Implementing Software Restriction Policies in Windows .NET

One of the biggest threats to security in any organization is users running unauthorized software. Unauthorized software can increase a company's costs by changing a system's configuration, causing downtime for the user and help desk expenses for the organization. Likewise, unauthorized software could expose the organization to piracy-related litigation or could spread viruses. Fortunately, Windows .NET has a feature called Software Restriction Policies that allows you to control what software a user's machine will run.

You can access the software restriction policies by opening the Domain Security Policy on a Windows .NET domain controller and navigating through the console tree to Console Root | Local Computer Policy | Windows Settings | Security Settings | Software Restriction Policies. Beneath the Software Restriction Policies container are two other containers. The first of these is the Security Levels container, which contains two security level objects: Disallowed and Unrestricted. The Disallowed object blocks a software package's ability to run, while the Unrestricted object allows the software to run freely (assuming the user has the necessary rights).

The Additional Rules container is where you create your software restriction policies. The procedure involves selecting the type of rule that you want, associating a software component with the rule, and then assigning a security level to the object. For example, you might create a rule that allows Microsoft Office to run unrestricted.

There are four different mechanisms for identifying an application. You choose which method you want to use by right-clicking on the Additional Rules container and selecting the appropriate command. You can create a rule based on a file hash, a path, a certificate, or an Internet zone. Obviously, having multiple types of rules allows for the possibility of rules that contradict one another. In the event of a contradiction, a certificate rule takes precedence, followed by a hash rule, then a path rule, and finally a security zone rule.

A certificate rule only applies to Internet scripts and to Windows Installer packages. This type of rule allows you to enter a certificate identification and then either allow or disallow software to run based on that certificate. For example, if a certificate was issued by one of your own servers, you'd probably want to allow applications presenting that certificate to run freely.

A hash rule is a rule based on a mathematical hash of the file (using either the SHA-1 or the MD5 algorithm). The advantage of a hash rule is that a file's hash remains the same even if the file is moved or renamed. However, if the file is modified, the hash changes and the rule becomes inactive.

A path rule is a rule that's based on a file's location. For example, you could deny permission for files in specific folders to run. The problem with doing so is that if someone moves the file, the rule becomes ineffective.

Finally, Internet zone rules are designed to apply only to Internet-based scripts. You can create rules so that scripts aren't allowed to run if the Web site that's trying to execute the script is found in an untrusted zone.
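As an added example (not code from the article or from Windows), the rule matching and precedence described above modelled as a small Python resolver: it applies the article's order (certificate, hash, path, zone) to constructed sample files and shows that a hash rule survives a rename but not a modification, that a path rule stops matching once the file is moved, and that a certificate rule wins a conflict with a path rule. The policy, file contents, folder and CA name are all constructed for the demonstration.

```python
import hashlib
from dataclasses import dataclass
# Precedence as the article states it: certificate, then hash, then path, then zone.
PRECEDENCE = {"certificate": 0, "hash": 1, "path": 2, "zone": 3}

@dataclass
class Rule:
    kind: str    # "certificate", "hash", "path" or "zone"
    match: str   # certificate subject, hex digest, folder, or zone name
    level: str   # "Disallowed" or "Unrestricted"

@dataclass
class Program:
    path: str
    data: bytes
    publisher: str = ""  # subject of the signing certificate, if signed
    zone: str = ""       # Internet zone a script came from, if any

def rule_matches(rule: Rule, p: Program) -> bool:
    if rule.kind == "certificate":
        return p.publisher == rule.match
    if rule.kind == "hash":  # SRP hash rules use SHA-1 or MD5, so accept either digest
        return rule.match.lower() in (hashlib.sha1(p.data).hexdigest(), hashlib.md5(p.data).hexdigest())
    if rule.kind == "path":  # folder rule: the file must live underneath that folder
        return p.path.lower().startswith(rule.match.lower().rstrip("\\") + "\\")
    if rule.kind == "zone":
        return p.zone == rule.match
    return False

def effective_level(rules, p: Program, default: str = "Unrestricted") -> str:
    """Most specific matching rule wins; with no match the default security level applies."""
    matches = [r for r in rules if rule_matches(r, p)]
    return min(matches, key=lambda r: PRECEDENCE[r.kind]).level if matches else default

# Constructed sample policy: block one tool by hash, block the download folder by path,
# and let anything signed by a hypothetical internal CA run anywhere.
TOOL = b"MZ constructed sample binary, not a real executable"
RULES = [
    Rule("hash", hashlib.sha1(TOOL).hexdigest(), "Disallowed"),
    Rule("path", r"C:\Downloads", "Disallowed"),
    Rule("certificate", "CN=Corp Internal CA", "Unrestricted"),
]
if __name__ == "__main__":
    for p in (Program(r"C:\Tools\tool.exe", TOOL),             # hash rule hits
              Program(r"D:\other\notes.txt", TOOL),            # renamed and moved: still hits
              Program(r"C:\Tools\tool.exe", TOOL + b"\x00"),   # patched: hash rule goes inactive
              Program(r"C:\Downloads\setup.exe", b"x"),        # path rule hits
              Program(r"C:\Temp\setup.exe", b"x"),             # moved out: path rule ineffective
              Program(r"C:\Downloads\app.exe", b"y", "CN=Corp Internal CA")):  # cert outranks path
        print(p.path, "->", effective_level(RULES, p))
```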
