How To Use Software Restriction Policies in Windows Server

2003

This article describes how to use software restriction policies in Windows

Server 2003. When you use software restriction policies, you can identify and
specify the software that is allowed to run so that you can protect your
computer environment from untrusted code. When you use software
restriction policies, you can define a default security level of Unrestricted or
Disallowed for a Group Policy object (GPO) so that software is either
allowed or not allowed to run by default. To create exceptions to this default
security level, you can create rules for specific software. You can create the
following types of rules:

Hash rules
Certificate rules
Path rules
Internet zone rules

A policy is made up of the default security level and all of the rules applied to
a GPO. This policy can apply to all of the computers or to individual users.
Software restriction policies provide a number of ways to identify software,
and they provide a policy-based infrastructure to enforce decisions about
whether the software can run. With software restriction policies, users must
follow the guidelines that are set up by administrators when they run
programs.

With software restriction policies, you can perform the following tasks:

Control which programs can run on your computer. For

example, you can apply a policy that does not allow certain file types
to run in the e-mail attachment folder of your e-mail program if you
are concerned about users receiving viruses through e-mail.
Permit users to run only specific files on multiple-user
computers. For example, if you have multiple users on your
computers, you can set up software restriction policies in such a way
 that users do not have access to any software except for those specific
files that they must use for their work.
Decide who can add trusted publishers to your computer.
Control whether software restriction policies affect all users or
just certain users on a computer.
Prevent any files from running on your local computer, your
organizational unit, your site, or your domain. For example, if there is
a known virus, you can use software restriction policies to stop the
computer from opening the file that contains the virus.IMPORTANT:
Microsoft recommends that you do not use software restriction policies
as a replacement for antivirus software.

Back to the top

How to Start Software Restriction Policies
For the Local Computer Only

1. Click Start, point to Programs, point to Administrative

Tools, and then click Local Security Policy.
2. In the console tree, expand Security Settings, and then
expand Software Restriction Policies.

For a Domain, a Site, or an Organizational Unit on a Member Server

or a Workstation That Is Joined to a Domain

1. Open Microsoft Management Console (MMC). To do so, click

Start, click Run, type mmc, and then click OK.
2. On the File menu, click Add/Remove Snap-in, and then click
Add.
3. Click Group Policy Object Editor, and then click Add.
4. In Select Group Policy Object, click Browse.
5. In Browse for a Group Policy Object, either select a Group
Policy object (GPO) in the appropriate domain, site, or organizational
unit, and then click Finish.

Alternatively, you can create a new GPO, and then click Finish.
6. Click Close, and then click OK.
 7. In the console tree, go to the following location:

Group Policy Object Computer_name Policy/Computer Configuration or

User/Configuration/Windows Settings/Security Settings/Software
Restriction Policies

For an Organizational Unit or a Domain on a Domain Controller or a

Workstation That Has the Administration Tools Pack Installed

1. Click Start, point to All Programs, point to Administrative

Tools, and then click Active Directory Users and Computers.
2. In the console tree, right-click the domain or organizational unit
that you want to set Group Policy for.
3. Click Properties, and then click the Group Policy tab.
4. Click an entry in Group Policy Object Links to select an
existing GPO, and then click Edit.

Alternatively, you can click New to create a new GPO, and then click
Edit.
5. In the console tree, go to the following location:

Group Policy Object Computer_name Policy/Computer Configuration or

User Configuration/Windows Settings/Security Settings/Software
Restriction Policies

For Your Site and on a Domain Controller or a Workstation That Has

the Administration Tools Pack Installed

1. Click Start, point to All Programs, point to Administrative

Tools, and then click Active Directory Sites and Services.
2. In the console tree, right-click the site that you want to set
Group Policy for:
o Active Directory Sites and Services [
Domain_Controller_Name. Domain_Name]
o Sites
o Site
 3. Click Properties, and then click the Group Policy tab.
4. Click an entry in Group Policy Object Links to select an
existing Group Policy object (GPO), and then click Edit.

Alternatively, click New to create a new GPO, and then click Edit.
5. In the console tree, go to the following location:

Group Policy Object Computer_name Policy/Computer Configuration or

User Configuration/Windows Settings/Security Settings/Software
Restriction Policies

IMPORTANT: Click User Configuration to set policies that will be

applied to users, regardless of the computer to which they log on.
Click Computer Configuration to set policies that will be applied to
computers, regardless of the users who log on to them.

You can also apply software restriction policies to specific users when
they log on to specific computer by using an advanced Group Policy
setting named loopback.

Back to the top

How to Prevent Software Restriction Policies from Applying to Local
Administrators

1. Click Start, click Run, type mmc, and then click OK.
2. Open Software Restriction Policies.
3. In the details pane, double-click Enforcement.
4. Under Apply software restriction policies to the following
users, click All users except local administrators.

NOTES:

You may have to create a new software restriction policy setting

for this GPO if you have not already done so.
 Typically, users are members of the local administrator group on
their computers in your organization; therefore, you may not want to
turn on this setting. Software restriction policies do not apply to any
users who are members of their local administrator group.
If you are defining a software restriction policy setting for your
local computer, use this procedure to prevent local administrators
from having software restriction policies applied to them. If you are
defining a software restriction policy setting for your network, filter
user policy settings based on membership in security groups by using
Group Policy.

Back to the top

How to Create a Certificate Rule

1. Click Start, click Run, type mmc, and then click OK.
2. Open Software Restriction Policies.
3. In either the console tree or the details pane, right-click
Additional Rules, and then click New Certificate Rule.
4. Click Browse, and then select a certificate.
5. Select a security level.
6. In the Description box, type a description for this rule, and
then click OK.

NOTES:

For information about how to start software restriction policies

in MMC, see "Start software restriction policies" in Related Topics in
the Windows Server 2003 Help file.
You may have to create a new software restriction policy setting
for this GPO if you have not already done so.
By default, certificate rules are not turned on. To turn on
certificate rules:
1. Click Start, click Run, type regedit, and then click OK.
2. Locate and then click the following registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\
Windows\Safer\CodeIdentifiers
 3. In the details pane, double-click AuthenticodeEnabled,
and then change the value data from 0 to 1.
The only file types that are affected by certificate rules are those
that are listed in Designated file types. There is one list of
designated file types that is shared by all rules.
For software restriction policies to take effect, users must
update policy settings by logging off from and then logging on to their
computers.
When more than one rule is applied to policy settings, there is a
precedence of rules for handling conflicts.

Back to the top

How to Create a Hash Rule

1. Click Start, click Run, type mmc, and then click OK.
2. Open Software Restriction Policies.
3. In either the console tree or the details pane, right-click
Additional Rules, and then click New Hash Rule.
4. Click Browse to find a file, or paste a precalculated hash in the
File hash box.
5. In the Security level box, click either Disallowed or
Unrestricted.
6. In the Description box, type a description for this rule, and
then click OK.

NOTES:

You may have to create a new software restriction policy setting

for this GPO if you have not already done so.
You can create a hash rule for a virus or a Trojan horse to
prevent the malicious software from running.
If you want other users to use a hash rule so that a virus cannot
run, calculate the hash of the virus by using software restriction
policies, and then e-mail the hash value to other users. Never e-mail
the virus itself.
 If a virus has been sent through e-mail, you can also create a
path rule to prevent users from running mail attachments.
A file that is renamed or moved to another folder still results in
the same hash.
Any change to a file results in a different hash.
The only file types that are affected by hash rules are those that
are listed in Designated file types. There is one list of designated file
types that is shared by all rules.
For software restriction policies to take effect, users must
update policy settings by logging off from and then logging on to their
computers.
When more than one rule is applied to policy settings, there is a
precedence of rules for handling conflicts.

Back to the top

How to Create an Internet Zone Rule

1. Click Start, click Run, type mmc, and then click OK.
2. Open Software Restriction Policies.
3. In the console tree, click Software Restriction Policies.
4. In either the console tree or the details pane, right-click
Additional Rules, and then click New Internet Zone Rule.
5. In Internet zone, click an Internet zone.
6. In the Security Level box, click either Disallowed or
Unrestricted, and then click OK.

NOTES:

You may have to create a new software restriction policy setting

for this GPO if you have not already done so.
Zone rules apply to Windows Installer packages only.
The only file types that are affected by zone rules are those that
are listed in Designated file types. There is one list of designated file
types that is shared by all rules.
 For software restriction policies to take effect, users must
update policy settings by logging off from and then logging on to their
computers.
When more than one rule is applied to policy settings, there is a
precedence of rules for handling conflicts.

Back to the top

How to Create a Path Rule

1. Click Start, click Run, type mmc, and then click OK.
2. Open Software Restriction Policies.
3. In either the console tree or the details pane, right-click
Additional Rules, and then click New Path Rule.
4. In the Path box, type a path or click Browse to find a file or
folder.
5. In the Security level box, click either Disallowed or
Unrestricted.
6. In the Description box, type a description for this rule, and
then click OK.IMPORTANT: On certain folders, such as the Windows
folder, setting the security level to Disallowed can adversely affect
the operation of your operating system. Make sure that you do not
disallow a crucial component of the operating system or one of its
dependent programs.

