[gptalk] Re: Opinion on my Software Restriction Policy

  • From: "Darren Mar-Elia" <darren@xxxxxxxxxx>
  • To: <gptalk@xxxxxxxxxxxxx>
  • Date: Wed, 11 Jun 2008 06:07:34 -0700

By using a Software Restriction Policy whitelist, you are saying to Windows
"don't allow execution of any code that is not explicitly allowed". This
means that no matter how you install something that is not in the allow
list, it will not run.





From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of hans straat
Sent: Wednesday, June 11, 2008 6:03 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Opinion on my Software Restriction Policy


Not to throw in any windows, but how do you want to block portable
applications that don't need installation, like Firefox Portable etc.?


From: darren@xxxxxxxxxx
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Opinion on my Software Restriction Policy
Date: Wed, 11 Jun 2008 05:58:15 -0700


It's nearly impossible to prevent any kind of software installation, simply
because software can be installed anywhere on the file system and it's
impossible to prevent writes to every location on the local file system.
However, there are a series of things you can do to make it very difficult
for users to either install or execute unwanted code. Part of that is using
Software Restriction Policy-based whitelists (i.e. disallow all code as the
default rule and then allow only the apps below). Part of it is using other
measures including:


--Making sure users are not members of the local Administrators or Power
Users groups

--Removing the ability for MSI packages to install outside of managed apps
(i.e. those deployed via GP) by enabling the policy at Computer
Configuration\Admin. Templates\Windows Components\Windows Installer\Disable
Windows Installer


Again, I think it's a combination of several steps that you will need to
perform to ensure that only the code you want is executed.







From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Pankaj Bhakta
Sent: Tuesday, June 10, 2008 10:47 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Opinion on my Software Restriction Policy



We have a Win 2003 AD-based domain and users running Win XP SP2.


The following applications are installed by our IT department on every

*       MS Office 2003 Pro
*       IE and Firefox
*       Win Zip
*       Adobe Reader
*       Sonic Record Now Plus - for burning CD/DVDs
*       Cyberlink PowerDVD

I want to set up a Software Restriction Policy to achieve the following:


a) Do not permit Users to install any software
b) All the above mentioned applications to run smoothly



On a test domain I have set up an SRP as follows (User Configuration):


Default Security Level - Disallowed

Enforcement Properties 

- All software files except libraries (such as DLLs)

- All users except Local Administrators

Designate File Types

-Removed the .LNK from the Designated File Types


Path rules

The 4 default rules kept intact.


Added the following


%userprofile%\Start Menu\Programs
%allusersprofile%\Start Menu\Programs
\\myserver\netlogon\*.bat - running login scripts
\\myserver\netlogon\*.vbs - running login scripts

Although I removed .LNK from the Designated File Types, the shortcuts
on the desktop did not seem to work, so I added the following path rule.




Everything seems to be working as I wanted. All my applications that are
already installed are working fine. The applications that have desktop
shortcuts are working fine.

Also tested and found that the users cannot install any application. 


To me things seem to work all right, but I would still request your valued
opinion and suggestions before I apply the policy on the production domain.

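The thread recommends a default-deny SRP whitelist plus two supporting measures (keeping users out of the local Administrators group and enabling the "Disable Windows Installer" policy), and the original post lists a concrete SRP configuration. The script below is an added audit example, not code from the gptalk list or from Microsoft: it reads the settings that Group Policy writes to the standard SRP registry location (CodeIdentifiers under Policies\Microsoft\Windows\Safer, in HKLM for Computer Configuration and HKCU for User Configuration) and the Windows Installer policy key, and reports where a machine departs from that posture. The list of user-writable path prefixes is this script's own assumption.

```powershell
# Added audit example (not from the gptalk thread). Reads the SRP and Windows
# Installer policy settings from the registry and reports where they depart
# from a default-deny whitelist. Run in an elevated PowerShell session.

# Computer Configuration SRP lands in HKLM, User Configuration (as in the thread) in HKCU
$SaferKeys = @(
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers',
    'HKCU:\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
)

# Security levels SRP uses both for DefaultLevel and as rule subkey names
$LevelNames = @{ 0 = 'Disallowed'; 131072 = 'Basic User'; 262144 = 'Unrestricted' }

# Path prefixes a standard user can normally write to (assumption of this script).
# An Unrestricted path rule under one of these only holds up if the folder ACL
# keeps users from writing there, so such rules are reported for review.
$UserWritablePrefixes = @('%userprofile%', '%appdata%', '%localappdata%', '%temp%', '%tmp%')

function Get-SrpPathRules {
    # Returns every path rule under one CodeIdentifiers key as Level/Path/Description objects
    param([string]$Key)
    foreach ($level in $LevelNames.Keys) {
        $pathsKey = Join-Path $Key "$level\Paths"
        if (-not (Test-Path $pathsKey)) { continue }
        foreach ($rule in Get-ChildItem -Path $pathsKey) {
            # Read ItemData unexpanded so '%userprofile%' stays comparable as a prefix
            $regKey = Get-Item -Path $rule.PSPath
            [pscustomobject]@{
                Level       = $LevelNames[$level]
                Path        = [string]$regKey.GetValue('ItemData', '', 'DoNotExpandEnvironmentNames')
                Description = [string]$regKey.GetValue('Description', '')
            }
        }
    }
}

function Test-SrpPolicy {
    # Returns a list of findings for one CodeIdentifiers key
    param([string]$Key)
    if (-not (Test-Path $Key)) { return @("no SRP settings present") }
    $ci = Get-ItemProperty -Path $Key
    $findings = @()

    # DefaultLevel: 0 = Disallowed; anything else (or missing) means a blacklist posture
    if ($null -eq $ci.DefaultLevel -or $ci.DefaultLevel -ne 0) {
        $name = if ($null -eq $ci.DefaultLevel) { 'not set (Unrestricted)' } else { $LevelNames[[int]$ci.DefaultLevel] }
        $findings += "Default security level is $name, not Disallowed"
    }
    # TransparentEnabled: 1 = all software files except libraries (DLLs), 2 = all software files
    if ($ci.TransparentEnabled -ne 2) {
        $findings += "Libraries (DLLs) are not checked (TransparentEnabled=$($ci.TransparentEnabled))"
    }
    # PolicyScope: 0 = all users, 1 = all users except local administrators
    if ($ci.PolicyScope -eq 1) {
        $findings += "Policy exempts local Administrators; confirm users are not members of that group"
    }
    # ExecutableTypes is the Designated File Types list; the thread removed LNK from it
    if ($ci.ExecutableTypes -notcontains 'LNK') {
        $findings += "LNK is not a designated file type: shortcuts themselves are not checked, only their targets"
    }
    foreach ($rule in Get-SrpPathRules -Key $Key) {
        if ($rule.Level -ne 'Unrestricted') { continue }
        foreach ($prefix in $UserWritablePrefixes) {
            if ($rule.Path -like "$prefix*") {
                $findings += "Unrestricted path rule '$($rule.Path)' is under a user-writable location; verify its ACL denies user writes"
            }
        }
    }
    if ($findings.Count -eq 0) { $findings += 'No findings' }
    return $findings
}

function Test-InstallerPolicy {
    # 'Disable Windows Installer' policy: DisableMSI 0 = never, 1 = non-managed apps only, 2 = always
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer'
    $value = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).DisableMSI
    switch ($value) {
        1       { return 'disabled for non-managed applications (GP-deployed MSIs still install)' }
        2       { return 'disabled entirely' }
        default { return 'not restricted: users can run any MSI the SRP allows' }
    }
}

function Test-LocalAdmin {
    # On XP this reflects Administrators group membership; under UAC it reflects the elevated token
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

foreach ($key in $SaferKeys) {
    Write-Host "== $key"
    Test-SrpPolicy -Key $key | ForEach-Object { Write-Host "  - $_" }
}
Write-Host "== Windows Installer: $(Test-InstallerPolicy)"
Write-Host "== Current user holds local Administrator rights: $(Test-LocalAdmin)"
```

Run it as the test user on a machine where the policy has applied; the User Configuration settings from the thread show up under the HKCU key, and the Start Menu path rules will be reported for ACL review because %userprofile% is on the user-writable list.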