CC3 Software Restriction Policy

**cookie_monster** · 8th June 2007, 01:45 PM

We run a vanilla 2003 / XP setup and have recently started to look at using software restriction policy.
I'm wondering if RM enable this as a black or white list and if it's configured as a whitelist how hard it is to manage and configure?

We currently have a students GPO with desktop settings and software restrictions configured as a blacklist, the restrictions are all listed in this one policy is that the standard RM/Windows way or should multiple GPO's be used?

Any input welcome.

Thanks.

**meastaugh1** · 9th June 2007, 08:54 AM

Disallowed is the security level used in one GPO. There are then path rules to unrestrict execution on the systemdrive, then variour rules to disallow and unrestrict as required.

**cookie_monster** · 9th June 2007, 09:31 AM

Thanks for the reply

Are these all set in the user policy or can restrictions be applied to computers as well? If both which would you recommend in a typical education setup with very specific groups/GPOs like teacher/student.

Cheers.

**meastaugh1** · 9th June 2007, 09:48 AM

Software restriction policies are computer only settings.

**cookie_monster** · 11th June 2007, 08:35 AM

No i don't think so i have them working just fine in user policy this has the benefit that i can ban applications for students but not for teachers.

**meastaugh1** · 11th June 2007, 08:48 AM

Ah yes, apologies. I think it used to be the case, but may have changed since 2003 or an SP?

**cookie_monster** · 12th June 2007, 11:09 AM

Does CC3 allow .exes to be run from the users local temp folder?

C:\Documents and Settings\%username%\Local Settings\Temp

I've noticed that when xp unzips an exe it sends it to a temp folder and executes it from there which gets around R2's file screen and path rules. I've created an exe restriction policy on this folderwhich works but i'm wondering what impact this might have on applications.

**meastaugh1** · 12th June 2007, 11:21 AM

Afaik, it's the same on C3 as it is on vanilla. You need to add the path rule to prevent users executing from this temp location.

Applications shouldn't be executing from there. I've only seen it negatively effect one bad application, which would extract itself and it's files at runtime to this location then execute it. An unrestricted hash rule resolved this though.

**cookie_monster** · 12th June 2007, 11:28 AM

That was my thinking as well so i'll see how it goes.

Cheers.

LinkBack

Thread Tools

Search Thread

CC3 Software Restriction Policy

Re: CC3 Software Restriction Policy

Re: CC3 Software Restriction Policy

Re: CC3 Software Restriction Policy

Re: CC3 Software Restriction Policy

Re: CC3 Software Restriction Policy

Re: CC3 Software Restriction Policy

Re: CC3 Software Restriction Policy

Re: CC3 Software Restriction Policy

Similar Threads

Software restriction policy, half working?

Software Restriction Policy

Software Restriction Policy (w2k3) - path question

Software Restriction Policy (w2k3) - path question

GPo - Software Restriction Policy

Thread Information

Users Browsing this Thread

Posting Permissions