
Software restrict policies



Posted

I am creating a new GPO for Software restrictions. I have set the default rule to "Software will not run, regardless of the access rights of the user." We are creating a desktop image that we know exactly what applications will be allowed to run. I figured this was a perfect candidate for blocking all applications.

I am testing out the GPO. I have created a Hash Rule for Roxio Classic Creator and set that rule to Unrestricted.

I go to click on the Shortcut for Roxio and I get a message saying that the Roxio executable is blocked by the SRP. I go to the Event Log and see this:

Event Type: Warning
Event Source: Software Restriction Policies
Event Category: None
Event ID: 865
Date: 2/27/2008
Time: 9:21:08 AM
User: N/A
Computer: BLUEMAX
Description:
Access to C:\Documents and Settings\pds2\Start Menu\Programs\Roxio Easy Media Creator 9\Data\Creator Classic.lnk has been restricted by your Administrator by the default software restriction policy level.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

So I try to create a hash rule for the LNK file, but the hash is the same as the actual Executable and I still get the same error.

I took the LNK out of the Designated file types and it allowed the Roxio Classic Creator to run, but it also allowed everything to run.

Is there something wrong I am doing, or is there other documentation on how to create a SRP that will block everything except what I want to run?


Guest Thee Chicago Wolf
Posted

Re: Software restrict policies

 

>I am creating a new GPO for Software restrictions. I have set the default rule to "Software will not run, regardless of the access rights of the user." We are creating a desktop image that we know exactly what applications will be allowed to run. I figured this was a perfect candidate for blocking all applications.
>
>I am testing out the GPO. I have created a Hash Rule for Roxio Classic Creator and set that rule to Unrestricted.
>
>I go to click on the Shortcut for Roxio and I get a message saying that the Roxio executable is blocked by the SRP. I go to the Event Log and see this:
>
>Event Type: Warning
>Event Source: Software Restriction Policies
>Event Category: None
>Event ID: 865
>Date: 2/27/2008
>Time: 9:21:08 AM
>User: N/A
>Computer: BLUEMAX
>Description:
>Access to C:\Documents and Settings\pds2\Start Menu\Programs\Roxio Easy Media Creator 9\Data\Creator Classic.lnk has been restricted by your Administrator by the default software restriction policy level.
>
>For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
>
>So I try to create a hash rule for the LNK file, but the hash is the same as the actual Executable and I still get the same error.
>
>I took the LNK out of the Designated file types and it allowed the Roxio Classic Creator to run, but it also allowed everything to run.
>
>Is there something wrong I am doing, or is there other documentation on how to create a SRP that will block everything except what I want to run?

 

Software restriction doesn't work that way. You can block an individual app based on its .exe name but if you were to block everything (*.*), nothing would run and the computer would fall over.

I do not know of a way to block everything and only allow system related files to run other than manually entering all apps you want to block in the restricted software section of GP. Software is considered anything that is .com or .exe (I suppose .msi and .msp count but never tried to block them). You can't block shortcuts because they are just pointers to the exe. SRP expects to be blocking binaries. Have you tried using Path rules instead of Hash rules? So long as a user isn't able to rename a binary to circumvent SRP, it works much better in my experience.

- Thee Chicago Wolf

Posted

Re: Software restrict policies

 

When you use "Software will not run, regardless of the access rights of the user.", there are 4 path rules that allow the system to come up. The whole purpose of "Software will not run, regardless of the access rights of the user." is for this particular case. We know exactly what software should be on a system. We do not want any other software running on it. The problem is it is not recognizing the HASH rules or the Path rules I set to Unrestricted, just blocking everything.

 

"Thee Chicago Wolf" wrote:

> Software restriction doesn't work that way. You can block an individual app based on its .exe name but if you were to block everything (*.*), nothing would run and the computer would fall over.
>
> I do not know of a way to block everything and only allow system related files to run other than manually entering all apps you want to block in the restricted software section of GP. Software is considered anything that is .com or .exe (I suppose .msi and .msp count but never tried to block them). You can't block shortcuts because they are just pointers to the exe. SRP expects to be blocking binaries. Have you tried using Path rules instead of Hash rules? So long as a user isn't able to rename a binary to circumvent SRP, it works much better in my experience.
>
> - Thee Chicago Wolf
>
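An added diagnostic, not part of the thread or any participant's post, for the situation described in the original question and the follow-up (a Disallowed default level that still blocks a shortcut despite Unrestricted hash/path rules): it reads the SRP policy as applied in the registry and reports the default level, whether LNK is a designated file type, and every path and hash rule at each level, so you can see what the client actually received from the GPO. It assumes the machine-scope policy under HKLM (user-scope policy lives under the same path in HKCU); the function names are mine.

```powershell
# Added example: dump the effective Software Restriction Policy from the registry.
# Assumption: machine-scope policy (HKLM); user-scope policy uses the same path in HKCU.
$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
# Security levels as stored by SRP: 0 = Disallowed, 0x1000 = Basic User, 0x40000 = Unrestricted
$levelNames = @{ 0 = 'Disallowed'; 4096 = 'Basic User'; 262144 = 'Unrestricted' }

function Get-SrpPolicy {
    if (-not (Test-Path $base)) { throw "No SRP policy has been applied at $base" }
    $ci = Get-ItemProperty -Path $base
    [pscustomobject]@{
        DefaultLevel       = $levelNames[[int]$ci.DefaultLevel]
        TransparentEnabled = $ci.TransparentEnabled   # 1 = all files except DLLs, 2 = DLLs too
        PolicyScope        = $ci.PolicyScope          # 0 = all users, 1 = all except local admins
        DesignatedTypes    = @($ci.ExecutableTypes)   # the "Designated file types" list
    }
}

function Get-SrpRules {
    # Each level key (0, 4096, 262144) holds Paths\{GUID} and Hashes\{GUID} subkeys.
    foreach ($lvl in $levelNames.Keys) {
        foreach ($kind in 'Paths', 'Hashes') {
            $k = Join-Path $base "$lvl\$kind"
            if (-not (Test-Path $k)) { continue }
            Get-ChildItem $k | ForEach-Object {
                $p = Get-ItemProperty $_.PSPath
                if ($kind -eq 'Paths') {
                    $item = $p.ItemData; $name = $p.Description
                } else {
                    # Hash rules store the file hash as REG_BINARY; render it as hex
                    $item = ($p.ItemData | ForEach-Object { $_.ToString('x2') }) -join ''
                    $name = $p.FriendlyName
                }
                [pscustomobject]@{ Level = $levelNames[$lvl]; Kind = $kind.TrimEnd('s'); Item = $item; Name = $name }
            }
        }
    }
}

$policy = Get-SrpPolicy
$policy | Format-List
if ($policy.DefaultLevel -eq 'Disallowed' -and $policy.DesignatedTypes -contains 'LNK') {
    Write-Warning 'LNK is a designated file type: with a Disallowed default level a shortcut is blocked unless a rule covers the .lnk itself, not just the target .exe.'
}
# Rules that are not listed here were not delivered by the GPO (check gpresult / gpupdate first).
Get-SrpRules | Sort-Object Level, Kind | Format-Table -AutoSize
```

Event ID 865 in the thread names the .lnk as the restricted object, which is exactly the case the warning above flags.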

