Now that we have covered managing the applications we want to run, let’s take a look at managing the applications we don’t want to run. One of the methods we can use to restrict the software running in our environments is a software restriction policy, also known as an SRP. While this is normally done through Active Directory and Group Policy, we will set up an SRP on our local machine.
Software restriction policies are applied to machines, not to users. To create a policy, open the Group Policy Management Editor and navigate to:
Computer Configuration\Windows Settings\Security Settings\Software Restriction Policies
The first thing you need to do is actually create a policy by right-clicking and choosing New Software Restriction Policies.
Then head into Security Levels. There are 3 security levels.
- Disallowed – No software runs by default, only software you explicitly allow can run.
- Basic User – Allows all software that doesn’t require admin privileges to run.
- Unrestricted – All software runs, except software that you explicitly deny.
Then right-click on Unrestricted and make it the default.
Now we need to switch over to the rules section and add a new rule. There are 4 kinds of rules.
- Hash – Checks an executable against a list of banned hashes
- Certificate – Identifies applications by the digital certificate they are signed with and stops them from running
- Path – Bans applications based on a fully qualified path
- Zone – Uses alternate data streams to see where a file was downloaded from, and bans it based on this information
For this example a hash rule will do just fine.
Then click the Browse button and select:
Once you have applied the rule, try to launch Paint.
Stopping Applications From Just Starting Up
One of the most common methods used by script kiddie virus developers is to make malicious code automatically execute at startup. One easy way to manage startup items is using a utility called MSConfig. To launch it press the Windows + R keyboard combination to bring up a run box then type msconfig and hit enter.
When MSConfig opens, switch over to the Startup tab. Here you can easily disable programs that are starting up automatically by unchecking them.
Recently, though, developers have found ways to hide items from MSConfig so that they only appear in the registry. There are two locations in the registry where Windows allows you to add startup items:
The difference being that entries in the HKEY_LOCAL_MACHINE hive are executed for all users on the machine while entries in HKEY_CURRENT_USER are only executed for the current user.
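The startup locations the article describes can be reviewed from a PowerShell prompt, which also catches entries that MSConfig does not list. The script below is an added example, not part of the original article; it assumes Windows PowerShell with read access to both hives, and it uses the standard Run and RunOnce keys under each hive (the Wow6432Node key covers 32-bit applications on x64 Windows).

```powershell
# Added example (not from the article): list registry startup entries for
# the machine-wide (HKLM) and per-user (HKCU) hives the article refers to.
# Assumes Windows PowerShell running as a user who can read both hives.

$startupKeys = @(
    @{ Scope = 'All users';                 Path = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run' },
    @{ Scope = 'All users';                 Path = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce' },
    @{ Scope = 'All users (32-bit on x64)'; Path = 'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run' },
    @{ Scope = 'Current user';              Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' },
    @{ Scope = 'Current user';              Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce' }
)

function Get-RegistryStartupItems {
    foreach ($key in $startupKeys) {
        # A key that has never been populated may not exist at all; skip it.
        if (-not (Test-Path -Path $key.Path)) { continue }
        $regKey = Get-Item -Path $key.Path
        foreach ($name in $regKey.GetValueNames()) {
            if ([string]::IsNullOrEmpty($name)) { continue }   # ignore the unnamed default value
            # The value name is the entry's label; the data is the command line run at logon.
            [pscustomobject]@{
                Scope   = $key.Scope
                Key     = $key.Path
                Name    = $name
                Command = $regKey.GetValue($name)
            }
        }
    }
}

function Remove-RegistryStartupItem {
    # Removes one entry found above. Supports -WhatIf so the change can be previewed first.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)] [string] $KeyPath,
        [Parameter(Mandatory = $true)] [string] $Name
    )
    if ($PSCmdlet.ShouldProcess("$KeyPath\$Name", 'Remove startup entry')) {
        Remove-ItemProperty -Path $KeyPath -Name $Name
    }
}

# Review everything configured to start at logon, grouped by scope.
Get-RegistryStartupItems | Sort-Object Scope, Name | Format-Table -AutoSize -Wrap
```

Run the listing first; once an unwanted entry is identified, `Remove-RegistryStartupItem -KeyPath <key> -Name <name> -WhatIf` shows what would be removed before you commit to it. Removing entries under HKLM requires an elevated prompt.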
- Why are 16-bit applications not supported on x64 versions of Windows 7?
Be sure to stay tuned for our next Geek School article on Monday, where we’ll cover how to manage IE settings from the administrator point of view.
If you have any questions you can tweet me @taybgibb, or just leave a comment.