Presentation is loading. Please wait.

Presentation is loading. Please wait.

Application Support This is an excerpt from a section of the course that explains a new area of group policies called “Software Restricion Policies”

Published byBrooke Higham Modified over 9 years ago

Similar presentations

Presentation on theme: "Application Support This is an excerpt from a section of the course that explains a new area of group policies called “Software Restricion Policies”"— Presentation transcript:

1 Application Support This is an excerpt from a section of the course that explains a new area of group policies called “Software Restricion Policies”

2 Software Restriction Policies n Basically it’s a list of programs that can and can’t run n You pick which ones run and which don’t n But there are thousands of EXEs etc on your system, so you wouldn’t enjoy having to name every single EXE file that your system knows… n … Disabling every EXE would keep your system from booting!

3 How You Control SW Policies n A program is either “disallowed” (you can’t run it) or “unrestricted” (you can run it, assuming that there’s nothing else stopping you) n One rule (“Security Levels”) specifies the default value for all programs – disallowed or unrestricted n Another rule (“Enforcement”) excludes administrators from SW restriction policies n Typically you set the default to “unrestricted” and then restrict particular programs

4 How To Restrict Programs n Four kinds of rules: – Certificates: refer to a code-signing cert to allow (or, I suppose, disallow) an app – Hash: GPEDIT actually computes a “fingerprint” that identifies a particular program and then uses it to allow or disallow an app – Internet Zone: lets you control running apps directly from an URL – File and Directory Path: allow/disallow everything in a directory and its subdirectories, or a particular file or wildcard pattern n Examples coming!

5 Getting Started n First, create a software policy and start from an all-open, “safe” point of view, then lock it down n Open gpedit.msc, look in Computer Configuration/Windows Settings/Security/Software Restriction Policies

6 Initial SW Policy – No Objects

7 Create A Basic Policy n Right-click SW Restrictions Policy, “create new policy” n Now a policy exists, but it basically does not stop anyone from doing anything that they couldn’t do before n First question: disallow all apps by default, or allow all apps by default? In the Security Levels folder; allowed by default

8 Folders Created in SW Policy

9 Now let’s disallow Solitaire n Again, there are four ways to identify an app – its Authenticode cert, its hash, its URL or its filename/location n Let’s disallow Solitaire; rt-click Additional Rules folder and choose “New Path Rule…” n Fill in path %windir%\system32\sol.exe n Choose “disallowed” rather than “allowed”

10 Defining a Path

11 Now turn the screws I mean, let’s apply the rule n gpupdate /force typically isn’t enough n Restrictions seem to need a logoff/logon n Then try to start Solitaire n If it doesn’t work, then reboot; you’ll see

12 But the users aren’t dumb… n So they copy sol.exe to another directory, run it, and they’re back to Solitaire n So let’s try for a better approach – zap sol.exe itself; create a new “Hash” rule n Point to sol.exe and the system will compute a “fingerprint” that will identify sol.exe no matter where it is n Result: Solitaire is dead

13 A Hash Rule

14 We hope that looked useful… We cover that and a WHOLE lot more in the Powerpoint. If you’re interested, visit www.minasi.com/buyxpbook.htm to purchase the entire 279-slide book. Thanks for downloading and examining our sample! www.minasi.com/buyxpbook.htm

Download ppt "Application Support This is an excerpt from a section of the course that explains a new area of group policies called “Software Restricion Policies”"

Similar presentations

Group Policy - Part 2 of 3 Rick Claus IT Pro Advisor Microsoft Canada

Group Policy - Part 2 of 3 Rick Claus IT Pro Advisor Microsoft Canada
Lecture 10 Sharing Resources. Basics of File Sharing The core component of any server is its ability to share files. In fact, the Server service in all.

Lecture 10 Sharing Resources. Basics of File Sharing The core component of any server is its ability to share files. In fact, the Server service in all.
Thomas A. Stewart Literacy Test (OSSLT) Prep Guide 2013

Thomas A. Stewart Literacy Test (OSSLT) Prep Guide 2013
A batch file is a file that contains a number of DOS commands, each of which could be run individually from the command prompt. By putting them into a.

