Implementing Software Restriction Policies

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

By using software restriction policies, you can protect your computer or network by identifying the software that is permitted to run. The first step is to set the default security level for the computer to Unrestricted or Disallowed. If the default security level is Unrestricted, users can run all programs except those that you restrict by using rules. If the default security level is Disallowed, no programs can run on the computer except those that a rule explicitly permits. After you set the default security level, you create software restriction policy rules to define the exceptions to it.

Rule Precedence

Rules are evaluated in a specific order. A rule that identifies a program more specifically takes precedence over a rule that identifies it more generally: a rule of a higher-ranked type overrides any matching rule of a lower-ranked type, and among path rules the more specific path wins. From highest to lowest, rule precedence is as follows:

  • Hash rule

  • Certificate rule

  • Path rule

  • Internet zone rule

  • Default security level

Example of Rule Precedence with a Default Security Level of Unrestricted

Table 4.2 shows an example of rules that are configured by using software restriction policies on a computer that has a default security level of Unrestricted.

Table 4.2   Example of Software Restriction Policy Rules

  Rule     Type of rule       Description                  Setting
  ------   ----------------   --------------------------   ------------
  Rule 1   Hash rule          Hash of Pagefileconfig.vbs   Disallowed
  Rule 2   Certificate rule   IT management certificate    Unrestricted
  Rule 3   Path rule          %WINDIR%\System32\*.VBS      Unrestricted
  Rule 4   Path rule          *.VBS                        Disallowed
  Rule 5   Path rule          %WINDIR%                     Unrestricted

Table 4.3 shows examples of how the software restriction policy rules in Table 4.2 determine which programs users can run.

Table 4.3   Example of the Application of Software Restriction Policy Rules

Program started: C:\WINDOWS\SYSTEM32\EventQuery.vbs

  Applied rules:

  • Rule 3 is applied because EventQuery.vbs is a .vbs file in the System32 folder.

  • Rule 4 is applied because EventQuery.vbs has a .vbs extension.

  • Rule 5 is applied because EventQuery.vbs is stored in a subfolder of the Windows folder.

  Outcome: Rule 3 is the most specific match for EventQuery.vbs. Because Rule 3 has a security level of Unrestricted, EventQuery.vbs is permitted to run.

Program started: C:\WINDOWS\SYSTEM32\Pagefileconfig.vbs

  Applied rules:

  • Rule 1 is applied because the hash in the rule matches the hash of Pagefileconfig.vbs.

  • Rule 3 is applied because Pagefileconfig.vbs is a .vbs file in the System32 folder.

  • Rule 4 is applied because Pagefileconfig.vbs has a .vbs extension.

  • Rule 5 is applied because Pagefileconfig.vbs is stored in a subfolder of the Windows folder.

  Outcome: Rule 1 is the most specific match for Pagefileconfig.vbs. Because Rule 1 has a security level of Disallowed, Pagefileconfig.vbs is not permitted to run.

Program started: \\LOGIN_SRV\Scripts\CustomerScript1.vbs

  Applied rules:

  • Rule 2 is applied because CustomerScript1.vbs is digitally signed by the certificate that belongs to the customer's IT management group.

  • Rule 4 is applied because CustomerScript1.vbs has a .vbs extension.

  Outcome: Rule 2 is the most specific match for CustomerScript1.vbs. Because Rule 2 has a security level of Unrestricted, CustomerScript1.vbs is permitted to run.

Program started: C:\Documents and Settings\user1\LOVE-LETTER-FOR-YOU.TXT.VBS

  Applied rules:

  • Rule 4 is applied because LOVE-LETTER-FOR-YOU.TXT.VBS has a .vbs extension.

  Outcome: Rule 4 is the only match, and therefore the most specific match, for LOVE-LETTER-FOR-YOU.TXT.VBS. Because Rule 4 has a security level of Disallowed, LOVE-LETTER-FOR-YOU.TXT.VBS is not permitted to run.
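The precedence described above, worked as a small evaluator over the rules of Table 4.2. This is an added example, not Microsoft's implementation or anything from this page: the file contents, the signer name and the value of %WINDIR% are constructed, MD5 stands in for the hash that Windows stores in a hash rule, and ranking path rules by the number of literal characters left after variable expansion is an approximation that reproduces Table 4.3, not the exact ordering Windows uses. It goes one step beyond the table with a fifth program: a copy of Pagefileconfig.vbs saved under a new name in a user profile is still caught by Rule 1, because a hash rule follows the file content rather than its location.

```python
"""Evaluator for the rule precedence in Tables 4.2 and 4.3 (added example; see
the lead-in for what is constructed or approximated)."""
import hashlib
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import List, Optional

UNRESTRICTED, DISALLOWED = "Unrestricted", "Disallowed"
PRECEDENCE = {"hash": 0, "certificate": 1, "path": 2, "zone": 3}  # from the page
ENV = {"WINDIR": r"C:\WINDOWS"}  # constructed value for the path rules


@dataclass(frozen=True)
class File:
    path: str
    content: bytes                 # constructed stand-in for the on-disk bytes
    signer: Optional[str] = None   # certificate the file is signed with, if any
    zone: Optional[str] = None     # Internet zone it was obtained from, if any


@dataclass(frozen=True)
class Rule:
    kind: str    # "hash", "certificate", "path" or "zone"
    match: str   # hex digest, signer name, path pattern or zone name
    level: str


def file_hash(content: bytes) -> str:
    return hashlib.md5(content).hexdigest()   # MD5 stands in for the stored hash


def expand(pattern: str) -> str:
    for name, value in ENV.items():
        pattern = pattern.replace(f"%{name}%", value)
    return pattern.lower()        # path rules are not case sensitive


def path_matches(pattern: str, path: str) -> bool:
    pattern, path = expand(pattern), path.lower()
    if "*" in pattern or "?" in pattern:
        return fnmatchcase(path, pattern)   # '*' spans backslashes as well
    # A rule that names a folder covers the folder and everything below it.
    return path == pattern or path.startswith(pattern.rstrip("\\") + "\\")


def matches(rule: Rule, f: File) -> bool:
    if rule.kind == "hash":
        return rule.match == file_hash(f.content)
    if rule.kind == "certificate":
        return f.signer == rule.match
    if rule.kind == "path":
        return path_matches(rule.match, f.path)
    return f.zone == rule.match


def specificity(rule: Rule) -> int:
    """Literal characters in an expanded path pattern: more means a more
    specific match. Approximation that reproduces Table 4.3, not Windows' code."""
    if rule.kind != "path":
        return 0
    return sum(1 for c in expand(rule.match) if c not in "*?")


def evaluate(rules: List[Rule], f: File, default_level: str):
    """Return (level, winning rule number or None, numbers of all rules that
    applied); numbers are 1-based to match the tables."""
    applied = [i for i, r in enumerate(rules, 1) if matches(r, f)]
    if not applied:
        return default_level, None, applied
    # Higher-ranked rule type first, then the more specific path, then the
    # more restrictive level if two equally specific rules still disagree.
    winner = min(applied, key=lambda i: (PRECEDENCE[rules[i - 1].kind],
                                         -specificity(rules[i - 1]),
                                         rules[i - 1].level != DISALLOWED))
    return rules[winner - 1].level, winner, applied


# Table 4.2, with a constructed body for the script that Rule 1 hashes.
PAGEFILECONFIG = b"' constructed stand-in for Pagefileconfig.vbs\r\n"
RULES = [
    Rule("hash", file_hash(PAGEFILECONFIG), DISALLOWED),              # Rule 1
    Rule("certificate", "IT management certificate", UNRESTRICTED),   # Rule 2
    Rule("path", r"%WINDIR%\System32\*.VBS", UNRESTRICTED),           # Rule 3
    Rule("path", r"*.VBS", DISALLOWED),                               # Rule 4
    Rule("path", r"%WINDIR%", UNRESTRICTED),                          # Rule 5
]

# The programs of Table 4.3 plus one extra case: the same script copied under
# a new name into a user profile, which only the hash rule can catch.
PROGRAMS = [
    File(r"C:\WINDOWS\SYSTEM32\EventQuery.vbs", b"' constructed\r\n"),
    File(r"C:\WINDOWS\SYSTEM32\Pagefileconfig.vbs", PAGEFILECONFIG),
    File(r"\\LOGIN_SRV\Scripts\CustomerScript1.vbs", b"' constructed\r\n",
         signer="IT management certificate"),
    File(r"C:\Documents and Settings\user1\LOVE-LETTER-FOR-YOU.TXT.VBS",
         b"' constructed\r\n"),
    File(r"C:\Documents and Settings\user1\notes.vbs", PAGEFILECONFIG),
]


def table_4_3(default_level: str = UNRESTRICTED) -> dict:
    """Map each program path to (level, winning rule, applied rules)."""
    return {f.path: evaluate(RULES, f, default_level) for f in PROGRAMS}


if __name__ == "__main__":
    for path, (level, winner, applied) in table_4_3().items():
        print("%-62s rules %-14s winner %s -> %s" % (path, applied, winner, level))
```

Running the block prints one line per program with the rules that applied, the winner and the resulting level; the first four lines match the outcomes in Table 4.3, and the fifth shows notes.vbs disallowed by Rule 1 even though no path rule other than Rule 4 touches it.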

DLL Checking

Most programs require multiple .dll files to run. By default, software restriction policy rules are not enforced against .dll files; only the executable file that starts a program is evaluated. This is the recommended option for most users for the following reasons:

  • Setting a program's main executable file as Disallowed in the Software Restriction Policies snap-in prevents the program from running. Therefore, it is typically not necessary to set all of the related .dll files to Disallowed.

  • Checking .dll files degrades system performance. If a user runs 10 programs during his or her logon session, the software restriction policy is evaluated 10 times. If .dll checking is turned on, the software restriction policy is also evaluated for each .dll file that each program loads. For example, if each program uses 20 .dll files, 10 .exe files and 200 .dll files are checked, and the software restriction policy is evaluated 210 times.

  • If the default security level is set to Disallowed, the main executable file has to be identified by a rule so that it can run; with .dll checking turned on, every .dll file that the executable loads must also be identified by a rule, or the program fails to start.

To activate .dll checking, in the Enforcement Properties policy, set Apply software restriction policies to the following to All software files. For more information about .dll checking, see "Apply software restriction policies to DLLs" in Help and Support Center for Windows Server 2003.

Exclude Administrators

You might want to prevent most users from running certain programs by setting them as Disallowed, while permitting administrators to run any program. For example, a computer might be shared by multiple users who connect to it through Terminal Server. You might want those users to run only specific applications on the computer, while permitting members of the local Administrators group to run any program. To exclude local administrators, set the option to apply software restriction policies to All users except local administrators.

Note

  • Setting software restriction policies to exclude local administrators is valid only for Group Policy objects that are applied to computers.
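A way to check which of the two enforcement options above are actually in effect on a computer, offered here as an added example rather than anything from this page or the Help and Support Center. It assumes the options are stored as the DefaultLevel, TransparentEnabled and PolicyScope DWORD values under HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers, which reg export can dump to a text file; the page itself names only the snap-in settings. The two registry exports in the block are constructed: one with the defaults discussed above (no .dll checking, local administrators excluded) beside one with both options tightened and a default level of Disallowed.

```python
"""Decode the enforcement options of a software restriction policy from a
registry export (added example; see the lead-in for the assumptions)."""
import re

# Key that holds the enforcement options (assumption: not stated on the page).
# Obtain an export on the computer being checked with
#   reg export "HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers" srp.reg
SRP_KEY = r"[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers]"

DEFAULT_LEVELS = {0x00040000: "Unrestricted", 0x00000000: "Disallowed"}
APPLY_TO = {1: "All software files except libraries (such as DLLs)",
            2: "All software files"}
SCOPE = {0: "All users", 1: "All users except local administrators"}

# Constructed export: the defaults discussed on this page (.dll checking off,
# local administrators excluded) with a default security level of Unrestricted.
WEAK_EXPORT = """Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Safer\\CodeIdentifiers]
"DefaultLevel"=dword:00040000
"TransparentEnabled"=dword:00000001
"PolicyScope"=dword:00000001
"""

# Constructed export with both enforcement options tightened and a default
# security level of Disallowed.
STRICT_EXPORT = """Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Safer\\CodeIdentifiers]
"DefaultLevel"=dword:00000000
"TransparentEnabled"=dword:00000002
"PolicyScope"=dword:00000000
"""

DWORD_LINE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')


def dword_values(export: str) -> dict:
    """Return the DWORD values found in the CodeIdentifiers section only."""
    values, in_section = {}, False
    for raw in export.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == SRP_KEY.lower()
            continue
        m = DWORD_LINE.match(line)
        if in_section and m:
            values[m.group(1)] = int(m.group(2), 16)
    return values


def decode_enforcement(export: str) -> dict:
    """Translate the raw values into the settings shown by the snap-in."""
    v = dword_values(export)
    return {
        "default_level": DEFAULT_LEVELS.get(v.get("DefaultLevel"), "unknown"),
        "apply_to": APPLY_TO.get(v.get("TransparentEnabled"), "unknown"),
        "scope": SCOPE.get(v.get("PolicyScope"), "unknown"),
        "dll_checking": v.get("TransparentEnabled") == 2,
        "exclude_local_admins": v.get("PolicyScope") == 1,
    }


def findings(export: str) -> list:
    """Plain-language notes a reviewer would raise about the export."""
    s = decode_enforcement(export)
    notes = []
    if not s["dll_checking"]:
        notes.append("Rules are not evaluated for .dll files; only the main "
                     "executable file of each program is checked.")
    if s["exclude_local_admins"]:
        notes.append("Members of the local Administrators group are exempt "
                     "(valid only in a GPO applied to computers).")
    if s["default_level"] == "Unrestricted":
        notes.append("Default level is Unrestricted: anything not matched by "
                     "a Disallowed rule runs.")
    return notes


if __name__ == "__main__":
    for name, export in (("weak", WEAK_EXPORT), ("strict", STRICT_EXPORT)):
        print(name, decode_enforcement(export))
        for note in findings(export):
            print("  -", note)
```

Feed the function the text of a real export (after converting it from the UTF-16 encoding that reg export writes) and the three findings tell you at a glance whether the policy on that computer still has the relaxed defaults described above.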

For more information about software restriction policies, see "Prevent software restriction policies from applying to local administrators" and "Software Restriction Policies" in Help and Support Center for Windows Server 2003, and "Deploying a Managed Software Environment" in this book.