JSI Tip 8048. Windows Server 2003 Software Restriction Policies.

Software Restriction Policies (AKA SAFER) were introduced in Windows XP. The use of SAFER can prevent the installation and execution of unauthorized programs.

An Administrator can deploy SAFER configurations via GPOs (Group Policy Objects), which are stored in the registry at HKEY_LOCAL_MACHINE for computer policy, and HKEY_CURRENT_USER for user policy.

The basic process is:

- Decide on the default rule, Unrestricted or Disallowed.

- Create exceptions (SAFER Rules) to the default, using one of the four rules for identifying software:

  • Hash
  • Certificate
  • Path
  • Zone

A Software Restriction Policy includes the following objects:

  • A pre-defined set of security levels.
  • A default security level.
  • A set of SAFER Rules, to define a program, or set of programs, and an associated security level.
  • Policy options.

NOTE: See How do I use Software Restriction Policies in Windows Server 2003?

Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.