Solved

Software Restrictions

Posted on 2013-12-19
5
244 Views
Last Modified: 2014-08-27
I have software restrictions in place (to try and prevent the crypto virus from running).
However I need some apps to be able to run under the %localappdata% folder structure.

From (http://technet.microsoft.com/en-us/library/cc786941(v=ws.10).aspx) it indicates "When there are multiple matching path rules, the most specific matching rule takes precedence."

However that is not what I am seeing.

I have the following to Software Restrictions policies;
1) %LocalAppData%\<App I want to run folder>\*.exe - Unrestricted
2) %LocalAppData%\*\*.exe - Disallowed

(they appear in this order with in the GPO Policy)

When I run an app in <App I Want to Run Folder> it is stopped by policy 2)

If I change policy 1) to actual specify the full executable name, then it is able to run.

However there are several exe files in the App Folder, and I was hopping not to have to specify each app - based on the above article I found.

What am I missing.

Thanks
0
Comment
Question by:bmcollis
  • 3
  • 2
5 Comments
 
LVL 36

Expert Comment

by:Mahesh
ID: 39731511
Try 2nd rule as below and check if it works
%LocalAppData%\*.exe - Disallowed

If it still giving problem, then it looks like *.exe is more generic term and actual exe path is more specific in 1st rule causing allow you to run exe files

Mahesh
0
 

Author Comment

by:bmcollis
ID: 39732278
Hi MaheshPM
Thanks for responding.

I actually have your suggestion in place as well, to stop exe files within the %LocalAppData% folder from running.

Rule 2) is meant to stop programs in all folders below %localappdata% from running - which it does.

However there are some programs "installed"/placed in folders below %localappdata% that I need to be able to let run.  I was hopping I could just specify the folder and that would be more specific therefore the program would run.

However the error in the event log indicates that rule 2 is stopping the program from running - Have I discovered a bug???

BC
0
 
LVL 36

Accepted Solution

by:
Mahesh earned 500 total points
ID: 39732421
What is the default security level for software restriction policy
You can set it to disallowed and then make exceptions as appropriate

Please check below PDF file for detailed configuration

http://www.nsa.gov/ia/_files/os/win2k/application_whitelisting_using_srp.pdf

Also you can exclude administrators from applying software restrictions policies if wanted to

Just test it 1st prior to deploy in production as it can impact production

Mahesh
0
 

Author Comment

by:bmcollis
ID: 39742488
Hi Mahesh,
Thanks for the link.  I did not see anything in there that referred to my issue, in terms of order and precedence.

I do appreciate you input into this.

But at this point, and without further input I guess I will have to specify the exe files individually rather than just the folder they are in.

BC
0
 
LVL 36

Expert Comment

by:Mahesh
ID: 39742516
I have shared that link so that you might set software restriction policy according to link and you will get the required results

The link will not address your existing issue

Mahesh
0

Featured Post

Free learning courses: Active Directory Deep Dive

Get a firm grasp on your IT environment when you learn Active Directory best practices with Veeam! Watch all, or choose any amount, of this three-part webinar series to improve your skills. From the basics to virtualization and backup, we got you covered.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

I had a question today where the user wanted to know how to delete an SSL Certificate, so I thought that I would quickly add this How to! Article for your reference. WHY WOULD YOU WANT TO DELETE A CERTIFICATE? 1. If an incorrect certificate was …
I was supporting a handful of Windows 2008 (non-R2) 2 node clusters with shared quorum disks. Some had SQL 2008 installed and some were just a vendor application that we supported. For the purposes of this article it doesn’t really matter which so w…
This tutorial will walk an individual through the steps necessary to configure their installation of BackupExec 2012 to use network shared disk space. Verify that the path to the shared storage is valid and that data can be written to that location:…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…

828 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question