How To Use Software Restriction Policies in Windows Server 2003 (324036)
The information in this article applies to:
- Microsoft Windows Server 2003, Enterprise Edition
- Microsoft Windows Server 2003, Standard Edition
This article was previously published under Q324036 SUMMARY This article describes how to use software restriction
policies in Windows Server 2003. When you use software restriction policies,
you can identify and specify the software that is allowed to run so that you
can protect your computer environment from untrusted code. When you use
software restriction policies, you can define a default security level of Unrestricted or Disallowed for a Group Policy object (GPO) so that software is either
allowed or not allowed to run by default. To create exceptions to this default
security level, you can create rules for specific software. You can create the
following types of rules:
- Hash rules
- Certificate rules
- Path rules
- Internet zone rules
A policy is made up of the default security level and all of
the rules applied to a GPO. This policy can apply to all of the computers or to
individual users. Software restriction policies provide a number of ways to
identify software, and they provide a policy-based infrastructure to enforce
decisions about whether the software can run. With software restriction
policies, users must follow the guidelines that are set up by administrators
when they run programs. With software restriction policies, you can
perform the following tasks:
- Control which programs can run on your computer. For
example, you can apply a policy that does not allow certain file types to run
in the e-mail attachment folder of your e-mail program if you are concerned
about users receiving viruses through e-mail.
- Permit users to run only specific files on multiple-user
computers. For example, if you have multiple users on your computers, you can
set up software restriction policies in such a way that users do not have
access to any software except for those specific files that they must use for
their work.
- Decide who can add trusted publishers to your
computer.
- Control whether software restriction policies affect all
users or just certain users on a computer.
- Prevent any files from running on your local computer, your
organizational unit, your site, or your domain. For example, if there is a
known virus, you can use software restriction policies to stop the computer
from opening the file that contains the virus.IMPORTANT: Microsoft recommends that you do not use software restriction
policies as a replacement for antivirus software.
back to the top
How to Start Software Restriction PoliciesFor the Local Computer Only- Click Start, point to Programs, point to Administrative Tools, and then click Local Security Policy.
- In the console tree, expand Security Settings, and then expand Software Restriction Policies.
back to the top
For a Domain, a Site, or an Organizational Unit on a Member Server or a Workstation That Is Joined to a Domain- Open Microsoft Management Console (MMC). To do so, click Start, click Run, type mmc, and then click OK.
- On the File menu, click Add/Remove Snap-in, and then click Add.
- Click Group Policy Object Editor, and then click Add.
- In Select Group Policy Object, click Browse.
- In Browse for a Group Policy Object, either select a Group Policy object (GPO) in the appropriate
domain, site, or organizational unit, and then click Finish.
Alternatively, you can create a new GPO, and then
click Finish. - Click Close, and then click OK.
- In the console tree, go to the following location:
Group Policy Object Computer_name Policy/Computer Configuration or User/Configuration/Windows Settings/Security Settings/Software Restriction Policies
back to the top
For an Organizational Unit or a Domain on a Domain Controller or a Workstation That Has the Administration Tools Pack Installed- Click Start, point to All Programs, point to Administrative Tools, and then click Active Directory Users and Computers.
- In the console tree, right-click the domain or
organizational unit that you want to set Group Policy for.
- Click Properties, and then click the Group Policy tab.
- Click an entry in Group Policy Object Links to select an existing GPO, and then click Edit.
Alternatively, you can click New to create a new GPO, and then click Edit. - In the console tree, go to the following location:
Group Policy Object Computer_name Policy/Computer Configuration or User Configuration/Windows Settings/Security Settings/Software Restriction Policies
back to the top
For Your Site and on a Domain Controller or a Workstation That Has the Administration Tools Pack Installed- Click Start, point to All Programs, point to Administrative Tools, and then click Active Directory Sites and Services.
- In the console tree, right-click the site that you want to
set Group Policy for:
- Active Directory Sites and Services [
Domain_Controller_Name.
Domain_Name]
- Sites
- Site
- Click Properties, and then click the Group Policy tab.
- Click an entry in Group Policy Object Links to select an existing Group Policy object (GPO), and then click Edit.
Alternatively, click New to create a new GPO, and then click Edit. - In the console tree, go to the following location:
Group Policy Object Computer_name Policy/Computer Configuration or User Configuration/Windows Settings/Security Settings/Software Restriction Policies
IMPORTANT: Click User Configuration to set policies that will be applied to users, regardless of the
computer to which they log on. Click Computer Configuration to set policies that will be applied to computers, regardless of
the users who log on to them.
You can also apply software
restriction policies to specific users when they log on to specific computer by
using an advanced Group Policy setting named loopback.
back to the top
How to Prevent Software Restriction Policies from Applying to Local Administrators- Click Start, click Run, type mmc, and then click OK.
