7. Optional Tasks for Implementing Software Restriction Policies
When implementing software restriction policies, you can optionally complete the following tasks:
To prevent software restriction policies from applying to local administrators, complete the following steps:
1. Access the Group Policy Object Editor console for a GPO.
2. In the Group Policy Object Editor console, click Computer Configuration, double-click Windows Settings, double-click Security Settings, and then double-click Software Restriction Policies.
3. In the details pane, double-click the Enforcement setting.
4. In the Enforcement Properties dialog box, shown in Figure 6, click All Users Except Local Administrators and then click OK.
To set trusted publisher options, complete the following steps:
1. Access the Group Policy Object Editor console for a GPO.
2. In the Group Policy Object Editor console, click Computer Configuration, double-click Windows Settings, double-click Security Settings, and then double-click Software Restriction Policies.
3. In the details pane, double-click the Trusted Publishers setting.
4. In the Trusted Publishers Properties dialog box, shown in Figure 7, select the users that you want to have the right to decide what certificates will be trusted, and then click OK.
Note: Local computer administrators have the right to specify trusted publishers on the local computer, while enterprise administrators have the right to specify trusted publishers on an OU level.
Best Practices for Software Restriction Policies
The following are the best practices for applying software restriction policies:
Create a separate GPO for software restriction policies so that you can disable them in an emergency without affecting the rest of your security settings.
Test a software restriction policy before applying it to other computers. Do not disallow programs or files without the proper testing. Restrictions on certain files can seriously affect the operation of your computer or network.
If you need to edit a software restriction policy, first disable it. If you apply the policy in parts and a user refreshes the policy before all of the parts are in effect, that user’s computer might be adversely affected.
If you experience problems with applied policies, reboot in safe mode. Software restriction policies do not apply in safe mode. If you accidentally lock down a workstation with software restriction policies, reboot in safe mode, log on as a local administrator, modify the policy, run Gpupdate.exe, reboot the computer, and log on normally.
Use software restriction policies in conjunction with access control settings.
Use caution when defining a default setting of Disallowed. When you set the default security level to Disallowed, every application is restricted. A policy must be applied for every application that you want to run.
Software Restriction Policies Troubleshooting
Table 1 describes some troubleshooting scenarios related to software restriction policies.
Table 1. Software Restriction Policies Troubleshooting Scenarios

Problem: The user receives an error message such as “Windows cannot open this program because it has been prevented by a software restriction policy. For more information, open the Event Viewer console or contact your system administrator.” Or, on the command line, the message “The system cannot execute the specified program” appears.
Cause: The default security level (or a rule) was set to Disallowed, and the software will not start.
Solution: Check the event log to see whether the software program is set to Disallowed and what rule is applied.

Problem: Modified software restriction policies are not taking effect.
Cause: Software restriction policies that are specified in a domain through Group Policy override any policies that are configured locally. The problem might be occurring because there is a policy from the domain that is overriding your setting.
Solution: Use the Gpresult.exe command-line tool to determine which policies apply. Check domain-level policies for No Override settings.
Cause: Group Policy might not have refreshed its settings. Group Policy applies policy changes periodically; therefore, it is likely that the policy changes made in the directory have not yet been refreshed.
Solution: Refresh the policy with the command-line utility Gpupdate.exe.
Cause: The local computer on which you changed software restriction policies for the network cannot contact a domain controller.
Solution: The computer on which you modify software restriction policies must be able to contact a domain controller to update policy for a network. Ensure the computer can contact a domain controller.

Problem: You have added a rule to software restriction policies, and you cannot log on to your computer.
Cause: Your computer accesses many programs and files when it starts. You might have inadvertently set one of these programs or files to Disallowed. Because the computer cannot access the program or file, it cannot start properly.
Solution: Start your computer in safe mode, log on as a local administrator, and change software restriction policies to allow the program or file to run.

Problem: A new policy is not applying to a specific filename extension.
Cause: The filename extension is not in the list of file types supported by the software restriction policies.
Solution: Add the filename extension to the list of supported file types in the Designated File Types setting.
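The settings this page works with (the Enforcement scope chosen in the optional task, the Disallowed default level cautioned about under Best Practices, and the Designated File Types list in the last row of Table 1) are stored in the registry, where they can be inspected when a policy misbehaves. The script below is an added example, not code from this page or from Windows: it parses a constructed `reg query` listing of SRP's CodeIdentifiers key and explains, for a given file, what the stored settings would do when no rule matches. The key name and the meaning of the DWORD values are SRP's documented registry storage and are not taken from this page; the sample listing is constructed.

```python
import re
# DWORD meanings under HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers
# (SRP's documented registry location; the key name and values are not from this page).
DEFAULT_LEVELS = {0x0: "Disallowed", 0x1000: "Basic User", 0x40000: "Unrestricted"}
POLICY_SCOPES = {0: "All users", 1: "All users except local administrators"}

# Constructed sample of `reg query` output for that key (not a real capture).
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers
    DefaultLevel    REG_DWORD    0x0
    PolicyScope    REG_DWORD    0x1
    ExecutableTypes    REG_MULTI_SZ    BAT\0CMD\0COM\0EXE\0HTA\0LNK\0MSI\0PIF\0REG\0SCR
"""

_VALUE_RE = re.compile(r"^\s+(\S+)\s+(REG_[A-Z_]+)\s+(.*)$")

def parse_reg_query(text):
    """Map value names to data: DWORDs become ints, REG_MULTI_SZ a list (reg query
    prints the entries separated by a literal backslash-zero)."""
    values = {}
    for line in text.splitlines():
        m = _VALUE_RE.match(line)
        if not m:
            continue  # key path line or blank line
        name, kind, data = m.groups()
        if kind == "REG_DWORD":
            values[name] = int(data, 16)
        elif kind == "REG_MULTI_SZ":
            values[name] = [s for s in data.split(r"\0") if s]
        else:
            values[name] = data
    return values

def summarize_srp(values):
    """Express the stored settings in the terms the GPO editor dialogs use."""
    return {
        "default_level": DEFAULT_LEVELS.get(values.get("DefaultLevel"), "unknown"),
        "policy_scope": POLICY_SCOPES.get(values.get("PolicyScope"), "unknown"),
        "designated_types": [t.upper() for t in values.get("ExecutableTypes", [])],
    }

def explain_block(filename, summary, local_admin=False):
    """Why a file would or would not be stopped when no SRP rule matches it."""
    if local_admin and summary["policy_scope"] == "All users except local administrators":
        return f"{filename}: policy is not enforced for local administrators"
    ext = filename.rsplit(".", 1)[-1].upper() if "." in filename else ""
    if ext not in summary["designated_types"]:
        return f"{filename}: .{ext} is not a designated file type, so SRP does not evaluate it"
    if summary["default_level"] == "Disallowed":
        return f"{filename}: blocked by the Disallowed default level unless a rule allows it"
    return f"{filename}: runs under default level {summary['default_level']}"
```

On a real machine, replace SAMPLE_REG_QUERY with the output of `reg query` against that key and call explain_block with the file named in the event log message.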