[THIN] Re: Appsec, Software Restriction Policies and Windows Server 2003...

  • From: "Mack, Rick" <RMack@xxxxxxxxxxxxxx>
  • To: "'thin@xxxxxxxxxxxxx'" <thin@xxxxxxxxxxxxx>
  • Date: Thu, 12 Jun 2003 21:25:33 +1000

Hi Richard,
When you're doing software restriction policies (SRP) at a local machine
level, which of course is all you can do in an NT 4.0 domain, the MMC
interface writes to %systemroot%\system32\grouppolicy\machine\registry.pol,
and that policy is applied on reboot. Or you could use a machine policy
refresh (use gpupdate, or scripting, see:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/policy/policy/refreshpolicy.asp)
or set a fairly short machine group policy refresh interval; no reboots
needed.

The registry.pol file is used to patch the machine policies, e.g. the software
restriction policy area etc., in the registry, and is used as the store for
the SRP, same as a *.pol file with poledit. There's no way that changing the
registry will be reflected back in registry.pol because it's a one-way
process. Unfortunately Microsoft changed the pol file format, so hacking it
directly needs some new tools. I haven't tried it, but it may be possible to
use the same registry.pol file on multiple systems.

Regards,

Rick

Ulrich Mack
rmack@xxxxxxxxxxxxxx
Volante Systems
18 Heussler Terrace, Milton 4064
Queensland Australia
tel +61 7 32467704



-----Original Message-----
From: RICHARD.CHAPMAN@xxxxxxxxxxxxxxxxxx
[mailto:RICHARD.CHAPMAN@xxxxxxxxxxxxxxxxxx] 
Sent: Thursday, 12 June 2003 6:55 PM
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Appsec, Software Restriction Policies and Windows Server 2003...


Hi there
 
We currently run a Windows NT 4.0 Terminal Server farm for which we use
appsec very successfully to restrict access to unknown code whilst giving
access to over 100 known applications.  We use a scripted build to deploy
the applications and at the same time enter trusted applications into the
appsec registry section.  This works very well for us.
 
We are currently looking at moving to Windows Server 2003 and I see now that
appsec has been replaced by Software Restriction Policies.  So far, I
haven't been able to find any information on how to script these policies
or, for that matter, any way in the MMC to export and import these policies.
(An export option is available to a csv file but there is no way to import
this file... and all of the restrictions need to be entered manually in the
first instance anyway)
 
After a bit of digging I found that the Software Restriction Policies
themselves are stored in the registry under

HKLM\Software\Policies\Microsoft\Windows\Safer\codeidentifiers\0\Paths\{Some GUID} for disallowed rules

and

HKLM\Software\Policies\Microsoft\Windows\Safer\codeidentifiers\262144\Paths\{Some GUID} for unrestricted rules

If I directly enter restrictions into the above registry locations by
creating my own unique GUID and all of the other appropriate information and
then reboot the server, the policies do in fact take effect.  However, they
are not viewable in the MMC.
 
Does anyone know of any other ways to script this in a more refined manner
and in a way where everything will be viewable in the MMC?
 
Regards
Rich
Richard Chapman 
Technical Support 
richard.chapman@xxxxxxxxxxxxxxxxxx 
Ph +44 207 587 2205 
This email is confidential to the addressee only. If you do not believe that
you are the intended addressee, do not use, pass on or copy it in any way.
If you have received it in error, please delete it immediately and telephone
the number given, reversing the charges if necessary.
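Added illustration, not code from either poster: Rick says the MMC writes the SRP rules into registry.pol and that the .pol format changed, while Richard identifies the registry keys under which rules live and asks how to script them. The Python below builds a small registry.pol in the PReg version 1 layout (`PReg` magic, DWORD version 1, then `[key;value;type;size;data]` records in UTF-16LE) holding one Disallowed and one Unrestricted path rule under the key path from the thread, then parses it back and decodes each rule's security level from its key, which is what an auditor checking a server's local SRP store would want. The value names ItemData and SaferFlags, the REG_EXPAND_SZ type for the path, the Basic User level 131072, the GUIDs and the paths are my assumptions and constructed sample data, not something the thread spells out.

```python
import struct

SAFER_BASE = r"Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"
LEVELS = {0: "Disallowed", 131072: "Basic User", 262144: "Unrestricted"}  # <level> subkey
REG_SZ, REG_EXPAND_SZ, REG_DWORD, U16 = 1, 2, 4, "utf-16-le"
LB, SEP, RB = "[".encode(U16), ";".encode(U16), "]".encode(U16)
def _sz(s):  # null-terminated UTF-16LE string, as registry.pol stores names and string data
    return (s + "\0").encode(U16)
def build_entry(key, value, rtype, data):  # one [key;value;type;size;data] PReg record
    return (LB + _sz(key) + SEP + _sz(value) + SEP + struct.pack("<I", rtype)
            + SEP + struct.pack("<I", len(data)) + SEP + data + RB)
def build_path_rule(level, rule_guid, path):  # assumed value names: ItemData, SaferFlags
    key = f"{SAFER_BASE}\\{level}\\Paths\\{{{rule_guid}}}"
    return (build_entry(key, "ItemData", REG_EXPAND_SZ, _sz(path))
            + build_entry(key, "SaferFlags", REG_DWORD, struct.pack("<I", 0)))
def sample_pol():  # constructed registry.pol: 'PReg' + version 1, then a deny and an allow rule
    return (b"PReg" + struct.pack("<I", 1)
            + build_path_rule(0, "11111111-2222-3333-4444-555555555555", r"C:\Temp\*")
            + build_path_rule(262144, "66666666-7777-8888-9999-000000000000",
                              r"C:\Program Files\App\app.exe"))
def _read_sz(blob, pos):  # -> (string, offset just past its 2-byte null terminator)
    end = next(i for i in range(pos, len(blob), 2) if blob[i:i + 2] == b"\0\0")
    return blob[pos:end].decode(U16), end + 2
def parse_pol(blob):  # yield (key, value, type, data) for every record in the blob
    assert blob[:8] == b"PReg" + struct.pack("<I", 1), "not a PReg version 1 file"
    pos = 8
    while pos < len(blob):
        assert blob[pos:pos + 2] == LB, f"bad record start at offset {pos}"
        key, pos = _read_sz(blob, pos + 2)                   # skip '['
        value, pos = _read_sz(blob, pos + 2)                 # skip ';'
        rtype = struct.unpack_from("<I", blob, pos + 2)[0]   # ';' then DWORD type
        size = struct.unpack_from("<I", blob, pos + 8)[0]    # ';' then DWORD size
        data, pos = blob[pos + 14:pos + 14 + size], pos + 16 + size  # ';' data ']'
        yield key, value, rtype, data
def srp_rules(blob):  # one dict per SRP path rule, with its security level decoded
    rules = {}
    for key, value, rtype, data in parse_pol(blob):
        parts = key.split("\\")  # ...\CodeIdentifiers\<level>\Paths\{guid}
        if not key.lower().startswith(SAFER_BASE.lower()) or parts[-2].lower() != "paths":
            continue
        level = int(parts[-3])
        rule = rules.setdefault(key, {"level": level, "level_name": LEVELS.get(level, "?"),
                                      "guid": parts[-1].strip("{}")})
        if value == "ItemData" and rtype in (REG_SZ, REG_EXPAND_SZ):
            rule["path"] = data.decode(U16).rstrip("\0")
        elif value == "SaferFlags" and rtype == REG_DWORD:
            rule["flags"] = struct.unpack("<I", data)[0]
    return list(rules.values())
```

To audit a real server, read %systemroot%\system32\grouppolicy\machine\registry.pol into `blob` and call `srp_rules(blob)`; records outside the Safer key are skipped.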

********************************************************
This weeks sponsor - Emergent Online 99Point9.com
Designed to facilitate efficient resolution of your technical server-based
questions, issues and incidents, technical support is a few mouse-clicks
away: you submit your incident-specific support requests via our online
support helpdesk, our certified engineers resolve them while you monitor the
progress, and your systems get back to 99.9% up-time in no time.
http://www.99point9.com 
**********************************************************
Useful Thin Client Computing Links are available at:
http://thethin.net/links.cfm

For Archives, to Unsubscribe, Subscribe or 
set Digest or Vacation mode use the below link:
http://thethin.net/citrixlist.cfm
--------------------------------------------------------------------------------------------------------------------
The information contained in this e-mail is confidential and may be subject
to legal professional privilege.  It is intended solely for the addressee.
If you receive this e-mail by mistake please promptly inform us by reply
e-mail and then delete the e-mail and destroy any printed copy.  You must
not disclose  or use in any way the information in the e-mail. There is no
warranty that this email or any attachment or message is error or virus free. 
It may be a private
communication, and if so, does not represent the views of Volante group Limited.

