Software restriction policies


Jim

I am creating a new GPO for Software restrictions. I have set the default
rule to "Software will not run, regardless of the access rights of the user."
We are creating a desktop image that we know exactly what applications will
be allowed to run. I figured this was a perfect candidate for blocking all
applications.

I am testing out the GPO. I have created a Hash Rule for Roxio Classic
Creator and set that rule to Unrestricted.

I go to click on the Shortcut for Roxio and I get a message saying that the
Roxio executable is blocked by the SRP. I go to the Event Log and see this:

Event Type: Warning
Event Source: Software Restriction Policies
Event Category: None
Event ID: 865
Date: 2/27/2008
Time: 9:21:08 AM
User: N/A
Computer: BLUEMAX
Description:
Access to C:\Documents and Settings\pds2\Start Menu\Programs\Roxio Easy
Media Creator 9\Data\Creator Classic.lnk has been restricted by your
Administrator by the default software restriction policy level.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.

So I try to create a hash rule for the LNK file, but the hash is the same as
the actual Executable and I still get the same error.

I took the LNK out of the Designated file types and it allowed the Roxio
Classic Creator to run, but it also allowed everything to run.

Is there something wrong I am doing, or is there other documentation on how to
create an SRP that will block everything except what I want to run?
 

Thee Chicago Wolf


Software restriction doesn't work that way. You can block an
individual app based on its .exe name but if you were to block
everything (*.*), nothing would run and the computer would fall over.

I do not know of a way to block everything and only allow system
related files to run other than manually entering all apps you want to
block in the restricted software section of GP. Software is considered
anything that is .com or .exe (I suppose .msi and .msp count but never
tried to block them). You can't block shortcuts because they are just
pointers to the exe. SRP expects to be blocking binaries. Have you
tried using Path rules instead of Hash rules? So long as a user isn't
able to rename a binary to circumvent SRP, it works much better in my
experience.

- Thee Chicago Wolf
 

Jim

When you use "Software will not run, regardless of the access rights of the
user.", there are 4 path rules that allow the system to come up. The whole
purpose of "Software will not run, regardless of the access rights of the
user." is for this particular case. We know exactly what software should be
on a system. We do not want any other software running on it. The problem
is it is not recognizing the HASH rules or the Path rules I set to
Unrestricted, just blocking everything.
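
The thread never pins down why the Unrestricted hash rule for the exe leaves the shortcut blocked. The PowerShell below is an added example, not code from the thread or from Microsoft: it simulates SRP's evaluation order (designated file types first, then hash rules, then the most specific matching path rule, then the default level) against a policy constructed to mirror the one described: default Disallowed, the four path rules SRP creates automatically, an abridged designated-types list that keeps LNK, and one Unrestricted hash rule for the exe. The exe's location, the hash strings, the registry value map, the abridged types list and the specificity ordering are assumptions or approximations, not values from the page.

```powershell
# Added example, not code from the thread or from Microsoft. It simulates how SRP
# decides whether a file may run: files whose extension is not in the designated
# file types list are not evaluated at all; otherwise a matching hash rule wins,
# then the most specific matching path rule, then the default level. The policy
# and files below are constructed to mirror the thread; the exe location, the
# hash strings and the registry value map are assumptions.

Set-StrictMode -Version Latest

# Values SRP substitutes for the %HKEY_...% references in its default path rules.
# Assumed here; on a real machine they are read from the registry.
$script:RegistryValues = @{
    'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot'   = 'C:\WINDOWS'
    'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir' = 'C:\Program Files'
}

function Expand-SrpPath([string]$Pattern) {
    $result = $Pattern
    foreach ($m in [regex]::Matches($Pattern, '%(HKEY_[^%]+)%')) {
        $name = $m.Groups[1].Value
        if ($script:RegistryValues.ContainsKey($name)) { $result = $result.Replace($m.Value, $script:RegistryValues[$name]) }
    }
    [Environment]::ExpandEnvironmentVariables($result)
}

# A rule without a wildcard covers that file or everything under that folder;
# a rule with a wildcard is matched against the whole path with -like semantics.
function Test-SrpPathRule([string]$Rule, [string]$FilePath) {
    $expanded = (Expand-SrpPath $Rule).TrimEnd('\')
    if ($expanded -match '[*?]') { return ($FilePath -like $expanded) }
    return ($FilePath -eq $expanded) -or $FilePath.StartsWith("$expanded\", 'OrdinalIgnoreCase')
}

function Get-SrpDecision([hashtable]$Policy, [string]$FilePath, [string]$FileHash) {
    $ext = [IO.Path]::GetExtension($FilePath).TrimStart('.').ToUpperInvariant()
    if ($ext -notin $Policy.ExecutableTypes) {
        return [pscustomobject]@{ Level = 'Unrestricted'; Reason = "'.$ext' is not a designated file type, so SRP does not evaluate it" }
    }
    # 1. Hash rules. The hash is of the file actually being opened, so a rule built from the
    #    exe's hash never matches the .lnk (the hash-rule file dialog follows a shortcut to its target).
    $hashHit = @($Policy.HashRules | Where-Object { $_.Hash -eq $FileHash })
    if ($hashHit.Count -gt 0) { return [pscustomobject]@{ Level = $hashHit[0].Level; Reason = "hash rule '$($hashHit[0].Name)'" } }
    # 2. Path rules. Of the rules that match, the most specific wins; specificity is approximated
    #    here as "names a file pattern" first, then the longer expanded path.
    $pathHit = @($Policy.PathRules | Where-Object { Test-SrpPathRule $_.Path $FilePath } |
        Sort-Object @{ Expression = { [int]($_.Path -match '[*?]') }; Descending = $true },
                    @{ Expression = { (Expand-SrpPath $_.Path).Length }; Descending = $true })
    if ($pathHit.Count -gt 0) { return [pscustomobject]@{ Level = $pathHit[0].Level; Reason = "path rule '$($pathHit[0].Path)'" } }
    # 3. Nothing matched: the default level applies, which is what event 865 reports.
    return [pscustomobject]@{ Level = $Policy.DefaultLevel; Reason = 'default software restriction policy level' }
}

# Constructed policy mirroring the thread: default Disallowed, the four path rules SRP
# creates on its own (so Windows itself can run), an abridged designated-types list
# that keeps LNK, and the Unrestricted hash rule the poster made for the exe.
$policy = @{
    DefaultLevel    = 'Disallowed'
    ExecutableTypes = @('BAT','CMD','COM','EXE','LNK','MSI','PIF','SCR')   # subset of the default list
    PathRules = @(
        @{ Path = '%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%';                Level = 'Unrestricted' }
        @{ Path = '%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%\*.exe';          Level = 'Unrestricted' }
        @{ Path = '%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%\System32\*.exe'; Level = 'Unrestricted' }
        @{ Path = '%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir%';              Level = 'Unrestricted' }
    )
    HashRules = @(
        @{ Name = 'Creator Classic.exe'; Hash = 'HASH-OF-EXE-PLACEHOLDER'; Level = 'Unrestricted' }
    )
}

# Constructed files: the shortcut named in event 865 and the exe it points to (exe path assumed).
$lnk = 'C:\Documents and Settings\pds2\Start Menu\Programs\Roxio Easy Media Creator 9\Data\Creator Classic.lnk'
$exe = 'C:\Program Files\Roxio\Creator Classic.exe'
$hashOf = @{ $lnk = 'HASH-OF-LNK-PLACEHOLDER'; $exe = 'HASH-OF-EXE-PLACEHOLDER' }

function Show-Decision([string]$Path) {
    $d = Get-SrpDecision -Policy $policy -FilePath $Path -FileHash $hashOf[$Path]
    '{0,-12} {1}  <- {2}' -f $d.Level, (Split-Path $Path -Leaf), $d.Reason
}

"Policy as described in the thread:"
Show-Decision $lnk
Show-Decision $exe

# The shortcut is itself a designated file type and no rule allows it, so it needs its
# own rule. An Unrestricted path rule for the user's Start Menu folder covers every
# shortcut under it; in the GPO one would write it as %USERPROFILE%\Start Menu.
$policy.PathRules += @{ Path = 'C:\Documents and Settings\pds2\Start Menu'; Level = 'Unrestricted' }
"After adding a path rule for the Start Menu folder:"
Show-Decision $lnk
```

Run as written, the first pass reports the .lnk as Disallowed by the default level (the wording of event 865) while the exe is Unrestricted by its hash rule; after the folder rule is added the .lnk is Unrestricted by that path rule. Two things worth noticing: the fourth default rule already makes everything under Program Files Unrestricted, so on a real machine the hash rule is only winning the precedence check, and a folder rule on a user-writable Start Menu allows shortcuts, not their targets, which are still evaluated when the shell launches them. On a machine that actually has SRP applied, the live policy lives under HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers (DefaultLevel, ExecutableTypes, and the Paths and Hashes subkeys under the per-level keys), which is where to compare the rules the client received with what the GPO was meant to deliver.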
 
