Logo
programming4us
programming4us
programming4us
programming4us
Home
programming4us
XP
programming4us
Windows Vista
programming4us
Windows 7
programming4us
Windows Azure
programming4us
Windows Server
programming4us
Windows Phone
 
Windows Vista

Group Policy Settings (part 2) - Software Restrictions

- Windows 10 Product Activation Keys Free 2019
- How to active Windows 8 without product key
- Malwarebytes Premium 3.7.1 Serial Keys (LifeTime) 2019
3/14/2011 10:12:35 PM

Software Restrictions

The next major area of GPO category is in Software Restrictions. These GPOs are used to deny all executables except those specifically allowed using the Restricted Default Rule, or used to allow all executables and then disallow specific executables using the Unrestricted Default Rule. These GPO settings are located in the GPO under Computer Configuration > Windows Settings > Security Settings > Software Restriction Policies.

By default, the execution of applications is configured as Unrestricted, as shown in Figure 3. Application execution is intended to be controlled by the access permissions (share and NTFS) of the user on the executable.

Figure 3. By default, software execution is unrestricted.

You can configure permissions to keep users from executing applications. You need to do this on each computer where the application resides, a huge task in a large environment. Or you can do it much more easily and on a larger scale by creating a GPO with Software Restriction Rules and then link them appropriately.

Four types of Software Restriction Policy Rules can be used to modify the Default Rule:

  • Certificate Rule— A digital signature embedded within the executable file.

  • Hash Rule— A numeric fingerprint of the executable file.

  • Internet Zone Rule— From tab. They include Internet, Local Intranet, Trusted Sites, and Restricted Sites.

  • Path Rule— The local path or UNC path to the executable file.

These rules are shown in Figure 4.

Figure 4. Modifying the Software Restriction Policy Rules.

These rules often get applied in combinations, and it can get tricky to figure out which GPOs will effectively restrict which applications. As GPOs get processed on the computer, the Software Restriction GPOs are evaluated and then are prioritized in the following order:

1.
Certificate Rule—Strongest

2.
Hash Rule

3.
Path Rule

4.
Internet Zone Rule

5.
Default Rule—Weakest

Exam Alert

If an application fails to run due to Software Restrictions, you might need to add a new Unrestricted Rule of higher priority. An example would be that your OU is configured with a Default Rule set to Restricted. For any application to run, you must configure an Unrestricted Rule of higher priority, such as a Path Rule, as shown in Figure 5.

Figure 5. Setting the Unrestricted Path Rule.



Alert

With Path Rules, you may use wildcards within the path statement itself.

The more specific the path, the higher priority it receives when there is a conflict between Path Rules. You can use a single question mark to represent a wildcard for a single character, one question mark per character, or you can use an asterisk as a wildcard to represent any number of characters in the path statement.

For example, the use of \\Server?? in a Path Rule would satisfy all servers named \\Server00 through \\Server99, as well as \\Serveraa through \\ServerZZ. The use of the asterisk as a wildcard in a Path Rule might look like *.vbs, to allow or restrict all VBS scripts wherever they may be located.


Other -----------------
- Group Policy Settings (part 1) - Desktop Settings & Software Deployment by GPO
- Group Policy Object Overview (part 2) - Applying GPOs to a Computer and User in an AD Environment
- Group Policy Object Overview (part 1) - Building a Local Computer Policy & The Domain Member Computer
- User Account Control (UAC)
- Troubleshoot Authentication Issues - SmartCards
- Configure and Troubleshoot Access to Resources (part 4) - Securing Network Traffic for Remote Desktop Protocol (RDP) Access
- Configure and Troubleshoot Access to Resources (part 3) - IPSec for Securing Network Traffic on the Local LAN
- Configure and Troubleshoot Access to Resources (part 2) - Printer Sharing
- Configure and Troubleshoot Access to Resources (part 1) - Permissions
- Windows Update (part 4) - Troubleshooting Updates
 
 
Top 10
- Microsoft Visio 2013 : Adding Structure to Your Diagrams - Finding containers and lists in Visio (part 2) - Wireframes,Legends
- Microsoft Visio 2013 : Adding Structure to Your Diagrams - Finding containers and lists in Visio (part 1) - Swimlanes
- Microsoft Visio 2013 : Adding Structure to Your Diagrams - Formatting and sizing lists
- Microsoft Visio 2013 : Adding Structure to Your Diagrams - Adding shapes to lists
- Microsoft Visio 2013 : Adding Structure to Your Diagrams - Sizing containers
- Microsoft Access 2010 : Control Properties and Why to Use Them (part 3) - The Other Properties of a Control
- Microsoft Access 2010 : Control Properties and Why to Use Them (part 2) - The Data Properties of a Control
- Microsoft Access 2010 : Control Properties and Why to Use Them (part 1) - The Format Properties of a Control
- Microsoft Access 2010 : Form Properties and Why Should You Use Them - Working with the Properties Window
- Microsoft Visio 2013 : Using the Organization Chart Wizard with new data
Popular tags
Microsoft Access Microsoft Excel Microsoft OneNote Microsoft PowerPoint Microsoft Project Microsoft Visio Microsoft Word Active Directory Biztalk Exchange Server Microsoft LynC Server Microsoft Dynamic Sharepoint Sql Server Windows Server 2008 Windows Server 2012 Windows 7 Windows 8 windows Phone 7 windows Phone 8
programming4us programming4us
Celebrity Style, Fashion Trends, Beauty and Makeup Tips.
 
programming4us
Windows Vista
programming4us
Windows 7
programming4us
Windows Azure
programming4us
Windows Server