  1. #1
    cookie_monster

    Software Restriction Policy Whitelist

    I've looked at several posts on software restriction policy whitelists but I can't seem to find anyone that has listed the settings for creating a successful XP whitelist. Anyone care to do so?


    I've also read some conflicting information about banning exes on USB drives; some people say that you need to ban *.exe at every folder level as it doesn't include subfolders, but MS say this:

    A path rule can specify a folder or fully qualified path to a program. When a path rule specifies a folder, it matches any program contained in that folder and any programs contained in subfolders. Software restriction policies support local and Uniform Naming Convention (UNC) paths.
    How Software Restriction Policies Work: Group Policy
    Last edited by cookie_monster; 10th July 2009 at 11:13 AM.

  2. #2

    Have you considered setting the default security level to disallowed and then thought about what areas of the hard drive users can execute/run files?

    The above is much easier, in my opinion.

  3. #3
    bottletop
    Originally posted by Chuckster:
    Have you considered setting the default security level to disallowed and then thought about what areas of the hard drive users can execute/run files?

    The above is much easier, in my opinion.
    Agree, this would be the easier solution. I have just started to set up software restriction policies and in doing so it is helping to resolve quite a few little headaches that are being caused.

  4. #4
    cookie_monster
    Well in my OP this was part of the request

    I've looked at several posts on software restriction policy whitelists but I can't seem to find anyone that has listed the settings for creating a successful XP whitelist. Anyone care to do so?
    No point in spending ages on testing if someone can provide a basic starting template.

  5. #5

    Unrestricted

    %LogonServer%\SysVol\*
    (Logon Scripts etc)

    %ProgramFiles%\*
    (Allow software within Program Files folder to execute.)

    %UserProfile%\Local Settings\Temp\*.tmp
    (Allow SIMS to use self-registration for DLLs during installation)

    %WinDir%\system32\cscript.exe

    %WinDir%\system32\wscript.exe

    \\servername\Templates$\*
    (Unrestricted access to Desktop & Start Menu shortcuts.)

    \\Domainname\SysVol\*
    (Logon Scripts etc)




    Restricted/Disallowed

    %WinDir%\System32\sethc.exe
    (Disable access to High Contrast.)


    %WinDir%\system32\reg.exe
    (Deny access to Registry Editor)

    %UserProfile%\Local Settings\Temp
    (Files run from compressed folders are unzipped to this directory and run from here - potentially circumventing Software Restrictions.)

    %SystemRoot%\temp\*
    (Temporary directory used by Offline files.)

    %SystemRoot%\System32\mstsc.exe
    (Deny access to RDP)

    %SystemRoot%\System32\dllcache\*
    (Executables located in the Windows directory are cached here in case they are deleted)

    %SystemRoot%\System32\command.com
    (Deny access to MS-DOS Prompt)

    %SystemRoot%\System32\cmd.exe
    (Deny access to CMD)

    %SystemRoot%\repair\*
    (System utilities are installed into this directory)

    %SystemDrive%\temp\*
    (Disable access to temp directory on the system drive)

    %ProgramFiles%\MSN Gaming Zone\*






    Hope this helps.

  6. #6
    cookie_monster
    It does, thanks. I'll give those settings a try.

    Any common issues that you come across?



    Why have you got a disallowed section, isn’t the point to disallow everything except what you allow?

    EDIT

    I can see now that you're just banning exes in the allowed area, doh.

    Cheers.
    Last edited by cookie_monster; 10th July 2009 at 12:59 PM.
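
The rule set from post #5 and the point reached in post #6 (Disallowed entries carve exceptions out of Unrestricted areas), as an added example that is not part of the thread: a Python model of path-rule evaluation with the default security level set to Disallowed. The `ENV` values, the Unrestricted `%SystemRoot%` rule and the depth-based "most specific rule wins, Disallowed wins a tie" ranking are assumptions of this example, not settings taken from the posts.

```python
import fnmatch

# Constructed environment for an XP-era client (assumed values, not from the thread).
ENV = {
    "%programfiles%": r"c:\program files",
    "%systemroot%": r"c:\windows",
    "%userprofile%": r"c:\documents and settings\pupil",
}

# Subset of the path rules from post #5, plus one assumed rule (marked).
RULES = [
    (r"%ProgramFiles%\*", "Unrestricted"),
    (r"%SystemRoot%", "Unrestricted"),  # assumption: not in the post's list
    (r"%UserProfile%\Local Settings\Temp\*.tmp", "Unrestricted"),
    (r"%UserProfile%\Local Settings\Temp", "Disallowed"),
    (r"%SystemRoot%\System32\cmd.exe", "Disallowed"),
    (r"%SystemRoot%\System32\dllcache\*", "Disallowed"),
    (r"%ProgramFiles%\MSN Gaming Zone\*", "Disallowed"),
]

def normalize(text):
    """Lower-case, expand variables, and treat a trailing \\* as the folder itself."""
    text = text.lower()
    for var, value in ENV.items():
        text = text.replace(var, value)
    return text[:-2] if text.endswith("\\*") else text

def matches(rule, path):
    if "*" in rule or "?" in rule:  # wildcard in the file-name part
        return fnmatch.fnmatchcase(path, rule)
    # A folder rule covers the folder's files and all subfolders; a file rule matches exactly.
    return path == rule or path.startswith(rule + "\\")

def decide(path, default="Disallowed"):
    """Return the security level applied to path under RULES."""
    path = normalize(path)
    hits = []
    for raw, level in RULES:
        rule = normalize(raw)
        if matches(rule, path):
            # Assumed ranking: deeper rule is more specific; on a tie Disallowed wins.
            hits.append((rule.count("\\"), level == "Disallowed", level))
    return max(hits)[2] if hits else default
```

With the default at Disallowed, a path on a removable drive such as `E:\games\game.exe` matches no rule and is blocked without any per-folder `*.exe` entry.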
