How Windows Server 2003's Software Restriction Policies Improve Security
Network administrators fight an ongoing battle against the threats of viruses, malicious scripts, ActiveX controls and other executable code that can create havoc on the network. In addition to taking measures to keep hackers from penetrating the network's firewall and depositing such code, admins also must guard against their own users introducing malicious or problematic programs, often inadvertently.
Many users of the company network have home computers, and often employees run programs at home that they want to be able to use at work, too. Employees may also find software on the Internet that they want to download and install on their company systems. Some of these are games and other time-wasters, but in many cases, the employee genuinely believes that installing a program will help him/her work more efficiently. Employees also install programs without intending to, for instance, by visiting a web site that runs a script or by opening an executable attachment to email.
Allowing any unauthorized software to run on company computers, especially those connected to the network, poses many dangers. Even if the program isn't infested with malicious code, incompatibility problems can result in operating system crashes, or interfere with the operation of other programs, and complicate tech support and troubleshooting - not to mention licensing issues. For this reason, Microsoft includes a new feature with Windows Server 2003 and Windows XP: software restriction policies.
In keeping with the trend toward policy-based security, this feature gives administrators more control over the software that can run on the organization's computers. Sure, there were mechanisms you could use in Windows 2000 to prevent users from installing programs, and you could even control user access to installed programs by removing them from the Start menu or using Group Policy to remove access to the Run command. But software restriction policies do much more.
NOTE: Using software restriction policies doesn't mean you can do away with your anti-virus software; the two should be used in conjunction with one another to better protect your network.
What Software Restriction Policies Do
Software restriction policies address hostile code introduced inadvertently (such as through email or scripts on web pages) as well as unauthorized programs installed by users, by categorizing code as trusted or not trusted. The policies created by administrators specify what programs can or cannot run. These policies, like all group policy, can be applied to local machines, sites, domains or OUs. The administrator creates the policy in the Group Policy MMC for the computer, site, domain or OU to which the policy should apply.
Software restriction policies can be either user or machine policies. Machine policies are applied when the computer starts and will apply no matter what user is logged onto the computer, whereas user policies are applied when a user logs on and will apply to that user regardless of what machine he/she logs onto. It is also possible to create policies that apply to particular users only when they log onto particular machines. You'll need to use a Group Policy setting called loopback to do this. For more info about the loopback setting, see the Windows Server 2003 Help files.
How Software Restriction Policies Work
Here's how it works: There are two different default rules that you can start from, depending on the security needs of your organization:
- Unrestricted: if you choose this as the default, all programs will be able to run except those that you specify, which will not be allowed to run. This might work in a small organization where you want employees to have a lot of leeway in what they can install, but you want to protect against certain programs that are known to cause problems.
- Disallowed: this default rule means that all programs will be blocked from running unless they are on the list of programs that you have specified to be allowed to run. This is a more secure method, and is best for larger organizations where you have less direct knowledge of what all employees are doing and in environments where you want to more specifically control exactly what programs can be run.
The policy defines rules for identifying programs that are exceptions to the default rule. That is, if the default is unrestricted, the rules identify programs that should not be allowed to run, and if the default is disallowed, the rules identify programs that should be allowed to run. There are four ways that can be used to identify these programs:
- By a hash or cryptographic "fingerprint." This is useful when you want to specify a particular version of a program, since different versions will have different "fingerprints."
- By a digital certificate signed by the publisher of the software. This can define a program regardless of where it is stored.
- By the UNC path or Registry path that defines where the program file is located. The first is useful if the program will always be located in the same path on all machines; the second is used if the program is located in different folder locations on different machines.
- By the Internet Zone from which a program is downloaded. You would use this method if you want users to be able to download and install programs from Internet sites that you've marked as trusted.
If there are multiple rules that a program matches, they're evaluated in the order shown above, with the default rule evaluated last after the four rule types. The most specific match will take precedence.
How to Create a New Policy
It's not easy to find the software restriction policies node in the GPO console at first glance. Remember: you won't find this on Windows 2000 computers. On XP and Windows Server 2003 machines, it's buried deep in the Windows Settings | Security Settings under either Computer Configuration or User Configuration (depending on whether it will be a user or machine policy). The first time you open this node, you'll get a message that says no software restriction policies have been defined.
To create a new policy, click the Action menu, then select New Software Restriction Policies. You'll see five items:
- Security Levels (folder)
- Additional Rules (folder)
- Enforcement
- Designated File Types
- Trusted Publishers
Security Levels allows you to select the default rule (Disallowed or Unrestricted). Double click the one you want and click the Set as Default button. This button will be greyed out for the selection that is currently the default, and that item will show an icon with a checkmark to indicate that it is the current default.
The Additional Rules folder contains the exceptions to the default. By right clicking this folder, you can create a new certificate, hash, Internet Zone or Path rule. For example, to set a new Path rule, you'll need to type in or browse to the path for the program that will be an exception to the default, then select either Disallowed or Unrestricted to designate whether you want that program to run or be blocked from running.
NOTE: you'll need to be logged in as a local administrator or domain admin to create software restriction policies, or you'll need to have been delegated the authority to do this.
Policy Enforcement Options
The Enforcement item in the right console pane contains a couple of enforcement options that you can apply to the software restriction policies to modify how they're applied. The first is DLL checking, which causes the policy to also be applied to dynamic link library (DLL) files as well as executable files (by default, DLLs are not checked). You'll need to select the option to Apply software restriction policies to the following > All software files in the Enforcement Options dialog box. The other option is the Skip administrators option, which will make an exception for members of the local administrators group so they can run software that is restricted for other users. To do this, you'll need to select Apply software restriction policies to the following users > All users except local administrators. This one only works for machine policies, not user policies, for obvious reasons.
Designated File Types
The Designated File Types item allows you to specify which file types (based on file extension) are to be considered executable code and thus subject to the software restriction policies. Common executable file types such as .exe, .inf, .vb, .com, .lnk, .pif, .msi etc. are already in the list. You can remove any of them by highlighting and clicking the Remove button. If you delete a file type, programs with that extension will be able to run unrestricted and your policies will not be applied to them.
You can also add other file types, by entering the file extension in the field at the bottom and clicking the Add button.
The last item in the right pane, Trusted Publishers, lets you designate who can specify which software publishers will be considered trusted: end users, local computer administrators, or enterprise administrators. For best security, only allow administrators to define trusted publishers. You can also specify that before a software publisher is trusted, the system will check the publisher and/or the timestamp to determine that the certificate is valid and has not been revoked.
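The decision logic described above (the rule order, the Designated File Types list and the Skip administrators option) can be modeled in a few lines. This is an added example, not Microsoft's code: it is a simplified model, and the names `Rule`, `Program`, `evaluate`, the SHA-256 fingerprint and the sample paths are all assumptions made for illustration.

```python
import hashlib
from dataclasses import dataclass

ORDER = ("hash", "certificate", "path", "zone")  # the article's order; default is last

@dataclass
class Rule:
    kind: str    # one of ORDER
    value: str   # hex digest, publisher name, path, or zone name
    level: str   # "Unrestricted" or "Disallowed"

@dataclass
class Program:   # constructed stand-in for a file a user tries to launch
    path: str
    content: bytes = b""
    publisher: str = ""
    zone: str = ""

def fingerprint(data):
    # Assumption: SHA-256 stands in for whatever hash the policy engine uses.
    return hashlib.sha256(data).hexdigest()

def _matches(rule, prog):
    if rule.kind == "path":  # case-insensitive match on the file or a parent folder
        target, base = prog.path.lower(), rule.value.lower().rstrip("\\")
        return target == base or target.startswith(base + "\\")
    actual = {"hash": fingerprint(prog.content), "certificate": prog.publisher,
              "zone": prog.zone}[rule.kind]
    return rule.value == actual

def evaluate(prog, rules, default, file_types, is_admin=False, skip_admins=False):
    """Return (level, reason) for one launch attempt."""
    ext = prog.path.lower().rsplit(".", 1)[-1]
    if ext not in file_types:
        return "Unrestricted", "not a designated file type"
    if is_admin and skip_admins:
        return "Unrestricted", "local administrators skipped"
    for kind in ORDER:
        hits = [r for r in rules if r.kind == kind and _matches(r, prog)]
        if hits:  # among several hits, the longest (most specific) value wins
            return max(hits, key=lambda r: len(r.value)).level, kind + " rule"
    return default, "default rule"

# Constructed sample policy: default Disallowed plus three exceptions.
TOOL = Program(r"C:\Program Files\Games\tool.exe", b"constructed tool bytes")
TYPES = {"exe", "com", "msi", "lnk", "pif"}
RULES = [Rule("path", r"C:\Program Files", "Unrestricted"),
         Rule("path", r"C:\Program Files\Games", "Disallowed"),
         Rule("hash", fingerprint(TOOL.content), "Unrestricted")]
```

With this sample policy, `evaluate(TOOL, RULES, "Disallowed", TYPES)` allows the approved tool through its hash rule even though it sits in a folder that a path rule disallows, while an unlisted download falls through to the Disallowed default.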
This article provides an overview of Microsoft's new software restriction policies, what they do, how they work, and how an administrator can create a new policy to be applied to a local computer, site, domain, or OU. Software restriction policy is an addition to Group Policy for Windows Server 2003 and Windows XP that gives administrators even more flexibility and control over the software that can be run by network users and/or on network computers, thus putting another level of security between your systems and malicious or unauthorized code.