Windows Server 2008 R2 : Managing Computers with Domain Policies (part 2) - Creating a Software Restriction Policy

- 2015 Chevrolet Camaro Z28 - The Legend Returns
- Wagon Audi Allroad Vs. Subaru Outback
- 996 Carrera 4S is Driving Perfection
3/26/2011 3:40:58 PM

Creating a Software Restriction Policy

Many business owners and organizations want to ensure that their employees are as productive as possible. This might require restricting users from playing computer games and surfing the Internet, or simply providing a highly reliable computer system. Because many applications written for earlier Windows versions assumed local administrator rights, a legacy of poor development practices by software vendors and independent programmers, end users often still hold those rights. When local users can perform administrative tasks, through administrative group membership or relaxed file system security, software restriction policies can prevent them from running undesired programs that might affect system configuration and reliability. For example, restricting access to the Registry editor, or to any particular executable, can reduce undesired system configuration changes. Group Policy contains very specific policy settings for the Microsoft Management Console, but for undefined or standard built-in utilities and applications, it might be necessary to define and enforce a specific software restriction policy.

One important point to note about software restriction policies is that the new settings are not enforced the moment the policy is applied: the system must be rebooted before the new policy settings take effect.

Note

On Windows 7 and Windows Server 2008 R2 only, a new policy area under Security Settings named Application Control Policies (AppLocker) supersedes software restriction policies. Software restriction policies are still processed and applied on Windows 7 and Windows Server 2008 R2, but if a GPO contains both AppLocker rules and software restriction policies, these systems enforce only the AppLocker rules. It is recommended to use AppLocker for Windows 7 and Windows Server 2008 R2 and software restriction policies for all older operating systems, ideally in separate GPOs so the two sets of rules do not interfere.


To create a software restriction policy for a computer using a domain group policy, perform the following steps:

1.
Log on to a designated Windows Server 2008 R2 administrative server.

2.
Open the Group Policy Management Console from the Administrative Tools menu.

3.
Add the necessary domains to the GPMC as required.

4.
Expand the Domains node to reveal the Group Policy Objects container.

5.
Either create a new GPO or edit an existing GPO.

6.
After the GPO is opened for editing in the Group Policy Management Editor, expand the Computer Configuration node, expand the Policies node, expand the Windows Settings node, and select the Security Settings node.

7.
Expand the Security Settings node, and select Software Restriction Policies.

8.
Right-click on the Software Restriction Policies node in the tree pane, and select New Software Restriction Policies.

9.
After the previous task is completed, two subordinate policy setting nodes are created as well as three settings. In the Settings pane, double-click the Enforcement setting to open the properties of that setting.

10.
In the Enforcement Properties dialog box, define whether this software restriction policy should apply to all users or if local administrators should be excluded from the policy, as shown in Figure 2. Click OK when finished.

Figure 2. Excluding local administrators from the software restriction policies.


11.
Open the Security Levels settings node to reveal the three default levels: Disallowed, Basic User, and Unrestricted. The default configuration is the Unrestricted security level, under which all software runs with the access rights of the user. Basic User runs every program with a standard-user token even when the user is an administrator, and Disallowed blocks every program that no rule explicitly allows. If Unrestricted is acceptable, do not make any changes; otherwise, right-click the desired level and select Set as Default. Keep in mind that an Unrestricted default with a handful of Disallowed rules is a deny list: it stops only the specific files you enumerate, and a user who obtains a different build of the same program is not affected. A Disallowed default with Unrestricted rules for the locations you trust is the stronger, allow-list configuration, but it needs careful testing before it is linked to production computers.

12.
Regardless of which security level was selected as the default, additional rules will most likely need to be defined to block or allow access. Creating the policy also populates the Additional Rules node with two Unrestricted registry path rules, %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot% and %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir%, which keep the Windows and Program Files folders runnable; leave them in place, especially when the default level is Disallowed, or the operating system itself will be blocked. For this example, the ability to block access to the Remote Desktop Connection client is outlined. Right-click on the Additional Rules node in the tree pane beneath Software Restriction Policies, and select New Hash Rule.

13.
When the New Hash Rule window opens, click the Browse button to locate the desired file. For this example, the filename is mstsc.exe and is located in the c:\windows\system32 folder. After the file is located, select it and click Open to add it to the hash rule.

14.
Select the desired security level of Disallowed for this particular file, and then click OK to complete the creation of the new hash rule, as shown in Figure 3.

Figure 3. Configuring the security level for a software restriction hash rule.


15.
The file properties will be used to generate the hash rule and will be added to the Additional Rules, and this completes the software restriction policy for this exercise. Close the Group Policy Management Editor window.

Note

A hash rule is built from a cryptographic hash of the file's contents together with its size; the filename and path are recorded only as a description. The rule therefore matches that exact binary wherever it is copied and whatever it is renamed to, but it does not match any other build of the same program. If a specific application or file needs to be restricted with a hash rule, add a rule for each version of that file that exists in the environment, because client and server operating systems, service pack levels, hotfixes, and 32-bit versus 64-bit builds all produce different hashes.

16.
Back in the Group Policy Management Console, link the new software restriction GPO to an OU with a computer that can be used to test the policy.

17.
Reboot a test system in the OU the GPO is linked to (or run gpupdate /force on it and then reboot), log on, confirm with gpresult /r that the new GPO is listed under Applied Group Policy Objects, and verify that the software restriction policy is working by attempting to launch the Remote Desktop client on the test system.

18.
If the policy is working as desired, the user receives a message stating that the program is blocked by Group Policy, and the block is recorded in the Application event log with the source SoftwareRestrictionPolicies.
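The following PowerShell script is an added example and is not part of the original article. It performs the client-side checks a practitioner would want after steps 16 through 18, and it demonstrates the point made in the hash rule note: it reads the software restriction policy as it arrived on the test computer from the domain GPO, lists the hash rules, computes the hash of a renamed copy of mstsc.exe (still matched) and of the 32-bit build in SysWOW64 on x64 Windows (not matched), and pulls the enforcement events from the Application log. It assumes the GPO carries a Disallowed hash rule for C:\Windows\System32\mstsc.exe as built in steps 12 through 15, that the policy has already been refreshed on the test computer, and that the session is elevated. It is written for the PowerShell 2.0 that ships with Windows 7 and Windows Server 2008 R2, so it hashes files with .NET rather than with Get-FileHash (PowerShell 4.0 and later).

```powershell
# Added example: client-side verification of a domain software restriction policy.
# Assumes an elevated session on the test computer after 'gpupdate /force' and a reboot,
# and a Disallowed hash rule for %windir%\System32\mstsc.exe in the linked GPO.

# Computer-configuration SRP settings land under this key (user policies go to HKCU).
$SaferKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

# Registry encodings SRP uses for security levels and for hash algorithms (CALG_* ids).
$Levels   = @{ 0 = 'Disallowed'; 131072 = 'Basic User'; 262144 = 'Unrestricted' }
$HashAlgs = @{ 32771 = 'MD5'; 32772 = 'SHA1'; 32780 = 'SHA256' }

function Get-SrpSummary {
    # Default level and enforcement scope as they arrived from the domain GPO.
    if (-not (Test-Path $SaferKey)) {
        Write-Warning "No SRP settings present. Check the GPO link, then run 'gpupdate /force' and reboot."
        return $null
    }
    $ci = Get-ItemProperty -Path $SaferKey
    $scope = 'All users'
    if ([int]$ci.PolicyScope -eq 1) { $scope = 'All users except local administrators' }
    New-Object PSObject -Property @{
        DefaultLevel = $Levels[[int]$ci.DefaultLevel]
        PolicyScope  = $scope
    }
}

function Get-SrpHashRules {
    # One object per hash rule under every security level. The hash bytes are in ItemData;
    # Description holds the path that was browsed to when the rule was created.
    Get-ChildItem -Path $SaferKey | Where-Object { $_.PSChildName -match '^\d+$' } | ForEach-Object {
        $level = $Levels[[int]$_.PSChildName]
        $hashesPath = $_.PSPath + '\Hashes'
        if (Test-Path $hashesPath) {
            foreach ($ruleKey in Get-ChildItem -Path $hashesPath) {
                $r = Get-ItemProperty -Path $ruleKey.PSPath
                New-Object PSObject -Property @{
                    Level       = $level
                    Algorithm   = $HashAlgs[[int]$r.HashAlg]
                    Hash        = ([BitConverter]::ToString($r.ItemData) -replace '-', '').ToLower()
                    Size        = $r.ItemSize
                    Description = $r.Description
                }
            }
        }
    }
}

function Get-FileHashHex([string]$Path, [string]$Algorithm = 'SHA256') {
    # .NET hashing so the script also runs on PowerShell 2.0, which has no Get-FileHash.
    $algo   = [System.Security.Cryptography.HashAlgorithm]::Create($Algorithm)
    $stream = [System.IO.File]::OpenRead($Path)
    try     { ([BitConverter]::ToString($algo.ComputeHash($stream)) -replace '-', '').ToLower() }
    finally { $stream.Close() }
}

function Test-SrpHashMatch([string]$Path) {
    # Predicts whether a file is caught by a hash rule: identical bytes give an identical
    # hash regardless of name or location; any other build of the file does not match.
    foreach ($rule in @(Get-SrpHashRules)) {
        if (-not $rule.Algorithm) { continue }   # unknown algorithm id, skip rather than guess
        if ((Get-FileHashHex -Path $Path -Algorithm $rule.Algorithm) -eq $rule.Hash) {
            return New-Object PSObject -Property @{ Path = $Path; Matched = $true; Level = $rule.Level; Rule = $rule.Description }
        }
    }
    New-Object PSObject -Property @{ Path = $Path; Matched = $false; Level = $null; Rule = $null }
}

Get-SrpSummary
Get-SrpHashRules | Format-Table Level, Algorithm, Hash, Description -AutoSize

# 1. A renamed copy in another folder is still matched: the rule keys on the hash, not the name.
#    (SRP blocks execution, not reading, so the copy itself succeeds.)
$copy = Join-Path $env:TEMP 'notes.exe'
Copy-Item -Path "$env:windir\System32\mstsc.exe" -Destination $copy -Force
Test-SrpHashMatch -Path $copy
Remove-Item -Path $copy -Force

# 2. On x64 Windows the 32-bit build in SysWOW64 is a different binary, so a hash rule built
#    from System32 does not cover it; each build needs its own rule. Run this from 64-bit
#    PowerShell: a 32-bit host is redirected from System32 to SysWOW64 and both paths hash alike.
$wow = "$env:windir\SysWOW64\mstsc.exe"
if (Test-Path $wow) { Test-SrpHashMatch -Path $wow }

# 3. Enforcement evidence: SRP records each block in the Application log under this source
#    (event IDs in the 865 to 868 range; the message text names the rule that fired).
Get-EventLog -LogName Application -Source SoftwareRestrictionPolicies -Newest 10 -ErrorAction SilentlyContinue |
    Select-Object TimeGenerated, EventID, Message
```

If the summary shows a policy scope of "All users except local administrators", run the launch test in step 17 as a non-administrator, or the hash rule will never be exercised. For troubleshooting a rule that does not fire, SRP can write a trace of every evaluation to a file named in the REG_SZ value LogFileName under the same CodeIdentifiers key; set it locally only for the duration of the test, since the next policy refresh rewrites that key.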