8/18/2019 Using Software Restriction Policies to Protect Against Unauthorized Software
Using Software Restriction Policies to Protect Against Unauthorized Software
Published: January 01, 2002 | Updated: May 2", 2004
http://technet.microsoft.com/en-us/library/bb457006.aspx
Abstract

Software restriction policies are a new feature in Microsoft Windows XP and Windows Server 2003. This important feature provides administrators with a policy-driven mechanism for identifying software programs running on computers in a domain, and controls the ability of those programs to execute. Software restriction policies can improve system integrity and manageability, which ultimately lowers the cost of owning a computer.
Introduction
Software restriction policies are a part of Microsoft's security and management strategy to assist enterprises in increasing the reliability, integrity, and manageability of their computers. Software restriction policies are one of many new management features in Windows XP and Windows Server 2003. This article provides an in-depth look at how software restriction policies can be used to:
• Fight viruses
• Regulate which ActiveX controls can be downloaded
• Run only digitally signed scripts
• Enforce that only approved software is installed on system computers
• Lock down a machine
Expanded Management Capabilities

Windows 2000 brought significant management capabilities to the Windows platform. In Windows 2000, you could manage the software for your machines in the following ways:
• Application settings allowed you to customize an application once through Group Policy, and then distribute that customization to all domain users who required it.
• The Software Installation snap-in provided a means to centrally manage software distribution in your organization. When the user selected an application from the Start menu for the first time, it set up automatically, and then opened. You could also publish applications to groups of users, making the application available for users to install.
• Security settings defined a security configuration within a Group Policy Object (GPO). Security configuration consisted of settings for: account policies, local policies, event log, registry, file system, public key policies, and other policies.

Windows XP and Windows Server 2003 expand the management capabilities of Windows 2000 by adding the following features:
• Better diagnostic and planning information through Resultant Set of Policies (RSoP). For more information, see the article Windows 2000 Group Policy.
• Ability to use Windows Management Instrumentation (WMI) filtering. In Windows 2000 you could apply policies based on organizational information in Active
• $ro%i"in) a way to "efine a list of what is truste" co"e %ersus what is not.
• $ro%i"in) a flexible* policy-base" approach for re)ulatin) scripts* executables* an" cti%e#
controls.• 1nforcin) the policy automatically.
Software Restriction Polic" Arc%itecture
i)ure @ below shows the three components of a software restriction policy:@. n a"ministrator creates the policy by usin) the roup $olicy Microsoft Mana)ement
Aonsole MMA; snap-in for a particular cti%e
Default Security Level

There are two ways to use software restriction policies:
• If an administrator knows all of the software that should run, then a software restriction policy can be applied to control execution to only this list of trusted applications.
• If all the applications that users might run are not known, then administrators can step in and disallow undesired applications or file types as needed.

Four Rules Identify Software

The purpose of a rule is to identify one or more software applications, and specify whether or not they are allowed to run. Creating rules largely consists of identifying software that is an exception to the default rule. Each rule can include descriptive text to help communicate why the rule was created. A software restriction policy supports the following four ways to identify software:
• Hash: A cryptographic fingerprint of the file.
• Certificate: A software publisher certificate used to digitally sign a file.
• Path: The local or universal naming convention (UNC) path of where the file is stored.
• Zone: Internet Zone

Hash Rules

A hash rule is a cryptographic fingerprint that uniquely identifies a file regardless of where it is accessed or what it is named. An administrator may not want users to run a particular version of a program. This may be the case if the program has security or privacy bugs, or compromises system stability. With a hash rule, software can be renamed or moved into another location on a disk, but it will still match the hash rule because the rule is based on a cryptographic calculation involving file contents. A hash rule consists of three pieces of data, separated by colons:
• MD5 or SHA-1 hash value
• File length
• Hash algorithm ID
It is formatted as follows:
[MD5 or SHA1 hash value]:[file length]:[hash algorithm id]
Files that are digitally signed will use the hash value contained in the signature, which may be SHA-1 or MD5
8/18/2019 Using Software Restriction Policies to Protect Against Unauthorized Software
5/43
Example. The following hash rule matches a file with a length of 126 bytes and with contents that match the MD
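As an added illustration of the hash rule format described above (this is example code, not code from the original article), the following Python builds and checks [hash]:[file length]:[hash algorithm id] strings for in-memory file contents. The algorithm id values 32771 (CALG_MD5) and 32772 (CALG_SHA1) are the Windows CryptoAPI ALG_ID constants; the article does not list them, so treat that mapping as an assumption of this example. The sample file contents and paths are constructed. The point it demonstrates is the one the text makes: renaming or moving the file does not change the match, while any change to the bytes does, even when the length stays the same.

```python
import hashlib

# CryptoAPI ALG_ID constants used for the "hash algorithm id" field.
# These numbers are an assumption of this example; the article gives none.
ALG_ID = {"md5": 32771, "sha1": 32772}      # CALG_MD5 = 0x8003, CALG_SHA1 = 0x8004
ALG_NAME = {v: k for k, v in ALG_ID.items()}


def hash_rule(content: bytes, algorithm: str = "md5") -> str:
    """Build the [hash]:[file length]:[hash algorithm id] string for file contents."""
    if algorithm not in ALG_ID:
        raise ValueError(f"unsupported hash algorithm: {algorithm}")
    digest = hashlib.new(algorithm, content).hexdigest()
    return f"{digest}:{len(content)}:{ALG_ID[algorithm]}"


def parse_hash_rule(rule: str):
    """Split a rule string into (digest, length, algorithm id), validating each field."""
    digest, length, alg_id = rule.split(":")
    alg_id = int(alg_id)
    if alg_id not in ALG_NAME:
        raise ValueError(f"unknown hash algorithm id: {alg_id}")
    expected_hex_len = hashlib.new(ALG_NAME[alg_id]).digest_size * 2
    if len(digest) != expected_hex_len:
        raise ValueError("digest length does not match the algorithm id")
    return digest.lower(), int(length), alg_id


def matches(rule: str, content: bytes) -> bool:
    """True when the contents match the rule; the file's name and location play no part."""
    digest, length, alg_id = parse_hash_rule(rule)
    if len(content) != length:          # cheap rejection before hashing
        return False
    return hashlib.new(ALG_NAME[alg_id], content).hexdigest() == digest


# Constructed sample: the page's hello.vbs, a copy renamed and moved to a share,
# and a copy with one word changed (same length, different bytes).
HELLO_VBS = b'msgbox "hello world"\r\n'
SAMPLE_FILES = {
    r"C:\Scripts\hello.vbs": HELLO_VBS,
    r"\\server\share\renamed.vbs": HELLO_VBS,
    r"C:\Scripts\hello-modified.vbs": HELLO_VBS.replace(b"hello", b"HELLO"),
}


def files_matching(rule: str, files=SAMPLE_FILES):
    """Return the paths whose contents match the rule, whatever they are called."""
    return sorted(path for path, content in files.items() if matches(rule, content))


if __name__ == "__main__":
    rule = hash_rule(HELLO_VBS)
    print(rule)
    print(files_matching(rule))
```

The length field lets the check reject most non-matching files before hashing them, which is why it is part of the rule; the digest comparison is what actually identifies the file.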
Registr" Path Rules' Many applications store paths to their installation fol"ers or application"irectories in the !in"ows re)istry. ou can create a path rule that loos up these re)istry eys.or example* some applications can be installe" anywhere on the file system. (hese locationsmay not be easily i"entifiable by usin) specific fol"er paths* such as A:$ro)ram ilesMicrosoft$latform S
installe" by a %irus that isalways calle" flcss.exe
flcss.exe* set to ash rule
•
Aertificate rule• $ath rule
• 3nternet one rule
• ash ulesule @ >ash of pa)efileconfi).%bs
n a"ministrator may want to "isallow the runnin) of pro)rams for most users* but allowa"ministrators to run anythin). or example* a customer may ha%e a share" machine thatmultiple users connect to usin) (erminal Ser%er. (he a"ministrator may want users to be able torun only specific applications on the machine* but allow members of the local a"ministrators)roup to run anythin). (o "o this* use the S(i Ad!inistrators option.
3f the software restriction policy is create" in a $8 attache" to an ob9ect in cti%e
Figure 3. Designated File Types dialog box

Trusted Publishers

The Trusted Publishers options shown in Figure 4 below allow you to configure settings related to ActiveX controls and other signed content.
Figure 4. Setting Trusted Publishers options

Table 3 shows Trusted Publisher options related to the use of ActiveX controls and other signed content.

Table 3 Trusted Publisher Tasks and Settings
Task | Setting
To allow only domain administrators to make decisions regarding signed active content | Enterprise Administrators
To allow local machine administrators to make all decisions regarding signed active content | Local computer Administrators
To allow any user to make decisions regarding signed active content | End Users
To ensure that the certificate used by the software publisher has not been revoked | Publisher
To ensure that the certificate used by the organization that time-stamped the active content has not been revoked | Timestamp

Scope of Software Restriction Policies

Software restriction policies do not apply to the following:
Software Restriction Polic" (esign
(his section co%ers how software restriction policies are a"ministere" usin) roup $olicy snap-ins* thin)s to be concerne" about when e"itin) a policy for the first time* an" what,s in%ol%e" inapplyin) a software restriction policy to a )roup of users.
Integration wit% #roup Polic"
Software restriction policies are a"ministere" usin) the followin) roup $olicy snap-ins:
:o!ain Polic" (o set up a "omain policy
@. Alic Start* then unC type "sa.msc an" clic 8G.&. i)ht-clic on "omain or 8B* then clic $roperties U roup $olicy tab U=ew/1"it.
4ocal Securit" Polic" (o set up a security policy
@. Alic Start* then un.&. (ype secol'!sc* then clic 51 .
3f e"itin) a $8* you can set Bser an" Machine software restriction policies as shown in i)ure5 below.
Figure 5. Setting User and Machine software restriction policies
If editing the local security policy, the software restriction policy settings are located as indicated in Figure 6 below.
Figure 6. Editing Local Security Policy

First-time Considerations

The first time you edit a policy you will see the message in Figure 7. The message is warning you that creating a policy will define default values. These default values can override settings from other software restriction policies.
Figure 7. Warning message when creating a new policy
To create a policy:
• Select Create New Policies from the Action menu.

Applying a Software Restriction Policy to a Group of Users

A software restriction policy is delivered through Group Policy to a site, domain, or organizational unit. However, an administrator may want to apply a software restriction policy to a group of users within a domain. To do this, the administrator can use GPO filtering.
For more information on GPO filtering see the article Windows 2000 Group Policy at http://www.microsoft.com/windows2000/techinfo/howitworks/management/grouppolwp.asp

Terminal Servers

Software restriction policies are an integral part of securing a Windows Server 2003 terminal server. Terminal server administrators can now thoroughly lock down software access on a terminal server. Software restriction policies are even more imperative on a terminal server because of the potentially vast number of users on a single machine. On a single-user Windows XP client, running a bad application inconveniences only one user, whereas running the same application on a terminal server could inconvenience more than 100 users. Software restriction policies prevent this problem. This service also removes the need for such applications as appsec.exe to govern software execution on a Windows Server 2003 terminal server. In addition, Microsoft recommends that you view 278295 How to Lock
example, a law firm hosts its applications across a farm of terminal servers. The servers all have the same software installed. The access rules to the software are as follows:
• Any employee can use Microsoft Office and Internet Explorer. All employees are members of the AllEmployees group.
• Any accounting employee can use the Accounting Software. Accounting employees are members of the AccountingEmployees group.
• Any Lawyer can use the Law Research software. Lawyers are members of the Lawyers group.
• Any mailroom employee can use the Mail Room Processing software. Mailroom employees are members of the MailRoomEmployees group.
• Any executive can access all software available to all other employees. Executives are members of the Executives group.
• GPOs do not affect Administrators.
To achieve this software access, the administrator creates five Group Policy objects with customized software restriction policies. Each GPO is filtered so that only the users in the AllEmployees, AccountingEmployees, Lawyers, MailRoomEmployees, and Executives groups receive the GPO intended for them.
Because only executives should be able to access any software on their local workstations, as well as on the terminal servers, the administrator uses the loopback feature of Group Policy. The loopback feature allows an administrator to apply policy to a user based on the computer the user is logging onto. In loopback replace mode, the computer GPO settings are reapplied during user login, and the user GPO settings are ignored. See the Group Policy white paper for more information on how to configure loopback.
Default Security Level
• Policy options
• Linking the policy to a site, domain, or organizational unit

Stepping Through the Process

Step 2. Additional Rules. Identify the applications you choose to allow or disallow using the four rule types outlined in the Software Restriction Policy Architecture section above.
• To see which rules make sense for your policy, refer to Table 1. When to Use Each Rule, above.
• To create additional rules, refer to the Step-by-step Guide for Creating Additional Rules, below.
Step 3. Policy Options. There are several policy options:
• If you are using a local security policy, and do not want the policy to apply to administrators on the machine, set the Skip Administrators option.
• If you want to check
• If you want to change who can make decisions about downloading ActiveX controls and other signed content, set Trusted Publishers options.
Step 4. Linking the Policy to a Site, Domain or Organizational Unit. To link a GPO to a site:
1. Use the Active
Step 1. Record the Folders Where the Software is Installed. List the paths where the software is installed. Three ways to do this include:
• You can look at the Target property of a shortcut to the file.
• You can start each program by clicking Start, Run, and then typing msinfo32.exe. From msinfo32, select Software Environment and then Running Tasks.
• You can use the following command: wmic.exe process get "ExecutablePath,ProcessId"
Because these programs are acceptable to run, we do not have to change our rules.

Commonly Overlooked Rules

When designing a policy, consider the following areas when creating rules.
Login Scripts. Login scripts are stored on a central server. Often this central server can change with each login. If your default rule is
• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
• HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
Virus Scanning Programs. Most anti-virus software has a real-time scanner program that starts when the user logs in and scans all files accessed by the user, looking for possible virus contamination. Make sure your rules allow your virus scanning programs to run.

Scenarios

This section examines some typical problems and how software restriction policies can be used to solve them.
Block Malicious Scripts

An organization wants to be protected from script-based viruses. The LoveLetter virus, technically called a worm, was estimated to have caused between $6 and $10 billion in damage. This worm, which has more than 80 variants, continues to be encountered frequently.
The LoveLetter worm, written in the Visual Basic Script language (VBS), is encountered as LOVE-LETTER-FOR-YOU.TXT.VBS. A software restriction policy blocks this worm simply by disallowing any .vbs file from running.
However, many organizations use VBS files for systems management and logon scripts.
Blocking all VBS files from running protects an organization, but a VBS can no longer be used for legitimate purposes. A software restriction policy overcomes this handicap by blocking the undesirable VBS, while allowing legitimate ones to run.
This policy can be created using the rules in Table 4.
Table 4 Rules for Blocking Malicious Scripts
...ost from running, except those that are digitally signed by the IT
Manage Software Installation

You can configure your organization's machines so that only approved software can be installed.
For software that uses Windows Installer technology, this can be accomplished by the policy shown in Table 5.
Table 5 Rules for Managing Software Installation
Path Rules
• Any computer science student can use the Microsoft Visual C++ compiler; computer science students are members of the CSStudents group.
To achieve the objectives of the above scenario, the administrator creates three Group Policy objects with customized software restriction policies. Each GPO is filtered so that only the users in AllStudents, EngStudents, and CSStudents receive the GPO intended for them.
Because the administrator wants the students to receive the policy when logged on to the lab computers, but not when the students log on to their personal computers, he uses the Group Policy loopback feature. The loopback feature allows an administrator to apply policy to a user based on the computer the user is logging on to. In loopback replace mode, the machine GPOs are reapplied during user logon, skipping the normal user policies.
Refer to Tables 8, 9 and 10, and Figure 8 below.
For more information on how to configure loopback, see the article Windows 2000 Group Policy at http://www.microsoft.com/windows2000/techinfo/howitworks/management/grouppolwp.asp
Table 8 GPO 1 Linked with Lab Resource Domain
User GPO 1 Linked with Lab Resource
Figure 8. Group Policy Organization for Computer Lab
Table 9 GPO 2 Linked with Lab Resource Domain
User GPO 2 Linked with Lab Resource
• Typing mistakes, or incorrectly entered information, can result in a policy setting that does not perform as expected. Testing new policy settings before applying them can prevent unexpected behavior.
Mixed Domain Deployments

It is possible to use software restriction policies in a mixed-mode deployment. That is, you do not have to upgrade your Windows 2000 domain controllers to take advantage of software restriction policies. You can use a Windows XP Professional computer to edit the Group Policy object and configure your software restriction policy. Windows XP and Windows Server 2003 computers that download the GPO will enforce the software restriction policy. Computers running Windows 2000 will ignore the settings.

Merging Semantics for Multiple Software Restriction Policies

Whenever two or more Group Policy objects apply to a user or machine, the policies are merged. When two or more software restriction policies are merged, the following occurs:
• The GPO with the highest precedence sets the following values:
  o Apply to Users: All users
• Additional Rules: none
Date: 1/1/2001
Time: 2:50:24 PM
User: bob
Computer: EXA-1
Description:
Access to C:\Program Files\Messenger\msmsgs.exe has been restricted by your Administrator by location with policy rule 7%d#f5e5d%$1$"%!0"ddeafc"ac!; placed on path C:\Program Files\Messenger\msmsgs.exe
This event is logged when a user starts a program that is disallowed by a path rule.
The rule
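The event above is what a defender has to work with when reviewing enforcement on a machine. As an added example (not code from the original article), the following Python parses such records, keeps only the software restriction policy "restricted" events, and summarizes them per rule and per user so that an over-broad rule (one GUID firing constantly) or a user repeatedly hitting the same block stand out. The sample records are constructed to match the event text shown above; the rule GUIDs in them are placeholders, and the "placed on path" clause is treated as optional since the page only shows the path-rule wording.

```python
import re
from collections import Counter

# Constructed sample records modelled on the event shown above; GUIDs are placeholders.
SAMPLE_EVENTS = r"""
Date: 1/1/2001
Time: 2:50:24 PM
User: bob
Computer: EXA-1
Description:
Access to C:\Program Files\Messenger\msmsgs.exe has been restricted by your Administrator by location with policy rule {11111111-1111-1111-1111-111111111111} placed on path C:\Program Files\Messenger\msmsgs.exe

Date: 1/1/2001
Time: 2:51:02 PM
User: bob
Computer: EXA-1
Description:
Access to C:\Program Files\Messenger\msmsgs.exe has been restricted by your Administrator by location with policy rule {11111111-1111-1111-1111-111111111111} placed on path C:\Program Files\Messenger\msmsgs.exe

Date: 1/1/2001
Time: 3:10:45 PM
User: alice
Computer: EXA-2
Description:
Access to C:\Temp\LOVE-LETTER-FOR-YOU.TXT.VBS has been restricted by your Administrator by location with policy rule {22222222-2222-2222-2222-222222222222} placed on path *.VBS

Date: 1/1/2001
Time: 3:12:00 PM
User: alice
Computer: EXA-2
Description:
The Windows Installer service entered the running state.
"""

FIELD_RE = re.compile(r"^(Date|Time|User|Computer): (.*)$", re.M)
SRP_RE = re.compile(
    r"Access to (?P<target>.+?) has been restricted by your Administrator by "
    r"(?P<reason>.+?) with policy rule (?P<rule>\{[0-9A-Fa-f-]+\})"
    r"(?: placed on path (?P<rule_path>.+))?$", re.M)


def parse_events(text: str = SAMPLE_EVENTS):
    """Return one dict per software restriction policy event; other records are skipped."""
    events = []
    for record in re.split(r"\n\s*\n", text.strip()):
        m = SRP_RE.search(record)
        if m is None:
            continue                      # not an SRP "restricted" event
        event = dict(FIELD_RE.findall(record))
        event.update(m.groupdict())
        events.append(event)
    return events


def blocked_by_rule(events):
    """How many blocks each rule GUID produced; a rule firing constantly may be too broad."""
    return Counter(e["rule"] for e in events)


def repeat_offenders(events, threshold: int = 2):
    """(user, target) pairs blocked at least `threshold` times, worth a closer look."""
    counts = Counter((e["User"], e["target"]) for e in events)
    return sorted(key for key, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    evs = parse_events()
    print(len(evs), "SRP events")
    print(blocked_by_rule(evs))
    print(repeat_offenders(evs))
```

Keying the summary on the rule GUID rather than on the blocked path is what connects an event back to the policy: the same GUID appears under the CodeIdentifiers key in the registry format described in the Appendix, so a noisy rule can be located and reviewed.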
Advanced Logging

When creating rules or troubleshooting a machine displaying problems, an administrator may want a log of every software restriction policy evaluation. This can be done by enabling advanced logging. To enable advanced logging:
• Create the following registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers
  String Value: LogFileName, <path to a log file>

Enabling and Disabling Logging from the Command Line

The following commands can be used to enable and disable logging from the command line.
• Enable logging:
reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers" /v LogFileName /d saferlog.txt
Group Policy Troubleshooting

The following tools are used to troubleshoot Group Policy problems.
Resultant Set of Policy (RSoP). RSoP is an infrastructure and tool in the form of MMC snap-ins, enabling administrators to determine and analyze the current set of policies in two modes: logging mode and planning mode. In logging mode, administrators assess what has been applied to a particular target. In planning mode, administrators can see how policies would be applied to a target, and then examine the results before deploying a change to Group Policy.
To view RSoP data for the current user:
• Click Start, Run, and type rsop.msc
gpupdate.exe
Gpupdate is a utility for Group Policy. It can cause a refresh of Group Policy on the client machine and can be used for software restriction policies in the following ways:
• gpupdate /target:computer [/force] This command refreshes the machine-based software restriction policy settings. The /force switch, if present, instructs the machine to reapply all settings, regardless of whether they have changed since the last Group Policy refresh.
• gpupdate /target:user [/force] This command refreshes the user-based software restriction policy settings. The /force switch, if present, instructs the machine to reapply all settings, regardless of whether they have changed since the last Group Policy refresh.
• gpupdate [/force] This command refreshes the user- and machine-based software restriction policy settings. The /force switch, if present, instructs the machine to reapply all settings, regardless of whether they have changed since the last Group Policy refresh.
After refreshing software restriction policy settings, only new programs started will enforce the policy. Some long-lived programs like explorer.exe, the Windows shell, will not pick up the new policy. To force all programs to enforce the policy, the user should log in again.
gpresult.exe
Gpresult.exe is a Group Policy utility for examining the settings applied during Group Policy refresh. It utilizes Resultant Set of Policy (RSoP) data. It can be used for software restriction policies in the following ways:
• gpresult. This command displays basic user and machine information. It lists the group policies that apply to the logged in user on the current machine.
Command Sample

The following is sample output from the command: gpresult /scope user /v /user bob.
Microsoft Windows XP Operating System
Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\#!#1\Paths\0%a%$5da#b""bea50b0fe$17e%ced;
State: Enabled
1. Use the Group Policy snap-in to fix the policy.
2. Run gpupdate.exe.
3. Restart Windows and log in normally.

Appendix

This section includes a list of default designated file types, registry formats and a how-to guide for digitally signing files with test certificates.

Table 11 Default Designated File Types
File Extension | File Description
.CHM | Compiled HTML Help File
.CMD | Windows NT Command Script
.COM | MS-DOS Application
.HLP | Windows Help File
.HTA | HTML Applications
.INF | Setup Information File
.INS | Internet Communication Settings
.ISP | Internet Communication Settings
.JS | JScript File
.JSE | JScript Encoded Script File
.LNK | Shortcut
.M
.VBE | VBScript Encoded Script File
.VBS | VBScript Script File
.WSC | Windows Script Component
.WSF | Windows Script File
.WSH | Windows Scripting Host Settings File

Registry Format

After a policy is applied, the software restriction policy configuration is stored in the system registry. The security access control list (ACL) protecting these registry keys allows only administrators and the SYSTEM account to change them.
User Policy. User policy is stored under the following key:
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows
Machine Policy. Machine policy is stored under the following key:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows

Registry Format Explained
[HKCU or HKLM]\SOFTWARE\Policies\Microsoft\Windows\Safer
CodeIdentifiers
PolicyScope,
LastModified, QWORD
Item HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates
[HKCU or HKLM]\SOFTWARE\Policies\Microsoft\Windows\SystemCertificates
TrustedPublishers
Note. Entries under this key are Unrestricted rules
Certificates
[HKCU or HKLM]\SOFTWARE\Policies\Microsoft\Windows\Safer
CodeIdentifiers
ExecutableTypes, REG_MULTI_SZ: WSC,VB,URL,SHS,SCR,REG,PIF,PC
certificate against this CA. If only people in your organization use your digitally signed files, you should choose this option.
• Create a self-signed certificate for test purposes. After downloading the Authenticode tools, run the following two commands:
  o makecert.exe -n "cn=TEST CERTIFICATE (FOR TEST PURPOSES ONLY)" -ss my -eku 1.3.6.1.5.5.7.3.3
  o Setreg.exe 1 true
The setreg.exe command instructs the local computer to trust the Test Root Agency certificate that issues your test code-signing certificate. You should not trust the test root certificate on production machines.
Step 3. Signing a File

Create a test VB Script file called hello.vbs with the following contents:
• msgbox "hello world"
Sign and timestamp this file by running the following command:
• signcode.exe -cn "TEST CERTIFICATE (FOR TEST PURPOSES ONLY)" -t http://timestamp.verisign.com/scripts/timstamp.dll hello.vbs
If the signing and time stamping operation is successful, the tool will print "Succeeded" at its completion. The script will have a Base 64 encoded digital signature section added to it as shown in Figure 11 below.
Figure 11. Visual Basic Script file with a digital signature
You can verify that the file was signed properly by running the following command:
• chktrust.exe hello.vbs
The dialog box in Figure 12 will appear.
Figure 12. Verifying a signed file
Step 4. Create Certificate and Path Rules. Edit the local security policy, secpol.msc. Create two rules:
• New Path Rule: Type "*.VBS" in the edit box labeled Path. Set the security level to
be tailore" to meet the nee"s of a set of users or computers. Software restriction policies promoteimpro%e" system inte)rity an" mana)eability+an" ultimately lower the cost of ownin) acomputer.