Software Restriction Policies in Win7

Similar Messages

• Software Restriction Policies?

  I have had several SysAdmin's around me state that the CryptoLocker malware has hit them hard. I have been looking into better ways to keep my systems protected and had a few implementation policy questions for those of you running a non-Active Directory environment.
  The first question is regarding Software Restriction Policies. Anyone using this through the GPO inside ZENworks? Any recommendations on how best to deploy this to prevent disasters like Crypto?
  The second question is regarding other areas, security wise, I should be working with? Recommendations on GPO settings that I should be posting? Other security settings outside of a GPO I should be working on?
  I have been rather lucky so far with my Virus issues not being to large but I want to ensure I am doing all I can to ensure I keep the risk to a minimum.
  Thanks.
  Richard

  No, it does not download it to Cache and run from there.
  It runs it from where-ever the app runs it.
  Most Browswers will run from from AppData and TEMP.
  One of the Key item's for Crypto is making sure JAVA is updated and has
  proper security settings.
  You could also have a process that runs on user logon that wipes your
  the HKCU RUN registry key.
  These type of apps always pop themselves there, since they won't have
  rights to write to any system keys.
  Perhaps even have something that revokes the user's write rights to the key.
  On 11/7/2013 12:46 PM, rhuhman wrote:
  >
  > I have a new issue/question regarding policies and how ZENworks
  > functions. I set Software Restrictions on my main Computer GPO so that
  > it doesn't allow EXE execution from AppData, LocalAppData, Temp, and tmp
  > directories. I have one of the staff members show me an error stating
  > the bundle for a website couldn't be executed due to a Group Policy
  > enforcement.
  >
  > I guess I am lost now on how ZENworks launches bundles. I always thought
  > it was downloaded into the cache location and launched from that
  > location. (C:\Program Files\Novell\ZEnworks\cache\zmd)
  >
  > Which location do I need to worry about or is this unrelated to the GPO
  > preventing exe execution.
  >
  > Thanks for the guidance.
  >
  > Richard
  >
  >

• Changing or deleting a GPO with defined Software Restriction Policies

  Why is it so hard to delete or update the Software Restriction Policies section of a GPO?
  What has an exlusive lock on
  \\domain\SYSVOL\domain\{GUID}\Macine\windowsnt\SecEdit\GptTmpl.inf?

  Hi,
  >>Why is it so hard to delete or update the Software Restriction Policies section of a GPO?
  Regarding how to remove a package deployed by group policy, we can follow
  Remove a package section in the article below to do this.
  How to use Group Policy to remotely install software in Windows Server 2008 and in Windows Server 2003
  http://support.microsoft.com/kb/816102
  >>What has an exlusive lock on \\domain\SYSVOL\domain\{GUID}\Macine\windowsnt\SecEdit\GptTmpl.inf?
  Were you trying to delete the security settings file in the GPO? If you want to delete a GPO, you can follow the article below to do this.
  Delete a Group Policy Object
  https://technet.microsoft.com/en-us/library/cc770893.aspx
  Best regards,
  Frank Shen
  Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact [email protected]

• Adobe Pro updater fails after implementing Cryptolocker software restriction policies - need fix

  Hello everyone
  As part of our protection against the fast-spreading Cryptolocker virus, I added a Group Policy Object with Software Restriction Policies against executing files in the temp directories that Cryptolocker uses:
  %appdata%\*.exe
  %appdata%\*\*.exe
  %LocalAppData%\*.exe
  %LocalAppData%\*\*.exe
  e.g. the variable directories %appdata% and %localappdata% and one level down from there
  I also blocked executables from running within various "zip" programs. 
  I learned later (second hand) that Acrobat Pro and Adobe Flash updates have been blocked by this SRP.  They either get an explicit message or fail with another error.  The update downloads successfully but when you try to install it from the system tray icon it fails.   
  If I go and find the downloaded .MSP file (I have Acrobat Pro 10 so mine was in c:\program data\adobe\ARM\Acrobat_10.1.5  ) and click "Install", it installs successfully.
  We have an administrator account that is unrestricted but doing the updates for people is not a good long term solution. 
  Can someone experienced with this please tell me if there is a specific executable or executables that I can "whitelist" by adding to my Software Restriction Policy as an "Unrestricted" file.  The kicker with the "whitelist" is that I need to bless a specific executable (e.g. I can't unrestrict a directory or give wildcards ... it has to be a fully qualified path and file name). 
  NOTE:  We have mostly Windows 7 machines (non Win 7 are Vista so have the same user directory structure) and a mix of Acrobat Pro 9, X, XI
  Many thanks in advance for your assistance. 

