How-to: Using Software Restriction Policies

Using SRP is not that common today, so what I will write here is a small how-to so that you can start trying it today and maybe even apply it in your production environment sometime soon.

[Screenshot: SRP]

The first thing to notice is that SRP is a very powerful tool, so try it in a test environment before you apply it to users in production.

First you need to choose your default level, which you do under Security Levels:

[Screenshot: SRP2]

When you start using SRP, the default level is “Unrestricted”, which allows all programs to run. That means you can use SRP to block specific programs, but the real power is in changing the default to “Disallowed”: then you specify which programs are allowed to run and everything else is blocked, instead of blocking specific programs.

So to start with, make “Disallowed” the default: double-click “Disallowed” and press the button “Set as Default”.

[Screenshot: SRP3]

This means that all clients affected by this policy are now unable to run anything except what you define as exceptions, which you do under “Additional Rules”:

[Screenshot: SRP4]

As you can see in the picture above, two default rules are already included. These are registry path rules that set all programs under those two registry paths to Unrestricted, which of course keeps them runnable even though you selected “Disallowed” as the default under “Security Levels”.

There are four different kinds of rule for allowing or blocking programs:

  • Hash-rule
  • Path-rule
  • Network zone-rule
  • Certificate-rule

The normal ones to use are hash and path. A hash rule is what you should prefer: when the user tries to run a program, SRP computes the hash of the file and compares it with the rule to decide whether the program may run. Sometimes, for example when you have several versions of a program, a hash rule becomes a problem; then you use a path rule instead. Also, if the program is not installed in the same location on every computer but you know a registry value where its path is stored, you can use a path rule that points at that registry location instead.

I will show you the two ways of allowing Windows Live Messenger to run.

Hash:

[Screenshot: SRP6]
As you can see above, the rule takes the executable and stores the hash value of the file. When someone tries to run the program, the system computes the hash, compares it with the one you defined and then decides whether the program may run.

Path:

[Screenshot: SRP5]
As you can see above, you need to select the path to the executable. This path needs to be the same on each computer you want to use this on, but of course you can use environment variables as I have done in the picture above. You could also use a registry location if you know where the path to the program is stored.

You can of course also use SRP to block programs instead of allowing them. This is not really the preferred way to use SRP, but it is fully functional.
On my computer I have “Unrestricted” as the default and I added an application on my desktop named radio.exe as “Disallowed”.

[Screenshot: SRP7]

So the result when I try to run the file is:

[Screenshot: SRP8]

In conclusion, you can see that this is a powerful way of giving your users minimal rights on the system, with the result that your users will have a hard time messing up the computer :)

This only covers parts of SRP. For example, local administrators also get these rules by default, but you can exclude them under the “Enforcement” choice; DLL files are excluded by default, but you can change that too. Make sure to try this in a safe environment before applying it to production, as you might get a big headache if you have taken some wrong turns in setting this up. :)
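Everything above is configured through the Group Policy editor. As an added example (not from the original post), the PowerShell below reads the resulting policy from the registry on a test client, so the default level, the Enforcement and DLL settings, and every hash or path rule can be verified before users are affected, and it checks whether an executable on disk still matches a hash rule (relevant after an update, when a new exe means a new hash). Assumptions: an elevated PowerShell 4 or later session on a client that has applied the GPO, the standard SRP registry layout under Safer\CodeIdentifiers, and the reading of a 16-byte stored hash as MD5 and a 32-byte one as SHA-256.

```powershell
# Added example, not from the original post: reads the SRP policy that Group Policy
# has written to this machine (standard Safer\CodeIdentifiers layout) so the default
# level and every exception rule can be verified on a test client. Needs admin rights.
$SrpBase   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$LevelName = @{ 0 = 'Disallowed'; 131072 = 'Basic User'; 262144 = 'Unrestricted' }

function Get-SrpSettings {
    if (-not (Test-Path $SrpBase)) { Write-Warning 'No SRP policy applied here.'; return }
    $cfg = Get-ItemProperty -Path $SrpBase
    [pscustomobject]@{
        DefaultLevel      = $LevelName[[int]$cfg.DefaultLevel]
        DLLsChecked       = ($cfg.TransparentEnabled -eq 2)  # 1 = executables only, 2 = DLLs too
        LocalAdminsExempt = ($cfg.PolicyScope -eq 1)         # the "Enforcement" choice
        LogFile           = $cfg.LogFileName                 # worth setting while testing
    }
}

function Get-SrpRules {
    # Rules live under <level>\Paths\<guid> and <level>\Hashes\<guid>
    foreach ($lvl in $LevelName.Keys) {
        foreach ($kind in 'Paths', 'Hashes') {
            $key = Join-Path $SrpBase "$lvl\$kind"
            if (-not (Test-Path $key)) { continue }
            foreach ($rule in Get-ChildItem $key) {
                $p = Get-ItemProperty $rule.PSPath
                if ($kind -eq 'Paths') {
                    $type = 'Path'   # keep %SystemRoot% etc. unexpanded, as authored
                    $item = $rule.GetValue('ItemData', $null, 'DoNotExpandEnvironmentNames')
                } else {
                    $type = 'Hash'   # ItemData is the raw file hash; show it as hex
                    $item = ($p.ItemData | ForEach-Object { $_.ToString('x2') }) -join ''
                }
                [pscustomobject]@{ Level = $LevelName[$lvl]; Type = $type
                                   Item = $item; Description = $p.Description }
            }
        }
    }
}

# Does an executable on disk still match a hash rule? After an update a new exe file
# has a new hash, so the rule must be recreated. Assumption (not from the post): a
# 16-byte ItemData is MD5 (older clients), a 32-byte ItemData is SHA-256 (newer ones).
function Test-SrpHashRule([string]$Exe) {
    $md5 = (Get-FileHash -Path $Exe -Algorithm MD5).Hash.ToLower()
    $sha = (Get-FileHash -Path $Exe -Algorithm SHA256).Hash.ToLower()
    Get-SrpRules | Where-Object { $_.Type -eq 'Hash' -and ($_.Item -eq $md5 -or $_.Item -eq $sha) }
}
Get-SrpSettings | Format-List
Get-SrpRules | Sort-Object Level, Type | Format-Table -AutoSize
```

Run `Test-SrpHashRule 'C:\path\to\program.exe'` after an update: no output means no hash rule matches the current file and the rule must be recreated.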


7 Comments

  1. Lawrence (Malta), Jan 10, 2008 @ 13:30:27

    I followed your instructions and as a test, I successfully disabled Windows live messenger from my workstation using the Hash method.
    Now I’m trying to set the same policy on my AD server so the policy will be applied to all workstations. The problem is that I do not have the Live messenger installed on my AD server, so when I try to browse for software location, I will not find it.
    Do I have to install Live Messenger on my server? Hope not.

    Thanks

  2. G Johansson (Sweden), Jan 10, 2008 @ 14:38:11

    Hi Lawrence

    Of course not.
    Either create/modify the GPO from a computer with live messenger installed

    or

    from your AD server browse to the file on a client which has it installed, or just copy the executable to somewhere on the AD server while creating the policy; when done you can remove it again.

    I hope you understand what I mean and that you of course don’t need to install software on your computer to use the rules for SRP.

    Regards G Johansson

  3. Lawrence (Malta), Jan 11, 2008 @ 12:58:49

    Hi G Johansson,

    Thanks, to be honest, I had already tried that and for some reason it didn’t work. Once you suggested the same thing, I had a go again and this time it has been successfully applied.

    Thanks very much for your help. Hope that users will not find a way around and bypass the policy. Thanks again

    Law

  4. Will Jones (United Kingdom), Sep 16, 2008 @ 16:36:34

    Hiya,

    Excellent and informative article. I have used the HASH method to restrict WLM from running on user PCs. One question though: if Messenger is ever updated, will the HASH change and the restrictions have to be updated?

    Many thanks in advance.

    Will J

  5. G Johansson (Sweden), Dec 16, 2008 @ 13:45:24

    Hi Will

    Yes, it will require a new HASH rule if the installation puts in a new exe-file.

  6. Robert N (United States), Jul 16, 2009 @ 22:49:05

    Great article.
    Couple of questions.
    On an existing GP object, I selected ‘create new policies’ for SRP.
    My questions are:
    Left as default, will this now hurt anything?

    Can this be undone?

    Thanks,
    Rob

  7. G Johansson (Sweden), Jul 18, 2009 @ 11:15:45

    Hi Robert N
    If you don’t change anything you can leave it as is and it will not do anything.
    If you would like to use SRP some day, I would recommend you create it in its own GP so it’s easy to turn off if you run into problems…

    Regards G