Using GPOs to Restrict Software

When you create a Software Restriction Policy, you essentially define a default mode of operation: Either executables are permitted to run (Unrestricted) or they're not (Disallowed). Later, you must create Additional Rules for every program that you want to override this default security level. If you set the default security level to Disallowed, you'll create Additional Rules to allow access to specific programs. If you set the default security level to Unrestricted, you'll create Additional Rules to disallow access to specific programs. Any programs for which you don't specify an Additional Rule will be checked against the default security level to determine whether they can run.

To create your Additional Rules, in the Group Policy Object Editor's left pane, under Software Restriction Policies, click the Additional Rules node. In the right pane, you'll see four preconfigured Additional Rules. These rules are created regardless of which default security level you choose. To create a new rule, right-click the Additional Rules node and click the type of rule you want to create. You can create a new rule defined by a New Certificate Rule, New Hash Rule, New Internet Zone Rule, or New Path Rule. Choose the type of rule that corresponds to the granularity of restriction you want to enforce.

Let's look at an example that will restrict users from running the program cmd.exe. First, set the default security level to Unrestricted, then create an Additional Rule defined as a New Path Rule. In the New Path Rule dialog box, enter the path (e.g., C:\windows\system32\cmd.exe) or click the Browse button to find it, then set the rule's security level to Disallowed. Optionally, you can enter a description; then click OK. Now, when a user establishes a Terminal Server session to this computer (or logs on locally), he or she will be prevented from running cmd.exe from its default location in the \system32 directory. The user can still run a program named cmd.exe from any other location. To close that gap, consider creating another Additional Rule, a New Hash Rule. Unlike the Path rule, the Hash rule isn't based on file location. Instead, the Hash rule compares the program file's stored hash against the hash of the program currently being run or accessed. A hash is a unique hexadecimal representation (think of a fingerprint) of a larger file. So, in our previous example, the cmd.exe program's hash is f9a0eef6e9b67d91284032df81a68c1c:382976:32771, no matter where the file resides or what it's named. The Hash Additional Rule compares this fingerprint against every accessed file; any file that matches must be cmd.exe and will be disallowed. Path and Hash Additional Rules are the most common, but you can also configure Additional Rules based on Internet Zones and Certificates.
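The following PowerShell script is an added example (not part of the article) that shows why a Hash rule survives the rename-and-copy trick that defeats a Path rule. It assumes the rule identity format the article's cmd.exe example shows, `<hash>:<file size in bytes>:32771`, and assumes that the first field is an MD5 digest and that 32771 is the algorithm identifier for MD5; the function names are the author's own.

```powershell
# Added example (not from the article): build the SRP hash-rule identity for a file
# and check whether another copy of it would match, regardless of path or name.
# Assumed format, taken from the article's cmd.exe example: <MD5 hex>:<size>:32771

function Get-SrpHashIdentity {
    param([Parameter(Mandatory)][string]$Path)
    $file = Get-Item -LiteralPath $Path
    $md5  = (Get-FileHash -LiteralPath $Path -Algorithm MD5).Hash.ToLower()
    return "{0}:{1}:32771" -f $md5, $file.Length
}

function Test-SrpHashRuleMatch {
    param(
        [Parameter(Mandatory)][string]$RuleIdentity,   # value as shown in the Hash Rule dialog
        [Parameter(Mandatory)][string]$CandidatePath
    )
    return (Get-SrpHashIdentity -Path $CandidatePath) -eq $RuleIdentity.ToLower()
}

# Demonstration: copy cmd.exe under a different name into a user-writable folder.
# A Path rule keyed to \system32\cmd.exe no longer applies, but the Hash rule still does,
# because the identity is derived from the file's content, not its location or name.
$original = Join-Path $env:SystemRoot 'System32\cmd.exe'
$copy     = Join-Path $env:TEMP 'notcmd.exe'
Copy-Item -LiteralPath $original -Destination $copy -Force

$rule = Get-SrpHashIdentity -Path $original
"Hash rule identity for cmd.exe   : $rule"
"Renamed copy matches hash rule   : $(Test-SrpHashRuleMatch -RuleIdentity $rule -CandidatePath $copy)"
"Renamed copy matches path rule   : $($copy -ieq $original)"

Remove-Item -LiteralPath $copy -Force
```

Because the identity is tied to the file's exact bytes, a Hash rule stops matching as soon as the file is patched; re-run the first function after each update to refresh the rule.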

Software Restriction Policies are part of a GPO, so you could, for example, create a Software Restriction Policy GPO and link it to an OU that contains your Terminal Server computers, thereby restricting users from running administrative tools such as cmd.exe, ipconfig.exe, and others.
