Skip navigation

Introduction to Software Restriction Policies - 11 Jun 2008

SRPs (aka Safer) were designed to let administrators set Group Policy security levels for individual users to secure their desktops from malicious scripts and applications. SRPs respond to threats by using three proactive tools:

  • defining lists of trusted and untrusted code
  • a flexible, policy-based approach to regulate scripts, executables, and ActiveX controls
  • automatic policy enforcement

Administrators use the Group Policy Management Console (GPMC) snap-in to create policies for Active Directory (AD) container sites, domains, and organizational units (OUs). Users' machines download the policies and apply them after the next start-up. When users try to start a program or script, the machine checks the policy and enforces it. You can also use SRPs to secure a computer by taking any of the following actions:

  • fighting viruses
  • regulating downloading of ActiveX controls
  • locking down a machine

An SRP policy consists of default rules about whether programs are allowed to run and exceptions to those rules. The default rules are Unrestricted or Disallowed. Unrestricted lets any program run, and Disallowed prohibits a program from running. An exception to Unrestricted would deny starting an application. An exception to Disallowed would allow that application to run.

If you know all the applications that should be allowed to run, then you should set the policy to Disallowed and set any exceptions. I also recommend setting the policy to Disallowed if you don't know all of the applications the User needs. Just have the user submit a list of needed programs.

An SRP identifies programs by using four characteristics:

  • Hash—a cryptographic file fingerprint that uniquely identifies a file regardless of its name or where it was accessed. Hash works especially well if you're attempting to block earlier program versions.
  • Certificate—a software publisher's digital signature issued from a commercial certificate authority (CA) such as Verisign, a Windows 2000 Server or Windows Server 2003 public key infrastructure (PKI), or a self-signed certificate.
  • Path—a file's local or universal naming convention (UNC) path. When a path rule points to a folder, it matches any programs contained in the folder and any programs in subfolders.
  • Zone—the Internet zone. A rule can identify Windows Installer packages downloaded from any of the Internet Explorer zones, namely, Internet, intranet, restricted sites, trusted sites, and My Computer.

Each rule has a globally unique identifier (GUID) associated with it. Even two identical rules will have different GUIDs to determine the specific rule in the policy being used.

Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.