A batch file is a file that contains a number of DOS commands, each of which could be run individually from the command prompt. By putting them into a.
Microsoft ® Office Access ® 2007 Training Easy Access with templates I: Create a database susanguggenheim-is.com presents:

Microsoft ® Office Access ® 2007 Training Easy Access with templates I: Create a database susanguggenheim-is.com presents:
Getting started with LEGO NXT Mindstorms software This is intended to be a short introduction to the LEGO Mindstorms software and programming the LEGO.

Getting started with LEGO NXT Mindstorms software This is intended to be a short introduction to the LEGO Mindstorms software and programming the LEGO.
V IEW, O RGANISE, AND F IND Y OUR I MAGES V IEW, O RGANISE, AND F IND Y OUR I MAGES E DIT ( ‘D EVELOP ’ ) THEM E DIT ( ‘D EVELOP ’ ) THEM P RINT P RINT.

V IEW, O RGANISE, AND F IND Y OUR I MAGES V IEW, O RGANISE, AND F IND Y OUR I MAGES E DIT ( ‘D EVELOP ’ ) THEM E DIT ( ‘D EVELOP ’ ) THEM P RINT P RINT.
MySQL Installation Guide. MySQL Downloading MySQL Installer.

MySQL Installation Guide. MySQL Downloading MySQL Installer.
Stored procedures and views You can see definitions for stored procedures and views in the demo databases but you can’t change them. For views, expand.

Stored procedures and views You can see definitions for stored procedures and views in the demo databases but you can’t change them. For views, expand.
Microsoft ® Office Outlook ® 2007 Training Retrieve, back up, or share messages ADVANTAGE TALENT, INC. “Professionals Helping Professionals” Candidate.

Microsoft ® Office Outlook ® 2007 Training Retrieve, back up, or share messages ADVANTAGE TALENT, INC. “Professionals Helping Professionals” Candidate.
Getting Git to work with Eclipse: The least fun thing you’ll ever do By Orren Saltzman.

Getting Git to work with Eclipse: The least fun thing you’ll ever do By Orren Saltzman.
04/24/2014April 2014 Chapter Meeting1 Forcing IE 10 & 11 to play nicely with Retail Link™ Dan Batson Sr. Analyst / Category Advisor Fujifilm North America.

04/24/2014April 2014 Chapter Meeting1 Forcing IE 10 & 11 to play nicely with Retail Link™ Dan Batson Sr. Analyst / Category Advisor Fujifilm North America.
ECEU300 Ethics in the Workplace Why talk about Ethics? Everyone is ethical, everyone knows how to behave at work. Everyone gets it about not stealing stuff.

ECEU300 Ethics in the Workplace Why talk about Ethics? Everyone is ethical, everyone knows how to behave at work. Everyone gets it about not stealing stuff.
CREATING USER ACCOUNTS Group accounts simplify administration by organizing user accounts into a single administrative unit. They provide a convenient.

CREATING USER ACCOUNTS Group accounts simplify administration by organizing user accounts into a single administrative unit. They provide a convenient.
LCCC Transfer Workshop Start Here – Go Anywhere !.

LCCC Transfer Workshop Start Here – Go Anywhere !.
Collapsible headings j then press F5 or click Slide Show > From Beginning to start the course. In the message bar, click Enable Editing, If the videos.

Collapsible headings j then press F5 or click Slide Show > From Beginning to start the course. In the message bar, click Enable Editing, If the videos.
Microsoft Server 2008 R2 Group Policies & AD. Group Policies-Refresher  Policies are “all or nothing”  You cannot selectively choose within a policy.

Microsoft Server 2008 R2 Group Policies & AD. Group Policies-Refresher  Policies are “all or nothing”  You cannot selectively choose within a policy.
XP 1 Developing a Basic Web Site Tutorial 2: Web Site Structures & Links.

XP 1 Developing a Basic Web Site Tutorial 2: Web Site Structures & Links.
Understanding Group Policy on Windows Server 2003 Michael J. Murphy TechNet Presenter

Understanding Group Policy on Windows Server 2003 Michael J. Murphy TechNet Presenter
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment, Enhanced Chapter 9: Implementing and Using Group Policy.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment, Enhanced Chapter 9: Implementing and Using Group Policy.

Similar presentations

Ads by Google