Software Restriction Policies (SRP)
Updated: December 16, 2008
Applies To: Windows Server 2008 R2
Software restriction policies provide administrators with a mechanism for identifying software programs running on a computer and controlling the ability of those programs to run. Software restriction policies are not enabled by default. These policies are enabled and configured using either the Group Policy Management Console or the Local Group Policy Editor.
A software restriction policy consists of a default rule that defines the security level under which programs can run and additional rules that define the exceptions to the default rule. You can set the default security level to Unrestricted (the program can run if the access rights of the user allow it), Disallowed (the program cannot run), or Basic User (the program runs as a normal user, regardless of the rights of the user). This policy can be enforced on all users, or you can specify that the policy is not enforced on users who are members of the local administrators group.
There are four types of additional rules that can be defined in a software restriction policy to identify software that is an exception to the default rule. Your software restriction policy can identify software using the following methods:
- Hash. A cryptographic fingerprint of the file.
- Certificate. A software publisher certificate used to digitally sign a file.
- Path. The local or universal naming convention (UNC) path to where the file is stored.
- Network Zone. The Internet Explorer security zone (for example, Internet, Local intranet, or Trusted sites) from which the software was downloaded.
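The following PowerShell script is an added example, not part of this TechNet page and not a Microsoft tool. It audits the policy structure just described (default security level, enforcement scope, and the hash and path exception rules) by reading the registry values that Group Policy writes for a computer-level software restriction policy. The key path, value names and encodings used below (`CodeIdentifiers`, `DefaultLevel`, `PolicyScope`, per-level `Paths` and `Hashes` subkeys, and the `HashAlg` identifiers) are assumptions based on how SRP stores its settings, not facts stated on this page; certificate and network zone rules are stored elsewhere and are not covered.

```powershell
# Added example (not from the TechNet page): enumerate the computer-level
# software restriction policy from the registry.
# Assumed layout (not stated on the page):
#   HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers
#     DefaultLevel  0x0 = Disallowed, 0x20000 = Basic User, 0x40000 = Unrestricted
#     PolicyScope   0 = all users, 1 = all users except local administrators
#     <level>\Paths\<GUID>   ItemData = path rule, Description = admin note
#     <level>\Hashes\<GUID>  ItemData = hash bytes, HashAlg = algorithm,
#                            FriendlyName = file the hash was taken from
# Run in an elevated PowerShell session on the computer being audited.

$SrpBase = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

# Security level codes used both for DefaultLevel and for the rule subkey names.
$LevelNames = @{
    0      = 'Disallowed'
    131072 = 'Basic User'    # 0x20000
    262144 = 'Unrestricted'  # 0x40000
}

# Hash algorithm identifiers stored in HashAlg (CALG_* values, assumed).
$HashAlgNames = @{
    32771 = 'MD5'   # 0x8003
    32772 = 'SHA1'  # 0x8004
}

function Get-SrpPolicySummary {
    # Returns the default level and scope, or $null when SRP is not configured.
    if (-not (Test-Path $SrpBase)) { return $null }
    $root = Get-ItemProperty -Path $SrpBase
    $default = $LevelNames[[int]$root.DefaultLevel]
    if (-not $default) { $default = 'Unknown (0x{0:X})' -f $root.DefaultLevel }
    [pscustomobject]@{
        DefaultLevel = $default
        Scope        = if ($root.PolicyScope -eq 1) { 'All users except local administrators' } else { 'All users' }
    }
}

function Get-SrpRules {
    # Returns one object per hash or path exception rule, tagged with the
    # security level the rule assigns to the matched software.
    if (-not (Test-Path $SrpBase)) { return }
    foreach ($levelKey in Get-ChildItem -Path $SrpBase) {
        $levelValue = 0
        # Only numeric subkeys (0, 131072, 262144) hold rules.
        if (-not [int]::TryParse($levelKey.PSChildName, [ref]$levelValue)) { continue }
        $levelName = $LevelNames[$levelValue]
        if (-not $levelName) { $levelName = "Level $levelValue" }

        $pathKey = Join-Path $levelKey.PSPath 'Paths'
        if (Test-Path $pathKey) {
            foreach ($rule in Get-ChildItem -Path $pathKey) {
                $p = Get-ItemProperty -Path $rule.PSPath
                [pscustomobject]@{
                    Level       = $levelName
                    RuleType    = 'Path'
                    Rule        = $p.ItemData
                    Description = $p.Description
                }
            }
        }

        $hashKey = Join-Path $levelKey.PSPath 'Hashes'
        if (Test-Path $hashKey) {
            foreach ($rule in Get-ChildItem -Path $hashKey) {
                $h = Get-ItemProperty -Path $rule.PSPath
                $alg = $HashAlgNames[[int]$h.HashAlg]
                if (-not $alg) { $alg = "alg $($h.HashAlg)" }
                # ItemData is a byte array; render it as lowercase hex.
                $hex = ($h.ItemData | ForEach-Object { $_.ToString('x2') }) -join ''
                [pscustomobject]@{
                    Level       = $levelName
                    RuleType    = "Hash ($alg)"
                    Rule        = "$hex  [$($h.FriendlyName)]"
                    Description = $h.Description
                }
            }
        }
    }
}

$summary = Get-SrpPolicySummary
if ($null -eq $summary) {
    Write-Output 'No software restriction policy is configured on this computer (SRP is off by default).'
} else {
    $summary | Format-List
    Get-SrpRules | Sort-Object Level, RuleType | Format-Table -AutoSize -Wrap
}
```

A useful check to run on the output: when the default level is Disallowed, every path rule that assigns Unrestricted should point at a location standard users cannot write to, otherwise a user can place a program under that path and bypass the default rule.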
For more information about software restriction policies, see Using Software Restriction Policies to Protect Against Unauthorized Software(http://go.microsoft.com/fwlink/?LinkID=98671).
The following is a list of all aspects that are part of this managed entity:
Software Restriction Policy Notification displays a message to the user and writes an event to the event log when the user attempts to run a program that is not allowed by the policy. If the software restriction policy is enforced on all users, then messages will be displayed to both standard users and administrators. If the policy is enforced on all users except local administrators, then users logged on with administrative credentials will not be notified, because the policy will not apply to the programs that they run.
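The events mentioned above are what an administrator would monitor to see which programs the policy is blocking and for whom. The PowerShell function below is an added example, not code from this page or from Microsoft; it collects those events from the Application log and summarises them per user and program. The provider name, the event IDs and their mapping to rule types, and the position of the program path in the event properties are assumptions about how SRP logs blocked launches, not facts stated on this page.

```powershell
# Added example (not from the TechNet page): report program launches that
# software restriction policy blocked on this computer.
# Assumptions (not stated on the page):
#   - events are written to the Application log by the provider
#     'Microsoft-Windows-SoftwareRestrictionPolicies'
#   - event IDs: 865 default rule, 866 path rule, 867 certificate rule,
#     868 zone rule, 882 hash rule
#   - the blocked program's path is the first event property

function Get-SrpBlockEvent {
    param(
        [int]$Hours = 24,
        [string]$ComputerName = $env:COMPUTERNAME
    )

    $ruleTypeById = @{
        865 = 'Default rule'
        866 = 'Path rule'
        867 = 'Certificate rule'
        868 = 'Zone rule'
        882 = 'Hash rule'
    }

    $filter = @{
        LogName      = 'Application'
        ProviderName = 'Microsoft-Windows-SoftwareRestrictionPolicies'
        Id           = @($ruleTypeById.Keys)
        StartTime    = (Get-Date).AddHours(-$Hours)
    }

    # Get-WinEvent raises an error when nothing matches; treat that as no events.
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # UserId is the SID of the account that tried to run the program;
            # resolve it to an account name when possible.
            $user = $_.UserId
            if ($null -ne $user) {
                try { $user = $user.Translate([System.Security.Principal.NTAccount]).Value } catch { $user = $user.Value }
            }
            [pscustomobject]@{
                Time     = $_.TimeCreated
                Computer = $_.MachineName
                User     = $user
                RuleType = $ruleTypeById[$_.Id]
                Program  = if ($_.Properties.Count -gt 0) { $_.Properties[0].Value } else { $null }
                Message  = $_.Message
            }
        }
}

# Last seven days, newest first, then a per-user/per-program count that makes
# repeated attempts against the same program stand out.
$blocked = Get-SrpBlockEvent -Hours 168
$blocked | Sort-Object Time -Descending | Format-Table Time, User, RuleType, Program -AutoSize

$blocked |
    Group-Object User, Program |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize
```

Keep in mind the scope rule stated above when reading the report: with the policy set to apply to all users except local administrators, launches by administrative accounts never generate these events, so an empty report for those accounts means the policy was not applied to them, not that nothing was run.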
If the policy is enforced on all users and the Basic User default security level is selected, local administrators may not be able to run programs that require administrative credentials unless those programs are specifically excepted from the rule.