Introduction to Software Restriction Policies - 05 Jun 2008

Microsoft introduced software restriction policies (Safer) in Windows Server 2003 and Windows XP so administrators could block hostile code and dangerous applications. Here is a short introduction to how Safer identifies and shuts out malicious programs.

Russell Smith

June 4, 2008

2 Min Read
ITPro Today logo in a gray background | ITPro Today

SRPs (aka Safer) were designed to let administrators set Group Policy security levels for individual users to secure their desktops from malicious scripts and applications. SRPs respond to threats by using three proactive tools:

  • defining lists of trusted and untrusted code

  • a flexible, policy-based approach to regulate scripts, executables, and ActiveX controls

  • automatic policy enforcement

Administrators use the Group Policy Management Console (GPMC) snap-in to create policies for Active Directory (AD) container sites, domains, and organizational units (OUs). Users' machines download the policies and apply them after the next start-up. When users try to start a program or script, the machine checks the policy and enforces it. You can also use SRPs to secure a computer by taking any of the following actions:

  • fighting viruses

  • regulating downloading of ActiveX controls

  • locking down a machine

An SRP policy consists of default rules about whether programs are allowed to run and exceptions to those rules. The default rules are Unrestricted or Disallowed. Unrestricted lets any program run, and Disallowed prohibits a program from running. An exception to Unrestricted would deny starting an application. An exception to Disallowed would allow that application to run.

If you know all the applications that should be allowed to run, then you should set the policy to Disallowed and set any exceptions. I also recommend setting the policy to Disallowed if you don't know all of the applications the User needs. Just have the user submit a list of needed programs.

An SRP identifies programs by using four characteristics:

  • Hash—a cryptographic file fingerprint that uniquely identifies a file regardless of its name or where it was accessed. Hash works especially well if you're attempting to block earlier program versions.

  • Certificate—a software publisher's digital signature issued from a commercial certificate authority (CA) such as Verisign, a Windows 2000 Server or Windows Server 2003 public key infrastructure (PKI), or a self-signed certificate.

  • Path—a file's local or universal naming convention (UNC) path. When a path rule points to a folder, it matches any programs contained in the folder and any programs in subfolders.

  • Zone—the Internet zone. A rule can identify Windows Installer packages downloaded from any of the Internet Explorer zones, namely, Internet, intranet, restricted sites, trusted sites, and My Computer.

Each rule has a globally unique identifier (GUID) associated with it. Even two identical rules will have different GUIDs to determine the specific rule in the policy being used.

Sign up for the ITPro Today newsletter
Stay on top of the IT universe with commentary, news analysis, how-to's, and tips delivered to your inbox daily.

You May Also Like