SEARCH

How-To Geek

Geek School: Learning Windows 7 – Managing Applications

Application Restrictions

Now that we have managing applications that we want to run out of the way, let’s take a look at managing applications we don’t want to run. One of the methods we can use to restrict the software running in our environments is using a software restriction policy, also known as an SRP. While this is normally done through Active Directory and Group Policy, we will set up an SRP on our local machine.

Software restriction policies are applied to machines and not to users. In order to create a policy open the Group Policy Management Editor and navigate to:

Computer Configuration\Windows Settings\Security Settings\Software Restriction Policies

image

The first thing you need to do is actually create a policy by right clicking and choosing New Software Restriction Policies.

image

Then head into Security Levels. There are 3 security levels.

  • Disallowed – No software runs by default, only software you explicitly allow can run.
  • Basic User – Allows all software that doesn’t require admin privileges to run.
  • Unrestricted – All software runs, except software that you explicitly deny.

Then right click on Unrestricted and make it the default.

image

Now we need to switch over to the rules section and add a new rule. There are 4 kinds of rules.

  • Hash – Checks an executable against a list of banned hashes
  • Certificate – Uses digital certificates to stop applications from running
  • Path – Bans applications based on a fully qualified path
  • Zone – Uses alternate data streams to view where the file was downloaded from, and bans it banned on this information.

For this example a hash rule will do just fine.

image

Then click the Browse button and select:

C:\Windows\System32\mspaint.exe

image

Once you have applied the rule, try to launch Paint.

image

Stopping Applications From Just Starting Up

One of the most common methods used by script kiddie virus developers is to make malicious code automatically execute at startup. One easy way to manage startup items is using a utility called MSConfig. To launch it press the Windows + R keyboard combination to bring up a run box then type msconfig and hit enter.

image

When MSConfig opens, switch over to the Startup tab. Here you can easily disable programs that are starting up automatically by unchecking them.

image

Recently though, developers have found ways to hide items from MSConfig and have them only appear in the registry. There is two locations in the registry where Windows allows you to add startup items:

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

The difference being that entries in the HKEY_LOCAL_MACHINE hive are executed for all users on the machine while entries in HKEY_CURRENT_USER are only executed for the current user.

 Homework

Be sure to stay tuned for our next Geek School article on Monday, where we’ll cover how to manage IE settings from the administrator point of view.

If you have any questions you can tweet me @taybgibb, or just leave a comment.

    Continue Reading »
  • Prev
  • 1
  • 2

Taylor Gibb is a Microsoft MVP and all round geek, he loves everything from Windows 8 to Windows Server 2012 and even C# and PowerShell. You can also follow him on Google+

  • Published 03/8/13

Comments (6)

  1. indianacarnie

    NOW we’re getting somewhere! Sure appreciate this.

  2. Taylor Gibb

    @indianacarnie i see you have been following along since the first article, be sure to leave some feedback and/or ideas on where you would like to see the future of these articles going!

  3. Bob

    It would be helpful to have a complete article on how to get a Windows 7 ISO and how to make a DVD from the downloaded ISO file. Then how to use the DVD to install Windows 7 on a computer. I think that HTG may have already published an article about this but, it would help if there was a more in depth article with a step by step procedure included.
    Thanks,

  4. Ushindi

    Thanks very much – these articles really help someone on the lower half of the computer knowledge scale, like me.

  5. vineet

    Very good article. this whole series is very useful.
    If only you could tell us about how to connect two different windows 7 laptops/pcs via wired connection (not wifi)… Please :-)

  6. 2-Bits Given

    @ Bob,

    If you want to download a Windows ISO file in order to make an installation disk, you may not find very much out there. That’s because Microsoft frowns on this and tends to view anyone sharing these disks or even ISO’s as being software pirates. In fact, if you happen to have an actual Windows installation disk from Microsoft then you may even see the words on it which specifically say, “DO NOT LEND OR MAKE ILLEGAL COPIES”. Now, I can go into the legalities of why it may still be OK to have an ISO or even a disk and still NOT have a license (which partly involves a legal concept known as “fair use”), but suffice it to say that you really do need to have a license in order to run Windows or else you’d be breaking copyright/patent laws. Microsoft just takes it a step further by assuming you shouldn’t be able to even get a disk (or ISO) if you’re not ALSO purchasing a license. (A rather arrogant assumption which may have more to do with shaking people down for money than anything else.)

    Of course, it is possible to find an ISO out there if you keep digging. However, I think I should warn you that whatever you find may also include anything from viruses, to malware or even root-kits. Some aren’t even Windows! And that’s because these public shared ISO’s usually come from someone who may simply be looking for a way to scam you either during the download or after you’ve actually used it to install. I tend to think of these public shared ISO’s as disease-ridden prostitutes (where Microsoft might even be the police) in a prostitute-legal society. They may get the “job” done but do you really want to consider it?!

    Therefore, my advice would be to find a friend willing to make you a disk copy. You may have some difficulty explaining to him/her that they’re not really breaking any laws – just bending it a little. Good luck.

Get Free Articles in Your Inbox!

Join 134,000 newsletter readers

Email:

Go check your email!