[gptalk] Re: Start on Software Restriction Policy

  • From: "Jakob H. Heidelberg" <jakob@xxxxxxxxxxxxxxx>
  • To: gptalk@xxxxxxxxxxxxx
  • Date: Tue, 27 May 2008 17:30:13 +0200

Hi

SRP is a very hard thing to manage no matter how you do it, so be sure you know 
what you go into before taking the first step. Start by thinking through all 
good and bad things with SRP and then create your design, a design that fits 
your needs and time for "administrative overhead". Personally I think the best 
(most secure) way is to Disallow Everything and then White List from there 
(either HASH or Certificate rules in my world).

Some guy (guess who) wrote a few articles on this which I'll recommend you to 
read :)
http://windowsecurity.com/articles/Default-Deny-All-Applications-Part1.html
http://windowsecurity.com/articles/Default-Deny-All-Applications-Part2.html

To be honest I think this is an area on which MS should really use a lot of 
resources over the next years (and I know they have some new AppID-thing on its 
way) - SRP does a good job to some extent, but as always we need and demand 
more - the current SRP technology is back from the introduction of Windows XP...

Well, I hope I could help a bit.

Best regards
Jakob H. Heidelberg
MVP:Enterprise Security

On Tue, 27 May 2008 23:27:09 +1200, Pankaj Bhakta wrote
> Hi, 
> Can someone please give me a start on Software Restriction Policy. 
> 
> My environment is Win 2003 DC, and Win XP Pro desktops and Laptops. 
> I have two OUs, i.e. Desktops OU and Laptops OU 
> I want to restrict users from downloading and installing games and 
> other files. 
> 
> I was under the impression that by default users cannot install any software 
> on their desktop. 
> 
> As a test case, I logged in as a domain user and tried to install a program 
> called Sherif Draw Plus and found that it requires admin privilege. 
> 
> However, from the same desktop when I downloaded SKYPE, I was able to install 
> it under the same user's login. 
> I tried the same with Audacity and I was able to install it. 
> I am now confused. 
> After reading a few materials on the net, I am about to give a start to 
> implement a Software Restriction Policy but I found that one school of 
> thought says that you should start by Implementing a Policy that would 
> disallow everything and add only rules to run the software we require. 
> 
> The other school says that it is not safe and we should use the unrestricted 
> option with path rule to stop applications that we do not want to run. 
> Our general desktop users run MS office, IE, Firefox. We also run a vbs login 
> script to map the drives and printers. 
> I went through the archive and could not find anything on the best practices. 
> Since this forum is for the pros, I would seek your guidance. 
> Thanks in advance, 
> Pankajb 
>

-- 
Open WebMail Project (http://openwebmail.org)
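
The two designs weighed in this thread (default Unrestricted with Disallowed path rules, versus default Disallowed with allow rules), as an added example that is not part of either post. It is a simplified Python model of path-rule evaluation only; all paths and program names are constructed, and hash and certificate rules are not modelled.

```python
# Simplified model of SRP path-rule evaluation (added illustration, not
# Microsoft's implementation). Assumption: the most specific matching path
# rule wins; if no rule matches, the policy's default level applies.
DISALLOWED, UNRESTRICTED = "Disallowed", "Unrestricted"


def norm(path):
    """Normalise a Windows path for case-insensitive prefix matching."""
    return path.replace("/", "\\").rstrip("\\").lower()


def evaluate(path, default_level, path_rules):
    target = norm(path)
    best_len, best_level = -1, default_level
    for rule_path, level in path_rules:
        rule = norm(rule_path)
        matches = target == rule or target.startswith(rule + "\\")
        if matches and len(rule) > best_len:
            best_len, best_level = len(rule), level
    return best_level


PROFILE = r"C:\Documents and Settings\user1\Application Data"  # constructed

# Design A: everything runs unless a path rule blocks it.
BLACKLIST = (UNRESTRICTED, [(PROFILE + r"\KnownGame", DISALLOWED)])
# Design B: nothing runs unless a path rule allows it.
WHITELIST = (DISALLOWED, [(r"C:\WINDOWS", UNRESTRICTED),
                          (r"C:\Program Files", UNRESTRICTED)])

SAMPLES = [  # constructed sample launch paths
    r"C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE",
    PROFILE + r"\KnownGame\game.exe",   # program the admin already knows about
    PROFILE + r"\NewApp\newapp.exe",    # per-user install nobody listed
]


def decide(policy, path):
    default_level, rules = policy
    return evaluate(path, default_level, rules)


if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{decide(BLACKLIST, sample):13} {decide(WHITELIST, sample):13} {sample}")
```

The per-user install that no rule mentions is the only row where the two designs disagree: it runs under design A and is blocked under design B.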
