Solved

Software Restrictions

Posted on 2013-12-19
5
245 Views
Last Modified: 2014-08-27
I have software restrictions in place (to try and prevent the crypto virus from running).
However I need some apps to be able to run under the %localappdata% folder structure.

From (http://technet.microsoft.com/en-us/library/cc786941(v=ws.10).aspx) it indicates "When there are multiple matching path rules, the most specific matching rule takes precedence."

However that is not what I am seeing.

I have the following to Software Restrictions policies;
1) %LocalAppData%\<App I want to run folder>\*.exe - Unrestricted
2) %LocalAppData%\*\*.exe - Disallowed

(they appear in this order with in the GPO Policy)

When I run an app in <App I Want to Run Folder> it is stopped by policy 2)

If I change policy 1) to actual specify the full executable name, then it is able to run.

However there are several exe files in the App Folder, and I was hopping not to have to specify each app - based on the above article I found.

What am I missing.

Thanks
0
Comment
Question by:bmcollis
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
5 Comments
 
LVL 37

Expert Comment

by:Mahesh
ID: 39731511
Try 2nd rule as below and check if it works
%LocalAppData%\*.exe - Disallowed

If it still giving problem, then it looks like *.exe is more generic term and actual exe path is more specific in 1st rule causing allow you to run exe files

Mahesh
0
 

Author Comment

by:bmcollis
ID: 39732278
Hi MaheshPM
Thanks for responding.

I actually have your suggestion in place as well, to stop exe files within the %LocalAppData% folder from running.

Rule 2) is meant to stop programs in all folders below %localappdata% from running - which it does.

However there are some programs "installed"/placed in folders below %localappdata% that I need to be able to let run.  I was hopping I could just specify the folder and that would be more specific therefore the program would run.

However the error in the event log indicates that rule 2 is stopping the program from running - Have I discovered a bug???

BC
0
 
LVL 37

Accepted Solution

by:
Mahesh earned 500 total points
ID: 39732421
What is the default security level for software restriction policy
You can set it to disallowed and then make exceptions as appropriate

Please check below PDF file for detailed configuration

http://www.nsa.gov/ia/_files/os/win2k/application_whitelisting_using_srp.pdf

Also you can exclude administrators from applying software restrictions policies if wanted to

Just test it 1st prior to deploy in production as it can impact production

Mahesh
0
 

Author Comment

by:bmcollis
ID: 39742488
Hi Mahesh,
Thanks for the link.  I did not see anything in there that referred to my issue, in terms of order and precedence.

I do appreciate you input into this.

But at this point, and without further input I guess I will have to specify the exe files individually rather than just the folder they are in.

BC
0
 
LVL 37

Expert Comment

by:Mahesh
ID: 39742516
I have shared that link so that you might set software restriction policy according to link and you will get the required results

The link will not address your existing issue

Mahesh
0

Featured Post

Is Your AD Toolbox Looking More Like a Toybox?

Managing Active Directory can get complicated.  Often, the native tools for managing AD are just not up to the task.  The largest Active Directory installations in the world have relied on one tool to manage their day-to-day administration tasks: Hyena. Start your trial today.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Normally after a failure of Domain Controller, when promoting new DC the DC is renamed, we will discuss the options in Dcpromo to re-create the DC with the same name. Scenario: You are a small IT shop with two Domain Controllers (Domain Contr…
We recently had an issue where out of nowhere, end users started indicating that their logins to our terminal server were just showing a "blank screen." After checking the usual suspects -- profiles, shell=explorer.exe in the registry, userinit.exe,…
This tutorial will show how to configure a new Backup Exec 2012 server and move an existing database to that server with the use of the BEUtility. Install Backup Exec 2012 on the new server and apply all of the latest hotfixes and service packs. The…
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …

730 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question