Software Restriction Policies Technical Overview

Applies To: Windows Server 2008, Windows Vista

Two improvements have been made to software restriction policies for Windows Vista® and Windows Server® 2008:

  • The default hash rule algorithm has been upgraded from MD5 to the stronger SHA256. MD5 is still supported for compatibility with Windows® XP.

  • Certificate rules can now be activated from within the Software Restriction Policies snap-in extension. Previously, certificate rules were activated only from within the Local Security Policies snap-in.

Understanding Software Restriction Policies

Viruses and Trojan horses often intentionally misrepresent themselves to trick users into running them. It can be difficult for users to make safe choices about which software they should run.

With software restriction policies, administrators can help protect their computing environment from untrusted or unknown software by identifying and specifying which software is allowed to run. Administrators can define a default security level of Unrestricted or Disallowed for a Group Policy object (GPO) so that software is either allowed or not allowed to run by default. Administrators can make exceptions to this default security level by creating software restriction policy rules for specific software. For example, if the default security level is set to Disallowed, administrators can create rules that allow specific software to run. The types of rules are as follows:

  • Hash rules

  • Certificate rules

  • Path rules (including registry path rules)

  • Internet Zone rules

Software restriction policies consist of the default security level and all the rules that apply to a GPO. Software restriction policies can be applied across a domain, to local computers, or to individual users. Software restriction policies provide a number of ways to identify software, and they provide a policy-based infrastructure to enforce decisions about whether the identified software can run. With software restriction policies, when users run software programs, they must adhere to the guidelines that are created by administrators.
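The policy model described above, a default security level plus exception rules of the four types, can be written out as a small evaluator so that an administrator can check which rule decides a given file before deploying a GPO. The following is an added example in Python, not code from Microsoft or from this page. It goes beyond the page in one respect: the order in which SRP consults the rule types (hash, then certificate, then path, then Internet zone, then the default level, with the most specific matching path rule winning and ties going to the more restrictive level) is the documented SRP behaviour but is not stated here. The `Rule`, `Candidate` and `evaluate` names, the environment variables, the sample rules and every file path and byte string are constructed for the example; a registry path rule is modelled as the folder it resolves to.

```python
import fnmatch
import hashlib
from dataclasses import dataclass
from typing import Optional

UNRESTRICTED = "Unrestricted"
DISALLOWED = "Disallowed"
# Order in which SRP consults rule types; the first type with a match decides.
PRECEDENCE = ("hash", "certificate", "path", "zone")


@dataclass
class Rule:
    kind: str                  # "hash" | "certificate" | "path" | "zone"
    level: str                 # UNRESTRICTED or DISALLOWED
    value: str                 # hex digest, publisher name, path pattern, or zone name
    algorithm: str = "sha256"  # hash rules only: "sha256" (default) or "md5" for XP-era rules


@dataclass
class Candidate:
    """A program a user is trying to run, as SRP would identify it (constructed)."""
    path: str
    content: bytes
    publisher: Optional[str] = None  # Authenticode signer, if the file is signed
    zone: Optional[str] = None       # Internet zone of a Windows Installer package

    def digest(self, algorithm: str) -> str:
        return hashlib.new(algorithm, self.content).hexdigest()


def _expand(pattern: str, env: dict) -> str:
    """Substitute %Name% variables the way a path rule is expanded on the client."""
    for name, value in env.items():
        pattern = pattern.replace(f"%{name}%", value)
    return pattern.lower()  # Windows paths are case-insensitive


def _path_matches(pattern: str, path: str, env: dict) -> bool:
    pattern, path = _expand(pattern, env), path.lower()
    if any(ch in pattern for ch in "*?"):
        return fnmatch.fnmatchcase(path, pattern)
    # A plain folder rule covers the folder itself and everything beneath it.
    return path == pattern or path.startswith(pattern.rstrip("\\") + "\\")


def _specificity(pattern: str, env: dict) -> tuple:
    """Sorts higher for more specific rules: no wildcard beats wildcard, longer beats shorter."""
    expanded = _expand(pattern, env)
    return (not any(ch in expanded for ch in "*?"), len(expanded))


def matches(rule: Rule, cand: Candidate, env: dict) -> bool:
    if rule.kind == "hash":
        return rule.value.lower() == cand.digest(rule.algorithm)
    if rule.kind == "certificate":
        return cand.publisher is not None and cand.publisher.lower() == rule.value.lower()
    if rule.kind == "path":
        return _path_matches(rule.value, cand.path, env)
    if rule.kind == "zone":
        return cand.zone is not None and cand.zone.lower() == rule.value.lower()
    raise ValueError(f"unknown rule kind {rule.kind!r}")


def evaluate(default_level: str, rules: list, cand: Candidate, env: Optional[dict] = None):
    """Return (effective level, reason) for one candidate under one policy."""
    env = env or {}
    for kind in PRECEDENCE:
        hits = [r for r in rules if r.kind == kind and matches(r, cand, env)]
        if not hits:
            continue
        # Most specific path rule wins; among equals, the more restrictive level wins.
        hits.sort(key=lambda r: (_specificity(r.value, env) if kind == "path" else (),
                                 r.level == DISALLOWED))
        winner = hits[-1]
        return winner.level, f"{kind} rule {winner.value!r}"
    return default_level, "default security level"


# Constructed sample policy: default level Disallowed, with exceptions.
ENV = {"SystemRoot": r"C:\Windows", "ProgramFiles": r"C:\Program Files"}
TOOL_BYTES = b"MZ\x90\x00 constructed body of an approved tool"
RULES = [
    Rule("path", UNRESTRICTED, r"%SystemRoot%"),      # the OS folder may run
    Rule("path", UNRESTRICTED, r"%ProgramFiles%"),    # installed software may run
    Rule("path", DISALLOWED, r"%SystemRoot%\Temp"),   # ...but not its writable Temp folder
    Rule("hash", UNRESTRICTED, hashlib.sha256(TOOL_BYTES).hexdigest()),  # one tool, anywhere
    Rule("zone", DISALLOWED, "Internet"),             # no Installer packages from the Internet
]


def demo() -> dict:
    cases = {
        "os binary": Candidate(r"C:\Windows\System32\notepad.exe", b"a"),
        "temp dropper": Candidate(r"C:\Windows\Temp\update.exe", b"b"),
        "approved tool in temp": Candidate(r"C:\Windows\Temp\tool.exe", TOOL_BYTES),
        "user download": Candidate(r"C:\Users\alice\Downloads\setup.exe", b"c"),
        "internet msi": Candidate(r"C:\Users\alice\Downloads\setup.msi", b"d", zone="Internet"),
    }
    return {name: evaluate(DISALLOWED, RULES, cand, ENV) for name, cand in cases.items()}


if __name__ == "__main__":
    for name, (level, reason) in demo().items():
        print(f"{name:22s} -> {level:12s} ({reason})")
```

Two points the table of results makes visible: the Temp rule overrides the broader `%SystemRoot%` rule only because it is more specific, and the approved tool runs from Temp anyway because a hash rule is consulted before any path rule. A real policy is evaluated by the client, not by this script; the script is for reasoning about rule interaction before a GPO is linked.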

Software restriction policies allow administrators to:

  • Control the ability of software to run on a computer. For example, if administrators are concerned about users receiving viruses through e-mail, they can apply a policy setting that prevents certain file types from running in the e-mail attachment folder of the e-mail program.

  • Permit users to run only specific files on multiuser computers. For example, if multiple users share a computer, administrators can set up software restriction policies so that users can access only the software needed to run specific files that are necessary for their work.

  • Decide who can add trusted publishers to a computer.

  • Control whether software restriction policies affect all users or just certain users on a computer.

  • Prevent files from running on a local computer, organizational unit (OU), site, or domain. For example, if a system has a known virus, you can use software restriction policies to prevent a computer from opening the file that contains the virus.

Important

Software restriction policies should not be used as a replacement for antivirus software. Software restriction policies only restrict whether a program can be run from Windows Explorer, the Run command, a Command Prompt window, or Windows Script Host (wscript.exe). Programs started in other ways, such as by using perl.exe, cannot be restricted through software restriction policies.

  • For more information about software restriction policies, including troubleshooting and step-by-step guides, see Using Software Restriction Policies to Protect Against Unauthorized Software (https://go.microsoft.com/fwlink/?LinkID=17299).