How To Use Software Restriction Policies in Windows Server 2003 (324036)

SUMMARY

This article describes how to use software restriction policies in Windows Server 2003. When you use software restriction policies, you can identify and specify the software that is allowed to run so that you can protect your computer environment from untrusted code. When you use software restriction policies, you can define a default security level of Unrestricted or Disallowed for a Group Policy object (GPO) so that software is either allowed or not allowed to run by default. To create exceptions to this default security level, you can create rules for specific software. You can create the following types of rules:

• Hash rules
• Certificate rules
• Path rules
• Internet zone rules

A policy is made up of the default security level and all of the rules applied to a GPO. This policy can apply to all of the computers or to individual users. Software restriction policies provide a number of ways to identify software, and they provide a policy-based infrastructure to enforce decisions about whether the software can run. With software restriction policies, users must follow the guidelines that are set up by administrators when they run programs.

With software restriction policies, you can perform the following tasks:

• Control which programs can run on your computer. For example, you can apply a policy that does not allow certain file types to run in the e-mail attachment folder of your e-mail program if you are concerned about users receiving viruses through e-mail.
• Permit users to run only specific files on multiple-user computers. For example, if you have multiple users on your computers, you can set up software restriction policies in such a way that users do not have access to any software except for those specific files that they must use for their work.
• Decide who can add trusted publishers to your computer.
• Control whether software restriction policies affect all users or just certain users on a computer.
• Prevent any files from running on your local computer, your organizational unit, your site, or your domain. For example, if there is a known virus, you can use software restriction policies to stop the computer from opening the file that contains the virus.IMPORTANT: Microsoft recommends that you do not use software restriction policies as a replacement for antivirus software.

back to the top

How to Start Software Restriction Policies

For the Local Computer Only

1. Click Start, point to Programs, point to Administrative Tools, and then click Local Security Policy.
2. In the console tree, expand Security Settings, and then expand Software Restriction Policies.

back to the top

For a Domain, a Site, or an Organizational Unit on a Member Server or a Workstation That Is Joined to a Domain

1. Open Microsoft Management Console (MMC). To do so, click Start, click Run, type mmc, and then click OK.
2. On the File menu, click Add/Remove Snap-in, and then click Add.
3. Click Group Policy Object Editor, and then click Add.
4. In Select Group Policy Object, click Browse.
5. In Browse for a Group Policy Object, either select a Group Policy object (GPO) in the appropriate domain, site, or organizational unit, and then click Finish.
   
   Alternatively, you can create a new GPO, and then click Finish.
6. Click Close, and then click OK.
7. In the console tree, go to the following location:

   Group Policy Object Computer_name Policy/Computer Configuration or User/Configuration/Windows Settings/Security Settings/Software Restriction Policies

back to the top

For an Organizational Unit or a Domain on a Domain Controller or a Workstation That Has the Administration Tools Pack Installed

1. Click Start, point to All Programs, point to Administrative Tools, and then click Active Directory Users and Computers.
2. In the console tree, right-click the domain or organizational unit that you want to set Group Policy for.
3. Click Properties, and then click the Group Policy tab.
4. Click an entry in Group Policy Object Links to select an existing GPO, and then click Edit.
   
   Alternatively, you can click New to create a new GPO, and then click Edit.
5. In the console tree, go to the following location:

   Group Policy Object Computer_name Policy/Computer Configuration or User Configuration/Windows Settings/Security Settings/Software Restriction Policies

back to the top

For Your Site and on a Domain Controller or a Workstation That Has the Administration Tools Pack Installed

1. Click Start, point to All Programs, point to Administrative Tools, and then click Active Directory Sites and Services.
2. In the console tree, right-click the site that you want to set Group Policy for:
   • Active Directory Sites and Services [ Domain_Controller_Name. Domain_Name]
   • Sites
   • Site
   
   
3. Click Properties, and then click the Group Policy tab.
4. Click an entry in Group Policy Object Links to select an existing Group Policy object (GPO), and then click Edit.
   
   Alternatively, click New to create a new GPO, and then click Edit.
5. In the console tree, go to the following location:

   Group Policy Object Computer_name Policy/Computer Configuration or User Configuration/Windows Settings/Security Settings/Software Restriction Policies

   IMPORTANT: Click User Configuration to set policies that will be applied to users, regardless of the computer to which they log on. Click Computer Configuration to set policies that will be applied to computers, regardless of the users who log on to them.
   
