Setting the default security level to Disallowed

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

You can set software restriction policies so that the operating system has one of two default security levels: Unrestricted and Disallowed. When you first create software restriction policies, a default setting of Unrestricted is automatically defined. You can then apply rules that restrict the execution of specified software programs. When you set the default security level to Disallowed, most software is restricted. There are four registry path rules that are automatically created to prevent you from completely locking down your system, including locking yourself out of it. You must then apply rules for all other software that you want to run.

Software restriction policies are applied through the operating system. Certain software programs must be set to Unrestricted for the operating system to function at all. The following tips can help you decide which programs to set to Unrestricted if you decide to use a default security level of Disallowed:

  • When the default security level is set to Disallowed, four registry path rules are created automatically. They are as follows:

    • %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%

    • %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%\*.exe

    • %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%\System32\*.exe

    • %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir%

    These registry path rules are created as a safeguard against locking yourself and all users out of the system. Only advanced users should consider modifying or deleting these rules.

  • Startup items are put in HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run in the registry. If you want them to run, make sure that you create a registry path rule for them. For information about creating a registry path rule, see Create a registry path rule.

  • If a computer must run logon scripts, create a path rule that allows them. For information about creating a path rule, see Create a path rule.

  • Explore your software programs when you create rules for them. Many programs launch other programs to perform certain tasks; for example, Microsoft Word starts Microsoft Clip Organizer to manage clip art. For a program to work as intended, every supporting program it launches must also be allowed to run.
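As an added audit example (PowerShell, not part of the original article), the script below expands the four default registry path rules listed above and checks each entry under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run against them, so you can see which startup items would need a rule of their own before the default level is switched to Disallowed. It assumes PowerShell is installed on the server, that the four rules expand to real folders on that machine, and it models path-rule matching only (no hash, certificate or Internet zone rules); it changes nothing.

```powershell
# Added example, not from the original article. Read-only audit: expands the four registry
# path rules SRP creates under a Disallowed default and reports which HKCU ...\Run startup
# entries fall outside them (those would need their own rule before the switch).
$DefaultRules = @(
    '%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%',
    '%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%\*.exe',
    '%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%\System32\*.exe',
    '%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir%'
)
# "%<key>\<value>%<suffix>" -> the registry value's data with the suffix appended, or $null.
function Expand-SrpRegistryPathRule([string]$Rule) {
    if ($Rule -notmatch '^%(?<key>[^%]+)\\(?<value>[^%\\]+)%(?<suffix>.*)$') { return $null }
    $key = 'Registry::' + $Matches['key']; $name = $Matches['value']; $suffix = $Matches['suffix']
    $item = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
    if (-not $item) { return $null }
    return ([string]$item.$name).TrimEnd('\') + $suffix
}
# Path-rule semantics as modelled here (an assumption of this example): a folder rule covers
# the folder and everything beneath it; a rule with wildcards matches only names directly in it.
function Test-SrpPathMatch([string]$FilePath, [string]$ExpandedRule) {
    $cmp = [StringComparison]::OrdinalIgnoreCase
    if ($ExpandedRule -notmatch '[*?]') {
        return $FilePath.StartsWith($ExpandedRule.TrimEnd('\') + '\', $cmp)
    }
    $sameDir = [string]::Equals((Split-Path $FilePath -Parent), (Split-Path $ExpandedRule -Parent), $cmp)
    return ($sameDir -and ((Split-Path $FilePath -Leaf) -like (Split-Path $ExpandedRule -Leaf)))
}
# Executable of a Run command line: quoted paths are honoured; an unquoted path that
# contains spaces is cut at the first space (a simplification of this example).
function Get-CommandExecutable([string]$CommandLine) {
    $cmd = [Environment]::ExpandEnvironmentVariables($CommandLine.Trim())
    if ($cmd.StartsWith('"') -and $cmd.IndexOf('"', 1) -gt 0) {
        return $cmd.Substring(1, $cmd.IndexOf('"', 1) - 1)
    }
    return ($cmd -split ' ')[0]
}
$expanded = @($DefaultRules | ForEach-Object { Expand-SrpRegistryPathRule $_ } | Where-Object { $_ })
$meta = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'   # provider metadata, not Run values
$run = Get-ItemProperty -Path 'Registry::HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run' -ErrorAction SilentlyContinue
$entries = if ($run) { @($run.PSObject.Properties | Where-Object { $meta -notcontains $_.Name }) } else { @() }
foreach ($entry in $entries) {
    $exe = Get-CommandExecutable ([string]$entry.Value)
    if (-not $exe) { continue }
    $covered = @($expanded | Where-Object { Test-SrpPathMatch $exe $_ }).Count -gt 0
    $verdict = if ($covered) { 'allowed by a default rule' } else { 'NEEDS its own rule' }
    '{0,-24} {1}  [{2}]' -f $entry.Name, $exe, $verdict
}
```

Run it in the context of each user whose startup items matter, since the Run key it reads is per-user; an entry that names a bare executable without a path is reported as needing a rule because no folder can be matched for it.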

For more information about software restriction policies, see Software Restriction Policies.