Software Restriction Policy

Sam Sena

I am posting this information here in response to the surge in
questions from my students in recent weeks who are studying for the
upgrade exams.

Apologies to all if this is a re-post.
Sam Sena MCT

********** Moral of the Story ************
The K.B. it exists... use it!!!

Microsoft Knowledge Base Article - 324036

HOW TO: Use Software Restriction Policies in Windows Server 2003
This article was previously published under Q324036
IN THIS TASK
SUMMARY
How to Start Software Restriction Policies
For the Local Computer Only
For a Domain, a Site, or an Organizational Unit on a Member Server or
a Workstation That Is Joined to a Domain
For an Organizational Unit or Domain on a Domain Controller or a
Workstation That Has the Administration Tools Pack Installed
For Your Site and a Domain Controller or a Workstation That Has the
Administration Tools Pack Installed
How to Prevent Software Restriction Policies from Applying to Local
Administrators
How to Create a Certificate Rule
How to Create a Hash Rule
How to Create an Internet Zone Rule
How to Create a Path Rule
How to Create a Registry Path Rule
How to Add or Delete a Designated File Type
How to Change the Default Security Level of Software Restriction
Policies
How to Set Trusted Publisher Options
SUMMARY
This article describes how to use software restriction policies in
Windows Server 2003. When you use software restriction policies, you
can identify and specify the software that is allowed to run so that
you can protect your computer environment from untrusted code. When
you use software restriction policies, you can define a default
security level of Unrestricted or Disallowed for a Group Policy object
(GPO) so that software is either allowed or not allowed to run by
default. To create exceptions to this default security level, you can
create rules for specific software. You can create the following types
of rules:
Hash rules
Certificate rules
Path rules
Internet zone rules
A policy is made up of the default security level and all of the rules
applied to a GPO. This policy can apply to all of the computers or to
individual users. Software restriction policies provide a number of
ways to identify software, and they provide a policy-based
infrastructure to enforce decisions about whether the software can
run. With software restriction policies, users must follow the
guidelines that are set up by administrators when they run programs.

With software restriction policies, you can perform the following
tasks:
Control which programs can run on your computer. For example, you can
apply a policy that does not allow certain file types to run in the
e-mail attachment folder of your e-mail program if you are concerned
about users receiving viruses through e-mail.
Permit users to run only specific files on multiple-user computers.
For example, if you have multiple users on your computers, you can set
up software restriction policies in such a way that users do not have
access to any software except for those specific files that they must
use for their work.
Decide who can add trusted publishers to your computer.
Control whether software restriction policies affect all users or just
certain users on a computer.
Prevent any files from running on your local computer, your
organizational unit, your site, or your domain. For example, if there
is a known virus, you can use software restriction policies to stop
the computer from opening the file that contains the virus.

IMPORTANT: Microsoft recommends that you do not use software restriction
policies as a replacement for antivirus software.
How to Start Software Restriction Policies
For the Local Computer Only
Click Start, point to Programs, point to Administrative Tools, and
then click Local Security Policy.
In the console tree, expand Security Settings, and then expand
Software Restriction Policies.
For a Domain, a Site, or an Organizational Unit on a Member Server or
a Workstation That Is Joined to a Domain
Open Microsoft Management Console (MMC). To do so, click Start, click
Run, type mmc, and then click OK.
On the File menu, click Add/Remove Snap-in, and then click Add.
Click Group Policy Object Editor, and then click Add.
In Select Group Policy Object, click Browse.
In Browse for a Group Policy Object, select a Group Policy object
(GPO) in the appropriate domain, site, or organizational unit, and
then click Finish.

Alternatively, you can create a new GPO, and then click Finish.
Click Close, and then click OK.
In the console tree, go to the following location:
Group Policy Object Computer_name Policy/Computer Configuration or
User Configuration/Windows Settings/Security Settings/Software
Restriction Policies

For an Organizational Unit or a Domain on a Domain Controller or a
Workstation That Has the Administration Tools Pack Installed
Click Start, point to All Programs, point to Administrative Tools, and
then click Active Directory Users and Computers.
In the console tree, right-click the domain or organizational unit
that you want to set Group Policy for.
Click Properties, and then click the Group Policy tab.
Click an entry in Group Policy Object Links to select an existing GPO,
and then click Edit.

Alternatively, you can click New to create a new GPO, and then click
Edit.
In the console tree, go to the following location:
Group Policy Object Computer_name Policy/Computer Configuration or
User Configuration/Windows Settings/Security Settings/Software
Restriction Policies

For Your Site and on a Domain Controller or a Workstation That Has the
Administration Tools Pack Installed
Click Start, point to All Programs, point to Administrative Tools, and
then click Active Directory Sites and Services.
In the console tree, right-click the site that you want to set Group
Policy for:
Active Directory Sites and Services [Domain_Controller_Name.Domain_Name]
  Sites
    Site

Click Properties, and then click the Group Policy tab.
Click an entry in Group Policy Object Links to select an existing
Group Policy object (GPO), and then click Edit.

Alternatively, click New to create a new GPO, and then click Edit.
In the console tree, go to the following location:
Group Policy Object Computer_name Policy/Computer Configuration or
User Configuration/Windows Settings/Security Settings/Software
Restriction Policies

IMPORTANT: Click User Configuration to set policies that will be
applied to users, regardless of the computer to which they log on.
Click Computer Configuration to set policies that will be applied to
computers, regardless of the users who log on to them.

You can also apply software restriction policies to specific users
when they log on to specific computers by using an advanced Group
Policy setting named loopback.
How to Prevent Software Restriction Policies from Applying to Local
Administrators
Click Start, click Run, type mmc, and then click OK.
Open Software Restriction Policies.
In the details pane, double-click Enforcement.
Under Apply software restriction policies to the following users,
click All users except local administrators.
NOTES:
You may have to create a new software restriction policy setting for
this GPO if you have not already done so.
Typically, users are members of the local administrator group on their
computers in your organization; therefore, you may not want to turn on
this setting. Software restriction policies do not apply to any users
who are members of their local administrator group.
If you are defining a software restriction policy setting for your
local computer, use this procedure to prevent local administrators
from having software restriction policies applied to them. If you are
defining a software restriction policy setting for your network,
filter user policy settings based on membership in security groups by
using Group Policy.
How to Create a Certificate Rule
Click Start, click Run, type mmc, and then click OK.
Open Software Restriction Policies.
In either the console tree or the details pane, right-click Additional
Rules, and then click New Certificate Rule.
Click Browse, and then select a certificate.
Select a security level.
In the Description box, type a description for this rule, and then
click OK.
NOTES:
For information about how to start software restriction policies in
MMC, see "Start software restriction policies" in Related Topics in
the Windows Server 2003 Help file.
You may have to create a new software restriction policy setting for
this GPO if you have not already done so.
By default, certificate rules are not turned on. To turn on
certificate rules:
Click Start, click Run, type regedit, and then click OK.
Locate and then click the following registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers

In the details pane, double-click AuthenticodeEnabled, and then change
the value data from 0 to 1.
The only file types that are affected by certificate rules are those
that are listed in Designated file types. There is one list of
designated file types that is shared by all rules.
For software restriction policies to take effect, users must update
policy settings by logging off from and then logging on to their
computers.
When more than one rule is applied to policy settings, there is a
precedence of rules for handling conflicts.
How to Create a Hash Rule
Click Start, click Run, type mmc, and then click OK.
Open Software Restriction Policies.
In either the console tree or the details pane, right-click Additional
Rules, and then click New Hash Rule.
Click Browse to find a file, or paste a precalculated hash in the File
hash box.
In the Security level box, click either Disallowed or Unrestricted.
In the Description box, type a description for this rule, and then
click OK.
NOTES:
You may have to create a new software restriction policy setting for
this GPO if you have not already done so.
You can create a hash rule for a virus or a Trojan horse to prevent
the malicious software from running.
If you want other users to use a hash rule so that a virus cannot run,
calculate the hash of the virus by using software restriction
policies, and then e-mail the hash value to other users. Never e-mail
the virus itself.
If a virus has been sent through e-mail, you can also create a path
rule to prevent users from running mail attachments.
A file that is renamed or moved to another folder still results in the
same hash.
Any change to a file results in a different hash.
The only file types that are affected by hash rules are those that are
listed in Designated file types. There is one list of designated file
types that is shared by all rules.
For software restriction policies to take effect, users must update
policy settings by logging off from and then logging on to their
computers.
When more than one rule is applied to policy settings, there is a
precedence of rules for handling conflicts.
How to Create an Internet Zone Rule
Click Start, click Run, type mmc, and then click OK.
Open Software Restriction Policies.
In the console tree, click Software Restriction Policies.
In either the console tree or the details pane, right-click Additional
Rules, and then click New Internet Zone Rule.
In Internet zone, click an Internet zone.
In the Security Level box, click either Disallowed or Unrestricted,
and then click OK.
NOTES:
You may have to create a new software restriction policy setting for
this GPO if you have not already done so.
Zone rules apply to Windows Installer packages only.
The only file types that are affected by zone rules are those that are
listed in Designated file types. There is one list of designated file
types that is shared by all rules.
For software restriction policies to take effect, users must update
policy settings by logging off from and then logging on to their
computers.
When more than one rule is applied to policy settings, there is a
precedence of rules for handling conflicts.
How to Create a Path Rule
Click Start, click Run, type mmc, and then click OK.
Open Software Restriction Policies.
In either the console tree or the details pane, right-click Additional
Rules, and then click New Path Rule.
In the Path box, type a path or click Browse to find a file or folder.
In the Security level box, click either Disallowed or Unrestricted.
In the Description box, type a description for this rule, and then
click OK.

IMPORTANT: On certain folders, such as the Windows folder, setting the
security level to Disallowed can adversely affect the operation of
your operating system. Make sure that you do not disallow a crucial
component of the operating system or one of its dependent programs.
NOTES:
You may have to create a new software restriction policy setting for
this GPO if you have not already done so.
If you create a path rule for a program with a security level of
Disallowed, a user can still run the software by copying it to another
location.
The wildcard characters that are supported by the path rule are the
asterisk (*) and the question mark (?).
You can use environment variables, such as %programfiles% or
%systemroot%, in your path rule.
To create a path rule for software when you do not know where it is
stored on a computer but you have its registry key, you can create a
registry path rule.
To prevent users from running e-mail attachments, you can create a
path rule for your mail program's attachment folder that prevents
users from running e-mail attachments.
The only file types that are affected by path rules are those that are
listed in Designated file types. There is one list of designated file
types that is shared by all rules.
For software restriction policies to take effect, users must update
policy settings by logging off from and then logging on to their
computers.
When more than one rule is applied to policy settings, there is a
precedence of rules for handling conflicts.
How to Create a Registry Path Rule
Click Start, click Run, type regedit, and then click OK.
In the console tree, right-click the registry key that you want to
create a rule for, and then click Copy Key Name.
Note the value name in the details pane.
Click Start, click Run, type mmc, and then click OK.
Open Software Restriction Policies.
In either the console tree or the details pane, right-click Additional
Rules, and then click New Path Rule.
In Path, paste the registry key name and the value name.
Enclose the registry path in percent signs (%), for example:
%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PlatformSDK\Directories\InstallDir%

In the Security level box, click either Disallowed or Unrestricted.
In the Description box, type a description for this rule, and then
click OK.
NOTES:
You may have to create a new software restriction policy setting for
this GPO if you have not already done so.
You must be a member of the Administrators group to perform this
procedure.
Format the registry path as follows:
%Registry Hive\Registry Key Name\Value Name%

You must write out the name of the registry hive; you cannot use
abbreviations. For example, you cannot substitute HKCU for
HKEY_CURRENT_USER.
The registry path rule can contain a suffix after the closing percent
sign (%). Do not use a backslash (\) in the suffix. For example, you
can use the following registry path rule:
%HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cache%OLK*

The only file types that are affected by path rules are those that are
listed in Designated file types. There is one list of designated file
types that is shared by all rules.
For software restriction policies to take effect, users must update
policy settings by logging off from and then logging on to their
computers.
When more than one rule is applied to policy settings, there is a
precedence of rules for handling conflicts.
How to Add or Delete a Designated File Type
Click Start, click Run, type mmc, and then click OK.
Open Software Restriction Policies.
In the details pane, double-click Designated File Types.
Perform one of the following steps as appropriate:
To add a file type, type the file name extension in the File extension
box, and then click Add.
To delete a file type, click the file type in the Designated file
types box, and then click Remove.
NOTES:
You may have to create a new software restriction policy setting for
this GPO if you have not already done so.
The designated file types list is shared by all rules for each
configuration. The designated file types list for computer policy
settings is different from the designated file types list for user
policy settings.
How to Change the Default Security Level of Software Restriction
Policies
Click Start, click Run, type mmc, and then click OK.
Open Software Restriction Policies.
In the details pane, double-click Security Levels.
Right-click the security level that you want to set as the default,
and then click Set as default.

CAUTION: In certain folders, if you set the default security level to
Disallowed, you can adversely affect your operating system.
NOTES:
You may have to create a new software restriction policy setting for
this GPO if you have not already done so.
In the details pane, the current default security level is indicated
by a black circle with a check mark in it. If you right-click the
current default security level, the Set as default command does not
appear in the menu.
Rules are created to specify exceptions to the default security level.
When the default security level is set to Unrestricted, rules specify
software that is not allowed to run. When the default security level
is set to Disallowed, rules specify software that is allowed to run.
If you change the default level, you affect all files on the computers
that have software restriction policies applied to them.
At installation, the default security level of software restriction
policies on all files on your computer is set to Unrestricted.
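The rule semantics described in the path rule, registry path rule, hash rule and default security level notes above, as an added example that is not part of the KB article and not Windows' own implementation: a small Python evaluator that applies the designated file types gate, expands %environment% variables and %registry% references, matches * and ? wildcards, lets the most specific path rule win, and checks hash rules before path rules and zone rules after them. The environment, registry values and sample file content are constructed; joining a registry path rule's suffix onto the registry value with a backslash, using expanded pattern length as the specificity measure, and preferring Disallowed on a tie are this example's own assumptions.

```python
"""Toy evaluator for Software Restriction Policy decisions (added example).
Models a default level with rules as exceptions, the designated file types
gate, path/registry path/hash/zone rules and their precedence. Not Windows."""
import fnmatch
import hashlib
import ntpath
import re
from dataclasses import dataclass

UNRESTRICTED, DISALLOWED = "Unrestricted", "Disallowed"

# Constructed stand-ins for a machine's environment variables and registry.
ENV = {"systemroot": r"C:\WINDOWS", "programfiles": r"C:\Program Files"}
REGISTRY = {
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PlatformSDK\Directories\InstallDir":
        r"C:\PlatformSDK",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cache":
        r"C:\Documents and Settings\alice\Local Settings\Temporary Internet Files",
}
# Subset of the designated file types list; rules never apply to other extensions.
DESIGNATED = {"exe", "com", "bat", "cmd", "vbs", "msi", "scr", "pif"}


@dataclass
class Rule:
    kind: str     # "hash", "path" or "zone" (certificate rules omitted here)
    pattern: str  # hex MD5 for hash rules, path pattern for path rules, zone name
    level: str    # UNRESTRICTED or DISALLOWED

REG_REF = re.compile(r"^%(HKEY_[A-Z_]+\\[^%]+)%(.*)$")   # %hive\key\value%suffix
ENV_REF = re.compile(r"%([^%\\]+)%")                       # %systemroot% and the like


def expand(pattern, env=ENV, registry=REGISTRY):
    """Resolve a registry path rule or %environment% variables; None if unresolvable."""
    m = REG_REF.match(pattern)
    if m:
        folder = registry.get(m.group(1))
        if folder is None:
            return None
        # Assumption of this example: the suffix names an entry inside the folder
        # the registry value points to (which is why the suffix has no backslash).
        return folder.rstrip("\\") + ("\\" + m.group(2) if m.group(2) else "")
    return ENV_REF.sub(lambda v: env.get(v.group(1).lower(), v.group(0)), pattern)


def path_matches(pattern, path):
    """Case-insensitive match; a folder rule covers everything beneath it."""
    p, f = pattern.lower().rstrip("\\"), path.lower()
    if any(c in p for c in "*?"):
        return fnmatch.fnmatchcase(f, p) or fnmatch.fnmatchcase(f, p + "\\*")
    return f == p or f.startswith(p + "\\")


def evaluate(path, rules, default_level, data=None, zone=None):
    """Return (security level, reason) for launching the file at `path`."""
    ext = ntpath.splitext(path)[1].lstrip(".").lower()
    if ext not in DESIGNATED:
        return UNRESTRICTED, "not a designated file type; rules do not apply"
    # 1. Hash rules identify content, so renaming or moving the file does not escape them.
    if data is not None:
        digest = hashlib.md5(data).hexdigest()
        for r in rules:
            if r.kind == "hash" and r.pattern.lower() == digest:
                return r.level, f"hash rule {digest}"
    # 2. Certificate rules would be checked here (omitted: they need signature checks).
    # 3. Path rules: the most specific match wins, with expanded length as the
    #    specificity proxy; on a tie this example conservatively prefers Disallowed.
    best = None
    for r in rules:
        if r.kind != "path":
            continue
        expanded = expand(r.pattern)
        if expanded is not None and path_matches(expanded, path):
            key = (len(expanded), r.level == DISALLOWED)
            if best is None or key > best[0]:
                best = (key, r, expanded)
    if best:
        return best[1].level, f"path rule {best[1].pattern} -> {best[2]}"
    # 4. Internet zone rules apply to Windows Installer packages only.
    if ext == "msi" and zone is not None:
        for r in rules:
            if r.kind == "zone" and r.pattern.lower() == zone.lower():
                return r.level, f"zone rule {r.pattern}"
    return default_level, "default security level"


# Constructed sample content standing in for a file that is blocked by hash.
SAMPLE = b"constructed sample payload, not real malware"
RULES = [
    Rule("path", r"%systemroot%", UNRESTRICTED),              # never disallow the OS folder
    Rule("path", r"%programfiles%", UNRESTRICTED),
    Rule("path", r"%programfiles%\Games\*.exe", DISALLOWED),  # more specific, so it wins
    Rule("path", r"%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PlatformSDK\Directories\InstallDir%",
         UNRESTRICTED),
    Rule("path", r"%HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer"
                 r"\Shell Folders\Cache%OLK*", DISALLOWED),  # mail attachment folder
    Rule("hash", hashlib.md5(SAMPLE).hexdigest(), DISALLOWED),
    Rule("zone", "Internet", DISALLOWED),
]


def decide(path, default_level=DISALLOWED, data=None, zone=None):
    """Evaluate `path` against the sample policy and return only the level."""
    return evaluate(path, RULES, default_level, data=data, zone=zone)[0]
```

Running a candidate rule set through decide() against the paths users actually launch from shows which default level and exceptions you are really shipping before the GPO goes out.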
How to Set Trusted Publisher Options
Click Start, click Run, type mmc, and then click OK.
Open Software Restriction Policies.
Double-click Trusted Publishers.
Click the users who you want to decide which certificates will be
trusted, and then click OK.
NOTES:
You may have to create a new software restriction policy setting for
this GPO if you have not already done so.
You can select who can add trusted publishers: users, administrators,
or enterprise administrators. For example, you can use this tool to
prevent users from making trust decisions about publishers of ActiveX
Controls.
Local computer administrators have the right to specify trusted
publishers on the local computer, but enterprise administrators have
the right to specify trusted publishers on an organizational unit
level.
The information in this article applies to:
Microsoft Windows Server 2003, Enterprise Edition
Microsoft Windows Server 2003, Standard Edition
Last Reviewed: 6/6/2003 (4.0)
Keywords: kbMgmtServices kbhowto kbHOWTOmaster KB324036 kbAudITPro

Steven L Umbach

This link goes into much more detail including how to use SRP to help block malicious
code. -- Steve

http://www.microsoft.com/technet/tr...et/prodtechnol/winxppro/maintain/rstrplcy.asp

Sam Sena said:
I am posting this information here in response to the surge in
questions from my students in recent weeks who are studying for the
upgrade exams.

Apologies to all if this is a re-post.
Sam Sena MCT

********** Moral of the Story ************
The K.B. it exists... use it!!!

Microsoft Knowledge Base Article - 324036

HOW TO: Use Software Restriction Policies in Windows Server 2003
View products that this article applies to.
This article was previously published under Q324036
IN THIS TASK
SUMMARY
How to Start Software Restriction Policies
For the Local Computer Only
For a Domain, a Site, or an Organizational Unit on a Member Server or
a Workstation That Is Joined to a Domain
For an Organizational Unit or Domain on a Domain Controller or a
Workstation That Has the Administration Tools Pack Installed
For Your Site and a Domain Controller or a Workstation That Has the
Administration Tools Pack Installed
How to Prevent Software Restriction Policies from Applying to Local
Administrators
How to Create a Certificate Rule
How to Create a Hash Rule
How to Create an Internet Zone Rule
How to Create a Path Rule
How to Create a Registry Path Rule
How to Add or Delete a Designated File Type
How to Change the Default Security Level of Software Restriction
Policies
How to Set Trusted Publisher Options
SUMMARY
This article describes how to use software restriction policies in
Windows Server 2003. When you use software restriction policies, you
can identify and specify the software that is allowed to run so that
you can protect your computer environment from untrusted code. When
you use software restriction policies, you can define a default
security level of Unrestricted or Disallowed for a Group Policy object
(GPO) so that software is either allowed or not allowed to run by
default. To create exceptions to this default security level, you can
create rules for specific software. You can create the following types
of rules:
Hash rules
Certificate rules
Path rules
Internet zone rules
A policy is made up of the default security level and all of the rules
applied to a GPO. This policy can apply to all of the computers or to
individual users. Software restriction policies provide a number of
ways to identify software, and they provide a policy-based
infrastructure to enforce decisions about whether the software can
run. With software restriction policies, users must follow the
guidelines that are set up by administrators when they run programs.

With software restriction policies, you can perform the following
tasks:
Control which programs can run on your computer. For example, you can
apply a policy that does not allow certain file types to run in the
e-mail attachment folder of your e-mail program if you are concerned
about users receiving viruses through e-mail.
Permit users to run only specific files on multiple-user computers.
For example, if you have multiple users on your computers, you can set
up software restriction policies in such a way that users do not have
access to any software except for those specific files that they must
use for their work.
Decide who can add trusted publishers to your computer.
Control whether software restriction policies affect all users or just
certain users on a computer.
Prevent any files from running on your local computer, your
organizational unit, your site, or your domain. For example, if there
is a known virus, you can use software restriction policies to stop
the computer from opening the file that contains the virus.IMPORTANT:
Microsoft recommends that you do not use software restriction policies
as a replacement for antivirus software.
back to the top
How to Start Software Restriction Policies
For the Local Computer Only
Click Start, point to Programs, point to Administrative Tools, and
then click Local Security Policy.
In the console tree, expand Security Settings, and then expand
Software Restriction Policies.
back to the top
For a Domain, a Site, or an Organizational Unit on a Member Server or
a Workstation That Is Joined to a Domain
Open Microsoft Management Console (MMC). To do so, click Start, click
Run, type mmc, and then click OK.
On the File menu, click Add/Remove Snap-in, and then click Add.
Click Group Policy Object Editor, and then click Add.
In Select Group Policy Object, click Browse.
In Browse for a Group Policy Object, either select a Group Policy
object (GPO) in the appropriate domain, site, or organizational unit,
and then click Finish.

Alternatively, you can create a new GPO, and then click Finish.
Click Close, and then click OK.
In the console tree, go to the following location:
Group Policy Object Computer_name Policy/Computer Configuration or
User/Configuration/Windows Settings/Security Settings/Software
Restriction Policies

back to the top
For an Organizational Unit or a Domain on a Domain Controller or a
Workstation That Has the Administration Tools Pack Installed
Click Start, point to All Programs, point to Administrative Tools, and
then click Active Directory Users and Computers.
In the console tree, right-click the domain or organizational unit
that you want to set Group Policy for.
Click Properties, and then click the Group Policy tab.
Click an entry in Group Policy Object Links to select an existing GPO,
and then click Edit.

Alternatively, you can click New to create a new GPO, and then click
Edit.
In the console tree, go to the following location:
Group Policy Object Computer_name Policy/Computer Configuration or
User Configuration/Windows Settings/Security Settings/Software
Restriction Policies

back to the top
For Your Site and on a Domain Controller or a Workstation That Has the
Administration Tools Pack Installed
Click Start, point to All Programs, point to Administrative Tools, and
then click Active Directory Sites and Services.
In the console tree, right-click the site that you want to set Group
Policy for:
Active Directory Sites and Services [ Domain_Controller_Name.
Domain_Name]
Sites
Site


Click Properties, and then click the Group Policy tab.
Click an entry in Group Policy Object Links to select an existing
Group Policy object (GPO), and then click Edit.

Alternatively, click New to create a new GPO, and then click Edit.
In the console tree, go to the following location:
Group Policy Object Computer_name Policy/Computer Configuration or
User Configuration/Windows Settings/Security Settings/Software
Restriction Policies

IMPORTANT: Click User Configuration to set policies that will be
applied to users, regardless of the computer to which they log on.
Click Computer Configuration to set policies that will be applied to
computers, regardless of the users who log on to them.

You can also apply software restriction policies to specific users
when they log on to specific computer by using an advanced Group
Policy setting named loopback.
back to the top
How to Prevent Software Restriction Policies from Applying to Local
Administrators
Click Start, click Run, type mmc, and then click OK.
Open Software Restriction Policies.
In the details pane, double-click Enforcement.
Under Apply software restriction policies to the following users,
click All users except local administrators.
NOTES:
You may have to create a new software restriction policy setting for
this GPO if you have not already done so.
Typically, users are members of the local administrator group on their
computers in your organization; therefore, you may not want to turn on
this setting. Software restriction policies do not apply to any users
who are members of their local administrator group.
If you are defining a software restriction policy setting for your
local computer, use this procedure to prevent local administrators
from having software restriction policies applied to them. If you are
defining a software restriction policy setting for your network,
filter user policy settings based on membership in security groups by
using Group Policy.
back to the top
How to Create a Certificate Rule
Click Start, click Run, type mmc, and then click OK.
Open Software Restriction Policies.
In either the console tree or the details pane, right-click Additional
Rules, and then click New Certificate Rule.
Click Browse, and then select a certificate.
Select a security level.
In the Description box, type a description for this rule, and then
click OK.
NOTES:
For information about how to start software restriction policies in
MMC, see "Start software restriction policies" in Related Topics in
the Windows Server 2003 Help file.
You may have to create a new software restriction policy setting for
this GPO if you have not already done so.
By default, certificate rules are not turned on. To turn on
certificate rules:
Click Start, click Run, type regedit, and then click OK.
Locate and then click the following registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers

In the details pane, double-click AuthenticodeEnabled, and then change
the value data from 0 to 1.
The only file types that are affected by certificate rules are those
that are listed in Designated file types. There is one list of
designated file types that is shared by all rules.
For software restriction policies to take effect, users must update
policy settings by logging off from and then logging on to their
computers.
When more than one rule is applied to policy settings, there is a
precedence of rules for handling conflicts.
back to the top
How to Create a Hash Rule
Click Start, click Run, type mmc, and then click OK.
Open Software Restriction Policies.
In either the console tree or the details pane, right-click Additional
Rules, and then click New Hash Rule.
Click Browse to find a file, or paste a precalculated hash in the File
hash box.
In the Security level box, click either Disallowed or Unrestricted.
In the Description box, type a description for this rule, and then
click OK.
NOTES:
You may have to create a new software restriction policy setting for
this GPO if you have not already done so.
You can create a hash rule for a virus or a Trojan horse to prevent
the malicious software from running.
If you want other users to use a hash rule so that a virus cannot run,
calculate the hash of the virus by using software restriction
policies, and then e-mail the hash value to other users. Never e-mail
the virus itself.
If a virus has been sent through e-mail, you can also create a path
rule to prevent users from running mail attachments.
A file that is renamed or moved to another folder still results in the
same hash.
Any change to a file results in a different hash.
The only file types that are affected by hash rules are those that are
listed in Designated file types. There is one list of designated file
types that is shared by all rules.
For software restriction policies to take effect, users must update
policy settings by logging off from and then logging on to their
computers.
When more than one rule is applied to policy settings, there is a
precedence of rules for handling conflicts.
back to the top
How to Create an Internet Zone Rule
Click Start, click Run, type mmc, and then click OK.
Open Software Restriction Policies.
In the console tree, click Software Restriction Policies.
In either the console tree or the details pane, right-click Additional
Rules, and then click New Internet Zone Rule.
In Internet zone, click an Internet zone.
In the Security Level box, click either Disallowed or Unrestricted,
and then click OK.
NOTES:
You may have to create a new software restriction policy setting for
this GPO if you have not already done so.
Zone rules apply to Windows Installer packages only.
The only file types that are affected by zone rules are those that are
listed in Designated file types. There is one list of designated file
types that is shared by all rules.
For software restriction policies to take effect, users must update
policy settings by logging off from and then logging on to their
computers.
When more than one rule is applied to policy settings, there is a
precedence of rules for handling conflicts.
back to the top
How to Create a Path Rule
Click Start, click Run, type mmc, and then click OK.
Open Software Restriction Policies.
In either the console tree or the details pane, right-click Additional
Rules, and then click New Path Rule.
In the Path box, type a path or click Browse to find a file or folder.
In the Security level box, click either Disallowed or Unrestricted.
In the Description box, type a description for this rule, and then
click OK.
IMPORTANT: On certain folders, such as the Windows folder,
setting the security level to Disallowed can adversely affect the
operation of your operating system. Make sure that you do not disallow
a crucial component of the operating system or one of its dependent
programs.
NOTES:
You may have to create a new software restriction policy setting for
this GPO if you have not already done so.
If you create a path rule for a program with a security level of
Disallowed, a user can still run the software by copying it to another
location.
The wildcard characters that are supported by the path rule are the
asterisk (*) and the question mark (?).
You can use environment variables, such as %programfiles% or
%systemroot%, in your path rule.
To create a path rule for software when you do not know where it is
stored on a computer but you have its registry key, you can create a
registry path rule.
To prevent users from running e-mail attachments, you can create a
path rule for your mail program's attachment folder that prevents
users from running e-mail attachments.
The only file types that are affected by path rules are those that are
listed in Designated file types. There is one list of designated file
types that is shared by all rules.
For software restriction policies to take effect, users must update
policy settings by logging off from and then logging on to their
computers.
When more than one rule is applied to policy settings, there is a
precedence of rules for handling conflicts.
How to Create a Registry Path Rule
Click Start, click Run, type regedit, and then click OK.
In the console tree, right-click the registry key that you want to
create a rule for, and then click Copy Key Name.
Note the value name in the details pane.
Click Start, click Run, type mmc, and then click OK.
Open Software Restriction Policies.
In either the console tree or the details pane, right-click Additional
Rules, and then click New Path Rule.
In Path, paste the registry key name and the value name.
Enclose the registry path in percent signs (%), for example:
%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PlatformSDK\Directories\InstallDir%

In the Security level box, click either Disallowed or Unrestricted.
In the Description box, type a description for this rule, and then
click OK.
NOTES:
You may have to create a new software restriction policy setting for
this GPO if you have not already done so.
You must be a member of the Administrators group to perform this
procedure.
Format the registry path as follows:
% Registry Hive\ Registry Key Name\ Value Name%

You must write out the name of the registry hive; you cannot use
abbreviations. For example, you cannot substitute HKCU for
HKEY_CURRENT_USER.
The registry path rule can contain a suffix after the closing percent
sign (%). Do not use a backslash (\) in the suffix. For example, you
can use the following registry path rule:
%HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cache%OLK*

The only file types that are affected by path rules are those that are
listed in Designated file types. There is one list of designated file
types that is shared by all rules.
For software restriction policies to take effect, users must update
policy settings by logging off from and then logging on to their
computers.
When more than one rule is applied to policy settings, there is a
precedence of rules for handling conflicts.
How to Add or Delete a Designated File Type
Click Start, click Run, type mmc, and then click OK.
Open Software Restriction Policies.
In the details pane, double-click Designated File Types.
Perform one of the following steps as appropriate:
To add a file type, type the file name extension in the File extension
box, and then click Add.
To delete a file type, click the file type in the Designated file
types box, and then click Remove.
NOTES:
You may have to create a new software restriction policy setting for
this GPO if you have not already done so.
The designated file types list is shared by all rules for each
configuration. The designated file types list for computer policy
settings is different from the designated file types list for user
policy settings.
How to Change the Default Security Level of Software Restriction
Policies
Click Start, click Run, type mmc, and then click OK.
Open Software Restriction Policies.
In the details pane, double-click Security Levels.
Right-click the security level that you want to set as the default,
and then click Set as default.

CAUTION: In certain folders, if you set the default security level to
Disallowed, you can adversely affect your operating system.
NOTES:
You may have to create a new software restriction policy setting for
this GPO if you have not already done so.
In the details pane, the current default security level is indicated
by a black circle with a check mark in it. If you right-click the
current default security level, the Set as default command does not
appear in the menu.
Rules are created to specify exceptions to the default security level.
When the default security level is set to Unrestricted, rules specify
software that is not allowed to run. When the default security level
is set to Disallowed, rules specify software that is allowed to run.
If you change the default level, you affect all files on the computers
that have software restriction policies applied to them.
At installation, the default security level of software restriction
policies on all files on your computer is set to Unrestricted.
How to Set Trusted Publisher Options
Click Start, click Run, type mmc, and then click OK.
Open Software Restriction Policies.
Double-click Trusted Publishers.
Click the users who you want to decide which certificates will be
trusted, and then click OK.
NOTES:
You may have to create a new software restriction policy setting for
this GPO if you have not already done so.
You can select who can add trusted publishers, users, administrators,
or enterprise administrators. For example, you can use this tool to
prevent users from making trust decisions about publishers of ActiveX
Controls.
Local computer administrators have the right to specify trusted
publishers on the local computer, but enterprise administrators have
the right to specify trusted publishers on an organizational unit
level.
The information in this article applies to:
Microsoft Windows Server 2003, Enterprise Edition
Microsoft Windows Server 2003, Standard Edition
Last Reviewed: 6/6/2003 (4.0)
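As an added example, not part of the KB article or of either post: a small Python model of how the rule types above combine, showing the caveat that a Disallowed path rule is sidestepped by copying the file to another location while a hash rule is not. The rule list, registry values, environment values, SHA-1 standing in for SRP's file hash, and the assumed precedence (hash rules before path rules, the most specific matching path winning) are all constructed for illustration and are not Microsoft's evaluation engine.

```python
import fnmatch
import hashlib

# Constructed model of how SRP combines rules; not Microsoft's engine.
DESIGNATED_TYPES = {"exe", "com", "bat", "cmd", "vbs", "msi"}   # subset of the default list

REGISTRY = {  # constructed snapshot used to expand registry path rules
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PlatformSDK\Directories\InstallDir": r"C:\Program Files\PlatformSDK",
}
ENV = {"systemroot": r"C:\WINDOWS", "programfiles": r"C:\Program Files"}   # constructed

def expand_path_rule(rule):
    """Turn a %HIVE\\Key\\Value%suffix or %envvar%suffix rule into a concrete pattern."""
    if not rule.startswith("%"):
        return rule
    ref, _, suffix = rule[1:].partition("%")
    if "\\" in ref:                      # registry path rule: hive name written out in full
        return REGISTRY[ref] + suffix
    return ENV[ref.lower()] + suffix     # environment variable such as %systemroot%

def evaluate(file_path, file_bytes, rules, default_level="Unrestricted"):
    """Effective level for file_path under rules, a list of (kind, identifier, level).
    Assumed precedence: hash rule > path rule; longest matching path pattern wins."""
    ext = file_path.rsplit(".", 1)[-1].lower()
    if ext not in DESIGNATED_TYPES:
        return "Unrestricted"            # only designated file types are affected by rules
    digest = hashlib.sha1(file_bytes).hexdigest()   # SHA-1 stands in for SRP's file hash
    for kind, ident, level in rules:
        if kind == "hash" and ident == digest:
            return level
    target = file_path.lower()
    best = None
    for kind, ident, level in rules:
        if kind != "path":
            continue
        pattern = expand_path_rule(ident).lower()
        in_folder = target.startswith(pattern.rstrip("\\") + "\\")   # a folder rule covers its contents
        if fnmatch.fnmatchcase(target, pattern) or in_folder:       # * and ? are the supported wildcards
            if best is None or len(pattern) > len(best[0]):
                best = (pattern, level)
    return best[1] if best else default_level

SAMPLE_BINARY = b"constructed sample binary"   # stands in for the bytes of a real executable
RULES = [   # constructed rule set
    ("path", r"C:\Tools\app.exe", "Disallowed"),
    ("path", r"%systemroot%\Temp\*.exe", "Disallowed"),
    ("path", r"%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PlatformSDK\Directories\InstallDir%", "Unrestricted"),
    ("hash", hashlib.sha1(SAMPLE_BINARY).hexdigest(), "Disallowed"),
]
```

Evaluating C:\Tools\app.exe gives Disallowed, the same bytes copied to C:\Temp\app.exe fall back to the default level, and only the hash rule still blocks the copy.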
Roger Abell

Sam Sena said:
I am posting this information here in response to the surge in
questions from my students in recent weeks who are studying for the
upgrade exams.

Apologies to all if this is a re-post.
Sam Sena MCT


Hi Sam,

This was mostly off-topic for the majority of
people frequenting this newsgroup.

For future reference, a post such as
http://support.microsoft.com/?id=324036

not only conveys the same information, but it
does so with less bandwidth strain in those parts
of the world where this is a real issue, and, it also
allows Microsoft to update the information over
time as well as present it within a readable format.

Regards,
Roger