  1. #1


    Help with Software restrictions Policy

    Hi all, I hope someone can help with this problem I am having trying to use a Software restrictions Policy. I want to disallow all software apart from the list I specify. If I allow all and just add a program I do not want to run, it works fine; if however I reverse this to disallow all and add a program I want to run in additional rules via path or hash, it just disallows everything... and I am left scratching my head.

  2. #2
    User3204
    There's a whole lot of stuff about SRPs here: "Using Software Restriction Policies to Protect Against Unauthorized Software".

    I found if I make changes I need to get the users to logoff/logon to re-apply the GPO / ADM policy.
    The best way to do it is to create a completely new GPO, on a few test users, and then work out all the shared areas you have to allow access to, there's stuff like:

    \\servername\netlogon - to run logon/logoff scripts..
    \\servername\programs & p:\ or whatever you map the \\servername\programs to;
    c:\program files\*\* is one I allow, which seems stupid until you realise we have stopped installers running, and hide the c:\ drive;
    c:\windows\ - just in case...

  3. #3
    DMcCoy
    You may want to use \\domain.name instead of server name as you can use the one entry for all DCs then (assuming you then also use it when running the scripts).

    Program Files and Windows folders should be covered by the default reg key rules that get added for you.

    If you use default deny then you will need to allow %allusers% and %userprofile%, otherwise the exe's are allowed but shortcuts are not. You may wish to disallow temp and temporary internet files again after adding the %userprofile% path.

    After that it's just any application servers etc, I also have a drive allowed for App-V client but less than 15 rules total. *.mdb will need adding as even if you remove it from the extensions with default deny it still gets blocked.
    Last edited by DMcCoy; 6th November 2008 at 11:01 PM. Reason: typo

  4. #4

    Gatt
    Yeah, I tried a whitelist SRP and found that if you removed the default paths (mainly for Program Files, Windows, and System32), odd things happen - including no one logging on due to userinit.exe not running!!

    Had to delete the SRP and start again, leaving the defaults.

    One other thing - x64 can have interesting effects on SRPs - had to go rooting around the registry to find the environment variable for the Program Files (X86) Directory!
    Last edited by Gatt; 6th November 2008 at 09:22 PM.

  5. #5

    dhicks
    Originally posted by speckled:
    "if however I reverse this to disallow all and add a program I want to run in additional rules via path or hash it just disallows everything..."

    Mine does that too. I left the default "allow" paths in, added the hashes for Word and IE executables, set the default security setting to "disallow" and reset the machine. Darned thing refused to run Word or IE.

    --
    David Hicks

  6. #6
    DMcCoy
    Originally posted by dhicks:
    "Mine does that too. I left the default "allow" paths in, added the hashes for Word and IE executables, set the default security setting to "disallow" and reset the machine. Darned thing refused to run Word or IE."

    Running Word from the exe or from a shortcut? As I mentioned above, with disallow all being default, the automatically added rules do not allow the shortcut lnk files to be run.

  7. Thanks to DMcCoy from:

    dhicks (7th November 2008)

  8. #7

    dhicks
    Originally posted by DMcCoy:
    "Running word from the exe or from a shortcut? As I mentioned above, with disallow all being default, the automatically added rules do not allow the shortcut lnk files to be run."

    Oh. Oh - ah! <Reads previous post in more detail...> Light dawns! I get it now! Thanks for that!

    --
    David Hicks

  9. #8

    Great stuff!... now works a treat, just had to add the folder with all the shortcuts in and voila.
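
Added example (not part of the original thread and not any poster's code): a simplified Python model of the behaviour the thread arrives at, where a default-deny policy lets the executable run but blocks the .lnk that launches it until the shortcut folders get their own allow rule, and a more specific Disallowed rule then re-blocks temp inside the allowed profile. The paths, the user name `pupil1` and both rule lists are constructed, and the matching rule (longest folder prefix wins, Disallowed wins a tie, variables already expanded) is a modelling assumption rather than a full reimplementation of SRP.

```python
import ntpath

# Simplified model of SRP path-rule evaluation; all rules and paths are constructed.
# Assumptions: variables already expanded, rules are folder prefixes, the most
# specific (longest) matching rule wins, and Disallowed wins a tie.
DESIGNATED_TYPES = {".exe", ".lnk"}  # subset of the default designated file types

def evaluate(path, rules, default_level="Disallowed"):
    """Return the security level this model applies to `path`."""
    p = path.lower()
    if ntpath.splitext(p)[1] not in DESIGNATED_TYPES:
        return "Unrestricted"  # not a designated type, so the model skips it
    best = None
    for folder, level in rules:
        prefix = folder.lower().rstrip("\\") + "\\"
        if p.startswith(prefix):
            key = (len(prefix), level == "Disallowed")
            if best is None or key > best[0]:
                best = (key, level)
    return best[1] if best else default_level

PROFILE = r"C:\Documents and Settings\pupil1"      # hypothetical user profile
ALL_USERS = r"C:\Documents and Settings\All Users"
# Stand-ins for the automatically added default rules (really registry path rules).
DEFAULT_RULES = [(r"C:\Windows", "Unrestricted"), (r"C:\Program Files", "Unrestricted")]
# Default rules plus the profile paths suggested in the thread, with temp re-denied.
FIXED_RULES = DEFAULT_RULES + [
    (ALL_USERS, "Unrestricted"),
    (PROFILE, "Unrestricted"),
    (PROFILE + r"\Local Settings\Temp", "Disallowed"),
    (PROFILE + r"\Local Settings\Temporary Internet Files", "Disallowed"),
]

SAMPLES = [
    r"C:\Program Files\Microsoft Office\Office12\WINWORD.EXE",
    ALL_USERS + r"\Start Menu\Programs\Word.lnk",
    PROFILE + r"\Desktop\Word.lnk",
    PROFILE + r"\Local Settings\Temp\setup.exe",
]

def compare():
    """Map each sample path to (level with default rules only, level with fix)."""
    return {s: (evaluate(s, DEFAULT_RULES), evaluate(s, FIXED_RULES)) for s in SAMPLES}

if __name__ == "__main__":
    for path, (before, after) in compare().items():
        print(f"{before:>12} -> {after:<12} {path}")
```

Running it prints the level before and after the extra rules for each sample path: the two shortcuts move from Disallowed to Unrestricted, while the executable dropped in the temp folder stays Disallowed.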