NOTES:

You may have to create a new software restriction policy setting

for this GPO if you have not already done so.
If you create a path rule for a program with a security level of
Disallowed, a user can still run the software by copying it to another
location.
The wildcard characters that are supported by the path rule are
the asterisk (*) and the question mark (?).
You can use environment variables, such as %programfiles% or
%systemroot%, in your path rule.
 To create a path rule for software when you do not know where
it is stored on a computer but you have its registry key, you can
create a registry path rule.
To prevent users from running e-mail attachments, you can
create a path rule for your mail program's attachment folder that
prevents users from running e-mail attachments.
The only file types that are affected by path rules are those that
are listed in Designated file types. There is one list of designated file
types that is shared by all rules.
For software restriction policies to take effect, users must
update policy settings by logging off from and then logging on to their
computers.
When more than one rule is applied to policy settings, there is a
precedence of rules for handling conflicts.

Back to the top

How to Create a Registry Path Rule

1. Click Start, click Run, type regedit, and then click OK.
2. In the console tree, right-click the registry key that you want to
create a rule for, and then click Copy Key Name.
3. Note the value name in the details pane.
4. Click Start, click Run, type mmc, and then click OK.
5. Open Software Restriction Policies.
6. In either the console tree or the details pane, right-click
Additional Rules, and then click New Path Rule.
7. In Path, paste the registry key name and the value name.
8. Enclose the registry path in percent signs (%), for example:

%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PlatformSDK
\Directories\InstallDir%

9. In the Security level box, click either Disallowed or

Unrestricted.
10. In the Description box, type a description for this rule, and
then click OK.
NOTES:

You may have to create a new software restriction policy setting

for this GPO if you have not already done so.
You must be a member of the Administrators group to perform
this procedure.
Format the registry path as follows:

% Registry Hive\ Registry Key Name\ Value Name%

You must write out the name of the registry hive; you cannot
use abbreviations. For example, you cannot substituted HKCU for
HKEY_CURRENT_USER.
The registry path rule can contain a suffix after the closing
percent sign (%). Do not use a backslash (\) in the suffix. For
example, you can use the following registry path rule:

%HKEY_CURRENT_USER\Software\Microsoft\Windows\Curre
ntVersion\Explorer\Shell Folders\Cache%OLK*

The only file types that are affected by path rules are those that
are listed in Designated file types. There is one list of designated file
types that is shared by all rules.
For software restriction policies to take effect, users must
update policy settings by logging off from and then logging on to their
computers.
When more than one rule is applied to policy settings, there is a
precedence of rules for handling conflicts.

Back to the top

How to Add or Delete a Designated File Type

1. Click Start, click Run, type mmc, and then click OK.
2. Open Software Restriction Policies.
3. In the details pane, double-click Designated File Types.
4. Perform one of the following steps as appropriate:
 o To add a file type, type the file name extension in the File
extension box, and then click Add.
o To delete a file type, click the file type in the Designated
file types box, and then click Remove.

NOTES:

You may have to create a new software restriction policy setting

for this GPO if you have not already done so.
The designated file types list is shared by all rules for each
configuration. The designated file types list for computer policy
settings is different from the designated file types list for user policy
settings.

Back to the top

How to Change the Default Security Level of Software Restriction
Policies

1. Click Start, click Run, type mmc, and then click OK.
2. Open Software Restriction Policies.
3. In the details pane, double-click Security Levels.
4. Right-click the security level that you want to set as the default,
and then click Set as default.

CAUTION: In certain folders, if you set the default security level to

Disallowed, you can adversely affect your operating system.

NOTES:

You may have to create a new software restriction policy setting

for this GPO if you have not already done so.
In the details pane, the current default security level is indicated
by a black circle with a check mark in it. If you right-click the current
default security level, the Set as default command does not appear
in the menu.
Rules are created to specify exceptions to the default security
level. When the default security level is set to Unrestricted, rules
 specify software that is not allowed to run. When the default security
level is set to Disallowed, rules specify software that is allowed to
run.
If you change the default level, you affect all files on the
computers that have software restriction policies applied to them.
At installation, the default security level of software restriction
policies on all files on your computer is set to Unrestricted.

Back to the top

How to Set Trusted Publisher Options

1. Click Start, click Run, type mmc, and then click OK.
2. Open Software Restriction Policies.
3. Double-click Trusted Publishers.
4. Click the users who you want to decide which certificates will be
trusted, and then click OK.

NOTES:

You may have to create a new software restriction policy setting

for this GPO if you have not already done so.
You can select who can add trusted publishers, users,
administrators, or enterprise administrators. For example, you can use
this tool to prevent users from making trust decisions about publishers
of ActiveX Controls.
Local computer administrators have the right to specify trusted
publishers on the local computer, but enterprise administrators have
the right to specify trusted publishers on an organizational unit level.