Software Restriction Policies
Updated: January 21, 2009
Applies To: Windows Server 2008
Software restriction policies provide a policy-driven system to specify which programs are allowed to run on the local computer and which are not. Two improvements have been made to software restriction policies for Windows Vista and Windows Server 2008. First, the default hash rule algorithm has been upgraded from Message Digest version 5 (MD5) to the Secure Hash Alogorithm-256(SHA256). SHA-256 is a 256-bit (32-byte) message digest hash and is meant to provide 128 bits of security against collision attacks and is considered much stronger than MD5, which has known vulnerabilities. MD5 is still supported for compatibility with Windows XP. Second, certificate rules can now be activated from within the Software Restriction Policies snap-in extension instead of from within the Local Security Policies snap-in.
The increased use of networks and the Internet in daily business computing means that it is more likely than ever that an organization's users encounter malicious software. Software restriction policies can help organizations protect themselves because they provide another layer of defense against viruses, Trojan horses, and other types of malicious software.
You can configure the Software Restriction Policy settings in the following location within the Group Policy Management Console:
Computer Configuration\Windows Settings\Security Settings\Software Restriction Policies
People use computer networks to collaborate in many different ways; they use e-mail, instant messaging, and peer-to-peer applications. As these collaboration opportunities increase, so does the risk from viruses, worms, and other forms of malicious software. E-mail and instant messaging can transport unsolicited malicious software, which can take many forms—from native Windows® executable (.exe) files, to macros in word processing (.doc) documents, to script (.vbs) files.
Viruses and worms are often transmitted in e-mail messages, and they frequently include social engineering techniques that trick users into performing an action that activates the malicious software. The amount and variety of forms that malicious software can take make it difficult for users to know what is safe to run and what is not. When activated, malicious software can damage content on a hard disk, flood a network with requests to cause a denial of service (DoS) attack, send confidential information to the Internet, or compromise the security of a computer.
|Software restriction policies do not prevent restricted processes that run under the System account. For example, if a malicious program has set up a malicious service that starts under the Local System account, it starts successfully even if there is a software restriction policy configured to restrict it.|
Create a sound design for software restriction policies on end-user computers in your organization, and then thoroughly test the policies in a lab environment before you deploy them in a production environment.
A flawed software restriction policy implementation can disable necessary applications or allow malicious software to run. Therefore, it is important that organizations dedicate sufficient resources to manage and troubleshoot the implementation of such policies.
|Although software restriction policies are an important tool that can enhance the security of computers, they are not a replacement for other security measures such as antivirus programs, firewalls, and restrictive access control lists (ACLs).|
The following links provide additional information about designing and using software restriction policies:
- For information about implementing software restriction policies on Windows Vista®-based computers, see Using Software Restriction Policies to Protect Against Unauthorized Software (http://go.microsoft.com/fwlink/?LinkID=98671).
- For information about methods, including software restriction policies, to defend your computer against malicious software, see Chapter 2 of the Windows Vista Security Guide at (http://go.microsoft.com/fwlink/?LinkId=101048).