Software Restriction Setup

[ful56_uk]

hi guys

coming from a RM back ground were all the software restrictions are setup for you, we now are moving away from RM and we have got to setup software restrictions on a 2008 server xp client setup

i was woundering what people do as a default when setting up software restrictions policys. I want one just to cover all pc's and laptops.

what do you allow to run by default and block by default?

thanks

mark

[maniac]

I've just written my software restriction policy and did the following.

Disallow everything by default, then created a rule which allows everything on the C:\ this stops anything from memorysticks etc. being run.

I then added in specific deny rules for certain programs like regedit, windows messenger, microsoft help and support centre, command prompt, mmc and a few others to stop those being run (although our GPO should stop most of them anyway)

I find this is the easiest way to set it up so it works reliably. Ideally what you should do is deny everything then allow the programs you want one by one, but we run so much different software allowing the C:\ as a whole entity is a much easier option and it still stops execution of programs from memorysticks which is the main idea of the policy in the first place for us.

One big tip if you do it this way is to make sure you stop the execution of programs from the Temporary files directory, as there's a loop hole that will allow programs to be run if they're in a ZIP file and double clicked, as it extracts by default to the TEMP folder.

Mike.

[FN-GM]

We do the exact same as manic

[rh91uk]

Thanks maniac ... i'm just setting up our R2 software restriction policies now and that was very very useful!