
Software Restriction Policy

What is Software Restriction Policy?


Software Restriction Policies (SRP) is a Group Policy-based feature that identifies the software programs running on computers in a domain and controls the ability of those programs to run. SRP is part of the Microsoft security and management strategy to assist enterprises in increasing the reliability, integrity, and manageability of their computers.


SRP provides administrators with a Group Policy-driven mechanism to identify software and control its ability to run on the local computer. You can use SRP to create a highly restricted configuration for computers, in which you allow only specifically identified applications to run. SRP is integrated with Microsoft Active Directory and Group Policy.


You can define a default security level of Unrestricted or Disallowed for a Group Policy Object (GPO) so that software is either allowed or not allowed to run by default. You can make exceptions to this default security level by creating software restriction policy rules for specific software.


For more information about SRP, please go to:

https://docs.microsoft.com/en-us/windows-server/identity/software-restriction-policies/software-restriction-policies


1. Whitelisting software with Software Restriction Policies


To create a new SRP:

1) Open Group Policy Management

2) Create a new GPO called Software Restriction Policies

3) Edit the GPO, navigate to User/Computer Configuration > Policies > Windows Settings > Security Settings

4) Right-click on Software Restriction Policies and click New Software Restriction Policies

To change the default security level of SRP:

1) Open Software Restriction Policies

2) In the details pane, navigate to Security Levels to change the default security level of SRP

3) Right-click the security level that you want to set as the default, and then click Set as default. The default security level for all files on your system is Unrestricted

To prevent SRP from applying to local administrators:

1) Open Software Restriction Policies

2) In the details pane, double-click Enforcement

3) Under Apply software restriction policies to the following users, click All users except local administrators. Click Apply and then OK

2. Create rules to allow software to run


If the default security level is set to Disallowed, you can create rules that allow specific software to run. The types of rules are as follows:

· Certificate rules

· Hash rules

· Internet zone rules

· Path rules


In this guide, we will create hash rules and path rules.


Working with hash rules

A hash is a series of bytes with a fixed length that uniquely identifies a software program or file. The hash is computed by a hash algorithm. When a hash rule is created for a software program, SRP calculates a hash of the program. When a user tries to open a software program, a hash of the program is compared to the existing hash rules of the SRP. The hash of a software program is always the same, regardless of where the program is located on the computer.


To create a hash rule

1) Open Software Restriction Policies

2) In either the console tree or the details pane, right-click Additional Rules, and then click New Hash Rule.

3) Click Browse to find a file

4) In Security level, click Unrestricted

5) In Description, type a description for this rule, and then click OK


Working with path rules

A path rule identifies software by its file path. For example, if you have a computer that has a default security level of Disallowed, you can still grant unrestricted access to a specific folder for each user. You can create a path rule by using the file path and setting the security level of the path rule to Unrestricted. Some common paths for this type of rule are %userprofile%, %windir%, %appdata%, %programfiles%, and %temp%. You can also create registry path rules that use the registry key of the software as its path.


To create a path rule

1) Open Software Restriction Policies

2) In either the console tree or the details pane, right-click Additional Rules, and then click New Path Rule.

3) In Path, type a path, or click Browse to find a file or folder.

4) In Security level, click Unrestricted

5) In Description, type a description for this rule, and then click OK.
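Once the GPO has applied, the hash and path rules created above, together with the default level and the Enforcement setting, can be reviewed from PowerShell. The script below is an added example, not part of the original guide; it assumes that Windows stores the applied SRP rules under the Safer\CodeIdentifiers registry key with one subkey per security level, which the guide does not describe and which may differ between Windows versions. It also flags Unrestricted path rules that point at folders a standard user can write to, since such a rule lets any file placed in that folder run even when the default level is Disallowed.

```powershell
# Added example (not from the guide): report the SRP rules applied to this computer.
# Assumption: SRP settings live under Safer\CodeIdentifiers, one subkey per level.
function Get-SrpRuleReport {
    param(
        # 'HKLM:' for Computer Configuration policies, 'HKCU:' for User Configuration
        [string]$Hive = 'HKLM:'
    )
    $base   = "$Hive\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers"
    $levels = @{ 0 = 'Disallowed'; 131072 = 'Basic User'; 262144 = 'Unrestricted' }
    # Common path-rule targets from the guide that a standard user can write to
    $userWritable = @('%userprofile%', '%appdata%', '%temp%')

    if (-not (Test-Path $base)) { throw "No software restriction policy found under $base" }

    $policy  = Get-ItemProperty -Path $base
    $default = if ($null -ne $policy.DefaultLevel) { $levels[[int]$policy.DefaultLevel] } else { 'not set' }
    $scope   = if ($policy.PolicyScope -eq 1) { 'all users except local administrators' } else { 'all users' }
    [pscustomobject]@{ Kind = 'Default security level'; Value = $default; Note = "applies to $scope" }

    foreach ($lvl in $levels.Keys) {
        $levelName = $levels[$lvl]
        # Path rules: ItemData holds the path, possibly with environment variables
        $pathKey = "$base\$lvl\Paths"
        if (Test-Path $pathKey) {
            foreach ($rule in Get-ChildItem -Path $pathKey) {
                $item = Get-ItemProperty -Path $rule.PSPath
                $weak = ($lvl -eq 262144) -and ($userWritable | Where-Object { $item.ItemData -like "$_*" })
                $note = if ($weak) { 'REVIEW: Unrestricted rule on a user-writable location' } else { $item.Description }
                [pscustomobject]@{ Kind = "$levelName path rule"; Value = $item.ItemData; Note = $note }
            }
        }
        # Hash rules: ItemData is the binary file hash; shown as hex so it can be
        # compared with Get-FileHash output for a file under investigation
        $hashKey = "$base\$lvl\Hashes"
        if (Test-Path $hashKey) {
            foreach ($rule in Get-ChildItem -Path $hashKey) {
                $item = Get-ItemProperty -Path $rule.PSPath
                $hex  = ($item.ItemData | ForEach-Object { $_.ToString('x2') }) -join ''
                [pscustomobject]@{ Kind = "$levelName hash rule"; Value = $hex; Note = $item.Description }
            }
        }
    }
}

Get-SrpRuleReport | Format-Table -AutoSize
```

Run it with `-Hive 'HKCU:'` when the GPO was created under User Configuration rather than Computer Configuration.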
