Precedence of software restriction policies rules

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

You can apply several software restriction policies rules to the same software. The rules are applied in the following order of precedence, from highest to lowest:

  • Hash rule

  • Certificate rule

  • Path rule

  • Internet zone rule

For example, if you create a hash rule with a security level of Unrestricted for a software program that resides in a folder that has a path rule assigned to it with a security level of Disallowed, the program will run. The hash rule takes precedence over the path rule.

If two path rules are assigned to the same object, the more specific rule takes precedence. For example, if there is a path rule for C:\Windows\ with a security level of Disallowed, but there is also a path rule for C:\Windows\System32\ with a security level of Unrestricted, the more specific path rule takes precedence. Software programs in C:\Windows\ will not run, but programs in C:\Windows\System32\ will run.

If two identical rules with differing security levels are applied to software, the more conservative rule takes precedence. For example, if two hash rules (one with a security level of Disallowed and one with a security level of Unrestricted) are applied to the same software program, the rule with a security level of Disallowed takes precedence, and the program will not run.
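
The three precedence rules above can be checked against a planned rule set before it is deployed. The following Python sketch is an added example, not Microsoft code: it models only the ordering described on this page, and the `Rule` and `Program` types, the folder-prefix path matching, and the `default` parameter (standing in for the policy's default security level) are assumptions made for illustration.

```python
from dataclasses import dataclass

# Rule types from highest to lowest precedence, as listed on this page.
PRECEDENCE = ("hash", "certificate", "path", "zone")

@dataclass(frozen=True)
class Rule:
    kind: str    # one of PRECEDENCE
    value: str   # file hash, publisher, folder path, or zone name
    level: str   # "Unrestricted" or "Disallowed"

@dataclass(frozen=True)
class Program:   # hypothetical description of the file being evaluated
    path: str
    file_hash: str
    publisher: str = ""
    zone: str = ""

def _matches(rule, prog):
    if rule.kind == "path":
        # Simplification: case-insensitive folder-prefix match only.
        folder = rule.value.lower().rstrip("\\") + "\\"
        return prog.path.lower().startswith(folder)
    attr = {"hash": prog.file_hash, "certificate": prog.publisher,
            "zone": prog.zone}[rule.kind]
    return bool(attr) and attr.lower() == rule.value.lower()

def effective_level(prog, rules, default="Unrestricted"):
    """Return the level of the winning rule, or `default` if nothing matches."""
    for kind in PRECEDENCE:
        hits = [r for r in rules if r.kind == kind and _matches(r, prog)]
        if not hits:
            continue
        if kind == "path":
            # The more specific (longest) matching path rule wins.
            longest = max(len(r.value.rstrip("\\")) for r in hits)
            hits = [r for r in hits if len(r.value.rstrip("\\")) == longest]
        # Same rule, differing levels: the more conservative level wins.
        if any(r.level == "Disallowed" for r in hits):
            return "Disallowed"
        return hits[0].level
    return default

# Constructed sample data mirroring the path-rule example on this page.
RULES = [Rule("path", "C:\\Windows\\", "Disallowed"),
         Rule("path", "C:\\Windows\\System32\\", "Unrestricted")]
if __name__ == "__main__":
    for p in ("C:\\Windows\\tool.exe", "C:\\Windows\\System32\\tool.exe"):
        print(p, effective_level(Program(p, "ab12"), RULES))
```

Adding a hash rule with a level of Unrestricted for a file under C:\Windows\ to `RULES` changes that file's result to Unrestricted, which makes the effect of a single hash exception on an otherwise restrictive path policy easy to review.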

For more information, see: