Security levels and additional rules
Updated: January 21, 2005
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
Security levels and additional rules
For software restriction policies, the security level options are:
Unrestricted, which allows software to run with the full rights of the user who is logged on to the computer.
Disallowed, which does not allow the software to run.
You can use the following rules to make exceptions to the default security level for software restriction policies. For example, if the default security level is Disallowed, you can create a path rule that makes an exception to the default security level and allows a software program to run.
More than one rule can be applied to software. When this happens, the rule with the highest precedence determines if the software will run or not run. For information about the precedence of these rules, see Precedence of software restriction policies rules.
A hash is a series of bytes with a fixed length that uniquely identifies a software program or file. The hash is computed by a hash algorithm. When a hash rule is created for a software program, software restriction policies calculate a hash of the program. When a user tries to open a software program, a hash of the program is compared to existing hash rules for software restriction policies. The hash of a software program is always the same, regardless of where the program is located on the computer. However, if a software program is altered in any way, its hash also changes, and it no longer matches the hash in the hash rule for software restriction policies.
For example, you can create a hash rule and set the security level to Disallowed to prevent users from running a certain file. A file can be renamed or moved to another folder and still result in the same hash. However, any changes to the file itself also change its hash value and allow the file to bypass restrictions.
For more information, see Create a hash rule.
Software restriction policies can also identify software by its signing certificate. You can create a certificate rule that identifies software and then allows or does not allow the software to run, depending on the security level. For example, you can use certificate rules to automatically trust software from a trusted source in a domain without prompting the user. You can also use certificate rules to run files in disallowed areas of your operating system.
Certificate rules are not enabled by default. For information about how to enable certificate rules, see Enable certificate rules.
A path rule identifies software by its file path. For example, if you have a computer that has a default security level of Disallowed, you can still grant unrestricted access to a specific folder for each user. You can create a path rule by using the file path and setting the security level of the path rule to Unrestricted. Some common paths for this type of rule are %userprofile%, %windir%, %appdata%, %programfiles%, and %temp%. You can also create registry path rules that use the registry key of the software as its path.
Because these rules are specified by the path, if a software program is moved, the path rule no longer applies.
For information about the precedence of path rules when more than one path rule is applied to a file or folder, see Precedence of software restriction policies rules.
Internet zone rule
Zone rules apply only to Windows Installer packages. For more information, see Windows Installer overview.
A zone rule can identify software from a zone that is specified through Internet Explorer. These zones are Internet, Intranet, Restricted sites, Trusted sites, and My Computer.
For more information, see Create an Internet zone rule.