Changing or deleting a GPO with defined Software Restriction Policies

Similar Messages

• Software Restriction Policies?

  I have had several SysAdmin's around me state that the CryptoLocker malware has hit them hard. I have been looking into better ways to keep my systems protected and had a few implementation policy questions for those of you running a non-Active Directory environment.
  The first question is regarding Software Restriction Policies. Anyone using this through the GPO inside ZENworks? Any recommendations on how best to deploy this to prevent disasters like Crypto?
  The second question is regarding other areas, security wise, I should be working with? Recommendations on GPO settings that I should be posting? Other security settings outside of a GPO I should be working on?
  I have been rather lucky so far with my Virus issues not being to large but I want to ensure I am doing all I can to ensure I keep the risk to a minimum.
  Thanks.
  Richard

  No, it does not download it to Cache and run from there.
  It runs it from where-ever the app runs it.
  Most Browswers will run from from AppData and TEMP.
  One of the Key item's for Crypto is making sure JAVA is updated and has
  proper security settings.
  You could also have a process that runs on user logon that wipes your
  the HKCU RUN registry key.
  These type of apps always pop themselves there, since they won't have
  rights to write to any system keys.
  Perhaps even have something that revokes the user's write rights to the key.
  On 11/7/2013 12:46 PM, rhuhman wrote:
  >
  > I have a new issue/question regarding policies and how ZENworks
  > functions. I set Software Restrictions on my main Computer GPO so that
  > it doesn't allow EXE execution from AppData, LocalAppData, Temp, and tmp
  > directories. I have one of the staff members show me an error stating
  > the bundle for a website couldn't be executed due to a Group Policy
  > enforcement.
  >
  > I guess I am lost now on how ZENworks launches bundles. I always thought
  > it was downloaded into the cache location and launched from that
  > location. (C:\Program Files\Novell\ZEnworks\cache\zmd)
  >
  > Which location do I need to worry about or is this unrelated to the GPO
  > preventing exe execution.
  >
  > Thanks for the guidance.
  >
  > Richard
  >
  >

• Adobe Pro updater fails after implementing Cryptolocker software restriction policies - need fix

  Hello everyone
  As part of our protection against the fast-spreading Cryptolocker virus, I added a Group Policy Object with Software Restriction Policies against executing files in the temp directories that Cryptolocker uses:
  %appdata%\*.exe
  %appdata%\*\*.exe
  %LocalAppData%\*.exe
  %LocalAppData%\*\*.exe
  e.g. the variable directories %appdata% and %localappdata% and one level down from there
  I also blocked executables from running within various "zip" programs. 
  I learned later (second hand) that Acrobat Pro and Adobe Flash updates have been blocked by this SRP.  They either get an explicit message or fail with another error.  The update downloads successfully but when you try to install it from the system tray icon it fails.   
  If I go and find the downloaded .MSP file (I have Acrobat Pro 10 so mine was in c:\program data\adobe\ARM\Acrobat_10.1.5  ) and click "Install", it installs successfully.
  We have an administrator account that is unrestricted but doing the updates for people is not a good long term solution. 
  Can someone experienced with this please tell me if there is a specific executable or executables that I can "whitelist" by adding to my Software Restriction Policy as an "Unrestricted" file.  The kicker with the "whitelist" is that I need to bless a specific executable (e.g. I can't unrestrict a directory or give wildcards ... it has to be a fully qualified path and file name). 
  NOTE:  We have mostly Windows 7 machines (non Win 7 are Vista so have the same user directory structure) and a mix of Acrobat Pro 9, X, XI
  Many thanks in advance for your assistance. 

  I have the same issue as you.  I notified Adobe that businesses taking action to prevent CryptoLocker are finding themselves unable to update Adobe Acrobat/Reader.  I suggested changing the installer location away from the temp directory.  The response I got?  "We can't change the installer."
  What kind of BS answer is that?  Why not just say "we don't care about you as a customer"  I hope Adobe gets infected with Crypto.

