 
impossible to prevent writes to every location on the local file system. 
However, there is a series of things you can do to make it very difficult for 
users to either install or execute unwanted code. Part of that is using 
Software Restriction Policy-based whitelists (i.e. disallow all code as the 
default rule and then allow only the apps below). Part of it is using other 
measures including:


--Making sure users are not members of the local Administrators or Power Users 

--Removing the ability for MSI packages to install outside of managed apps 
(i.e. those deployed via GP) by enabling the policy at Computer 
Configuration\Admin. Templates\Windows Components\Windows Installer\Disable 
Windows Installer


Again, I think it’s a combination of several steps that you will need to 
perform to ensure that only the code you want is executed.







From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On 
Behalf Of Pankaj Bhakta
Sent: Tuesday, June 10, 2008 10:47 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Opinion on my Software Restriction Policy



We have a Win 2003 AD-based domain and users running Win XP SP2.


The following applications are installed by our IT department on every 

*       MS Office 2003 Pro
*       IE and Firefox
*       Win Zip
*       Adobe Reader
*       Sonic Record Now Plus - for burning CD/DVDs
*       Cyberlink PowerDVD

I want to setup a Software Restriction Policy to achieve the following:


a) Do not permit Users to install any software
b) All the above mentioned applications to run smoothly



On a test domain I have set up an SRP as follows (User Configuration):


Default Security Level - Disallowed

Enforcement Properties 

- All software files except libraries (such as DLLs)

- All users except Local Administrators

Designate File Types

- Removed the .LNK from the Designated File Types


Path rules

The 4 default rules kept intact.


Added the following


%userprofile%\Start Menu\Programs
%allusersprofile%\Start Menu\Programs
\\myserver\netlogon\*.bat - running login scripts
\\myserver\netlogon\*.vbs - running login scripts

Although I removed .LNK from the Designated File Types, the shortcuts on 
the desktop did not seem to work, so I added the following path rule.




Everything seems to be working as I wanted. All my applications that are 
already installed are working fine. The applications that have desktop 
shortcuts are working fine.

Also tested and found that the users cannot install any application. 


To me things seem to work all right, but I would still request your valued 
opinion and suggestions before I apply the policy on the production domain. 
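An added audit script, written for this archive and not part of either message above, that checks on a test client what Darren's reply and Pankaj's test policy describe: whether the logged-on user is a local Administrator or Power User, whether the "Disable Windows Installer" policy is set to block non-managed MSI packages, and what SRP settings and path rules actually reached the client. The registry locations and value meanings (Safer\CodeIdentifiers: DefaultLevel 0/131072/262144, TransparentEnabled, PolicyScope, ExecutableTypes, the level-numbered Paths subkeys; Installer\DisableMSI) are the documented policy keys; the function names, the probe-file name and the output format are my own. The part a practitioner most wants is the last check: with Default Security Level = Disallowed, any Unrestricted path rule that points at a directory the user can write to (the per-user Start Menu\Programs folder is one) lets the user run whatever they copy there, so the script probes each resolved rule directory as the current user and flags it.

```powershell
# Added audit script, not part of the gptalk thread. Run it on a test client
# as the ordinary (non-admin) user after 'gpupdate /force', so the
# writability probe reflects that user's rights. Needs PowerShell 3.0+.

# SRP level IDs as stored in the registry (SAFER_LEVELID_* values).
$levelNames = @{ 0 = 'Disallowed'; 131072 = 'Basic User'; 262144 = 'Unrestricted' }

function Test-LocalAdmin {
    # On XP this reflects real group membership; on Vista+ with UAC the
    # filtered token reports Administrator as $false unless elevated.
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $p  = New-Object Security.Principal.WindowsPrincipal($id)
    $p.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator) -or
        $p.IsInRole([Security.Principal.WindowsBuiltInRole]::PowerUser)
}

function Get-InstallerPolicy {
    # Computer Configuration\...\Windows Installer\Disable Windows Installer
    # writes DisableMSI: 1 = for non-managed applications only, 2 = always.
    $key = 'HKLM:\Software\Policies\Microsoft\Windows\Installer'
    $v = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).DisableMSI
    switch ($v) {
        1       { 'disabled for non-managed applications only' }
        2       { 'always disabled' }
        default { 'not disabled (policy unset or Never)' }
    }
}

function Resolve-SaferPath {
    param([string]$Pattern)
    # The four default rules are registry path rules such as
    # %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%\*.exe
    if ($Pattern -match '^%(HKEY_[A-Z_]+)\\(.+)\\([^\\%]+)%(.*)$') {
        $hive = $matches[1] -replace 'HKEY_LOCAL_MACHINE', 'HKLM:' -replace 'HKEY_CURRENT_USER', 'HKCU:'
        $key  = Join-Path $hive $matches[2]
        $val  = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).($matches[3])
        if ($val) { return "$val$($matches[4])" }
        return $Pattern
    }
    # Ordinary rules use environment variables (%userprofile%, %allusersprofile%).
    [Environment]::ExpandEnvironmentVariables($Pattern)
}

function Test-UserWritable {
    param([string]$Path)
    # Drop a trailing wildcard component (\*.exe, \*.bat) and probe the
    # directory by creating and deleting a temporary file as the current user.
    $dir = $Path -replace '\\[^\\]*\*[^\\]*$', ''
    if (-not $dir -or -not (Test-Path -LiteralPath $dir -PathType Container)) { return $false }
    $probe = Join-Path $dir ('srp-audit-' + [guid]::NewGuid().ToString('N') + '.tmp')
    try {
        New-Item -Path $probe -ItemType File -ErrorAction Stop | Out-Null
        Remove-Item -LiteralPath $probe -ErrorAction SilentlyContinue
        $true
    } catch { $false }
}

function Get-SaferPolicy {
    param([ValidateSet('HKCU', 'HKLM')][string]$Hive)
    $base = "${Hive}:\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"
    if (-not (Test-Path $base)) { return $null }
    $ci = Get-ItemProperty -Path $base
    $policy = [ordered]@{
        Hive              = $Hive
        DefaultLevel      = $levelNames[[int]$ci.DefaultLevel]
        # TransparentEnabled: 1 = all software except DLLs, 2 = DLLs as well
        EnforceDlls       = ($ci.TransparentEnabled -eq 2)
        # PolicyScope: 1 = all users except local administrators
        ExemptLocalAdmins = ($ci.PolicyScope -eq 1)
        ExecutableTypes   = [string[]]$ci.ExecutableTypes
        PathRules         = @()
    }
    foreach ($level in $levelNames.Keys) {
        $pathKey = Join-Path $base "$level\Paths"
        if (-not (Test-Path $pathKey)) { continue }
        foreach ($rule in Get-ChildItem -Path $pathKey) {
            $pattern = (Get-ItemProperty -Path $rule.PSPath).ItemData
            $policy.PathRules += [pscustomobject]@{
                Level    = $levelNames[$level]
                Pattern  = $pattern
                Resolved = Resolve-SaferPath $pattern
            }
        }
    }
    [pscustomobject]$policy
}

$me = [Security.Principal.WindowsIdentity]::GetCurrent().Name
Write-Host "Running as $me; local Administrator/Power User: $(Test-LocalAdmin)"
Write-Host "Windows Installer: $(Get-InstallerPolicy)"
foreach ($hive in 'HKCU', 'HKLM') {
    $p = Get-SaferPolicy -Hive $hive
    if ($null -eq $p) { Write-Host "`n$hive : no SRP settings applied"; continue }
    Write-Host "`n$hive SRP: default=$($p.DefaultLevel) checkDlls=$($p.EnforceDlls) exemptLocalAdmins=$($p.ExemptLocalAdmins)"
    Write-Host "  designated file types: $($p.ExecutableTypes -join ', ')"
    foreach ($r in $p.PathRules) {
        $flag = ''
        # An Unrestricted rule on a user-writable directory defeats the
        # whitelist: copy any .exe there and it runs.
        if ($r.Level -eq 'Unrestricted' -and (Test-UserWritable $r.Resolved)) {
            $flag = '   <-- user-writable'
        }
        Write-Host ('  {0,-12} {1}{2}' -f $r.Level, $r.Pattern, $flag)
    }
}
```

Any rule the script marks user-writable should be tightened before the policy goes to production: either point the rule at a directory only administrators can write to, or replace it with hash rules for the specific executables the shortcuts launch. The per-user Start Menu rule will be flagged on any XP client, since that folder belongs to the user.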