  I have the same issue as you.  I notified Adobe that businesses taking action to prevent CryptoLocker are finding themselves unable to update Adobe Acrobat/Reader.  I suggested changing the installer location away from the temp directory.  The response I got?  "We can't change the installer."
  What kind of BS answer is that?  Why not just say "we don't care about you as a customer"  I hope Adobe gets infected with Crypto.

• Exchange 2010 EMC and EMS errors - BLOCKED by software restriction

  EMC has this message:
  Initialization failed "Execution calling 'GetSteppablePipeline" with "1" arguement: File D:\program files\Microsoft\Exchange Server\V14\RemoteScripts\ConsoleInitialize.ps1 cannot be loaded because its execution is blocked
  by software restriction policies" 
  EMS has this error:
  "There were errors in loading the format data file: D:\Program Files\Microsoft\Exchange 2010\V14\Bin\exchange.format.ps1x
  ml, , D:\Program Files\Microsoft\Exchange 2010\V14\Bin\exchange.format.ps1xml : File skipped because of the following validation exception: File D:\Program Files\Microsoft\Exchange 2010\V14\Bin\exchange.format.ps1xml cannot be loaded because its execution is
  blocked by software restriction policies. For more information, contact your system administrator."
  All other powershell scripts work just fine.  It is not the execution policy.  That is set properly.  Authenticode returns valid on the files. There are no settings it GPO to control or cause this. Email working fine.  It just started
  after a reboot for updates.  Any other thoughts before I spend $500 for a call?
  Server2008 Standard SP2
  Update Rollup 4 v2 for Exchange Server 2010 SP2
  Thank you

  The long and short of it was Microsoft Certificates didn't update and were expired. I was not given a reason why this happened but the final solution after Microsoft spent 2 weeks on this was to first reinstall Exchange Service Pack 3, reboot. Install
  update rollup 8, and reboot.  This fixed the EMC but not the shell.  Then they reinstalled the rollup 8 again and one more reboot.  Everything now works.  I'd say with all the other little tweaks they looked at as possible suspect and "other
  things" they fixed in their efforts to solve this, I defiantly got my money's worth.  Despite not really knowing what really caused the issue in the first place

• Software restriction policy not working correctly

  Ladies and Gents,
  we run a windows server 2008r2 environment.
  we have a software restriction policy in place for quite some time now and it's been working fine until about a week ago. here's how we have it setup:
  Enforce = All Software files except libraries (such as DLLs). + All Users.
  Security Level = Disallowed
  Designated File Types= 
  Defaults
  Additional Rules:
  C:\* = Disallow.
  The rest of the rules are paths for files and folders that we have set as Unrestricted.
  Since about a week ago, our security team discovered that they can open any allowed file type such as text file, and then go to file and click on open. In the open dialog box they would type
  in C:\Windows\System32\drivers\etc\hosts and then click and open it would actually open the hosts file.
  I even tried adding a path rule for C:\Windows\System32\drivers\etc\hosts with Disallow, and it’s still allows opening this file for non admins.
  Any ideas as to why is software restriction policy not blocking access to any files or folders that are not explicitly allowed via a path rule?
  Any help or comments are much appreciated.
  Mohsen Almassud

  You are moving in a wrong way. Software Restriction Policies are designed to prevent users to launch executables/applications. It cannot prevent you from opening TXT file, because it is not an executable. In order to prevent TXT files, you have to block
  notepad.exe executable. It is very different technology.
  You must move to a permission configuration. If there are folders users should not access, remove them from respective folder's ACL. You must be careful with restricting user access to system folders (%systemroot%), because you may block critical applications
  and eventually no one will be able to log on to server, because logon-dependant paths are not accessible due to restrictions in the ACL.
  My weblog: http://en-us.sysadmins.lv
  PowerShell PKI Module: http://pspki.codeplex.com
  Check out new:
  PowerShell FCIV tool.

