2003
Hash rules
Certificate rules
Path rules
Internet zone rules
A policy is made up of the default security level and all of the rules applied to
a GPO. This policy can apply to all of the computers or to individual users.
Software restriction policies provide a number of ways to identify software,
and they provide a policy-based infrastructure to enforce decisions about
whether the software can run. With software restriction policies, users must
follow the guidelines that are set up by administrators when they run
programs.
With software restriction policies, you can perform the following tasks:
Alternatively, you can create a new GPO, and then click Finish.
6. Click Close, and then click OK.
7. In the console tree, go to the following location:
Alternatively, you can click New to create a new GPO, and then click
Edit.
5. In the console tree, go to the following location:
Alternatively, click New to create a new GPO, and then click Edit.
5. In the console tree, go to the following location:
You can also apply software restriction policies to specific users when
they log on to a specific computer by using an advanced Group Policy
setting named loopback.
1. Click Start, click Run, type mmc, and then click OK.
2. Open Software Restriction Policies.
3. In the details pane, double-click Enforcement.
4. Under Apply software restriction policies to the following
users, click All users except local administrators.
NOTES:
1. Click Start, click Run, type mmc, and then click OK.
2. Open Software Restriction Policies.
3. In either the console tree or the details pane, right-click
Additional Rules, and then click New Certificate Rule.
4. Click Browse, and then select a certificate.
5. Select a security level.
6. In the Description box, type a description for this rule, and
then click OK.
NOTES:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers
3. In the details pane, double-click AuthenticodeEnabled,
and then change the value data from 0 to 1.
The only file types that are affected by certificate rules are those
that are listed in Designated file types. There is one list of
designated file types that is shared by all rules.
For software restriction policies to take effect, users must
update policy settings by logging off from and then logging on to their
computers.
When more than one rule is applied to policy settings, there is a
precedence of rules for handling conflicts.
1. Click Start, click Run, type mmc, and then click OK.
2. Open Software Restriction Policies.
3. In either the console tree or the details pane, right-click
Additional Rules, and then click New Hash Rule.
4. Click Browse to find a file, or paste a precalculated hash in the
File hash box.
5. In the Security level box, click either Disallowed or
Unrestricted.
6. In the Description box, type a description for this rule, and
then click OK.
NOTES:
1. Click Start, click Run, type mmc, and then click OK.
2. Open Software Restriction Policies.
3. In the console tree, click Software Restriction Policies.
4. In either the console tree or the details pane, right-click
Additional Rules, and then click New Internet Zone Rule.
5. In Internet zone, click an Internet zone.
6. In the Security Level box, click either Disallowed or
Unrestricted, and then click OK.
NOTES:
1. Click Start, click Run, type mmc, and then click OK.
2. Open Software Restriction Policies.
3. In either the console tree or the details pane, right-click
Additional Rules, and then click New Path Rule.
4. In the Path box, type a path or click Browse to find a file or
folder.
5. In the Security level box, click either Disallowed or
Unrestricted.
6. In the Description box, type a description for this rule, and
then click OK.
IMPORTANT: On certain folders, such as the Windows
folder, setting the security level to Disallowed can adversely affect
the operation of your operating system. Make sure that you do not
disallow a crucial component of the operating system or one of its
dependent programs.
NOTES:
1. Click Start, click Run, type regedit, and then click OK.
2. In the console tree, right-click the registry key that you want to
create a rule for, and then click Copy Key Name.
3. Note the value name in the details pane.
4. Click Start, click Run, type mmc, and then click OK.
5. Open Software Restriction Policies.
6. In either the console tree or the details pane, right-click
Additional Rules, and then click New Path Rule.
7. In Path, paste the registry key name and the value name.
8. Enclose the registry path in percent signs (%), for example:
%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PlatformSDK\Directories\InstallDir%
You must write out the name of the registry hive; you cannot
use abbreviations. For example, you cannot substitute HKCU for
HKEY_CURRENT_USER.
The registry path rule can contain a suffix after the closing
percent sign (%). Do not use a backslash (\) in the suffix. For
example, you can use the following registry path rule:
%HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cache%OLK*
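The syntax rules above for registry path rules (path enclosed in percent signs, hive name written out in full, no backslash in the suffix) can be checked before a rule is typed into the console. The following Python linter is an added example, not part of the original article or of any Microsoft tool; the function names and the hive names beyond the two shown on the page are assumptions.

```python
import re

# Standard Windows root key names (assumption: the page only shows the first two).
FULL_HIVES = {"HKEY_LOCAL_MACHINE", "HKEY_CURRENT_USER", "HKEY_CLASSES_ROOT",
              "HKEY_USERS", "HKEY_CURRENT_CONFIG"}
# Common abbreviations, which the page says are not accepted in a rule.
ABBREVIATIONS = {"HKLM": "HKEY_LOCAL_MACHINE", "HKCU": "HKEY_CURRENT_USER",
                 "HKCR": "HKEY_CLASSES_ROOT", "HKU": "HKEY_USERS",
                 "HKCC": "HKEY_CURRENT_CONFIG"}

def lint_registry_path_rule(rule):
    """Split a registry path rule into its parts and list syntax problems."""
    match = re.fullmatch(r"%([^%]+)%(.*)", rule.strip())
    if match is None:
        return None, ["registry path must be enclosed in percent signs (%)"]
    reg_path, suffix = match.groups()
    hive, _, remainder = reg_path.partition("\\")
    # The last path component is the value name; everything before it is the key.
    key, _, value_name = remainder.rpartition("\\")
    problems = []
    if hive.upper() in ABBREVIATIONS:
        problems.append(f"write out {ABBREVIATIONS[hive.upper()]} instead of {hive}")
    elif hive.upper() not in FULL_HIVES:
        problems.append(f"unknown registry hive: {hive}")
    if not key or not value_name:
        problems.append("path must name a registry key and a value name")
    if "\\" in suffix:
        problems.append("suffix after the closing % must not contain a backslash")
    parts = {"hive": hive, "key": key, "value_name": value_name, "suffix": suffix}
    return parts, problems

# Constructed sample rules: the first two are the page's own examples, the
# remaining three are deliberately malformed variants of them.
SAMPLE_RULES = [
    r"%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PlatformSDK\Directories\InstallDir%",
    r"%HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cache%OLK*",
    r"%HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cache%OLK*",
    r"%HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cache%\OLK*",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PlatformSDK\Directories\InstallDir",
]

def lint_all(rules):
    """Map each rule string to its list of problems (empty list means clean)."""
    return {rule: lint_registry_path_rule(rule)[1] for rule in rules}

if __name__ == "__main__":
    for rule, problems in lint_all(SAMPLE_RULES).items():
        print("OK  " if not problems else "FAIL", rule, "; ".join(problems))
```

The linter checks syntax only; it does not read the registry, so a clean result does not confirm that the key and value exist on the target computer.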
The only file types that are affected by path rules are those that
are listed in Designated file types. There is one list of designated file
types that is shared by all rules.
For software restriction policies to take effect, users must
update policy settings by logging off from and then logging on to their
computers.
When more than one rule is applied to policy settings, there is a
precedence of rules for handling conflicts.
1. Click Start, click Run, type mmc, and then click OK.
2. Open Software Restriction Policies.
3. In the details pane, double-click Designated File Types.
4. Perform one of the following steps as appropriate:
o To add a file type, type the file name extension in the File
extension box, and then click Add.
o To delete a file type, click the file type in the Designated
file types box, and then click Remove.
NOTES:
1. Click Start, click Run, type mmc, and then click OK.
2. Open Software Restriction Policies.
3. In the details pane, double-click Security Levels.
4. Right-click the security level that you want to set as the default,
and then click Set as default.
NOTES:
1. Click Start, click Run, type mmc, and then click OK.
2. Open Software Restriction Policies.
3. Double-click Trusted Publishers.
4. Click the users who you want to decide which certificates will be
trusted, and then click OK.
NOTES: