Applying Deny All Software Restriction

  • Thread starter Thread starter Jim
  • Start date Start date
J

Jim

I am creating a new GPO for Software restrictions. I have set the default
rule to "Software will not run, regardless of the access rights of the user."
We are creating a desktop image that we know exactly what applications will
be allowed to run. I figured this was a perfect candidate for blocking all
applications.

I am testing out the GPO. I have created a Hash Rule for Roxio Classic
Creator and set that rule to Unrestricted.

I go to click on the Shortcut for Roxio and I get a message saying that that
Roxio executable is blocked by the SRP. I go to the Event Log and see this:

Event Type: Warning
Event Source: Software Restriction Policies
Event Category: None
Event ID: 865
Date: 2/27/2008
Time: 9:21:08 AM
User: N/A
Computer: BLUEMAX
Description:
Access to C:\Documents and Settings\pds2\Start Menu\Programs\Roxio Easy
Media Creator 9\Data\Creator Classic.lnk has been restricted by your
Administrator by the default software restriction policy level.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.

So I try to create a hash rule for the LNK file, but the hash is the same as
the actual Executable and I still get the same error.

I took the LNK out of the Designated file types and it allowed the Roxio
Classic Creator to run, but it also allowed everything to run.

Is there something wrong I am doing or other documentation on to create a
SRP that will block everything except what I want to run?
 
Jim said:
I am creating a new GPO for Software restrictions. I have set the default
rule to "Software will not run, regardless of the access rights of the user."
We are creating a desktop image that we know exactly what applications will
be allowed to run. I figured this was a perfect candidate for blocking all
applications.

I am testing out the GPO. I have created a Hash Rule for Roxio Classic
Creator and set that rule to Unrestricted.

I go to click on the Shortcut for Roxio and I get a message saying that that
Roxio executable is blocked by the SRP. I go to the Event Log and see this:

Event Type: Warning
Event Source: Software Restriction Policies
Event Category: None
Event ID: 865
Date: 2/27/2008
Time: 9:21:08 AM
User: N/A
Computer: BLUEMAX
Description:
Access to C:\Documents and Settings\pds2\Start Menu\Programs\Roxio Easy
Media Creator 9\Data\Creator Classic.lnk has been restricted by your
Administrator by the default software restriction policy level.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.

So I try to create a hash rule for the LNK file, but the hash is the same as
the actual Executable and I still get the same error.

I took the LNK out of the Designated file types and it allowed the Roxio
Classic Creator to run, but it also allowed everything to run.

Is there something wrong I am doing or other documentation on to create a
SRP that will block everything except what I want to run?

Deny should only be used when any other option does not work [i.e a last
resort].

You are better off to remove the permission than denying.
 
I've had to put in these Additional Path Rules (as Unrestricted):

*.lnk
C:\Documents and Settings\All Users\Start Menu
c:\Documents and Settings\All Users\Desktop

Kam.
 
Back
Top