• Software Restriction Policy help

  This policy was working fine, then all of the sudden it is not working anymore.
  Blocking from
  %AppData%\*.exe
  %AppData%\*\*.exe
  Here is the error I get
  An error has occurred while collecting data for Software Restriction
  Policies.
  This error impacts the following settings:
  Software Restriction Policies
  Software Restriction Policies/Security
  Levels
  Software Restriction Policies/Additional Rules
  The following errors apply to all of the above
  settings:
  A certificate stored by this extension is not valid. Use the Group Policy
  Management Editor to reconfigure the settings in this extension.

  Hi,
  How is the issue going? Where did the certificate come from?  For this is also related to the certificate, if the issue persists, we can also ask for suggestions in the
  following security forum.
  Security
  http://social.technet.microsoft.com/Forums/windowsserver/en-US/home?forum=winserversecurity
  TechNet Subscriber Support
  If you are TechNet Subscription user and have any feedback on our support quality, please send your feedback here.
  Best regards,
  Frank Shen

• Adobe and software restriction policy

  Hello!
  Could you enumerate what other programs are called by acrord32.exe?
  I have to use software restriction policies, to prevent run other programs except adobe readre 9.
  I set up group policy for user's software restriction policy: acrord32.exe
  When I start acrobat reader, the program starts, reader window appears, but I get the following message.
  Software cannot be run due to softwre restriction policies and adobe reader stops.
  My question is what other programs I have to allow to run acrord32.exe?
  Thank's

  When a software restriction policy "goes off," Windows creates event-log entries that describe what happened.  In many cases, you must be an Administrator to view the contents of this log.
  Here's a page that might be useful.  (I Googled "software restriction policy" "event viewer" ):
  http://technet.microsoft.com/en-us/library/cc737011.aspx
  Although it is tedious to set up restriction policies, it can be worth it.  (But also make sure that you are observing all the other prudent security practices, most especially making sure that the end-users are not "administrators.")
  Realistically, the event log is the only way to determine "what runs what."  It is also important that you run your tests from every flavor of user-account that will be affected by the policy, and that you periodically review the event logs to proactively detect errors that end users did not bother to report.

• Software Restriction Policy block zipped js file.

  Trying to block zipped js files from running. Have applied the following path rule under our software restriction policies.
  *.zip\*.js
  *\*.zip\*.js
  *.zip\test.js
  Neither works to block.
  Using "test.js" as path rule works fine.
  Am I missing something here?
  Also I have added JS as a file type in software restriction policies.

  Hi  Allister Wade 2,
  Here is a link for reference of Software Restriction Policies.
  Software Restriction Policies
  https://technet.microsoft.com/en-us/library/hh831534.aspx
  All the failed rules including the letter "*", I am afraid this policy will not support the fuzzy query. Considering test.js will work well ,we would add an exact file path to be forbidden .
  What is the purpose of this operation ?If it is used to forbid the ZIP software from running the js file .
  As a work around ,we can change the js file association to have a check.(Control Panel\All Control Panel Items\Default
  Programs)
  Best regards
  Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact [email protected]

• Software Restriction Policy

  Hi,
  We have applied Software restriction policies on a Test LAB to restrict the unwanted applications from running. We have made exception path, hash rules for genuine applications and software.
  We have observed that if the exception list grows large then we cannot open or change GPO's and clients also cannot apply policy. Once we restore it back from Backup it works fine again.
  I wanted to know is there any limitation to the exception list after which we should consider creating additional policy.
  Thanks