• Software Restriction Policies in Win7

  Hi ,I have a problem with this Error message: This program is blocked by group policy,for more...
  How can I remove these restrictions?
  if you want any more data tell me to upload it,please
  Best Regards;

  Hello Mehdi Moayedi,
  Have you try the suggestion as MVP S.Sengupta mentioned?
  What program do you try to run when you receive the error message?
  Please take a look at the following thread similar to this issue.
  http://answers.microsoft.com/en-us/windows/forum/windows_vista-security/programs-being-blocked-by-group-policy-user/a1ea2ec7-82d9-45c6-b87b-ade18755b1cc
  Please remember to back up the registry key before your changing it.
  For more information about how to back up and restore the registry, please refer to the following KB.
  http://support.microsoft.com/en-us/kb/322756
  Best regards,
  Fangzhou CHEN
  Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact [email protected]

• Exchange 2010 EMC and EMS errors - BLOCKED by software restriction

  EMC has this message:
  Initialization failed "Execution calling 'GetSteppablePipeline" with "1" arguement: File D:\program files\Microsoft\Exchange Server\V14\RemoteScripts\ConsoleInitialize.ps1 cannot be loaded because its execution is blocked
  by software restriction policies" 
  EMS has this error:
  "There were errors in loading the format data file: D:\Program Files\Microsoft\Exchange 2010\V14\Bin\exchange.format.ps1x
  ml, , D:\Program Files\Microsoft\Exchange 2010\V14\Bin\exchange.format.ps1xml : File skipped because of the following validation exception: File D:\Program Files\Microsoft\Exchange 2010\V14\Bin\exchange.format.ps1xml cannot be loaded because its execution is
  blocked by software restriction policies. For more information, contact your system administrator."
  All other powershell scripts work just fine.  It is not the execution policy.  That is set properly.  Authenticode returns valid on the files. There are no settings it GPO to control or cause this. Email working fine.  It just started
  after a reboot for updates.  Any other thoughts before I spend $500 for a call?
  Server2008 Standard SP2
  Update Rollup 4 v2 for Exchange Server 2010 SP2
  Thank you

  The long and short of it was Microsoft Certificates didn't update and were expired. I was not given a reason why this happened but the final solution after Microsoft spent 2 weeks on this was to first reinstall Exchange Service Pack 3, reboot. Install
  update rollup 8, and reboot.  This fixed the EMC but not the shell.  Then they reinstalled the rollup 8 again and one more reboot.  Everything now works.  I'd say with all the other little tweaks they looked at as possible suspect and "other
  things" they fixed in their efforts to solve this, I defiantly got my money's worth.  Despite not really knowing what really caused the issue in the first place

• Software Restriction Policy

  Hi,
  We have applied Software restriction policies on a Test LAB to restrict the unwanted applications from running. We have made exception path, hash rules for genuine applications and software.
  We have observed that if the exception list grows large then we cannot open or change GPO's and clients also cannot apply policy. Once we restore it back from Backup it works fine again.
  I wanted to know is there any limitation to the exception list after which we should consider creating additional policy.
  Thanks

  Hi Sukhwin08,
  Based on my knowledge, there is no limited about the amount of the Software restriction policy.
  Please help to enable the GPSVC debug logging on problematic client machine if the SRP cannot apply successfully, this log records the detailed information about the group policy applying
  process which is very useful for troubleshooting the group policy related issues. To do so, add the following registry entry:
  Sub-key:HKEY_LOCAL_MACHINE \Software\Microsoft\Windows NT\CurrentVersion\Diagnostics
  Entry:      GPSvcDebugLevel
  Type:      REG_DWORD
  Value:     30002 (HEX)
  After you make this change, run
  gpupdate /force on the computer to reproduce the issue. After that, compress the %SystemRoot%\Debug\UserMode\ folder and check of there are any errors about the issue.
  Please note: the registry key Diagnostics does not exist by default, we need to add it first. In addition, we can disable the debug logging after the troubleshooting.
  Regards,
  Lany Zhang

• Software restriction policy not working correctly

  Ladies and Gents,
  we run a windows server 2008r2 environment.
  we have a software restriction policy in place for quite some time now and it's been working fine until about a week ago. here's how we have it setup:
  Enforce = All Software files except libraries (such as DLLs). + All Users.
  Security Level = Disallowed
  Designated File Types= 
  Defaults
  Additional Rules:
  C:\* = Disallow.
  The rest of the rules are paths for files and folders that we have set as Unrestricted.
  Since about a week ago, our security team discovered that they can open any allowed file type such as text file, and then go to file and click on open. In the open dialog box they would type
  in C:\Windows\System32\drivers\etc\hosts and then click and open it would actually open the hosts file.
  I even tried adding a path rule for C:\Windows\System32\drivers\etc\hosts with Disallow, and it’s still allows opening this file for non admins.
  Any ideas as to why is software restriction policy not blocking access to any files or folders that are not explicitly allowed via a path rule?
  Any help or comments are much appreciated.
  Mohsen Almassud