- Open Software Restriction Policies.
- In the details pane, double-click Enforcement.
- Under Apply software restriction policies to the
following users, click All users except local
administrators.
NOTES:
- You may have to create a new software restriction policy
setting for this GPO if you have not already done so.
- Typically, users are members of the local administrator
group on their computers in your organization; therefore, you may not want to
turn on this setting. Software restriction policies do not apply to any users
who are members of their local administrator group.
- If you are defining a software restriction policy setting
for your local computer, use this procedure to prevent local administrators
from having software restriction policies applied to them. If you are defining
a software restriction policy setting for your network, filter user policy
settings based on membership in security groups by using Group Policy.
back to the top
How to Create a Certificate Rule- Click Start, click Run, type mmc, and then click OK.
- Open Software Restriction Policies.
- In either the console tree or the details pane, right-click
Additional Rules, and then click New Certificate Rule.
- Click Browse, and then select a certificate.
- Select a security level.
- In the Description box, type a description for this rule, and then click OK.
NOTES:
- For information about how to start software restriction
policies in MMC, see "Start software restriction policies" in Related Topics in
the Windows Server 2003 Help file.
- You may have to create a new software restriction policy
setting for this GPO if you have not already done so.
- By default, certificate rules are not turned on. To turn on
certificate rules:
- Click Start, click Run, type regedit, and then click OK.
- Locate and then click the following registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers - In the details pane, double-click AuthenticodeEnabled, and then change the value data from 0 to 1.
- The only file types that are affected by certificate rules
are those that are listed in Designated file types. There is one list of designated file types that is shared by all
rules.
- For software restriction policies to take effect, users
must update policy settings by logging off from and then logging on to their
computers.
- When more than one rule is applied to policy settings,
there is a precedence of rules for handling conflicts.
back to the top
How to Create a Hash Rule- Click Start, click Run, type mmc, and then click OK.
- Open Software Restriction Policies.
- In either the console tree or the details pane, right-click
Additional Rules, and then click New Hash Rule.
- Click Browse to find a file, or paste a precalculated hash in the File hash box.
- In the Security level box, click either Disallowed or Unrestricted.
- In the Description box, type a description for this rule, and then click OK.
NOTES:
- You may have to create a new software restriction policy
setting for this GPO if you have not already done so.
- You can create a hash rule for a virus or a Trojan horse to
prevent the malicious software from running.
- If you want other users to use a hash rule so that a virus
cannot run, calculate the hash of the virus by using software restriction
policies, and then e-mail the hash value to other users. Never e-mail the virus
itself.
- If a virus has been sent through e-mail, you can also
create a path rule to prevent users from running mail attachments.
- A file that is renamed or moved to another folder still
results in the same hash.
- Any change to a file results in a different
hash.
- The only file types that are affected by hash rules are
those that are listed in Designated file types. There is one list of designated file types that is shared by all
rules.
- For software restriction policies to take effect, users
must update policy settings by logging off from and then logging on to their
computers.
- When more than one rule is applied to policy settings,
there is a precedence of rules for handling conflicts.
back to the top
How to Create an Internet Zone Rule- Click Start, click Run, type mmc, and then click OK.
- Open Software Restriction Policies.
- In the console tree, click Software Restriction Policies.
- In either the console tree or the details pane, right-click
Additional Rules, and then click New Internet Zone Rule.
- In Internet zone, click an Internet zone.
- In the Security Level box, click either Disallowed or Unrestricted, and then click OK.
NOTES:
- You may have to create a new software restriction policy
setting for this GPO if you have not already done so.
- Zone rules apply to Windows Installer packages
only.
- The only file types that are affected by zone rules are
those that are listed in Designated file types. There is one list of designated file types that is shared by all
rules.
- For software restriction policies to take effect, users
must update policy settings by logging off from and then logging on to their
computers.
- When more than one rule is applied to policy settings,
there is a precedence of rules for handling conflicts.
back to the top
How to Create a Path Rule- Click Start, click Run, type mmc, and then click OK.
- Open Software Restriction Policies.
- In either the console tree or the details pane, right-click
Additional Rules, and then click New Path Rule.
- In the Path box, type a path or click Browse to find a file or folder.
- In the Security level box, click either Disallowed or Unrestricted.
- In the Description box, type a description for this rule, and then click OK.IMPORTANT: On certain folders, such as the Windows folder, setting the
security level to Disallowed can adversely affect the operation of your operating system. Make
sure that you do not disallow a crucial component of the operating system or
one of its dependent programs.
NOTES:
- You may have to create a new software restriction policy
setting for this GPO if you have not already done so.
- If you create a path rule for a program with a security
level of Disallowed, a user can still run the software by copying it to another
location.
