  1. #1
    nicholab's Avatar

    Software Restrictions

    Anyone got some suggestions for a good software restriction policy?


    I will just let users have access to the program share and Windows stuff. What else do I need to make Windows work?

  2. #2

    maniac's Avatar
    My software restriction policy is disallow everything by default, then allow the entire C:\ and disallow specific programs like regedit, cmd, command.com etc.

    You also might have to allow the sysvol and netlogon paths so logon scripts can run properly.

    Mike.

  3. #3
    morganw's Avatar
    If you set rules for %systemdrive% and %programfiles% then you are covered for alternate drive setups where things might not be on C.

  4. #4
    ajbritton's Avatar
    Software Restriction Policy
    Here's the setup I used. Obviously students are set as limited users only.

    The LNK extension has been removed from the Computer and User default SRP policies so that items on the start menu/desktop can be launched. There are other ways to achieve this, but this seemed easiest for my setup. I do not use redirected start menus/desktops for students. Students get a mandatory profile but do not see the 'all users' desktop/start menu by default. Instead a logon script copies approved items from the all users desktop/start menu into the student desktop/menus at every logon.

    Computer Policy (for all computers that students will use)
    - Default SRP policy
    - Remove LNK from the list of designated file types

    User Policy (for all students)
    - Default SRP policy
    - Enforcement: Apply SRP to: All software files except libraries (such as DLLs)
    - Enforcement: Apply SRP to the following users: All users except local admins
    - Designated file types: Remove LNK
    - Default security level: Disallowed
    Default Path Rules
    - %HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\SystemRoot%: Unrestricted
    - %HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\SystemRoot%*.exe: Unrestricted
    - %HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\SystemRoot%System32\*.exe: Unrestricted
    - %HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ProgramFilesDir%: Unrestricted
    Custom Path Rules (NB - The students only have read access to these locations)
    - \\(servername)\apps: Unrestricted (networked applications / ISO images)
    - \\(servername)\install: Unrestricted (managed software MSIs etc)
    - \\(servername)\public: Unrestricted (public area)
    - \\(servername)\sysvol: Unrestricted (required for logon)
    - \\(DNS domain name)\sysvol: Unrestricted (required for logon)
    - C:\OLDAPPS: Unrestricted (Any PC apps which don't like running from C:\Program Files are installed under OLDAPPS. Again, students only have read access to this folder by default.)

    If you have any naughty applications that need write access to their program folder (under C:\Program Files or C:\OLDAPPS), then permissions can be altered as required and an additional path rule added to prevent execution from that folder.

    It is possible to use environment variables (eg %USERPROFILE%) in path rules, but avoid this as the value of an environment variable can sometimes be modified by the user.

    This was my first time with SRP, so I don't claim this list to be definitive in any way!! It seemed to work OK for me though.

  5. #5
    nicholab's Avatar
    Thanks for your help. I was going down the right road but I found I had two other policies setting the default as allow.
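
An audit of the points raised in posts #4 and #5, as an added example that is not code from any poster in this thread: it reports the default security level that actually reached the machine and the user, flags Unrestricted path rules built on environment variables, and flags Unrestricted folders that ordinary users can write to. It assumes the policy is stored under the standard `Safer\CodeIdentifiers` policy keys and inspects only the folder named in each rule, not its subfolders.

```powershell
# Added example: audit the SRP that Group Policy actually delivered to this PC/user.
# Assumption: policy sits under the standard ...\Safer\CodeIdentifiers policy keys.
$sub     = 'Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
# Write bits to look for: WriteData, AppendData, plus GENERIC_WRITE / GENERIC_ALL
$write   = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData' -bor 0x50000000
# Everyone, Authenticated Users, BUILTIN\Users, and "Domain Users" (RID 513)
$broad   = '^(S-1-1-0|S-1-5-11|S-1-5-32-545|S-1-5-21-.+-513)$'
$sidType = [System.Security.Principal.SecurityIdentifier]

function Resolve-SrpPath([string]$Item) {
    # Registry path rule: %HKEY_LOCAL_MACHINE\Key\Path\ValueName%optional-suffix
    if ($Item -match '^%HKEY_LOCAL_MACHINE\\(.+)\\([^\\%]+)%(.*)$') {
        $key, $name, $rest = $Matches[1], $Matches[2], $Matches[3]
        $base = (Get-ItemProperty -Path "HKLM:\$key" -Name $name -ErrorAction Stop).$name
        $Item = $base.TrimEnd('\') + '\' + $rest.TrimStart('\')
    }
    $path = [Environment]::ExpandEnvironmentVariables($Item)
    # A wildcard rule (*.exe) is checked at the folder that contains it
    $path -replace '\\[^\\]*[*?][^\\]*$', ''
}

foreach ($hive in 'HKLM:', 'HKCU:') {
    $root = "$hive\$sub"
    if (-not (Test-Path $root)) { "$hive no SRP policy found"; continue }
    # DefaultLevel: 0 = Disallowed, 0x40000 (262144) = Unrestricted
    $level = (Get-ItemProperty -Path $root).DefaultLevel
    if ($level -eq 0) { "$hive default level: Disallowed" }
    else { "$hive WARN default level is not Disallowed (DefaultLevel=$level)" }

    # Rules under the 262144 subkey are the "Unrestricted" path rules
    Get-ChildItem -Path "$root\262144\Paths" -ErrorAction SilentlyContinue | ForEach-Object {
        $raw = $_.GetValue('ItemData', $null,
            [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames)
        # %NAME% without a backslash is an environment variable, not a registry reference
        if ($raw -match '%[^\\%]+%') { "  WARN environment-variable rule: $raw" }
        try {
            $path = Resolve-SrpPath $raw
            $acl  = Get-Acl -LiteralPath $path -ErrorAction Stop
            $bad  = $acl.GetAccessRules($true, $true, $sidType) | Where-Object {
                $_.AccessControlType -eq 'Allow' -and
                $_.IdentityReference.Value -match $broad -and
                ([int]$_.FileSystemRights -band $write) -ne 0 }
            if ($bad) { "  WARN writable by ordinary users: $path" } else { "  ok   $path" }
        } catch { "  SKIP $raw ($($_.Exception.Message))" }
    }
}
```

Run it in a student session on a student PC so that the HKCU results reflect the user policy; a non-Disallowed default level there points to another GPO overriding the intended setting.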
