+ Post New Thread
Results 1 to 5 of 5
Windows Server 2008 R2 Thread, APPDATA install problem due to software restriction policy. HELP! in Technical; Hi All, After putting in the APPDATA software restriction policy to stop conficker, obviously nothing runs from there. I am ...
  1. #1
    Koldov's Avatar
    Join Date
    May 2011
    Location
    Bedfordshire
    Posts
    505
    Thank Post
    101
    Thanked 50 Times in 46 Posts
    Rep Power
    39

    APPDATA install problem due to software restriction policy. HELP!

    Hi All,

    After putting in the APPDATA software restriction policy to stop conficker, obviously nothing runs from there.

    I am trying to put an exception in which would allow a specific program to run.

    The program is trying to run C:\Users\USERNAME\appdata\local\temp\irsetup.exe but obviously failing!

    Could anyone please give me the exact syntax to allow this to run please?

    Kol.

  2. #2

    Join Date
    Jul 2013
    Posts
    19
    Thank Post
    0
    Thanked 4 Times in 4 Posts
    Rep Power
    3
    We have a similar Software restriction policy in place and an unintended consequence was that Dropbox failed to run. Our work around was to take the digital certificate that Dropbox was signed with, export it, then import it as a "Trusted Publisher" within the same GPO that our Software restriction policy was defined in, which I believe, automatically creates a certificate based rule under the software restriction-->Additional Rules node in the GPO and sets it to unrestricted, but I might have also done that manually - it's been a while. After that, Dropbox ran just fine. So if "irsetup.exe" is signed, you can use a certificate rule and set it to "unrestricted". If it's not signed, I think you can also do a hash rule.

    Check the section about rule precedence on this page and I think you'll get it:
    Using Software Restriction Policies to Protect Against Unauthorized Software

  3. #3

    Join Date
    Jul 2006
    Location
    London
    Posts
    1,249
    Thank Post
    110
    Thanked 242 Times in 193 Posts
    Blog Entries
    1
    Rep Power
    74

    APPDATA install problem due to software restriction policy. HELP!

    We tend to use the the file hash.


    Pretty sure that using the cert is pretty easy though, just tell app locker to trust apps signed by a specific publisher, no need to export anything?
    Last edited by psydii; 15th July 2014 at 08:47 PM.

  4. #4

    Join Date
    Jul 2013
    Posts
    19
    Thank Post
    0
    Thanked 4 Times in 4 Posts
    Rep Power
    3
    That may very well be Psy. Maybe I'm doing it the hard way. I've always just grabbed it by:

    Navigate to .exe in question --> Properties-->Digital Signatures-->Details-->View Certificate-->Details-->Copy to File (Then follow the prompts of the wizard to save a .cer file)

    Once you have the .cer, you can import it to the Trusted Publishers node within a GPO and create a software restriction policy using the cert, setting it to unrestricted.

  5. #5


    Join Date
    Feb 2007
    Location
    51.405546, -0.510212
    Posts
    8,748
    Thank Post
    221
    Thanked 2,626 Times in 1,936 Posts
    Rep Power
    778
    Quote Originally Posted by psydii View Post
    just tell AppLocker to trust apps signed by a specific publisher, no need to export anything
    +1. This is what I do too. There isn't any need to export certificates.



    ^ When you get to this step, browse for the executable, then move the slider on the left to adjust how specific you want the Publisher rule to be. In the screenshot above everything that has been signed with Google's digital signature will be allowed to run.
    Last edited by Arthur; 15th July 2014 at 11:05 PM.

SHARE:
+ Post New Thread

Similar Threads

  1. Software restriction policies problem
    By mrbios in forum Windows
    Replies: 3
    Last Post: 9th December 2009, 03:48 PM
  2. Software Restriction Policy (w2k3) - path question
    By indiegirl in forum How do you do....it?
    Replies: 5
    Last Post: 19th October 2006, 05:05 PM
  3. Software Restriction Policy (w2k3) - path question
    By indiegirl in forum How do you do....it?
    Replies: 0
    Last Post: 19th October 2006, 10:11 AM
  4. GPo - Software Restriction Policy
    By Gatt in forum Wireless Networks
    Replies: 26
    Last Post: 23rd January 2006, 01:53 PM

Thread Information

Users Browsing this Thread

There are currently 1 users browsing this thread. (0 members and 1 guests)

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •