Ninho said:
VanguardLH wrote::
Exactly how I wish it worked for me too; but it didn't.
Local security settings (secpol.msc)/software restriction
policies/additional rules
I do *not* find that branch under gpedit.msc. Are we using the
same versions of XP (Pro, SP3, workgroup) or comparing apples &
oranges ?
I am using Windows XP Professional Service Pack 3. From your
description of using the local policy editor (secpol.msc), the node does
exist because you mention it in the tree node to which you navigated.
So I have to suspect that in the group policy editor (gpedit.msc) that
you are under the wrong major tree branch; that is, you are under the
"User Configuration" branch instead of under the "Computer
Configuration" branch.
The Additional Rules node only exists if you have actually defined the
structure to list the rules. The install-time default has no such
"Additional Rules" subnode. That structure isn't required until needed.
Until then you won't find any subnodes under "Software Restriction
Policies". Right-click on "Software Restriction Policies" and use the
"Create new policies" context menu entry. Then you'll see the following
subnodes appear under "Software Restriction Policies":
Security Levels
Additional Rules
Since all policies are registry entries, you will find the SRP rules
created under:
HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects
HKLM\SOFTWARE\Policies
Since you say you can see them using secpol.msc then they are there even
if you haven't yet updated the structure in gpedit.msc to show the
subnodes.
I defined hash based rules to block specific executables, path
rules wouldn't suit my situation. This is a difference, though
why would Windows ring bells on one kind of rules and not another
I can't fathom. Isn't there some registry setting governing the
popup behavior ?
Path rules are when you want to control execution of an executable file
that is in a particular location. For example, I created a Path rule
for Internet Explorer so it always runs under a LUA (limited user
account) token. That way, IE runs under a LUA token just as if I had
logged under a limited account which means privileges available to it
are reduced and the web browser is a safer process. However, there are
times when I must run IE without any restrictions. For example, IE must
run with admin privileges to use the Windows Update site, install
addons, line Adobe Flash Player, and so on. So I created a subfolder
named _noSRP under which I copied iexplore.exe (IE doesn't like its
program file renamed so that wasn't an option). Since the Path rule
works on the C:\Program Files\Internet Explorer copy of iexplore.exe,
the copy under the _noSRP folder won't get restricted. If I used a hash
rule, it wouldn't matter where was the file as it would always be
restricted under a LUA token and I could do WU or add-on updates.
The hash rule is used when it's possible the file could move around. A
hash is taken of the file's content and that hash value is used in the
SRP block rule. Alas, if the program ever gets updated then your hash
rule is no longer valid and you'll have to create another one for the
new version.
Of course no disagreement here. Obviously I too was trying to
prevent certain unwanted exe's from being run by background
processes which I need (...snipped more irrelevant arguing...)
Well, if I can't have the SRPs do their job silently, I'll use
other methods to prevent unwanted child processes from running.
The background starts of the blocked program don't result in popup
alerts about getting blocked by an SRP rule. Those background instances
were started as a child process by something else, like a startup item
or a scheduled event. It's only when YOU try to start the program that
you get alerted that it is blocked from running. If you defined the
block rule then you know that program won't run and you shouldn't be
trying to load it, anyway. If you defined the rule and someone else
tries to load the program, not doing anything (the user doesn't see the
program get loaded) would indicate to the user there was a problem and
not that the program wasn't allowed to run.
Those defining the block rules don't need the alerts but they they
shouldn't be running the blocked programs. Those that don't know the
programs are blocked really need to be told why the program won't load.
When you define an SRP rule, you don't get to specify against which
accounts they are applicable. SRPs are global across all accounts, even
admin-level account, and Windows is designed to be a multi-user
operating system, so the alerts are intended to give notice to those
that did NOT define the block rules using other accounts on that same
host. After all, along a similar vein, the IT folks don't need to be
warned that the programs they chose to block are getting blocked via
pushed policies in a domain. The alert is for the benefit of users
other than those who defined the SRP rules.
No, I know of know way that you or anyone else that attempts to run a
program that is blocked from being kept in the dark as to why the
program wasn't allowed to get loaded. A user trying to run a blocked
program (that won't load) gets notified about the block. Something else
that tries to load the same program does not show an alert but instead
gets recorded in the event logs.
If the point of defining an SRP block rule is to prevent execution of a
program by a *user*, why is that software installed that can never run?
In fact, I've read about setups where everything is blocked by default
and a list of authorized programs is whitelisted. That way, users
cannot go willy nilly installing software on their hosts, including
those that don't MSI and pollute the %userprofile% path where many
programs dump their executables because users have read, write, AND
execute privileges there. I don't know how you are managing the host(s)
on which you are defining SRP rules. They're really designed for use in
a domain environment where policies get pushed to the workstations.
They are usable in home setups (i.e., in workgroups) but to a somewhere
limited extent. I found them handy not to prevent software from running
that should've never been installed in the first place but instead to
prevent software that is wanted from running ancilliary programs that I
don't want them to run. After doing a registry hack to add Basic mode
instead of just Block or Allow modes, I can also decide which programs
will always run under Basic mode (i.e., under a LUA token), like web-
facing programs (web browser, e-mail client, etc). It really doesn't
make sense on a host that you personally manage to be blocking software
that you shouldn't have installed and don't want running there.