- The wildcard characters that are supported by the path rule
are the asterisk (*) and the question mark (?).
- You can use environment variables, such as %programfiles%
or %systemroot%, in your path rule.
- To create a path rule for software when you do not know
where it is stored on a computer but you have its registry key, you can create
a registry path rule.
- To prevent users from running e-mail attachments, you can
create a path rule for your mail program's attachment folder that prevents
users from running e-mail attachments.
- The only file types that are affected by path rules are
those that are listed in Designated file types. There is one list of designated file types that is shared by all
rules.
- For software restriction policies to take effect, users
must update policy settings by logging off from and then logging on to their
computers.
- When more than one rule is applied to policy settings,
there is a precedence of rules for handling conflicts.
back to the top
How to Create a Registry Path Rule- Click Start, click Run, type regedit, and then click OK.
- In the console tree, right-click the registry key that you
want to create a rule for, and then click Copy Key Name.
- Note the value name in the details pane.
- Click Start, click Run, type mmc, and then click OK.
- Open Software Restriction Policies.
- In either the console tree or the details pane, right-click
Additional Rules, and then click New Path Rule.
- In Path, paste the registry key name and the value name.
- Enclose the registry path in percent signs (%), for
example:
%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PlatformSDK\Directories\InstallDir% - In the Security level box, click either Disallowed or Unrestricted.
- In the Description box, type a description for this rule, and then click OK.
NOTES:
- You may have to create a new software restriction policy
setting for this GPO if you have not already done so.
- You must be a member of the Administrators group to perform
this procedure.
- Format the registry path as follows:
% Registry Hive\ Registry Key Name\ Value Name% - You must write out the name of the registry hive; you
cannot use abbreviations. For example, you cannot substituted HKCU for HKEY_CURRENT_USER.
- The registry path rule can contain a suffix after the
closing percent sign (%). Do not use a backslash (\) in the suffix. For
example, you can use the following registry path rule:
%HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cache%OLK* - The only file types that are affected by path rules are
those that are listed in Designated file types. There is one list of designated file types that is shared by all
rules.
- For software restriction policies to take effect, users
must update policy settings by logging off from and then logging on to their
computers.
- When more than one rule is applied to policy settings,
there is a precedence of rules for handling conflicts.
back to the top
How to Add or Delete a Designated File Type- Click Start, click Run, type mmc, and then click OK.
- Open Software Restriction Policies.
- In the details pane, double-click Designated File Types.
- Perform one of the following steps as appropriate:
- To add a file type, type the file name extension in the
File extension box, and then click Add.
- To delete a file type, click the file type in the Designated file types box, and then click Remove.
NOTES:
- You may have to create a new software restriction policy
setting for this GPO if you have not already done so.
- The designated file types list is shared by all rules for
each configuration. The designated file types list for computer policy settings
is different from the designated file types list for user policy
settings.
back to the top
How to Change the Default Security Level of Software Restriction Policies- Click Start, click Run, type mmc, and then click OK.
- Open Software Restriction Policies.
- In the details pane, double-click Security Levels.
- Right-click the security level that you want to set as the
default, and then click Set as default.
CAUTION: In certain folders, if you set the default security level to Disallowed, you can adversely affect your operating system. NOTES:
- You may have to create a new software restriction policy
setting for this GPO if you have not already done so.
- In the details pane, the current default security level is
indicated by a black circle with a check mark in it. If you right-click the
current default security level, the Set as default command does not appear in the menu.
- Rules are created to specify exceptions to the default
security level. When the default security level is set to Unrestricted, rules specify software that is not allowed to run. When the
default security level is set to Disallowed, rules specify software that is allowed to run.
- If you change the default level, you affect all files on
the computers that have software restriction policies applied to
them.
- At installation, the default security level of software
restriction policies on all files on your computer is set to Unrestricted.
back to the top
How to Set Trusted Publisher Options- Click Start, click Run, type mmc, and then click OK.
- Open Software Restriction Policies.
- Double-click Trusted Publishers.
- Click the users who you want to decide which certificates
will be trusted, and then click OK.
NOTES:
- You may have to create a new software restriction policy
setting for this GPO if you have not already done so.
- You can select who can add trusted publishers, users,
administrators, or enterprise administrators. For example, you can use this
tool to prevent users from making trust decisions about publishers of ActiveX
Controls.
- Local computer administrators have the right to specify
trusted publishers on the local computer, but enterprise administrators have
the right to specify trusted publishers on an organizational unit level.
back to the top
Modification Type: | Minor | Last Reviewed: | 7/15/2004 |
---|
Keywords: | kbMgmtServices kbhowto kbHOWTOmaster KB324036 kbAudITPro |
---|
|