  Hi Sukhwin08,
  Based on my knowledge, there is no limited about the amount of the Software restriction policy.
  Please help to enable the GPSVC debug logging on problematic client machine if the SRP cannot apply successfully, this log records the detailed information about the group policy applying
  process which is very useful for troubleshooting the group policy related issues. To do so, add the following registry entry:
  Sub-key:HKEY_LOCAL_MACHINE \Software\Microsoft\Windows NT\CurrentVersion\Diagnostics
  Entry:      GPSvcDebugLevel
  Type:      REG_DWORD
  Value:     30002 (HEX)
  After you make this change, run
  gpupdate /force on the computer to reproduce the issue. After that, compress the %SystemRoot%\Debug\UserMode\ folder and check of there are any errors about the issue.
  Please note: the registry key Diagnostics does not exist by default, we need to add it first. In addition, we can disable the debug logging after the troubleshooting.
  Regards,
  Lany Zhang

• Software Restriction Policy/AppLocker Restricting Process by Parameters

  Is there any way with Software Restriction Policy or AppLocker to restrict the parameters a process is called with? For example we only want to allow: some.exe <this is OK to run>, but block everything else passed to that exe at start-up?

  Hi,
  >>Is there any way with Software Restriction Policy or AppLocker to restrict the parameters a process is called with?
  How is it going? Based on the description, I am afraid that we should not be able to acheive this. As you may already know, both SRP and Applocker use policy rules to restrict or un-restrict softwares. The policy rules of SRP are: Certificate rules, Hash
  rules ,Internet zone rules, Path rules ; the rule conditions of Applocker are: Publisher, Path, File hash.
  Regarding SRP rules and Applocker rules, the following articles can be referred to for more information.
  Work with Software Restriction Policies Rules
  http://technet.microsoft.com/en-us/library/hh994597.aspx
  Understanding AppLocker Rules
  http://technet.microsoft.com/en-us/library/dd759068.aspx
  TechNet Subscriber Support
  If you are TechNet Subscription user and have any feedback on our support quality, please send your feedback here.
  Best regards,
  Frank Shen

• How to apply Software Restriction policy for specific user in local group policy object ?

  I am working on implementing user based software restriction policy programmatically for local group policy object.
  If i create a policy through Domain Controller,i do have option for software restriction policy in user configuration but in local group policy editor i don't have option for that.
  When i look for the changes made by policy applied from Domain Controller in registry, they modifies registry values for specific users on path HKEY_USERS\(SID of User)\Softwares\Policies\Microsoft\Windows\Safer\Codeidentifiers
  They also have registry.pol stored in SYSvol folder in Domain Controller. When i make the same changes in registry to block any other application, application is getting blocked.
  I achieved what i wanted but is it right to modify registry values ?  
  PS:- I am using Igrouppolicyobject API

  I achieved what I wanted but is it right to modify registry values ?
  You also can modify a registry programmatically based policy. Check this:
  http://blogs.msdn.com/b/dsadsi/archive/2009/07/23/working-with-group-policy-objects-programmatically-simple-c-example-illustrating-how-to-modify-a-registry-based-policy.aspx
  We are trying to better understand customer views on social support experience, so your participation in this interview project would be greatly appreciated if you have time. Thanks for helping make community forums a great place.
  Click
  HERE to participate the survey.

• Software Restriction Policy batch vs vbs

  Hi there,
  I have recently implemented a Software Restriction Policy on a Computer level with Disallowed level as default.
  I whitelisted the \\mydomain\SysVol so that my Group Policies could run.
  I have a few batch files that run upon user logon. The batch files run but the the commands within them do not, they are being "access denied"
  example of one of the batch files:
  sc start servicexyz, killtask processxyz
  if I were to convert my batch script into a vb script, would vb script be treated as a single file? unlike batch file which makes calls to other executables.
  Thanks,

