Software Restriction Policies

Software restriction policies provide a policy-driven system to specify which programs are allowed to run on the local computer and which are not.

Software Restriction Policies settings

The increased use of networks and the Internet in daily business computing means that it is more likely than ever that an organization's users will encounter malicious software. Software restriction policies can help organizations protect themselves because they provide another layer of defense against viruses, Trojans, and other types of malicious software.

You can configure the Software Restriction Policy settings in the following location within the Group Policy Management Console:

Computer Configuration\Windows Settings\Security Settings\Software Restriction Policies

Vulnerability

People use computer networks to collaborate in many different ways; they use e-mail, instant messaging, and peer-to-peer applications. As these collaboration opportunities increase, so does the risk from viruses, worms, and other forms of malicious software. E-mail and instant messaging can transport unsolicited malicious software, which can take many forms—from native Windows® executable (.exe) files, to macros in word processing (.doc) documents, to script (.vbs) files.

Viruses and worms are often transmitted in e-mail messages, and they frequently include social engineering techniques that trick users into performing an action that activates the malicious software. The amount and variety of forms that malicious software can take makes it difficult for users to know what is safe to run and what is not. When activated, malicious software can damage content on a hard disk, flood a network with requests to cause a denial of service (DoS) attack, send confidential information to the Internet, or compromise the security of a computer.

Note

Software restriction policies do not prevent restricted processes that run under the System account. For example, if a malicious program has set up a malicious service that starts under the Local System account, it will start successfully even if there is a software restriction policy configured to restrict it.

Countermeasure

Create a sound design for software restriction policies on end-user computers in your organization, and then thoroughly test the policies in a lab environment before you deploy them in a production environment.

Potential impact

A flawed software restriction policy implementation can disable necessary applications or allow malicious software to run. Therefore, it is important that organizations dedicate sufficient resources to manage and troubleshoot the implementation of such policies.
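The following PowerShell script is an added example and is not part of this article: it audits the policy actually in effect on a computer so that a design can be checked in the lab and troubleshot after deployment. It reads the registry location under HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers to which the Group Policy setting above is written, lists the configured rules, collects the block events that software restriction policies write to the Application log, and, because services that start under the Local System account are not governed by the policy (see the note above), lists those services for manual review. The registry value meanings, the event provider name and the event IDs (865, 866, 867, 868, 882) are assumptions about how Windows stores and reports this policy; confirm them on your own Windows version before relying on the output.

```powershell
# Added example, not from the original article: audit the effective Software
# Restriction Policies state on the local computer to support lab testing and
# troubleshooting. Registry layout, level values, event provider and event IDs
# below are assumptions; verify them against your Windows version.

$srpRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

# Security levels as stored in the registry (assumption)
$levels = @{
    0      = 'Disallowed'
    131072 = 'Basic User'    # 0x20000
    262144 = 'Unrestricted'  # 0x40000
}

function Get-SrpConfiguration {
    if (-not (Test-Path $srpRoot)) {
        Write-Warning 'No software restriction policy is configured on this computer.'
        return $null
    }
    $props = Get-ItemProperty -Path $srpRoot
    [pscustomobject]@{
        DefaultLevel      = $levels[[int]$props.DefaultLevel]
        # PolicyScope: 0 = all users, 1 = all users except local administrators
        AppliesToAdmins   = ($props.PolicyScope -eq 0)
        # TransparentEnabled: 1 = all software files except libraries, 2 = all files
        EnforcesLibraries = ($props.TransparentEnabled -eq 2)
        ExecutableTypes   = ($props.ExecutableTypes -join ', ')
    }
}

function Get-SrpRules {
    # Each security level has a numeric subkey holding Paths, Hashes, UrlZones
    # and Certificates rule containers; every rule is a GUID-named subkey.
    foreach ($levelKey in (Get-ChildItem -Path $srpRoot -ErrorAction SilentlyContinue)) {
        $levelValue = $levelKey.PSChildName -as [int]
        if ($null -eq $levelValue) { continue }
        foreach ($ruleType in 'Paths', 'Hashes', 'UrlZones', 'Certificates') {
            $typePath = Join-Path $levelKey.PSPath $ruleType
            if (-not (Test-Path $typePath)) { continue }
            foreach ($rule in (Get-ChildItem -Path $typePath)) {
                $p = Get-ItemProperty -Path $rule.PSPath
                [pscustomobject]@{
                    Level       = $levels[$levelValue]
                    Type        = $ruleType
                    Target      = if ($ruleType -eq 'Hashes') { $p.FriendlyName } else { $p.ItemData }
                    Description = $p.Description
                }
            }
        }
    }
}

function Get-SrpBlockEvents {
    # Block events in the Application log (assumed IDs): 865 default level,
    # 866 path rule, 867 certificate rule, 868 zone rule, 882 hash rule.
    param([int]$Hours = 24)
    Get-WinEvent -FilterHashtable @{
        LogName      = 'Application'
        ProviderName = 'SoftwareRestrictionPolicies'
        Id           = 865, 866, 867, 868, 882
        StartTime    = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id,
            @{ Name = 'Message'; Expression = { $_.Message.Split("`n")[0].Trim() } }
}

function Get-LocalSystemServices {
    # Services running as LocalSystem are outside the policy's reach, so their
    # image paths deserve a manual comparison against the path rules above.
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.StartName -eq 'LocalSystem' } |
        Select-Object Name, State, PathName
}

# Usage: run the script, then review each section before a production rollout.
$config = Get-SrpConfiguration
if ($null -ne $config) {
    'Effective configuration:'; $config | Format-List
    'Configured rules:';        Get-SrpRules | Format-Table -AutoSize
    'Block events (last 24 h):'; Get-SrpBlockEvents | Format-Table -AutoSize
    'Services running as LocalSystem (not governed by the policy):'
    Get-LocalSystemServices | Format-Table -AutoSize
}
```

The block-event listing is the quickest way to find the necessary application that a new policy disabled, which is the failure mode the paragraph above warns about; run it on the lab computers during testing and again after each policy change in production.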

Note

Although software restriction policies are an important tool that can enhance the security of computers, they are not a replacement for other security measures such as antivirus programs, firewalls, and restrictive access control lists (ACLs).

Additional references

The following links provide additional information about designing and using software restriction policies:

  • For information about implementing software restriction policies on Windows Vista®-based computers, see Using Software Restriction Policies to Protect Against Unauthorized Software (https://go.microsoft.com/fwlink/?LinkID=98671).

  • For information about methods, including software restriction policies, to defend your computer against malicious software, see Chapter 2 of the Windows Vista Security Guide (https://go.microsoft.com/fwlink/?LinkId=101048).

  • For information about how to deploy software restriction policies on Windows Server® 2003 systems and in Active Directory® directory service domains, see article 324036, How To Use Software Restriction Policies in Windows Server 2003, in the Microsoft Knowledge Base (https://go.microsoft.com/fwlink/?LinkId=101049).