Share via


Software Restriction Policies Tools and Settings

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Software Restriction Policies Tools and Settings

In this section

  • Software Restriction Policies Tools

  • Software Restriction Policies Group Policy Settings

  • Related Information

Administrators can use command line tools to refresh Group Policy settings, including software restriction policies, and to display the resulting set of policies that were enforced on the computer for a specified user at logon. To assess the policy settings that are in effect for a computer or user, administrators use the Resultant Set of Policy (RSoP) snap-in.

Software Restriction Policies Tools

The following tools are associated with Software Restriction Policies:

Gpupdate.exe

This tool is used for refreshing local and Active Directory policy settings on the computer from which you run the gpupdate command. For more information about this tool, see “Core Group Policy Tools and Settings” in this collection.

Gpresult.exe

This tool enables you to examine the Group Policy settings applied during a policy refresh. For more information about this tool, see “Core Group Policy Tools and Settings” in this collection.

Resultant Set of Policy (RSoP)

This tool polls for existing Group Policy settings and planned policy settings, and then reports the results of those queries. For more information about RSoP, see “What Is Resultant Set of Policy?” in this collection.

Software Restriction Policies Group Policy Settings

The following table lists and describes the Group Policy settings that are associated with software restriction policies.

Software Restriction Policies Security Levels and Additional Rules

Security Levels Description

Disallowed

Does not allow the specified software to run.

Unrestricted

Allows the specified software to run on the computer with the full rights of the currently logged on user.

Additional Rules

Security Levels Description

Hash Rule

A series of bytes with a fixed length that uniquely identifies a software program or file. A hash (also called a message digest) is obtained by applying a one-way mathematical function (sometimes called a hash algorithm) to an arbitrary amount of data. If the input data changes, the hash changes. The hash can be used in many operations, including authentication and digital signing.

If you create a hash rule for a software program, software restriction policies calculate a hash of the program. When a user tries to open a software program, a hash of the program is compared to existing hash rules for software restriction policies. The hash of a software program is always the same, regardless of where the program is located on the computer. However, if any changes are made to the software program, its hash also changes, and it no longer matches the hash in the hash rule for software restriction policies.

Path Rule

Identifies a program according to a folder or its fully qualified path. Both URL and UNC paths are permitted. You can use the following in path rules: environment variables, wildcards (question mark “?” and asterisk “*”), and registry path rules.

Certificate Rule

Identifies software based on a signed certificate. You create a certificate rule that identifies software and then specify a security level to either allow or not allow the software to run.

Internet Zone Rule

Identifies software from a zone that is specified through Internet Explorer. The zones are Internet, Intranet, Restricted sites, Trusted sites, and My Computer. These rules apply only to Windows Installer packages (.msi files).

The following table lists the software restriction policy options.

Software Restriction Policy Options

Options Description

Enforcement

Enforcement enables you to specify whether to turn on dynamic-link library (DLL) checking and skip administrators to prevent the software restriction policies from applying to local administrators.

Use the Apply software restriction policies to the following option to select one of the following:

  • All software files except libraries (such as DLLs). This option specifies that the rules will not affect DLLs.

  • All software files. This option applies software restriction policies to all files, including DLLs. This option turns on DLL checking.

Use the Apply software restriction policies to the following users option to select one of the following:

  • All users. This option specifies that all the rules you define apply to all users.

All users except local administrators. This option prevents software restriction policies from applying to local administrators. This is used when administrators want to prevent most users from running certain programs, but allow local administrators to run any program.

Designated File Types

The Designated File Types dialog box lists the file types to which the software restriction policy applies. The list represents the types of files that are considered executable files. The rules you specify in a software restriction policy apply only to the file types listed in the Designated File Types list. If you want to be able to set rules on additional file types, add them to the Designated File Types list.

Trusted Publishers

The Trusted Publishers options enable you to configure settings related to ActiveX controls and other signed content. Trusted Publishers includes the following options:

  • Enterprise Administrators: Use this option to allow only domain administrators to make decisions regarding signed active content.

  • Local computer Administrators: Use this option to allow local computer administrators to make all decisions regarding signed active content.

  • End Users: Use this option to allow any user to make decisions regarding signed active content.

  • Publisher: Use this option to ensure that the certificate used by the software publisher has not been revoked.

  • Timestamp: Use this option to ensure that the certificate used by the organization that time-stamped the active content has not been revoked.

For more information about software restriction policies rules and enforcement options, see “How Software Restriction Policies Work” in this Collection.

The following resources contain additional information that is relevant to this section.