   You can also apply software restriction policies to specific users when they log on to specific computer by using an advanced Group Policy setting named loopback.

back to the top

How to Prevent Software Restriction Policies from Applying to Local Administrators

1. Click Start, click Run, type mmc, and then click OK.
2. Open Software Restriction Policies.
3. In the details pane, double-click Enforcement.
4. Under Apply software restriction policies to the following users, click All users except local administrators.

NOTES:

• You may have to create a new software restriction policy setting for this GPO if you have not already done so.
• Typically, users are members of the local administrator group on their computers in your organization; therefore, you may not want to turn on this setting. Software restriction policies do not apply to any users who are members of their local administrator group.
• If you are defining a software restriction policy setting for your local computer, use this procedure to prevent local administrators from having software restriction policies applied to them. If you are defining a software restriction policy setting for your network, filter user policy settings based on membership in security groups by using Group Policy.

back to the top

How to Create a Certificate Rule

1. Click Start, click Run, type mmc, and then click OK.
2. Open Software Restriction Policies.
3. In either the console tree or the details pane, right-click Additional Rules, and then click New Certificate Rule.
4. Click Browse, and then select a certificate.
5. Select a security level.
6. In the Description box, type a description for this rule, and then click OK.

NOTES:

• For information about how to start software restriction policies in MMC, see "Start software restriction policies" in Related Topics in the Windows Server 2003 Help file.
• You may have to create a new software restriction policy setting for this GPO if you have not already done so.
• By default, certificate rules are not turned on. To turn on certificate rules:
  1. Click Start, click Run, type regedit, and then click OK.
  2. Locate and then click the following registry key:

     HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers

  3. In the details pane, double-click AuthenticodeEnabled, and then change the value data from 0 to 1.
• The only file types that are affected by certificate rules are those that are listed in Designated file types. There is one list of designated file types that is shared by all rules.
• For software restriction policies to take effect, users must update policy settings by logging off from and then logging on to their computers.
• When more than one rule is applied to policy settings, there is a precedence of rules for handling conflicts.

back to the top

How to Create a Hash Rule

1. Click Start, click Run, type mmc, and then click OK.
2. Open Software Restriction Policies.
3. In either the console tree or the details pane, right-click Additional Rules, and then click New Hash Rule.
4. Click Browse to find a file, or paste a precalculated hash in the File hash box.
5. In the Security level box, click either Disallowed or Unrestricted.
6. In the Description box, type a description for this rule, and then click OK.

NOTES:

• You may have to create a new software restriction policy setting for this GPO if you have not already done so.
• You can create a hash rule for a virus or a Trojan horse to prevent the malicious software from running.
• If you want other users to use a hash rule so that a virus cannot run, calculate the hash of the virus by using software restriction policies, and then e-mail the hash value to other users. Never e-mail the virus itself.
• If a virus has been sent through e-mail, you can also create a path rule to prevent users from running mail attachments.
• A file that is renamed or moved to another folder still results in the same hash.
• Any change to a file results in a different hash.
• The only file types that are affected by hash rules are those that are listed in Designated file types. There is one list of designated file types that is shared by all rules.
• For software restriction policies to take effect, users must update policy settings by logging off from and then logging on to their computers.
• When more than one rule is applied to policy settings, there is a precedence of rules for handling conflicts.

back to the top

How to Create an Internet Zone Rule

1. Click Start, click Run, type mmc, and then click OK.
2. Open Software Restriction Policies.
3. In the console tree, click Software Restriction Policies.
4. In either the console tree or the details pane, right-click Additional Rules, and then click New Internet Zone Rule.
5. In Internet zone, click an Internet zone.
6. In the Security Level box, click either Disallowed or Unrestricted, and then click OK.

NOTES:

• You may have to create a new software restriction policy setting for this GPO if you have not already done so.
• Zone rules apply to Windows Installer packages only.
• The only file types that are affected by zone rules are those that are listed in Designated file types. There is one list of designated file types that is shared by all rules.
• For software restriction policies to take effect, users must update policy settings by logging off from and then logging on to their computers.
• When more than one rule is applied to policy settings, there is a precedence of rules for handling conflicts.

back to the top

How to Create a Path Rule

1. Click Start, click Run, type mmc, and then click OK.
2. Open Software Restriction Policies.
3. In either the console tree or the details pane, right-click Additional Rules, and then click New Path Rule.
4. In the Path box, type a path or click Browse to find a file or folder.
5. In the Security level box, click either Disallowed or Unrestricted.
6. In the Description box, type a description for this rule, and then click OK.IMPORTANT: On certain folders, such as the Windows folder, setting the security level to Disallowed can adversely affect the operation of your operating system. Make sure that you do not disallow a crucial component of the operating system or one of its dependent programs.

