tp-it-team
Software Restriction Policy starts playing up

Hi
I've been using Software Restriction Policy successfully for over 3 years and so far there were no problems with it, but recently, for some reason, users started complaining about an app not opening - specifically, Foxit Reader. The first thing to check was of course whether the proper path was added to 'Additional Rules', and it was. Still, after doing gpupdate, I could still see that exact path blocked. I found the fix but it didn't make any sense - logging in as admin - uninstalling the software - installing again and letting the user log in - and then it worked. While it worked for most users, it didn't for a few. I found another strange problem with a Java-based app - it had a small executable and the main Java app, and trying to run it as intended with that small app didn't work - again throwing an error for something already whitelisted.
Other than that, there are many other apps whitelisted and running happily, just a few odd examples.
No other errors on workstations (Windows 10) or DCs.
I must admit the whole thing is a bit clunky to use and I would prefer using some other method, but the fact this thing is playing up makes me really nervous.
What could be the reason for it? Any similar experiences?
I would really like to understand the root cause of it but also, I would appreciate a better alternative for it.
Thanks
McKnife

Hi.

With your Foxit R. problem, you should start by looking at eventvwr -> application log and see that the path the log lists as being blocked is really set as allowed.
tp-it-team
Hi
Yes, I checked and it is allowed.
McKnife

Delete the registry key for SRP and start over.
tp-it-team

Delete it on what? It is a Windows 10 domain-joined PC and I manage SRP through Group Policy.
McKnife

Yes, the SRP GPOs write themselves into the registry at
HKLM\Software\Policies\Microsoft\Windows\Safer\

Delete the safer branch and do a gpupdate /force on a test client.
tp-it-team

Unfortunately, the two examples I had today weren't good for this troubleshooting - one fixed itself (probably by updating GPO in the background) and the other one worked when I just did gpupdate /force.
I looked at the location you mentioned but it is not populated with any entries which are present in the GPO.
Am I right that this location is for SRP applied at computer level? I also checked the user branch, same structure, and again, I could see a few values, but nothing which would look like a list of allowed apps.
Do you think this could be helpful?
https://www.itprotoday.com/security/q-how-can-we-verify-software-restriction-policy-srp-rule-we-defined-one-our-applications

McKnife

If you use GPO for SRP, that key is where the config is stored. Please double check.
(You can verify here: https://isc.sans.edu/forums/diary/Software+Restriction+Policy+to+keep+malware+away/8917/)
tp-it-team

OK, there are a few things I tried, no luck yet.
First of all, I enabled that logging but it's useless, it simply tells me that the executable was blocked.
I temporarily unlinked the GPO, so I guess it erased all the settings in the PC's registry and Foxit worked fine; however, as soon as I linked it back and asked the user to log off and log in again, it is still blocking.
Sure, I can try things like creating the policy from scratch, but first, I would like to understand what is going on.
McKnife

Search that registry key and see whether it reflects the rules that you expect. That is all you can do; there is no logging or whatever that will make a difference. If that key is (for whatever reason) not in the state that you expect [=other rule sets], then you have found something.

So first, you should again look for that key. For confirmation, I added a rule on my machine (using domain GPO) and yes, it gets populated, as the screenshot proves:
[screenshot]
tp-it-team

OK, so I found the Safer key in the registry and I could not find that specific rule which would unblock Foxit. So I deleted the Safer key and did the gpupdate /force. It reappeared but again without that specific rule (and possibly a few others).
Now, the question is - why is that happening and how to fix it?
McKnife

What the client side does is read the GPO and write it to the registry. So your next step is to find out if it fails to write everything to the registry, or if the path to Foxit inside the GPO is already somewhat malformed (or missing). So please look at the registry.pol file of your GPO.
[screenshot]
tp-it-team

OK, so first of all, I looked at the file, but I have quite an extensive SRP so analysing this file would not be fun at all.
Then I opened the path to it on all my DCs and it looks like it's 10 KB less on one of them. Could that be it? I test my replication quite often and there is no problem, so no idea what happened here. How can I force it to replicate again properly?
OK, so I found that SYSVOL on that DC is not complete, compared to the other DCs.
McKnife

10 KB is 10,000 characters, that's huge.
"analysing this file would not be fun at all" - do as I did. Open it in notepad, search for your foxit path (insert a blank after each character - notepad became n o t e p a d).
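The two checks discussed above (pulling the SRP path rules out of a GPO's registry.pol instead of reading it in Notepad, and comparing the copies held by different DCs to see which rule the smaller one lacks) as an added Python example; this is not code from the thread. It assumes the documented PReg layout of registry.pol and the Safer\CodeIdentifiers key structure, and the rules, GUIDs, paths and "stale DC" copy are constructed so it runs offline; for real files, pass the bytes from open(path, "rb").read() to missing_rules.

```python
import struct
# registry.pol ("PReg"): 8-byte header, then [key;value;type;size;data] records; key and value are null-terminated UTF-16LE (hence "n o t e p a d" in Notepad)
HEADER = b"PReg\x01\x00\x00\x00"
SAFER = "Software\\Policies\\Microsoft\\Windows\\Safer\\CodeIdentifiers\\"

def utf16z(s):
    return (s + "\0").encode("utf-16-le")

def build_pol(entries):  # assemble a registry.pol blob from (key, value, type, data); fixture helper
    out = bytearray(HEADER)
    for key, value, rtype, data in entries:
        out += b"[\0" + utf16z(key) + b";\0" + utf16z(value) + b";\0" + struct.pack("<I", rtype)
        out += b";\0" + struct.pack("<I", len(data)) + b";\0" + data + b"]\0"
    return bytes(out)

def read_str(blob, pos):  # UTF-16LE string at pos, plus the offset past its terminator and ';'
    end = pos
    while blob[end:end + 2] != b"\0\0":   # step two bytes at a time to stay aligned
        end += 2
    return blob[pos:end].decode("utf-16-le"), end + 4

def parse_pol(blob):
    """Yield (key, value, type, data) for every record; rejects anything that is not PReg."""
    if blob[:8] != HEADER:
        raise ValueError("not a registry.pol file")
    pos = 8
    while pos < len(blob):
        key, pos = read_str(blob, pos + 2)                      # skip '['
        value, pos = read_str(blob, pos)
        rtype, size = struct.unpack_from("<I2xI2x", blob, pos)  # type ; size ;
        yield key, value, rtype, blob[pos + 12:pos + 12 + size]
        pos += 14 + size                                         # fields, data and ']'

def srp_path_rules(blob):
    """Map each SRP path rule (level\\Paths\\{guid}) to the path it allows or blocks."""
    return {key[len(SAFER):]: data.decode("utf-16-le").rstrip("\0")
            for key, value, _, data in parse_pol(blob)
            if key.startswith(SAFER) and "\\Paths\\" in key and value.lower() == "itemdata"}

def missing_rules(good_blob, stale_blob):  # rules in one DC's registry.pol that the other's lacks
    stale = srp_path_rules(stale_blob)
    return {k: v for k, v in srp_path_rules(good_blob).items() if k not in stale}

# Constructed sample: two allow rules at level 262144 (Unrestricted); GUIDs and paths are made up.
FOXIT = "262144\\Paths\\{0a1b2c3d-0000-4000-8000-000000000001}"
OTHER = "262144\\Paths\\{0a1b2c3d-0000-4000-8000-000000000002}"
GOOD_ENTRIES = [(SAFER + FOXIT, "ItemData", 2, utf16z("%ProgramFiles(x86)%\\Foxit Software\\Foxit Reader\\FoxitReader.exe")),
                (SAFER + OTHER, "ItemData", 2, utf16z("%ProgramFiles%\\7-Zip\\7z.exe"))]  # type 2 = REG_EXPAND_SZ
GOOD_POL = build_pol(GOOD_ENTRIES)
STALE_POL = build_pol([e for e in GOOD_ENTRIES if FOXIT not in e[0]])  # what a lagging DC might hold
```

Running missing_rules against the complete and the smaller SYSVOL copy names the exact rule keys and paths that never reached the lagging DC, which is what a plain size comparison cannot tell you.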