Re: Prblm: Can't get Software Restrictions Policies to work as expected
From: Ola Theander (ola.theander_at_otsystem.com)
Date: 10/01/04
- Next message: Mike Morgan: "Re: Userenv error EventID: 1000"
- Previous message: Ward Horsfall: "GPO Restrictions on PC administrators"
- In reply to: Steven L Umbach: "Re: Prblm: Can't get Software Restrictions Policies to work as expected"
- Next in thread: Steven L Umbach: "Re: Prblm: Can't get Software Restrictions Policies to work as expected"
- Reply: Steven L Umbach: "Re: Prblm: Can't get Software Restrictions Policies to work as expected"
- Messages sorted by: [ date ] [ thread ]
Date: Fri, 1 Oct 2004 16:00:09 +0200
Hi Steven
Thanks for your answer. I'll try and use Filemon to detect the behaviour of
policies. One more thing I wonder though, does a path policy like
"C:\Windows\* work recursivly, i.e. all subfolders are also allowed or is it
only allowing files in that particular directory, in this case the Windows
folder, to be run?
Kind regards, Ola Theander
"Steven L Umbach" <n9rou@n0-spam-for-me-comcast.net> skrev i meddelandet
news:kw27d.286362$mD.264784@attbi_s02...
> Keep in mind that shortcuts are in the list of files that can be
> restricted by Software Restriction Policies. If the path to the shortcut
> is not in an allowed path then the application will not start via the
> shortcut. If you can go into the program files folder and start the
> executable directly, then it probably is a shortcut restriction problem.
> Your rule allow only the shortcuts in the all users desktop folder to be
> run. If an application needs to call on another restricted executable that
> is restricted to start that can also cause a problem. It might help if you
> use the free filemon tool from SysInternals to see the files involved in
> running an application. --- Steve
>
> http://www.sysinternals.com/ntw2k/source/filemon.shtml
>
> "Ola Theander" <ola.theander@otsystem.com> wrote in message
> news:O$o4Ud0pEHA.2636@TK2MSFTNGP09.phx.gbl...
>> Dear subscribers
>>
>> I have a problem to get Software Restriction Policies (SRP) to work as
>> expected. I'm administering a number of computers at a school and I use
>> SRP
>> to prevent use of disallowed software. My problem is that I find SRP to
>> behave very peculiar; the way that I think would be the obvious way for
>> it
>> to work doesn't at all give the expected result. Of course I may have
>> totally misunderstood things but in that case I hope for a clarification
>> here.
>>
>> Our environment is:
>> - Windows 2000 Server with AD, US version
>> - Windows XP Pro, Swedish version
>>
>> I've read a lot of postings in the Microsoft Usenet groups and it seems
>> like
>> there might exist a bug in Windows XP that was fixed in sp2 that's
>> concerning Netware shares (Q815471). We don't have any such shares, at
>> least
>> not as long as they aren't shared as such by default, so I'm not sure
>> whether this bug applies to us.
>>
>> Now to a description of the problem; the problem is that the user can't
>> run
>> applications that should be runable, i.e. the user gets a message stating
>> that the application was prevented to start due to software restrictions
>> policies.
>>
>> Our default policy configuration is to disallow running of applications,
>> then we specify exactly which applications and in which paths
>> applications
>> are allowed to run. Our policy list is as follows:
>>
>> Name Type Security level
>> %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
>> NT\CurrentVersion\SystemRoot%
>> Path Unlimited
>> %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
>> NT\CurrentVersion\SystemRoot%\*.exe Path Unlimited
>> %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
>> NT\CurrentVersion\SystemRoot%\System32\*.exe Path Unlimited
>> *.js Path Not allowed
>> *.jse Path Not allowed
>> *.vbe Path Not allowed
>> *.vbs Path Not allowed
>> *.wsf Path Not allowed
>> *.wsh Path Not allowed
>> \\c0047\software$\* Path Unlimited
>> \\domain.se\SysVol\* Path Unlimited
>> C:\Documents and Settings\%USERNAME%\Local Settings\Temp\* Path Unlimited
>> C:\Documents and Settings\All Users\Desktop Path Unlimited
>> C:\Program Files\* Path Unlimited
>> C:\WINDOWS\* Path Unlimited
>>
>> The polices are distributed using GPO in the Active Directory.
>>
>> The strange thing is that some applications installed in "Program Files"
>> runs perfectly e.g. Office but other third party applications can't start
>> and I can't figure out why. There are some MS applications, e.g. Notepad,
>> that doesn't start either.
>>
>> I've studied the document "Using Software Restriction Policies to Protect
>> Against Unauthorized Software"
>> http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/rstrplcy.mspx
>> to configure SRP and in the Troubleshooting section it says that a denied
>> SRP should be logged in the system event log but this doesn't occur so I
>> can
>> 't get any information here, at least I can't find any log records. Do I
>> need to do anything special to enable this logging?
>>
>> Any help with this matter would be greatly appreciated.
>>
>> Kind regards, Ola Theander
>>
>>
>>
>
>
- Next message: Mike Morgan: "Re: Userenv error EventID: 1000"
- Previous message: Ward Horsfall: "GPO Restrictions on PC administrators"
- In reply to: Steven L Umbach: "Re: Prblm: Can't get Software Restrictions Policies to work as expected"
- Next in thread: Steven L Umbach: "Re: Prblm: Can't get Software Restrictions Policies to work as expected"
- Reply: Steven L Umbach: "Re: Prblm: Can't get Software Restrictions Policies to work as expected"
- Messages sorted by: [ date ] [ thread ]
Relevant Pages
|
