Software Restriction Policy

[rasdr]

We have some software restriction policies on our domain which disallow
users from running chat software, some of our prohibited software list, as
well as games. We were attempting today to add a hash for the installer
file for Real Player 10, which we don't want users in the domain installing
on their workstations (if they have admin privileges).

We're finding that the hashes for the executable that runs a program (ie:
realplay.exe) work just fine, but we're unable to restrict the installer
file from running. It's as if the has rule is totally ignored.

Does anybody have any suggestions as to what might be the reason for this?

 

[Steven L Umbach]

What you might try to set up a test computer that has very restrictive
settings for Software Restriction Policies such as one with the default
disallowed rule [and you may need to lockdown from there] and then try to
install Real Player on it as a regular user assuming that is what your
general user population is to have a similar user experience. When the
installation fails look in the application log to see the name of the
executable that was denied and try creating a hash rule for that file. One
of my computers is locked down pretty tight so I tried to download and
install Real Player and this is what I found in the application log
indicating that
RealPlayer10-5GOLD_bb[1].exe may be a file to try and restrict. --- Steve

Event Type: Warning
Event Source: Software Restriction Policies
Event Category: None
Event ID: 866
Date: 11/2/2005
Time: 8:00:28 PM
User: N/A
Computer: STEVE-XP
Description:
Access to D:\Documents and Settings\Steve\Local Settings\Temporary Internet
Files\Content.IE5\6789SBCV\RealPlayer10-5GOLD_bb[1].exe has been restricted
by your Administrator by location with policy rule
{dd369e61-f6f5-4e21-8ce3-58c8257ddc15} placed on path D:\Documents and
Settings\

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.

 

[rasdr]

Thanks for the suggestion....I'll give it a shot at work tomorrow.

What you might try to set up a test computer that has very restrictive
settings for Software Restriction Policies such as one with the default
disallowed rule [and you may need to lockdown from there] and then try to
install Real Player on it as a regular user assuming that is what your
general user population is to have a similar user experience. When the
installation fails look in the application log to see the name of the
executable that was denied and try creating a hash rule for that file. One
of my computers is locked down pretty tight so I tried to download and
install Real Player and this is what I found in the application log
indicating that
RealPlayer10-5GOLD_bb[1].exe may be a file to try and restrict. --- Steve

Event Type: Warning
Event Source: Software Restriction Policies
Event Category: None
Event ID: 866
Date: 11/2/2005
Time: 8:00:28 PM
User: N/A
Computer: STEVE-XP
Description:
Access to D:\Documents and Settings\Steve\Local Settings\Temporary
Internet Files\Content.IE5\6789SBCV\RealPlayer10-5GOLD_bb[1].exe has been
restricted by your Administrator by location with policy rule
{dd369e61-f6f5-4e21-8ce3-58c8257ddc15} placed on path D:\Documents and
Settings\

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.

We have some software restriction policies on our domain which disallow
users from running chat software, some of our prohibited software list,
as well as games. We were attempting today to add a hash for the
installer file for Real Player 10, which we don't want users in the
domain installing on their workstations (if they have admin privileges).

We're finding that the hashes for the executable that runs a program (ie:
realplay.exe) work just fine, but we're unable to restrict the installer
file from running. It's as if the has rule is totally ignored.

Does anybody have any suggestions as to what might be the reason for
this?

 

[Rhonda Rasmussen]

I didn't have a chance to attempt this at work until today. It seems
that I left one very important thing out of the equation. We are still
running SP1 on our corporate desktops. Software restriction events for
SP1 systems are logged in the system events, so if a non-admin user was
attempting to run a restricted package, there are no events logged in
the system events because non-admins are unable to write there.

Since I had an SP2 system in my lab, I attempted the SRP on that system
and found that it works just fine under SP2 when hashing the installer
itself. It seems to be an issue isolated to SP1 only.

If you can think of anything else that we might try, I'd appreciate
hearing about it. We do have MS Premier support, so at some point this
week, we'll likely open an incident with them anyways. Thanks for all
your help Steven.

What you might try to set up a test computer that has very restrictive
settings for Software Restriction Policies such as one with the default
disallowed rule [and you may need to lockdown from there] and then try to
install Real Player on it as a regular user assuming that is what your
general user population is to have a similar user experience. When the
installation fails look in the application log to see the name of the
executable that was denied and try creating a hash rule for that file. One
of my computers is locked down pretty tight so I tried to download and
install Real Player and this is what I found in the application log
indicating that
RealPlayer10-5GOLD_bb[1].exe may be a file to try and restrict. --- Steve

Event Type: Warning
Event Source: Software Restriction Policies
Event Category: None
Event ID: 866
Date: 11/2/2005
Time: 8:00:28 PM
User: N/A
Computer: STEVE-XP
Description:
Access to D:\Documents and Settings\Steve\Local Settings\Temporary Internet
Files\Content.IE5\6789SBCV\RealPlayer10-5GOLD_bb[1].exe has been restricted
by your Administrator by location with policy rule
{dd369e61-f6f5-4e21-8ce3-58c8257ddc15} placed on path D:\Documents and
Settings\

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.