  What you are trying to do cannot be done with a GP and  cannot be done with a script.  Thisis becsue what you are trying to do makes very little technical sense.  Either delegate the right or use another method.
  ¯\_(ツ)_/¯
  This is how it worked for me just fine before I introduced SRP. 
  When user logged off, a logoff batch script used "sc start service" to start service
  When user logged on, a logon batch script used "sc stop service" to stop a service from running
  Before SRP, all of my users were local administrators of their computers so permissions were not in a way. After the SRP introduction,
  I had to remove all users local admin right and now experience this issue.
  Do you mean it makes little technical sense with SRP or in general? Care to elaborate please?
  Why do you think you have to start and stop the service all of the time?  It sounds like a design issue or an issue with  a bad service.
  You can use SC to give users permissions on a service.  You can give out just start and stop (control) to a group thyne add or remove users from the group.
  The group can be a domain group and GP can change the security on a service.
  ¯\_(ツ)_/¯

• Software Restrictions GPO applying oddly

  I've adjusted a GPO for Windows XP in ConsoleOne
  I added 4 items to be disallowed
  I associated them to a user, waited a few minutes, logged into the workstation as the user, and the 4 programs ARE disallowed.
  I then went into ZEN and created a new GPO that ALLOWED 2 of the 4 programs.
  I then associated THAT GPO to the same user (obviously consoleone pops up that message and removes the user from the "old" GPO and associates them to the new one)
  Waited a few minutes, logged into the workstation.
  The new policy does not take effect.
  We have the GPO set to cache (but not remain in effect on logout), and we only associate to a user object (or a container of users, not the workstation itself).
  I realize that the GPO "software restrictions" is under the "computer" but we have other stuff in there that works just fine when the GPO is associated in ZEN to the USER object.
  However, we do not do the "security" settings in the ZEN GPO (because then it mucks up our AD security settings such as password policies, etc.)
  However, I would think that if THAT was the issue, the GPO would never apply in the first place.
  To further complicate things, if I associate the "allow 2 of 4" GPO FIRST, it works, but then if I associate the "DISALLOW all 4" to the same user, it does not
  (it's like only lets one of them work once).
  BUT, all other settings behave/work normally

  Kevin,
  It appears that in the past few days you have not received a response to your
  posting. That concerns us, and has triggered this automated reply.
  Has your problem been resolved? If not, you might try one of the following options:
  - Visit http://support.novell.com and search the knowledgebase and/or check all
  the other self support options and support programs available.
  - You could also try posting your message again. Make sure it is posted in the
  correct newsgroup. (http://forums.novell.com)
  Be sure to read the forum FAQ about what to expect in the way of responses:
  http://forums.novell.com/faq.php
  If this is a reply to a duplicate posting, please ignore and accept our apologies
  and rest assured we will issue a stern reprimand to our posting bot.
  Good luck!
  Your Novell Product Support Forums Team
  http://support.novell.com/forums/

• Firefox 8.0.1 bypasses Windows software restriction policy and Windows UAC

  With the release of Firefox 8.0.1, Firefox bypasses Windows Software Restriction Policy (SRP).
  With Firefox 8.0.0 - (and previous), Firefox conformed to the policy set forth in SRP.
  In addition to the fact that Firefox completely ignores Windows SRP, Firefox also ignores Windows User Account Control. Standard, non-admin, accounts are able to install Firefox without administrative privileges. When the user executes the Firefox installer, Windows UAC prompts the user to elevate to install the program. If the user clicks "no" the Firefox installer continues past UAC and installs the program in the user's %appdata%\local folder instead of the %programfiles% (if the user were to elevate). Any other program would have ceased the installation if not elevated.
  I haven't seen any other software ignore SRP and continue to run and/or bypass UAC and continue to install.
  Please advise on what software policy needs to be in place to prevent Firefox from being installed and ran on my domain.

  UAC prevents software from making system-wide changes without an administrator's consent. It's purpose isn't for IT staff to control which software may run, though most installers try to make their software available to all users on the computer.
  Are you checking the hash of the installer instead of the executable? Firefox get's updated frequently enough that maintaining hashes will be a lot of work.
  I haven't tried this, but perhaps populating user profile folders with a read-only path will cause the Firefox installer to fail. You'll also need to consider [http://portableapps.com/apps/internet/firefox_portable portable firefox]