Solved

Software Restrictions

Posted on 2013-12-19
5
240 Views
Last Modified: 2014-08-27
I have software restrictions in place (to try and prevent the crypto virus from running).
However I need some apps to be able to run under the %localappdata% folder structure.

From (http://technet.microsoft.com/en-us/library/cc786941(v=ws.10).aspx) it indicates "When there are multiple matching path rules, the most specific matching rule takes precedence."

However that is not what I am seeing.

I have the following to Software Restrictions policies;
1) %LocalAppData%\<App I want to run folder>\*.exe - Unrestricted
2) %LocalAppData%\*\*.exe - Disallowed

(they appear in this order with in the GPO Policy)

When I run an app in <App I Want to Run Folder> it is stopped by policy 2)

If I change policy 1) to actual specify the full executable name, then it is able to run.

However there are several exe files in the App Folder, and I was hopping not to have to specify each app - based on the above article I found.

What am I missing.

Thanks
0
Comment
Question by:bmcollis
  • 3
  • 2
5 Comments
 
LVL 35

Expert Comment

by:Mahesh
ID: 39731511
Try 2nd rule as below and check if it works
%LocalAppData%\*.exe - Disallowed

If it still giving problem, then it looks like *.exe is more generic term and actual exe path is more specific in 1st rule causing allow you to run exe files

Mahesh
0
 

Author Comment

by:bmcollis
ID: 39732278
Hi MaheshPM
Thanks for responding.

I actually have your suggestion in place as well, to stop exe files within the %LocalAppData% folder from running.

Rule 2) is meant to stop programs in all folders below %localappdata% from running - which it does.

However there are some programs "installed"/placed in folders below %localappdata% that I need to be able to let run.  I was hopping I could just specify the folder and that would be more specific therefore the program would run.

However the error in the event log indicates that rule 2 is stopping the program from running - Have I discovered a bug???

BC
0
 
LVL 35

Accepted Solution

by:
Mahesh earned 500 total points
ID: 39732421
What is the default security level for software restriction policy
You can set it to disallowed and then make exceptions as appropriate

Please check below PDF file for detailed configuration

http://www.nsa.gov/ia/_files/os/win2k/application_whitelisting_using_srp.pdf

Also you can exclude administrators from applying software restrictions policies if wanted to

Just test it 1st prior to deploy in production as it can impact production

Mahesh
0
 

Author Comment

by:bmcollis
ID: 39742488
Hi Mahesh,
Thanks for the link.  I did not see anything in there that referred to my issue, in terms of order and precedence.

I do appreciate you input into this.

But at this point, and without further input I guess I will have to specify the exe files individually rather than just the folder they are in.

BC
0
 
LVL 35

Expert Comment

by:Mahesh
ID: 39742516
I have shared that link so that you might set software restriction policy according to link and you will get the required results

The link will not address your existing issue

Mahesh
0

Featured Post

How your wiki can always stay up-to-date

Quip doubles as a “living” wiki and a project management tool that evolves with your organization. As you finish projects in Quip, the work remains, easily accessible to all team members, new and old.
- Increase transparency
- Onboard new hires faster
- Access from mobile/offline

Join & Write a Comment

Scenario:  You do full backups to a internal hard drive in either product (SBS or Server 2008).  All goes well for a very long time.  One day, backups begin to fail with a message that the disk is full.  Your disk contains many, many more backups th…
Sometimes drives fill up and we don't know why.  If you don't understand the best way to use the tools available, you may end up being stumped as to why your drive says it's not full when you have no space left!  Here's how you can find out...
This tutorial will walk an individual through locating and launching the BEUtility application to properly change the service account username and\or password in situation where it may be necessary or where the password has been inadvertently change…
This tutorial will show how to configure a new Backup Exec 2012 server and move an existing database to that server with the use of the BEUtility. Install Backup Exec 2012 on the new server and apply all of the latest hotfixes and service packs. The…

746 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

10 Experts available now in Live!

Get 1:1 Help Now