
Using Software Restriction Policies

Updated: March 28, 2003

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Software restriction policies, which are new with Windows XP and Windows Server 2003, enable you to identify software running on computers in your domain and to control whether a user can run it. Restricting certain types of applications can, for example, protect your organization against viruses. As a way to lock down the user environment on a terminal server, you can set up software restriction policies that allow users to run only specific applications on the server.

Software restriction policies are located in the Group Policy Object Editor under Windows Settings/Security Settings. Windows Installer operates with applications permitted by these Software Restriction Policies. For more information, see "Software Restriction Policies" in Help and Support Center for Windows Server 2003.

You can use software restriction policies with Terminal Server by using path rules, as shown in Table 4.4. These rules allow groups of users, when separated into different OUs, to access only the applications or application components that you want the groups of users to access on the server. For example, a company has a terminal server with a line-of-business application and a few productivity applications for the use of the accounts payable department. The company has decided that account managers need access to all of the available applications for that department, but the data-entry workers in that department need access only to the line-of-business application. The company sets the default rule to Disallowed and configures the software restriction policies as outlined in the following table.

Table 4.4   Example Software Restriction Policy Configuration

| Path Rule | Security Level |
|---|---|
| Terminal Server OU | |
| %windir% | Unrestricted |
| %windir%\regedit.exe | Disallowed |
| %windir%\system32\cmd.exe | Disallowed |
| %windir%\system32\command.com | Disallowed |
| %windir%\system32\dllcache | Disallowed |
| %windir%\system32\gpresult.exe | Disallowed |
| %windir%\system32\gpupdate.exe | Disallowed |
| %ProgramFiles%\Windows NT\Accessories | Unrestricted |
| Data Entry OU | |
| %ProgramFiles%\Accounts Payable Software | Unrestricted |
| Account Managers OU | |
| %ProgramFiles%\Microsoft Office\Office | Unrestricted |
| %ProgramFiles%\Internet Explorer | Unrestricted |
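
The following added example (not part of the original Microsoft page) models how the path rules in Table 4.4 resolve for a given user and executable, so you can check a rule set before deploying it. It assumes that the most specific matching path rule takes precedence, that a user is subject to the Terminal Server OU rules plus the rules of their own OU, and constructed values for %windir% and %ProgramFiles%; it handles only the plain path rules shown in the table.

```python
import ntpath

# Constructed values for the environment variables used in Table 4.4.
ENV = {"%windir%": r"C:\WINDOWS", "%ProgramFiles%": r"C:\Program Files"}

# Path rules copied from Table 4.4, grouped by the OU that holds them.
RULES = {
    "Terminal Server OU": [
        (r"%windir%", "Unrestricted"),
        (r"%windir%\regedit.exe", "Disallowed"),
        (r"%windir%\system32\cmd.exe", "Disallowed"),
        (r"%windir%\system32\command.com", "Disallowed"),
        (r"%windir%\system32\dllcache", "Disallowed"),
        (r"%windir%\system32\gpresult.exe", "Disallowed"),
        (r"%windir%\system32\gpupdate.exe", "Disallowed"),
        (r"%ProgramFiles%\Windows NT\Accessories", "Unrestricted"),
    ],
    "Data Entry OU": [(r"%ProgramFiles%\Accounts Payable Software", "Unrestricted")],
    "Account Managers OU": [
        (r"%ProgramFiles%\Microsoft Office\Office", "Unrestricted"),
        (r"%ProgramFiles%\Internet Explorer", "Unrestricted"),
    ],
}
DEFAULT_LEVEL = "Disallowed"  # the default rule chosen in the example scenario

def _norm(path):
    """Expand a leading variable, normalise separators, compare case-insensitively."""
    for var, value in ENV.items():
        if path.lower().startswith(var.lower()):
            path = value + path[len(var):]
    return ntpath.normcase(ntpath.normpath(path))

def effective_level(user_ou, exe_path):
    """Return (security level, matching rule or None) for exe_path run by a user in user_ou."""
    target = _norm(exe_path)
    best, best_len = (DEFAULT_LEVEL, None), -1
    # Assumption: Terminal Server OU rules apply to everyone, plus the user's own OU rules.
    for rule, level in RULES["Terminal Server OU"] + RULES[user_ou]:
        prefix = _norm(rule)
        if target == prefix or target.startswith(prefix + "\\"):
            # The longest (most specific) match wins; on a tie, Disallowed wins.
            if len(prefix) > best_len or (len(prefix) == best_len and level == "Disallowed"):
                best, best_len = (level, rule), len(prefix)
    return best

if __name__ == "__main__":
    for ou in ("Data Entry OU", "Account Managers OU"):
        print(ou, effective_level(ou, r"C:\Program Files\Microsoft Office\Office\WINWORD.EXE"))
```

A result whose rule is None means no path rule matched and the Disallowed default applied, which is how data-entry workers are kept out of the productivity applications.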
