Restrict Software Using Software Restriction Policies
Software restriction policies are a new feature in Microsoft Windows XP and later versions of Windows. Software Restriction Policies enables you, the administrator, to precisely dictate what software will and will not run on your Windows XP desktops (or, your Windows 7, Windows 8, 8.1 or Windows 10 desktops).
You can restrict software for specific users or for all users on a specific machine. You’ll find Software Restriction Policies in Local Group Policy Editor. Start the Local Group Policy Editor by typing Gpedit.msc into Start Menu search box or into 'Run' dialog box.
You’ll find Software Restriction Policies in Computer Configuration --> Policies --> Windows Settings --> Security Settings --> Software Restriction Policies.
Software Restriction Policies is also available as a node under User Configuration --> Policies --> Windows Settings --> Security Settings --> Software Restriction Policies.
Just right-click over the 'Software Restriction Policies' node, and select New Software Restriction Policies, to get started.
You will typically use the 'Computer Configuration' branch of Software Restriction Policies. That way, all users on a specific machine are restricted from using specific applications.
In the Software Restriction Policies node, you can establish black lists and white lists of software that users can run. These policies can be set for hash rules, path rules, or certificate rules, as well as network zone rules.
The majority of the settings fall under the following two subnodes, although a few policies are located under the main node:
Security Levels The security levels control what level of privilege and which permissions will be adhered to within the software restriction policy. The following three levels can be configured:
Additional Rules The additional rules control whether the software is allowed to run. These rules allow you to be very specific to an application, such as the hash rule, whereas other rules are more generic, such as the path rule. Four rules can be configured:
Software Restriction Policies Rules
To create a new rule, select the Additional Rules folder, and right-click in the right pane to see your choice.
Hash Rule The hash value is a numeric representation, or fingerprint, that can uniquely identify a file should it be renamed. Hash rules are quite useful in containing any application that’s an .EXE or a .DLL.
Path Rule You can specify to open (or restrict) certain applications based on where they reside on the hard drive. You can set up a path rule to specify a specific folder or full path to a program. Most environment variables are valid, such as %HOMEDRIVE%, %HOMEPATH%, %USERPROFILE%, %WINDIR%, %APPDATA%, %PROGRAMFILES%, and %TEMP%. Additionally, path rules can stomp out the running of any file type you desire, say, VBScript files. For example, if you set up a path rule to disallow files named *.vb*, all VBScript file variants will be unable to execute.
Certificate Rule Certificate rules use digitally signed certificates. You can use certificate rules to sign your own applications or scripts and then use a certificate rule to specify your IT department as a Trusted Publisher.
Network Zone Rule With Network Zone Rule you can specify which Internet Explorer zones are allowed for download. You can specify Internet, Intranet, Restricted Sites, Trusted Sites, and My Computer. The bad news about zone rules, however, is that they simply aren’t all that useful. They prevent downloads of applications with the MSI format but nothing else.
As stated, you can craft your Software Restriction Policies in myriad ways. Space doesn’t permit explaining all of them, so I’ll just give you one example. We’ll test our Software Restriction Policies by setting up Path Rules to protect computer from Ransomware malware infection. Ransomware is a type of malware that prevents or limits users from accessing their system, either by locking the system's screen or by locking the users' files unless a ransom is paid. More modern ransomware families, collectively categorized as crypto-ransomware, encrypt certain file types on infected systems and forces users to pay the ransom through certain online payment methods to get a decrypt key.
1. Open Software Restriction Policies.
2. In either the console tree or the details pane, right-click Additional Rules, and then click New Path Rule.
3. In the Path box, add a Disallowed path rule for each of the items listed below.
%AppData%\*.exe
%AppData%\*\*.exe
%UserProfile%\Local Settings\*.exe
%UserProfile%\Local Settings\*\*.exe
%LocalAppData%\*.exe
%LocalAppData%\*\*.exe
Important: On certain folders, such as the Windows folder, setting the security level to Disallowed can adversely affect the operation of your operating system. Make sure that you do not disallow a crucial component of the operating system or one of its dependent programs.
You can restrict software for specific users or for all users on a specific machine. You’ll find Software Restriction Policies in Local Group Policy Editor. Start the Local Group Policy Editor by typing Gpedit.msc into Start Menu search box or into 'Run' dialog box.
You’ll find Software Restriction Policies in Computer Configuration --> Policies --> Windows Settings --> Security Settings --> Software Restriction Policies.