  You are moving in a wrong way. Software Restriction Policies are designed to prevent users to launch executables/applications. It cannot prevent you from opening TXT file, because it is not an executable. In order to prevent TXT files, you have to block
  notepad.exe executable. It is very different technology.
  You must move to a permission configuration. If there are folders users should not access, remove them from respective folder's ACL. You must be careful with restricting user access to system folders (%systemroot%), because you may block critical applications
  and eventually no one will be able to log on to server, because logon-dependant paths are not accessible due to restrictions in the ACL.
  My weblog: http://en-us.sysadmins.lv
  PowerShell PKI Module: http://pspki.codeplex.com
  Check out new:
  PowerShell FCIV tool.

• Software Restriction Policy block zipped js file.

  Trying to block zipped js files from running. Have applied the following path rule under our software restriction policies.
  *.zip\*.js
  *\*.zip\*.js
  *.zip\test.js
  Neither works to block.
  Using "test.js" as path rule works fine.
  Am I missing something here?
  Also I have added JS as a file type in software restriction policies.

  Hi  Allister Wade 2,
  Here is a link for reference of Software Restriction Policies.
  Software Restriction Policies
  https://technet.microsoft.com/en-us/library/hh831534.aspx
  All the failed rules including the letter "*", I am afraid this policy will not support the fuzzy query. Considering test.js will work well ,we would add an exact file path to be forbidden .
  What is the purpose of this operation ?If it is used to forbid the ZIP software from running the js file .
  As a work around ,we can change the js file association to have a check.(Control Panel\All Control Panel Items\Default
  Programs)
  Best regards
  Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact [email protected]

• Software Restriction Policy/AppLocker Restricting Process by Parameters

  Is there any way with Software Restriction Policy or AppLocker to restrict the parameters a process is called with? For example we only want to allow: some.exe <this is OK to run>, but block everything else passed to that exe at start-up?

  Hi,
  >>Is there any way with Software Restriction Policy or AppLocker to restrict the parameters a process is called with?
  How is it going? Based on the description, I am afraid that we should not be able to acheive this. As you may already know, both SRP and Applocker use policy rules to restrict or un-restrict softwares. The policy rules of SRP are: Certificate rules, Hash
  rules ,Internet zone rules, Path rules ; the rule conditions of Applocker are: Publisher, Path, File hash.
  Regarding SRP rules and Applocker rules, the following articles can be referred to for more information.
  Work with Software Restriction Policies Rules
  http://technet.microsoft.com/en-us/library/hh994597.aspx
  Understanding AppLocker Rules
  http://technet.microsoft.com/en-us/library/dd759068.aspx
  TechNet Subscriber Support
  If you are TechNet Subscription user and have any feedback on our support quality, please send your feedback here.
  Best regards,
  Frank Shen

• Software Restriction Policy help

  This policy was working fine, then all of the sudden it is not working anymore.
  Blocking from
  %AppData%\*.exe
  %AppData%\*\*.exe
  Here is the error I get
  An error has occurred while collecting data for Software Restriction
  Policies.
  This error impacts the following settings:
  Software Restriction Policies
  Software Restriction Policies/Security
  Levels
  Software Restriction Policies/Additional Rules
  The following errors apply to all of the above
  settings:
  A certificate stored by this extension is not valid. Use the Group Policy
  Management Editor to reconfigure the settings in this extension.

  Hi,
  How is the issue going? Where did the certificate come from?  For this is also related to the certificate, if the issue persists, we can also ask for suggestions in the
  following security forum.
  Security
  http://social.technet.microsoft.com/Forums/windowsserver/en-US/home?forum=winserversecurity
  TechNet Subscriber Support
  If you are TechNet Subscription user and have any feedback on our support quality, please send your feedback here.
  Best regards,
  Frank Shen

• Adobe and software restriction policy

  Hello!
  Could you enumerate what other programs are called by acrord32.exe?
  I have to use software restriction policies, to prevent run other programs except adobe readre 9.
  I set up group policy for user's software restriction policy: acrord32.exe
  When I start acrobat reader, the program starts, reader window appears, but I get the following message.
  Software cannot be run due to softwre restriction policies and adobe reader stops.
  My question is what other programs I have to allow to run acrord32.exe?
  Thank's

  When a software restriction policy "goes off," Windows creates event-log entries that describe what happened.  In many cases, you must be an Administrator to view the contents of this log.
  Here's a page that might be useful.  (I Googled "software restriction policy" "event viewer" ):
  http://technet.microsoft.com/en-us/library/cc737011.aspx
  Although it is tedious to set up restriction policies, it can be worth it.  (But also make sure that you are observing all the other prudent security practices, most especially making sure that the end-users are not "administrators.")
  Realistically, the event log is the only way to determine "what runs what."  It is also important that you run your tests from every flavor of user-account that will be affected by the policy, and that you periodically review the event logs to proactively detect errors that end users did not bother to report.

