The Security Levels folder contains three rules, explained in the following list, one of which you select as the default rule for the policy. You can then create exceptions to the default rule.
Disallowed — No software can run, regardless of the user's security access.
Basic User — All software can run with the access rights of a normal user, regardless of the user's actual rights on the system. This rule prevents users with administrative access from running programs that could cause harm with that level of access.
Unrestricted — This is the default setting on a new policy. All programs can run according to the user's actual access rights. This setting, with no additional rules defined, is the same as having no software restriction policy assigned.
The Additional Rules folder is where you create exceptions to the default rule by identifying applications or application locations that are allowed or disallowed. There are four ways to identify applications designated as exceptions to the default rule:
Hash — A digital fingerprint of the application file is created, based on the file's attributes, to uniquely identify it.
Certificate — Some software publishers provide a digital certificate to uniquely identify an application.
Path — The path on the local system or a UNC path to the application file.
Network zone — An Internet zone that defines the Web sites from which applications can run.
For each additional rule you create, you can specify whether applications meeting the rule criteria should be disallowed, run as a basic user, or unrestricted. When you create a new software restriction policy, two path rules are created automatically to define unrestricted locations programs can run from: one specifying the default Program Files directory and one specifying the Windows directory. Three policies can be configured in the Software Restriction Policies folder:
Enforcement — Specifies how restrictions should be enforced. You can exempt members of the Administrators group, and you can exempt library files, such as DLLs.
Designated File Types — Specifies which file types are to be considered executable files. You can add your own file types or remove certain types from the list.
Trusted Publishers — Specifies trusted publisher policy options, such as who can manage the list of trusted publishers (users or administrators) and certificate verification parameters.
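The following PowerShell script is an added example, not code from the textbook or from Microsoft. It reads the software restriction policy that Group Policy writes to the registry and reports it in the terms used above: the default rule, the Enforcement options (administrator and DLL exemptions), the Designated File Types, and every additional rule by level and type, resolving the two automatic registry-based path rules to the folders they point at. The registry layout under Safer\CodeIdentifiers and the numeric codes for the three levels, TransparentEnabled and PolicyScope are assumptions taken from SRP documentation rather than from this page, as are the names Get-SrpPolicy and Resolve-SrpPath.

```powershell
# Added example (not from the textbook): decode the SRP settings that Group
# Policy stores under Safer\CodeIdentifiers. Assumed from SRP documentation,
# not from this page: the key layout and the level codes 0 = Disallowed,
# 0x20000 = Basic User, 0x40000 = Unrestricted.
$SrpLevels = @{ 0 = 'Disallowed'; 131072 = 'Basic User'; 262144 = 'Unrestricted' }

function Resolve-SrpPath {
    # The automatic rules use the %HKEY_...\Key\ValueName% form; resolve them to
    # the folder they currently point at. Other path rules get %VAR% expansion.
    param([string]$ItemData)
    if ($ItemData -match '^%(HKEY_LOCAL_MACHINE|HKEY_CURRENT_USER)\\(.+)\\([^\\]+)%(.*)$') {
        $hive  = if ($Matches[1] -eq 'HKEY_LOCAL_MACHINE') { 'HKLM:' } else { 'HKCU:' }
        $key   = Join-Path $hive $Matches[2]
        $name  = $Matches[3]
        $value = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
        if ($value) { return "$value$($Matches[4])" }
        return $ItemData                        # leave unresolved rules as written
    }
    return [Environment]::ExpandEnvironmentVariables($ItemData)
}

function Get-SrpPolicy {
    # HKLM holds the Computer Configuration policy, HKCU the User Configuration one.
    param([ValidateSet('HKLM', 'HKCU')][string]$Hive = 'HKLM')
    $base = "${Hive}:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers"
    if (-not (Test-Path $base)) { return $null }   # no SRP defined in this hive
    $ci = Get-ItemProperty -Path $base

    $defaultLevel = if ($null -eq $ci.DefaultLevel) { 'Unrestricted (not set)' }
                    else { $SrpLevels[[int]$ci.DefaultLevel] }
    if (-not $defaultLevel) { $defaultLevel = "Unknown ($($ci.DefaultLevel))" }
    $enforcement = switch ([int]$ci.TransparentEnabled) {
        1       { 'All software files except libraries (DLLs)' }
        2       { 'All software files' }
        default { 'Not enforced' }
    }

    # Additional rules live under <level>\<type>\{GUID}; ItemData is the path,
    # the hash bytes, the zone number or the certificate, depending on the type.
    $rules = foreach ($lvl in $SrpLevels.Keys) {
        foreach ($type in 'Paths', 'Hashes', 'UrlZones', 'Certificates') {
            $container = Join-Path $base "$lvl\$type"
            if (-not (Test-Path $container)) { continue }
            foreach ($ruleKey in Get-ChildItem -Path $container) {
                $r = Get-ItemProperty -Path $ruleKey.PSPath
                $data = switch ($type) {
                    'Paths'    { Resolve-SrpPath $r.ItemData }
                    'Hashes'   { ($r.ItemData | ForEach-Object { $_.ToString('x2') }) -join '' }
                    'UrlZones' { "Internet zone $($r.ItemData)" }
                    default    { [string]$r.ItemData }
                }
                [pscustomobject]@{
                    Level       = $SrpLevels[$lvl]
                    Type        = $type
                    Data        = $data
                    Description = $r.Description
                }
            }
        }
    }
    $rules = @($rules)

    # Observations a reviewer would note, each tied to a setting described in the text.
    $findings = @()
    if ($defaultLevel -like 'Unrestricted*' -and $rules.Count -eq 0) {
        $findings += 'Default rule is Unrestricted and no additional rules exist: same as no policy.'
    }
    if ([int]$ci.PolicyScope -eq 1)        { $findings += 'Enforcement exempts members of the Administrators group.' }
    if ([int]$ci.TransparentEnabled -ne 2) { $findings += 'Library files (DLLs) are not checked, or enforcement is off.' }
    foreach ($p in ($rules | Where-Object { $_.Level -eq 'Unrestricted' -and $_.Type -eq 'Paths' })) {
        $findings += "Unrestricted path rule covers '$($p.Data)'; confirm standard users cannot write there."
    }

    [pscustomobject]@{
        Hive             = $Hive
        DefaultLevel     = $defaultLevel
        Enforcement      = $enforcement
        AdminsExempt     = ([int]$ci.PolicyScope -eq 1)
        CertificateRules = ([int]$ci.AuthenticodeEnabled -eq 1)
        ExecutableTypes  = @($ci.ExecutableTypes)   # the Designated File Types list
        Rules            = $rules
        Findings         = $findings
    }
}

# Usage: run on a computer where the GPO has applied (gpupdate /force first).
$policy = Get-SrpPolicy -Hive HKCU
$policy | Format-List Hive, DefaultLevel, Enforcement, AdminsExempt, CertificateRules, ExecutableTypes, Findings
$policy.Rules | Format-Table Level, Type, Data -AutoSize
```

Because a policy configured under User Configuration lands in HKCU and one under Computer Configuration in HKLM, run the function for both hives to see the complete picture. The findings section exists because the settings the text describes as conveniences (exempting administrators, skipping DLLs, broad Unrestricted path rules) are also the places where a Disallowed default is most often weakened, so they are worth confirming deliberately after a policy is created.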
Activity 7-18: Creating a Software Restriction Policy
Time Required: 20 minutes
Objective: Create a software restriction policy and test it.
Description: You want to begin locking down some computers in your company by restricting
which programs users can run. You want to use settings in the Software Restriction Policies
folder, so you decide to create a simple policy to test this feature.
1. Log on to your server as Administrator, if necessary.
2. Open GPMC. Click to expand the Group Policy Objects folder, and then right-click TestOUGPO and click Edit. In GPME, expand User Configuration, Policies, Windows Settings, Security Settings, and Software Restriction Policies. Right-click Software Restriction Policies and click New Software Restriction Policies.
3. Click the Security Levels folder to see the three default rules in the right pane. The Unrestricted rule has a small check mark indicating that it's currently selected as the default. Double-click Disallowed to open this rule's Properties dialog box, and click Set as Default. Click Yes, and then click OK.
4. Click the Additional Rules folder. As mentioned, two path rules were created automatically that refer to a Registry key specifying the Windows directory and the Program Files directory.