Software Restriction Policies is also available as a node under User Configuration --> Policies --> Windows Settings --> Security Settings --> Software Restriction Policies.
Just right-click over the 'Software Restriction Policies' node, and select New Software Restriction Policies, to get started.
You will typically use the 'Computer Configuration' branch of Software Restriction Policies. That way, all users on a specific machine are restricted from using specific applications.
In the Software Restriction Policies node, you can establish black lists and white lists of software that users can run. These policies can be set for hash rules, path rules, or certificate rules, as well as network zone rules.
The majority of the settings fall under the following two subnodes, although a few policies are located under the main node:
Security Levels The security levels control what level of privilege and which permissions will be adhered to within the software restriction policy. The following three levels can be configured:
- Disallowed: software will not run, regardless of the user permissions and privilege.
- Basic User: allows applications to execute for users who do not have Administrative privileges, but the application will still access resources as a normal user.
- Unrestricted: the permissions to run the software are determined by the access rights of the user account.
Additional Rules The additional rules control whether the software is allowed to run. These rules allow you to be very specific to an application, such as the hash rule, whereas other rules are more generic, such as the path rule. Four rules can be configured:
- Certificate rule
- Hash rule
- Network zone rule
- Path rule
Software Restriction Policies Rules
To create a new rule, select the Additional Rules folder, and right-click in the right pane to see your choice.
Hash Rule The hash value is a numeric representation, or fingerprint, that can uniquely identify a file should it be renamed. Hash rules are quite useful in containing any application that’s an .EXE or a .DLL.
Path Rule You can specify to open (or restrict) certain applications based on where they reside on the hard drive. You can set up a path rule to specify a specific folder or full path to a program. Most environment variables are valid, such as %HOMEDRIVE%, %HOMEPATH%, %USERPROFILE%, %WINDIR%, %APPDATA%, %PROGRAMFILES%, and %TEMP%. Additionally, path rules can stomp out the running of any file type you desire, say, VBScript files. For example, if you set up a path rule to disallow files named *.vb*, all VBScript file variants will be unable to execute.
Certificate Rule Certificate rules use digitally signed certificates. You can use certificate rules to sign your own applications or scripts and then use a certificate rule to specify your IT department as a Trusted Publisher.
Network Zone Rule With Network Zone Rule you can specify which Internet Explorer zones are allowed for download. You can specify Internet, Intranet, Restricted Sites, Trusted Sites, and My Computer. The bad news about zone rules, however, is that they simply aren’t all that useful. They prevent downloads of applications with the MSI format but nothing else.
How to create a Path Rule
As stated, you can craft your Software Restriction Policies in myriad ways. Space doesn’t permit explaining all of them, so I’ll just give you one example. We’ll test our Software Restriction Policies by setting up Path Rules to protect computer from Ransomware malware infection. Ransomware is a type of malware that prevents or limits users from accessing their system, either by locking the system's screen or by locking the users' files unless a ransom is paid. More modern ransomware families, collectively categorized as crypto-ransomware, encrypt certain file types on infected systems and forces users to pay the ransom through certain online payment methods to get a decrypt key.
1. Open Software Restriction Policies.
2. In either the console tree or the details pane, right-click Additional Rules, and then click New Path Rule.
3. In the Path box, add a Disallowed path rule for each of the items listed below.
%AppData%\*.exe
%AppData%\*\*.exe
%UserProfile%\Local Settings\*.exe
%UserProfile%\Local Settings\*\*.exe
%LocalAppData%\*.exe
%LocalAppData%\*\*.exe
Important: On certain folders, such as the Windows folder, setting the security level to Disallowed can adversely affect the operation of your operating system. Make sure that you do not disallow a crucial component of the operating system or one of its dependent programs.
- If you create a path rule for a program with a security level of Disallowed, a user can still run the software by copying it to another location.
- The wildcard characters that are supported by the path rule are the asterisk (*) and the question mark (?).
- You can use environment variables, such as %programfiles% or %systemroot%, in your path rule.
- To create a path rule for software when you do not know where it is stored on a computer but you have its registry key, you can create a registry path rule.
- To prevent users from running e-mail attachments, you can create a path rule for your mail program's attachment folder that prevents users from running e-mail attachments.
- The only file types that are affected by path rules are those that are listed in Designated file types. There is one list of designated file types that is shared by all rules.
- For software restriction policies to take effect, users must update policy settings by logging off from and then logging on to their computers.
- When more than one rule is applied to policy settings, there is a precedence of rules for handling conflicts.