• My imessages have been hacked and recovery email changed and I can't delete it! (with pic)

  My iMessages have been hacked and the hacker entered his email as the recovery email with security questions I can't answer. I contacted Apple support and went through the 24 hour process of changing my info so that I could get into the account, but his email address is still the recovery address and it does not give me the option to delete it. I've added alternate emails that can be deleted, but it will not let me change or delete the recovery email. I can change phones and passwords a million times, but if he can just recover my password what am I supposed to do? I have turned iMessage off on my phone (as well as the gps) but I would really like help in deleting that recovery email if anyone has any bright ideas! The pic below shows the only place in all of the settings that his email address shows up anywhere! Any help is very very very appreciated.

  Hi,
  I don't think that can be solved by any advice the regular posters could post here.
  I would go back to Apple and explain the situation (again).
  I would also consider closing the account (Apple rarely seem to do this as accounts are never deleted but just closed).
  I understand this may cause issues for things purchased in iTunes and the App Store which my include Restoring the OS at some point.
  8:20 pm      Tuesday; September 16, 2014
  ​  iMac 2.5Ghz i5 2011 (Mavericks 10.9)
   G4/1GhzDual MDD (Leopard 10.5.8)
   MacBookPro 2Gb (Snow Leopard 10.6.8)
   Mac OS X (10.6.8),
   Couple of iPhones and an iPad

• On my windows Itunes I changed computers and ended up with two of every song. How do I delete the duplicates without doing it one at a time?

  I have duplicates of all the songs on my windows 7 computer.  I changed computers and ended up with duplicates of all of my songs. How can I delete them all without having to do it one at a time? thanks!

  Apple's official advice is here... HT2905 - How to find and remove duplicate items in your iTunes library. It is a manual process and the article fails to explain some of the potential pitfalls.
  Use Shift > View > Show Exact Duplicate Items to display duplicates as this is normally a more useful selection. You need to manually select all but one of each group to remove. Sorting the list by Date Added may make it easier to select the appropriate tracks, however this works best when performed immediately after the dupes have been created.  If you have multiple entries in iTunes connected to the same file on the hard drive then don't send to the recycle bin.
  Use my DeDuper script if you're not sure, don't want to do it by hand, or want to preserve ratings, play counts and playlist membership. See this thread for background and please take note of the warning to backup your library before deduping.
  (If you don't see the menu bar press ALT to show it temporarily or CTRL+B to keep it displayed)
  tt2

• I changed companies and had icloud with my old company - now i want to just use my personal id and can't change any icloud info to match my personal ipad id - i can't delete the icloud without the old company id and password which is not available to me

  i changed companies and had icloud with my old company - now i want to just use my personal id and can't change any icloud info to match my personal ipad id - i can't delete the icloud without the old company id and password which is not available to me - it probably doesn't even exist anymore!
  Because I can't delete the icloud account, I keep getting view terms to accept and it wants to go to the old company account.  I can't do anything to get rid of this - when I try to delete the icloud it wants me to delete find my ipad and asks for the old co. id and password - it's a vicious circle and i just want to get rid of it and start fresh with my regular personal email id and password!!!  Help!

  You will need that old Apple ID and password, which does indeed still exist. Apple doesn't delete Apple IDs, though if this ID was in the control of your company they may have changed the password. If so, you will need your former company to log into the iCloud account using that ID and password and erase the iPad or remove it from iCloud:
  http://support.apple.com/kb/TS4515?viewlocale=en_US
  Until that's done you cannot change those settings, and if you try to restore the iPad will have it locked with Activation Lock and thereafter be unusable.
  Regars.

• How can I change the itunes store from Swiss to the Italian one on my ipad2 with new software ios6? Thanks

  How can I change the itunes store from Swiss to the Italian one on my ipad2 with new software ios6? Thanks

  See More Like This to the right of this post!