?
Solved

Software Restriction Policy - shortcuts don't work

Posted on 2007-10-17
2
Medium Priority
?
2,347 Views
Last Modified: 2013-12-04
default security level: Disallowed

Enforcement properties:

Apply software restriction policies to the following:
*all software files except libraries (such as DLLs)

Apply software restriction policies to the following users:
*all users except local administrators

Under trusted file types I have removed .lnk (that "l" as in larry) file extensions.

Though I dont use them, under Trusted Publishers Properties

"allow the following users to select trusted publishers:"
* End users
(all other options in this window are left un-checked)



Following are my path rules are being implemented:

C:\Docuements and Settings\All Users\Start Menu\Programs\Adobe
%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir%

And the Following Hash Rule:
6c37ad8c2212d3ddc456bb48a3aa398e:71288:32771
(for Adobe Acrobat 7.0)


Experts,

I am having a problem using shortcuts to allowed programs. all of which have been configured via software restriction policies (for user)

In on particular instance,  my users cannot access adobe acrobat via the shortcut.
located in c:\documents and settings\all users\start menu\programs
The Error log on the local machines report:

Event ID:  865
Type: Warning
Access to C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk has been restricted by your administrator by the default software restriction policy level.

These are my software restriction policy settings:
default security level: Disallowed

Enforcement properties:
Apply software restriction policies to the following:
*all software files except libraries (such as DLLs)
Apply software restriction policies to the following users:
*all users except local administrators

Under trusted file types I have removed .lnk (that "l" as in larry) file extensions so that .lnk extensions are permitted

(Though I dont use them) under Trusted Publishers Properties

"allow the following users to select trusted publishers:"
* End users
(all other options in this window are left un-checked)

The Following are my PATH rules are being implemented:
C:\Docuements and Settings\All Users\Start Menu\Programs\Adobe
%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir%

And the Following HASH Rule:
6c37ad8c2212d3ddc456bb48a3aa398e:71288:32771
(for Adobe Acrobat 7.0)

In a nutshell, I don't understand why shortcuts don't work. My understanding was as long as they are exempted from the 'do not allow list' of other file extension types. Is there a HASH for shortcuts?? I don't thnk so. I've tried to bing a HASH rule for a shortcut and Group policy seems to recognize it as the file/program itself.  I hope this is descriptive enough and too misleading or complicated.

Any help is greatly appreciated.

0
Comment
Question by:computerguy79
2 Comments
 
LVL 12

Accepted Solution

by:
StuFox100 earned 1500 total points
ID: 20099608
Try allowing .lnk1
That is the real extension as mentioned in this article:
http://technet2.microsoft.com/windowsserver/en/library/d24bc8c8-27cc-47ba-9b02-78d9d801e9371033.mspx?mfr=true
Cheers
Stu
0
 
LVL 1

Author Comment

by:computerguy79
ID: 20102183
If I slapped myself for every time I overcomplicated things, I'd would put Rick James to shame.

What I have found is that, for any specific shortcut, you have to specify the program's .exe explicitly as well as the shortcut it self. in my case
For example:
PATH Rule - C:\Documents and Settings\All Users\Start Menu\Programs\Games\solitaire.lnk <-specifies the shortcut, while
PATH Rule - %systemroot%\system32\sol.exe <-specifies the program itself.

In solving my adobe acrobat dilemma, adding the Path rule:  c:\Documents and Settings\All Users\Start Menu\Programs\*.lnk   (with the wildcard) allows the shortcut launch of the program as desired. SWEET!
0

Featured Post

What Security Threats Are We Predicting for 2018?

Cryptocurrency, IoT botnets, MFA, and more! Hackers are already planning their next big attacks for 2018. Learn what you might face, and how to defend against it with our 2018 security predictions.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Group policies can be applied selectively to specific devices with the help of groups. Utilising this, it is possible to phase-in group policies, over a period of time, by randomly adding non-members user or computers at a set interval, to a group f…
High user turnover can cause old/redundant user data to consume valuable space. UserResourceCleanup was developed to address this by automatically deleting user folders when the user account is deleted.
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …
This video shows how to use Hyena, from SystemTools Software, to update 100 user accounts from an external text file. View in 1080p for best video quality.

850 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question