NOTES:

• You may have to create a new software restriction policy setting for this GPO if you have not already done so.
• If you create a path rule for a program with a security level of Disallowed, a user can still run the software by copying it to another location.
• The wildcard characters that are supported by the path rule are the asterisk (*) and the question mark (?).
• You can use environment variables, such as %programfiles% or %systemroot%, in your path rule.
• To create a path rule for software when you do not know where it is stored on a computer but you have its registry key, you can create a registry path rule.
• To prevent users from running e-mail attachments, you can create a path rule for your mail program's attachment folder that prevents users from running e-mail attachments.
• The only file types that are affected by path rules are those that are listed in Designated file types. There is one list of designated file types that is shared by all rules.
• For software restriction policies to take effect, users must update policy settings by logging off from and then logging on to their computers.
• When more than one rule is applied to policy settings, there is a precedence of rules for handling conflicts.

back to the top

How to Create a Registry Path Rule

1. Click Start, click Run, type regedit, and then click OK.
2. In the console tree, right-click the registry key that you want to create a rule for, and then click Copy Key Name.
3. Note the value name in the details pane.
4. Click Start, click Run, type mmc, and then click OK.
5. Open Software Restriction Policies.
6. In either the console tree or the details pane, right-click Additional Rules, and then click New Path Rule.
7. In Path, paste the registry key name and the value name.
8. Enclose the registry path in percent signs (%), for example:

   %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PlatformSDK\Directories\InstallDir%

9. In the Security level box, click either Disallowed or Unrestricted.
10. In the Description box, type a description for this rule, and then click OK.

NOTES:

• You may have to create a new software restriction policy setting for this GPO if you have not already done so.
• You must be a member of the Administrators group to perform this procedure.
• Format the registry path as follows:

  % Registry Hive\ Registry Key Name\ Value Name%

• You must write out the name of the registry hive; you cannot use abbreviations. For example, you cannot substituted HKCU for HKEY_CURRENT_USER.
• The registry path rule can contain a suffix after the closing percent sign (%). Do not use a backslash (\) in the suffix. For example, you can use the following registry path rule:

  %HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cache%OLK*

• The only file types that are affected by path rules are those that are listed in Designated file types. There is one list of designated file types that is shared by all rules.
• For software restriction policies to take effect, users must update policy settings by logging off from and then logging on to their computers.
• When more than one rule is applied to policy settings, there is a precedence of rules for handling conflicts.

back to the top

How to Add or Delete a Designated File Type

1. Click Start, click Run, type mmc, and then click OK.
2. Open Software Restriction Policies.
3. In the details pane, double-click Designated File Types.
4. Perform one of the following steps as appropriate:
   • To add a file type, type the file name extension in the File extension box, and then click Add.
   • To delete a file type, click the file type in the Designated file types box, and then click Remove.

NOTES:

• You may have to create a new software restriction policy setting for this GPO if you have not already done so.
• The designated file types list is shared by all rules for each configuration. The designated file types list for computer policy settings is different from the designated file types list for user policy settings.

back to the top

How to Change the Default Security Level of Software Restriction Policies

1. Click Start, click Run, type mmc, and then click OK.
2. Open Software Restriction Policies.
3. In the details pane, double-click Security Levels.
4. Right-click the security level that you want to set as the default, and then click Set as default.
   
   CAUTION: In certain folders, if you set the default security level to Disallowed, you can adversely affect your operating system.

NOTES:

• You may have to create a new software restriction policy setting for this GPO if you have not already done so.
• In the details pane, the current default security level is indicated by a black circle with a check mark in it. If you right-click the current default security level, the Set as default command does not appear in the menu.
• Rules are created to specify exceptions to the default security level. When the default security level is set to Unrestricted, rules specify software that is not allowed to run. When the default security level is set to Disallowed, rules specify software that is allowed to run.
• If you change the default level, you affect all files on the computers that have software restriction policies applied to them.
• At installation, the default security level of software restriction policies on all files on your computer is set to Unrestricted.

back to the top

How to Set Trusted Publisher Options

1. Click Start, click Run, type mmc, and then click OK.
2. Open Software Restriction Policies.
3. Double-click Trusted Publishers.
4. Click the users who you want to decide which certificates will be trusted, and then click OK.

NOTES:

• You may have to create a new software restriction policy setting for this GPO if you have not already done so.
• You can select who can add trusted publishers, users, administrators, or enterprise administrators. For example, you can use this tool to prevent users from making trust decisions about publishers of ActiveX Controls.
• Local computer administrators have the right to specify trusted publishers on the local computer, but enterprise administrators have the right to specify trusted publishers on an organizational unit level.

back to the top