We have some software restriction policies on our domain which disallow
users from running chat software, some of our prohibited software list, as
well as games. We were attempting today to add a hash for the installer
file for Real Player 10, which we don't want users in the domain
installing on their workstations (if they have admin privileges).

We're finding that the hashes for the executable that runs a program (ie:
realplay.exe) work just fine, but we're unable to restrict the installer
file from running. It's as if the has rule is totally ignored.

Does anybody have any suggestions as to what might be the reason for this?

 

[rasdr]

I didn't have a chance to attempt this at work until today. It seems that
I left one very important thing out of the equation. We are still running
SP1 on our corporate desktops. Software restriction events for SP1 systems
are logged in the system events, so if a non-admin user was attempting to
run a restricted package, there are no events logged in the system events
because non-admins are unable to write there.

Since I had an SP2 system in my lab, I attempted the SRP on that system and
found that it works just fine under SP2 when hashing the installer itself.
It seems to be an issue isolated to SP1 only.

If you can think of anything else that we might try, I'd appreciate hearing
about it. We do have MS Premier support, so at some point this week, we'll
likely open an incident with them anyways. Thanks for all your help Steven.

What you might try to set up a test computer that has very restrictive
settings for Software Restriction Policies such as one with the default
disallowed rule [and you may need to lockdown from there] and then try to
install Real Player on it as a regular user assuming that is what your
general user population is to have a similar user experience. When the
installation fails look in the application log to see the name of the
executable that was denied and try creating a hash rule for that file. One
of my computers is locked down pretty tight so I tried to download and
install Real Player and this is what I found in the application log
indicating that
RealPlayer10-5GOLD_bb[1].exe may be a file to try and restrict. --- Steve

Event Type: Warning
Event Source: Software Restriction Policies
Event Category: None
Event ID: 866
Date: 11/2/2005
Time: 8:00:28 PM
User: N/A
Computer: STEVE-XP
Description:
Access to D:\Documents and Settings\Steve\Local Settings\Temporary
Internet Files\Content.IE5\6789SBCV\RealPlayer10-5GOLD_bb[1].exe has been
restricted by your Administrator by location with policy rule
{dd369e61-f6f5-4e21-8ce3-58c8257ddc15} placed on path D:\Documents and
Settings\

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.

We have some software restriction policies on our domain which disallow
users from running chat software, some of our prohibited software list,
as well as games. We were attempting today to add a hash for the
installer file for Real Player 10, which we don't want users in the
domain installing on their workstations (if they have admin privileges).

We're finding that the hashes for the executable that runs a program (ie:
realplay.exe) work just fine, but we're unable to restrict the installer
file from running. It's as if the has rule is totally ignored.

Does anybody have any suggestions as to what might be the reason for
this?

 

[Steven L Umbach]

Interesting. I don't have an SP1 computer right now. Make sure that the hash
has not changed if a new or different version is being access by users and
you could also try a path rule if you know the path that they are using
which probably is what you see in the SRP Event ID you are seeing in the
application log if you are accessing the file that same way as the users
are. The path rule could be for a specific file, a specific extension such
as *.exe, or any file protected by SRP. A more brute force way would be to
disallow users from executing any content in specific folders in their user
profile or their whole user profile. On my home computers I have a path rule
for disallowed to c:\documents and settings\ as another step to help prevent
malware/spyware from being installed on my computer. --- Steve

I didn't have a chance to attempt this at work until today. It seems that
I left one very important thing out of the equation. We are still running
SP1 on our corporate desktops. Software restriction events for SP1
systems are logged in the system events, so if a non-admin user was
attempting to run a restricted package, there are no events logged in the
system events because non-admins are unable to write there.

Since I had an SP2 system in my lab, I attempted the SRP on that system
and found that it works just fine under SP2 when hashing the installer
itself. It seems to be an issue isolated to SP1 only.

If you can think of anything else that we might try, I'd appreciate
hearing about it. We do have MS Premier support, so at some point this
week, we'll likely open an incident with them anyways. Thanks for all
your help Steven.

