1. Understanding Software Restriction Policies
Software restriction policies,
new in Windows XP and Windows Server 2003 operating systems, were
created to address the problem of regulating unknown or untrusted code.
Software restriction policies are security settings in a GPO provided
to identify software and control its ability to run on a local
computer, site, domain, or OU. Most organizations employ a set of known
and trusted programs. However, if users install and run other programs,
these programs might conflict with or change configuration data in the
known and trusted programs. Or, the newly installed user programs could
contain a virus or Trojan horse. Software restriction policies protect
your computer environment from unknown code by enabling you to identify
and specify the applications allowed to run. These policies can apply
to computers or users, depending on whether you choose to modify
settings in User Configuration or Computer Configuration. When software
restriction policies are set, end users must adhere to the guidelines
set up by administrators when executing programs.
With software restriction policies, you can:
Control the ability of programs to run on your system. For example, you can apply a policy that does not allow certain file types to run in the e-mail attachment directory of your e-mail program if you are concerned about users receiving viruses through e-mail.
Permit users to run only specific files on multiuser computers. For example, if you have multiple users on your computers, you can set up software restriction policies and access control settings in such a way that users do not have access to any software but specific files that are necessary for their work.
Decide who can add trusted publishers to your computer.
Control whether software restriction policies affect all users or just certain users on a computer.
Prevent any files from running on your local computer, OU, site, or domain. For example, if you have a known virus, you can use software restriction policies to stop the computer from opening the file that contains the virus.
Important
Software restriction policies should not be used as a replacement for antivirus software. Software restriction policies do not work on Windows NT 4.0 or Windows 2000 systems.
2. Default Security Levels
Software restriction policies run on one of two default security levels:
Unrestricted, which allows software to run with the full rights of the user who is logged on to the computer
Disallowed, which does not allow the software to run, regardless of the access rights of the user who is logged on to the computer
If the default security level is set to Unrestricted, you can identify and create rules for the set of programs that you want to prohibit from running. If the default security level is set to Disallowed, you can identify and create rule exceptions for the programs that you trust to run. Either option can be set as the default security level for a GPO, but when a GPO is created, the default security level is Unrestricted.
When you set the default security level to Disallowed, most software applications are restricted and you must apply a rule for nearly every application you want to run. Some applications must remain unrestricted for the operating system to function at all.
Four registry path rules are created automatically when you set the default security level to Disallowed:
%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%
%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%\*.exe
%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%\System32\*.exe
%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir%
These registry path rules are created as a safeguard against locking yourself and all users out of the system. Only advanced users should consider modifying or deleting these rules.
If you decide to use a default security level of Disallowed, consider the following issues:
If a computer must run logon scripts, you must include a path rule that allows the scripts to run. For more information, refer to the “Path Rule” section in this lesson.
Startup items are placed in HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run (for the current user) and in HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run (for all users). If startup items must run, you must create a rule for them. For more information, refer to the “Path Rule” section in this lesson.
Many applications start other programs to perform certain tasks, and you must create rules for these other programs. For example, Microsoft Word starts the Microsoft Clip Organizer to manage clip art.
3. How Software Restriction Policies Work
When a user encounters an application to be run, software restriction policies must first identify the software. Software can be identified by its:
Hash, a series of bytes with a fixed length that uniquely identify a program or file.
Certificate, a digital document used for authentication and secure exchange of information on open networks, such as the Internet, extranets, and intranets.
Path, a sequence of folder names that specifies the location of the software within the directory tree.
Internet zone, a subtree specified through Internet Explorer. Zone options include Internet, Local Intranet, Restricted Sites, Trusted Sites, or Local Computer.
4. Rules
Software restriction policies identify and control the running of software by using rules. There are four types of rules, which correspond to the four ways of identifying software: a hash rule, a certificate rule, a path rule, and an Internet zone rule. These rules override the default security level. After software is identified by using a rule, you can decide whether or not to allow it to run by setting a security level (Disallowed or Unrestricted) for the program associated with the rule.
Hash Rule A hash is a series of bytes with a fixed length that uniquely identify a program or file. The hash is computed by a hash algorithm. Software restriction policies can identify files by their hash, using both the SHA-1 (Secure Hash Algorithm) and the MD5 hash algorithm. For example, you can create a hash rule and set the security level to Disallowed to prevent users from running a certain file. Because the hash is computed from the file's contents, a file can be renamed or moved to another folder and still match the rule. However, any change to the file, even a single appended byte, changes its hash value and allows it to bypass the rule, so a hash rule blocks one exact version of a file rather than a family of related files. Software restriction policies recognize only hashes that they themselves have calculated, so create hash rules by browsing to the file in the policy editor rather than by pasting a digest produced by another tool.
Certificate Rule A certificate rule identifies software by its signing certificate. For example, you can use certificate rules to automatically trust software from a trusted source in a domain without prompting the user. You can also use certificate rules to run files in disallowed areas of your operating system.
Path Rule A path rule identifies software by its file path. For example, if you have a computer that has a disallowed default policy, you can still grant unrestricted access to a specific folder for each user. Simply create a path rule using the file path and set the security level of the path rule to Unrestricted. Some common paths for this type of rule are %Userprofile%, %Windir%, %Appdata%, %Programfiles%, and %Temp%. Because these rules are specified by path, if a program is moved, the path rule no longer applies. A path rule trusts whatever is stored at the location, so an Unrestricted rule on a folder that users can write to (such as %Userprofile%, %Appdata%, or %Temp%) lets a user run any program they can copy there; if such a rule is needed, narrow it to the specific files required and use NTFS permissions to keep users from writing to the folders you trust. You can also create registry path rules that use the registry key of the software as the path.
Internet Zone Rule Internet zone rules apply only to Windows Installer packages. A zone rule can identify software from a zone that is specified through Internet Explorer. These zones are Internet, Local Intranet, Restricted Sites, Trusted Sites, and Local Computer.
5. Rule Precedence
You can apply several rules to the same piece of software. The rules are applied in the following order of precedence, from highest to lowest:
1. Hash rule.
2. Certificate rule.
3. Path rule. When there are conflicting path rules, the more specific rule (the one that names the longer path) takes precedence. For example, if there is a path rule for C:\Windows, with a security level of Disallowed, and there is a path rule for C:\Windows\System32, with a security level of Unrestricted, the C:\Windows\System32 rule takes precedence for the files in that folder. In this case, software programs in C:\Windows will not run, but programs in C:\Windows\System32 will run.
4. Internet zone rule.
Here is an example of rule precedence. If you have a file that has a hash rule applied to it with a security level of Unrestricted, but the file resides in a folder whose path rule is set to Disallowed, the file runs because the hash rule has precedence over the path rule.
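The following is an added example, not code from this lesson or from Windows itself: a small Python model of how a policy resolves the four rule types and the default level for a given program. It walks through the precedence examples above (the C:\Windows versus C:\Windows\System32 path rules, and a hash rule overriding a Disallowed folder) and the hash-rule caveat from the “Rules” section. The environment variable values, the sample file contents, the digests (derived from those contents at run time), and the rule set are all constructed for the illustration; wildcard path rules and certificate chain checking are not modelled.

```python
# Model of software restriction policy (SRP) rule evaluation.
# Added illustration for this lesson; not Microsoft's implementation.
import hashlib
import re
from dataclasses import dataclass, field
from typing import Optional

UNRESTRICTED = "Unrestricted"
DISALLOWED = "Disallowed"

# Constructed values standing in for the variables Windows would expand.
ENV = {"WINDIR": r"C:\Windows", "USERPROFILE": r"C:\Documents and Settings\alice"}


@dataclass
class Rule:
    kind: str    # "hash", "certificate", "path" or "zone"
    value: str   # hex digest, certificate subject, path, or zone name
    level: str   # UNRESTRICTED or DISALLOWED


@dataclass
class Policy:
    default_level: str
    rules: list = field(default_factory=list)


@dataclass
class Program:
    path: str
    data: bytes
    publisher: Optional[str] = None  # subject of the signing certificate, if signed
    zone: Optional[str] = None       # Internet Explorer zone; consulted for .msi packages only


def normalize(path: str) -> str:
    """Expand %VAR% references from ENV and canonicalize the path for comparison."""
    expanded = re.sub(r"%([^%]+)%",
                      lambda m: ENV.get(m.group(1).upper(), m.group(0)), path)
    return expanded.replace("/", "\\").rstrip("\\").lower()


def path_covers(rule_path: str, file_path: str) -> bool:
    """True if the file is, or lives beneath, the path named by the rule.
    Wildcards (* and ?), which real SRP path rules accept, are not modelled."""
    return file_path == rule_path or file_path.startswith(rule_path + "\\")


def evaluate(policy: Policy, prog: Program):
    """Return (security level, kind of rule that decided it).

    Precedence: hash, certificate, path, zone, then the default level.
    Among several matching path rules the most specific (longest) one wins.
    """
    # SRP hash rules match on the file's contents, so a rename or move does not matter.
    digests = {hashlib.md5(prog.data).hexdigest(), hashlib.sha1(prog.data).hexdigest()}

    def of_kind(kind):
        return [r for r in policy.rules if r.kind == kind]

    for r in of_kind("hash"):
        if r.value.lower() in digests:
            return r.level, "hash"

    if prog.publisher:
        for r in of_kind("certificate"):
            if r.value == prog.publisher:
                return r.level, "certificate"

    file_path = normalize(prog.path)
    matches = [(normalize(r.value), r.level) for r in of_kind("path")]
    matches = [(p, lvl) for p, lvl in matches if path_covers(p, file_path)]
    if matches:
        return max(matches, key=lambda m: len(m[0]))[1], "path"

    if prog.zone and file_path.endswith(".msi"):
        for r in of_kind("zone"):
            if r.value == prog.zone:
                return r.level, "zone"

    return policy.default_level, "default"


def demo():
    """Work the lesson's precedence examples plus the hash-rule caveat; returns {case: (level, why)}."""
    virus = b"MZ\x90\x00 constructed sample of a known bad file"   # constructed bytes
    tool = b"MZ\x90\x00 constructed sample of a trusted tool"      # constructed bytes
    policy = Policy(DISALLOWED, [
        Rule("path", r"%WINDIR%", DISALLOWED),
        Rule("path", r"%WINDIR%\System32", UNRESTRICTED),   # more specific than %WINDIR%
        Rule("path", r"%USERPROFILE%", UNRESTRICTED),       # user-writable: see the caveat
        Rule("hash", hashlib.sha1(tool).hexdigest(), UNRESTRICTED),
        Rule("hash", hashlib.md5(virus).hexdigest(), DISALLOWED),
        Rule("zone", "Internet", DISALLOWED),
    ])
    home = r"C:\Documents and Settings\alice"
    cases = {
        "regedit":  Program(r"C:\Windows\regedit.exe", b"MZ regedit"),
        "cmd":      Program(r"C:\Windows\System32\cmd.exe", b"MZ cmd"),
        "tool":     Program(r"C:\Windows\tool.exe", tool),            # hash beats Disallowed path
        "virus":    Program(home + r"\invoice.exe", virus),            # hash beats Unrestricted path
        "virus+1":  Program(home + r"\invoice.exe", virus + b"\x00"),  # one byte appended
        "msi_home": Program(home + r"\setup.msi", b"MSI", zone="Internet"),
        "msi_dvd":  Program(r"D:\setup.msi", b"MSI", zone="Internet"),
        "app":      Program(r"C:\Program Files\App\app.exe", b"MZ app"),
    }
    return {name: evaluate(policy, p) for name, p in cases.items()}


if __name__ == "__main__":
    for name, (level, why) in demo().items():
        print(f"{name:9} {level:12} (decided by {why} rule)")
```

The `virus+1` case is the one to notice: appending a single byte to the known-bad file changes both digests, the Disallowed hash rule no longer matches, and the Unrestricted path rule on the user's profile lets the file run. The `msi_home` case shows the other end of the precedence order: a path rule decides the package before its Internet zone rule is ever consulted.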
Note
For software restriction policies to take effect, users must log off from and then log on to their computers.