Introduction to Software Restriction Policies - 05 Jun 2008
Microsoft introduced software restriction policies (Safer) in Windows Server 2003 and Windows XP so administrators could block hostile code and dangerous applications. Here is a short introduction to how Safer identifies and shuts out malicious programs.
June 4, 2008
SRPs (aka Safer) were designed to let administrators set Group Policy security levels for individual users to secure their desktops from malicious scripts and applications. SRPs respond to threats by using three proactive tools:
defining lists of trusted and untrusted code
a flexible, policy-based approach to regulate scripts, executables, and ActiveX controls
automatic policy enforcement
Administrators use the Group Policy Management Console (GPMC) snap-in to create policies for Active Directory (AD) container sites, domains, and organizational units (OUs). Users' machines download the policies and apply them after the next start-up. When users try to start a program or script, the machine checks the policy and enforces it. You can also use SRPs to secure a computer by taking any of the following actions:
fighting viruses
regulating downloading of ActiveX controls
locking down a machine
An SRP policy consists of default rules about whether programs are allowed to run and exceptions to those rules. The default rules are Unrestricted or Disallowed. Unrestricted lets any program run, and Disallowed prohibits a program from running. An exception to Unrestricted would deny starting an application. An exception to Disallowed would allow that application to run.
If you know all the applications that should be allowed to run, then you should set the policy to Disallowed and set any exceptions. I also recommend setting the policy to Disallowed if you don't know all of the applications the User needs. Just have the user submit a list of needed programs.
An SRP identifies programs by using four characteristics:
Hash—a cryptographic file fingerprint that uniquely identifies a file regardless of its name or where it was accessed. Hash works especially well if you're attempting to block earlier program versions.
Certificate—a software publisher's digital signature issued from a commercial certificate authority (CA) such as Verisign, a Windows 2000 Server or Windows Server 2003 public key infrastructure (PKI), or a self-signed certificate.
Path—a file's local or universal naming convention (UNC) path. When a path rule points to a folder, it matches any programs contained in the folder and any programs in subfolders.
Zone—the Internet zone. A rule can identify Windows Installer packages downloaded from any of the Internet Explorer zones, namely, Internet, intranet, restricted sites, trusted sites, and My Computer.
Each rule has a globally unique identifier (GUID) associated with it. Even two identical rules will have different GUIDs to determine the specific rule in the policy being used.
About the Author
You May Also Like