What you might try to set up a test computer that has very restrictive
settings for Software Restriction Policies such as one with the default
disallowed rule [and you may need to lockdown from there] and then try to
install Real Player on it as a regular user assuming that is what your
general user population is to have a similar user experience. When the
installation fails look in the application log to see the name of the
executable that was denied and try creating a hash rule for that file.
One of my computers is locked down pretty tight so I tried to download
and install Real Player and this is what I found in the application log
indicating that
RealPlayer10-5GOLD_bb[1].exe may be a file to try and restrict. ---
Steve

Event Type: Warning
Event Source: Software Restriction Policies
Event Category: None
Event ID: 866
Date: 11/2/2005
Time: 8:00:28 PM
User: N/A
Computer: STEVE-XP
Description:
Access to D:\Documents and Settings\Steve\Local Settings\Temporary
Internet Files\Content.IE5\6789SBCV\RealPlayer10-5GOLD_bb[1].exe has been
restricted by your Administrator by location with policy rule
{dd369e61-f6f5-4e21-8ce3-58c8257ddc15} placed on path D:\Documents and
Settings\

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.

We have some software restriction policies on our domain which disallow
users from running chat software, some of our prohibited software list,
as well as games. We were attempting today to add a hash for the
installer file for Real Player 10, which we don't want users in the
domain installing on their workstations (if they have admin privileges).

We're finding that the hashes for the executable that runs a program
(ie: realplay.exe) work just fine, but we're unable to restrict the
installer file from running. It's as if the has rule is totally
ignored.

Does anybody have any suggestions as to what might be the reason for
this?

 

[Steven L Umbach]

Another thought is to verify that the settings for SRP have propagated to
the computers where the SRP is not working. The best way would be to run
Resultant Set of Policy in logging mode for the computer/user in question.
This can be done from a Windows 2003 domain controller or on the XP Pro
computer itself. --- Steve

Interesting. I don't have an SP1 computer right now. Make sure that the
hash has not changed if a new or different version is being access by
users and you could also try a path rule if you know the path that they
are using which probably is what you see in the SRP Event ID you are
seeing in the application log if you are accessing the file that same way
as the users are. The path rule could be for a specific file, a specific
extension such as *.exe, or any file protected by SRP. A more brute force
way would be to disallow users from executing any content in specific
folders in their user profile or their whole user profile. On my home
computers I have a path rule for disallowed to c:\documents and settings\
as another step to help prevent malware/spyware from being installed on my
computer. --- Steve

I didn't have a chance to attempt this at work until today. It seems
that I left one very important thing out of the equation. We are still
running SP1 on our corporate desktops. Software restriction events for
SP1 systems are logged in the system events, so if a non-admin user was
attempting to run a restricted package, there are no events logged in the
system events because non-admins are unable to write there.

Since I had an SP2 system in my lab, I attempted the SRP on that system
and found that it works just fine under SP2 when hashing the installer
itself. It seems to be an issue isolated to SP1 only.

If you can think of anything else that we might try, I'd appreciate
hearing about it. We do have MS Premier support, so at some point this
week, we'll likely open an incident with them anyways. Thanks for all
your help Steven.

What you might try to set up a test computer that has very restrictive
settings for Software Restriction Policies such as one with the default
disallowed rule [and you may need to lockdown from there] and then try
to install Real Player on it as a regular user assuming that is what
your general user population is to have a similar user experience. When
the installation fails look in the application log to see the name of
the executable that was denied and try creating a hash rule for that
file. One of my computers is locked down pretty tight so I tried to
download and install Real Player and this is what I found in the
application log indicating that
RealPlayer10-5GOLD_bb[1].exe may be a file to try and restrict. ---
Steve

Event Type: Warning
Event Source: Software Restriction Policies
Event Category: None
Event ID: 866
Date: 11/2/2005
Time: 8:00:28 PM
User: N/A
Computer: STEVE-XP
Description:
Access to D:\Documents and Settings\Steve\Local Settings\Temporary
Internet Files\Content.IE5\6789SBCV\RealPlayer10-5GOLD_bb[1].exe has
been restricted by your Administrator by location with policy rule
{dd369e61-f6f5-4e21-8ce3-58c8257ddc15} placed on path D:\Documents and
Settings\

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.


We have some software restriction policies on our domain which disallow
users from running chat software, some of our prohibited software list,
as well as games. We were attempting today to add a hash for the
installer file for Real Player 10, which we don't want users in the
domain installing on their workstations (if they have admin
privileges).

We're finding that the hashes for the executable that runs a program
(ie: realplay.exe) work just fine, but we're unable to restrict the
installer file from running. It's as if the has rule is totally
ignored.

Does anybody have any suggestions as to what might be the reason for
this?