Hi Richard,

When you're doing software restriction policies (SRP) at a local machine level, which of course is all you can do in an NT 4.0 domain, the MMC interface writes to %systemroot%\system32\grouppolicy\machine\registry.pol, and that policy is applied on reboot. Or you could use a machine policy refresh (use gpupdate, or scripting, see: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/policy/policy/refreshpolicy.asp) or set a fairly short machine group policy refresh interval; no reboots needed.

The registry.pol file is used to patch the machine policies, e.g. the software restriction policy area etc., in the registry, and is used as the store for the SRP, the same as a *.pol file with poledit. There's no way that changing the registry will be reflected back in registry.pol, because it's a one-way process. Unfortunately Microsoft changed the pol file format, so hacking it directly needs some new tools. I haven't tried it, but it may be possible to use the same registry.pol file on multiple systems.

Regards,
Rick

Ulrich Mack
rmack@xxxxxxxxxxxxxx
Volante Systems
18 Heussler Terrace, Milton 4064 Queensland Australia
tel +61 7 32467704

-----Original Message-----
From: RICHARD.CHAPMAN@xxxxxxxxxxxxxxxxxx [mailto:RICHARD.CHAPMAN@xxxxxxxxxxxxxxxxxx]
Sent: Thursday, 12 June 2003 6:55 PM
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Appsec, Software Restriction Policies and Windows Server 2003...

Hi there

We currently run a Windows NT 4.0 Terminal Server farm for which we use appsec very successfully to restrict access to unknown code whilst giving access to over 100 known applications. We use a scripted build to deploy the applications and at the same time enter trusted applications into the appsec registry section. This works very well for us. We are currently looking at moving to Windows Server 2003 and I see now that appsec has been replaced by Software Restriction Policies.
So far, I haven't been able to find any information on how to script these policies or, for that matter, any way in the MMC to export and import these policies. (An export option is available to a csv file, but there is no way to import this file... and all of the restrictions need to be entered manually in the first instance anyway.)

After a bit of digging I found that the Software Restriction Policies themselves are stored in the registry under

HKLM\Software\Policies\Microsoft\Windows\Safer\codeidentifiers\0\Paths\{Some GUID} for disallowed rules and
HKLM\Software\Policies\Microsoft\Windows\Safer\codeidentifiers\262144\Paths\{Some GUID} for unrestricted rules.

If I directly enter restrictions into the above registry locations by creating my own unique GUID and all of the other appropriate information and then reboot the server, the policies do in fact take effect. However, they are not viewable in the MMC.

Does anyone know of any other ways to script this in a more refined manner and in a way where everything will be viewable in the MMC?

Regards
Rich

Richard Chapman
Technical Support
richard.chapman@xxxxxxxxxxxxxxxxxx
Ph +44 207 587 2205

This email is confidential to the addressee only. If you do not believe that you are the intended addressee, do not use, pass on or copy it in any way. If you have received it in error, please delete it immediately and telephone the number given, reversing the charges if necessary.

****************************************************************************
SMOKE ALARMS SAVE LIVES
Go to London Fire at www.london-fire.gov.uk/firesafety
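An added example (not code from either poster) tying Rick's point about the new registry.pol format to the Safer key paths Richard found: a small Python writer and parser for the "PReg" registry.pol file, producing the entries for SRP path rules under the 0 (disallowed) and 262144 (unrestricted) subkeys and reading them back as (level, GUID, path). The ItemData/SaferFlags value names and types under each rule GUID are my assumption from the Safer rule layout (the thread names only the keys), and the sample paths and GUIDs in the test are constructed.

```python
import struct
# PReg layout: b"PReg", version DWORD 1, then [key\0;value\0;type;size;data] entries,
# with the brackets, semicolons and both strings encoded as UTF-16LE.
REG_EXPAND_SZ, REG_DWORD = 2, 4
SAFER_BASE = r"Software\Policies\Microsoft\Windows\Safer\codeidentifiers"
DISALLOWED, UNRESTRICTED = 0, 262144  # the two security-level subkeys named in the thread

def u16(s):
    return s.encode("utf-16-le")
def preg_entry(key, value, vtype, data):
    sep = u16(";")
    return (u16("[") + u16(key) + b"\0\0" + sep + u16(value) + b"\0\0" + sep
            + struct.pack("<I", vtype) + sep + struct.pack("<I", len(data)) + sep
            + data + u16("]"))
def path_rule_entries(path, level, guid):
    # ItemData/SaferFlags value names and types are an assumption from the Safer rule layout, not from the thread
    key = rf"{SAFER_BASE}\{level}\Paths\{{{guid}}}"
    return [preg_entry(key, "ItemData", REG_EXPAND_SZ, u16(path) + b"\0\0"),
            preg_entry(key, "SaferFlags", REG_DWORD, struct.pack("<I", 0))]
def build_registry_pol(entries):
    return b"PReg" + struct.pack("<I", 1) + b"".join(entries)

def _read_sz(blob, pos):  # scan in 2-byte steps so a UTF-16 code unit is never split
    end = next(i for i in range(pos, len(blob), 2) if blob[i:i + 2] == b"\0\0")
    return blob[pos:end].decode("utf-16-le"), end + 2
def _expect(blob, pos, ch):
    if blob[pos:pos + 2] != u16(ch):
        raise ValueError(f"malformed registry.pol at offset {pos}")
    return pos + 2

def parse_registry_pol(blob):
    if blob[:8] != b"PReg" + struct.pack("<I", 1): raise ValueError("not a version-1 PReg file")
    entries, pos = [], 8
    while pos < len(blob):
        key, pos = _read_sz(blob, _expect(blob, pos, "["))
        value, pos = _read_sz(blob, _expect(blob, pos, ";"))
        s1, vtype, s2, size, s3 = struct.unpack("<2sI2sI2s", blob[pos:pos + 14])
        if (s1, s2, s3) != (u16(";"),) * 3:
            raise ValueError(f"malformed registry.pol at offset {pos}")
        entries.append((key, value, vtype, blob[pos + 14:pos + 14 + size]))
        pos = _expect(blob, pos + 14 + size, "]")
    return entries

def srp_path_rules(blob):  # -> [(level, guid, path)] for each SRP path rule in the blob
    rules = []
    for key, value, _vtype, data in parse_registry_pol(blob):
        if value == "ItemData" and key.lower().startswith(SAFER_BASE.lower()):
            level, _paths, guid = key[len(SAFER_BASE) + 1:].split("\\")
            rules.append((int(level), guid.strip("{}"), data.decode("utf-16-le").rstrip("\0")))
    return rules
```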
********************************************************
This week's sponsor - Emergent Online 99Point9.com
Designed to facilitate efficient resolution of your technical server-based questions, issues and incidents, technical support is a few mouse-clicks away: you submit your incident-specific support requests via our online support helpdesk, our certified engineers resolve them while you monitor the progress, and your systems get back to 99.9% up-time in no time.
http://www.99point9.com
**********************************************************
Useful Thin Client Computing Links are available at:
http://thethin.net/links.cfm
For Archives, to Unsubscribe, Subscribe or set Digest or Vacation mode use the below link:
http://thethin.net/citrixlist.cfm
--------------------------------------------------------------------------------------------------------------------
The information contained in this e-mail is confidential and may be subject to legal professional privilege. It is intended solely for the addressee. If you receive this e-mail by mistake please promptly inform us by reply e-mail and then delete the e-mail and destroy any printed copy. You must not disclose or use in any way the information in the e-mail. There is no warranty that this email or any attachment or message is error or virus free. It may be a private communication, and if so, does not represent the views of Volante group Limited.