cookie_monster (10th July 2009)
I've looked at several posts on software restriction policy whitelists but I can't seem to find anyone that has listed the settings for creating a successful XP whitelist. Anyone care to do so?
I've also read some conflicting information about banning exe's on USB drives. Some people say that you need to ban *.exe at every folder level as it doesn't include subfolders, but MS say this:
How Software Restriction Policies Work: Group Policy
"A path rule can specify a folder or fully qualified path to a program. When a path rule specifies a folder, it matches any program contained in that folder and any programs contained in subfolders. Software restriction policies support local and Uniform Naming Convention (UNC) paths."
Last edited by cookie_monster; 10th July 2009 at 12:13 PM.
Have you considered setting the default security level to disallowed and then thought about what areas of the hard drive users can execute/run files?
The above is much easier, in my opinion.
Well, in my OP this was part of the request:
"No point in spending ages on testing if someone can provide a basic starting template. I've looked at several posts on software restriction policy whitelists but I can't seem to find anyone that has listed the settings for creating a successful XP whitelist. Anyone care to do so?"
Unrestricted
%LogonServer%\SysVol\*
(Logon Scripts etc)
%ProgramFiles%\*
(Allow software within the Program Files folder to execute.)
%UserProfile%\Local Settings\Temp\*.tmp
(Allow SIMS to use self-registration for DLLs during installation)
%WinDir%\system32\cscript.exe
%WinDir%\system32\wscript.exe
\\servername\Templates$\*
(Unrestricted access to Desktop & Start Menu shortcuts.)
\\Domainname\SysVol\*
(Logon Scripts etc)
Restricted/Disallowed
%WinDir%\System32\sethc.exe
(Disable access to High Contrast.)
%WinDir%\system32\reg.exe
(Deny access to Registry Editor)
%UserProfile%\Local Settings\Temp
(Files run from compressed folders are unzipped to this directory and run from here - potentially circumventing Software Restrictions.)
%SystemRoot%\temp\*
(Temporary directory used by Offline files.)
%SystemRoot%\System32\mstsc.exe
(Deny access to RDP)
%SystemRoot%\System32\dllcache\*
(Executables located in the Windows directory are cached here in case they are deleted)
%SystemRoot%\System32\command.com
(Deny access to MS-DOS Prompt)
%SystemRoot%\System32\cmd.exe
(Deny access to CMD)
%SystemRoot%\repair\*
(System utilities are installed into this directory)
%SystemDrive%\temp\*
(Disable access to temp directory on the system drive)
%ProgramFiles%\MSN Gaming Zone\*
Hope this helps.
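To see how the rules above interact (why a Disallowed entry such as %ProgramFiles%\MSN Gaming Zone\* still wins inside an Unrestricted %ProgramFiles%\*, why a folder rule covers its subfolders, and why an exe on a USB stick falls through to the default level), here is a small evaluator written for this thread. It is an added illustration, not Microsoft's SRP implementation or anything from the poster's setup: it applies the documented "most specific matching path rule wins" order to a constructed environment (the drive letters, profile path and the assumption that a file pattern like *.tmp only matches files directly in that folder are all assumptions made for the example).

```python
"""Toy evaluator for SRP path rules: which rule decides a given executable path?

Mirrors the documented precedence for path rules (the most specific matching
path wins; folder rules cover subfolders) and uses "Disallowed" as the default
level, as in a whitelist configuration.  Assumptions are marked in comments.
"""
import fnmatch
import re
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple

UNRESTRICTED = "Unrestricted"
DISALLOWED = "Disallowed"

# Constructed environment for expanding %Var% placeholders (not a real machine).
ENV = {
    "ProgramFiles": r"C:\Program Files",
    "WinDir": r"C:\WINDOWS",
    "SystemRoot": r"C:\WINDOWS",
    "SystemDrive": "C:",
    "UserProfile": r"C:\Documents and Settings\pupil",
}


@dataclass(frozen=True)
class PathRule:
    pattern: str  # as typed into the SRP "Additional Rules" dialog
    level: str    # UNRESTRICTED or DISALLOWED


# A subset of the rules posted in this thread.
RULES = (
    PathRule(r"%ProgramFiles%\*", UNRESTRICTED),
    PathRule(r"%UserProfile%\Local Settings\Temp\*.tmp", UNRESTRICTED),
    PathRule(r"%WinDir%\system32\cscript.exe", UNRESTRICTED),
    PathRule(r"%WinDir%\System32\sethc.exe", DISALLOWED),
    PathRule(r"%UserProfile%\Local Settings\Temp", DISALLOWED),
    PathRule(r"%SystemRoot%\System32\cmd.exe", DISALLOWED),
    PathRule(r"%ProgramFiles%\MSN Gaming Zone\*", DISALLOWED),
)

_VAR = re.compile(r"%(\w+)%")


def expand(path: str, env: dict = ENV) -> str:
    """Expand %Var% placeholders case-insensitively (SRP expands them the same way)."""
    lookup = {k.lower(): v for k, v in env.items()}
    return _VAR.sub(lambda m: lookup.get(m.group(1).lower(), m.group(0)), path)


def _norm(path: str) -> str:
    # Windows paths are case-insensitive; drop a trailing backslash for comparison.
    return expand(path).lower().rstrip("\\")


def specificity(rule: PathRule, target: str) -> int:
    """How specific `rule` is for `target` (longer matched folder = more specific), or -1 if no match."""
    pat, tgt = _norm(rule.pattern), _norm(target)
    if "\\" not in tgt:
        return -1
    if pat.endswith("\\*"):
        # Folder rule "C:\Dir\*": covers the folder itself and every subfolder.
        folder = pat[:-2]
        return len(folder) if tgt == folder or tgt.startswith(folder + "\\") else -1
    if "*" in pat or "?" in pat:
        # File pattern such as "...\Temp\*.tmp". Assumption for this example: it
        # matches by name only for files directly inside that folder, and counts
        # as slightly more specific than a rule on the folder alone.
        folder, name = pat.rsplit("\\", 1)
        tfolder, tname = tgt.rsplit("\\", 1)
        ok = tfolder == folder and fnmatch.fnmatchcase(tname, name)
        return len(folder) + 1 if ok else -1
    # Plain path: an exact file, or a folder (which, per the MS text, also covers subfolders).
    return len(pat) if tgt == pat or tgt.startswith(pat + "\\") else -1


def evaluate(target: str, rules: Iterable[PathRule] = RULES,
             default: str = DISALLOWED) -> Tuple[str, Optional[str]]:
    """Return (level, deciding rule pattern); the default level applies when nothing matches."""
    best, best_score = None, -1
    for rule in rules:
        score = specificity(rule, target)
        if score > best_score:
            best, best_score = rule, score
    return (default, None) if best is None else (best.level, best.pattern)


if __name__ == "__main__":
    # Constructed sample paths; the USB one shows why nothing special is needed for removable drives.
    for path in (
        r"C:\Program Files\SIMS\sims.exe",
        r"C:\Program Files\MSN Gaming Zone\Windows\bckgzm.exe",
        r"C:\WINDOWS\system32\cmd.exe",
        r"C:\Documents and Settings\pupil\Local Settings\Temp\unzip\game.exe",
        r"E:\setup.exe",
    ):
        level, why = evaluate(path)
        print(f"{level:12} {path}  <- {why or 'default level'}")
```

With the default level set to Disallowed, the "Restricted" entries in the list are only needed where they carve an exception out of an Unrestricted area (Program Files, or cmd.exe if the Windows folder were allowed); anything on a USB drive is already blocked because no Unrestricted rule reaches it.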
cookie_monster (10th July 2009)
It does, thanks. I'll give those settings a try.
Any common issues that you come across?
Why have you got a disallowed section, isn’t the point to disallow everything except what you allow?
EDIT
I can see now that you're just banning exe's in the allowed area doh
Cheers.
Last edited by cookie_monster; 10th July 2009 at 01:59 PM.