Re: I had high hopes for software restriction policy


From: Chris McKitterick (cmckit_at_online.microsoft.com)
Date: 02/24/04


Date: Mon, 23 Feb 2004 18:28:35 -0600

Hi Stewart -

This could be due to the hash. If a program is altered in any way (by
applying a hotfix, for example), its hash also changes, and it no longer
matches the hash in the Software Restriction Policies hash rule.

Give that a whirl; I hope this helps.

Best,
Chris McKitterick
Windows Server UA
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
=====================================================

"Stewart Basterash" <stewartbash@hotmail.com> wrote in message
news:O5no9b%237DHA.1816@TK2MSFTNGP12.phx.gbl...
To all,

I am having serious issues with software restriction policy...

I cannot seem to get anything to function properly... I am attempting to
restrict "All" applications on the desktop except for the ones I wish to
allow for each user.

Here is what I have done:
Created and linked a new GPO on a User OU in AD...
Created a Global Security Group "Restricted Applications Group" and Set
"Apply and Read" to this group (removed Authenticated Users).
Placed test users in this Global Security Group
Edited the Policy and set the Default Software Restriction to "Disallowed".
Left all the default "Path" Rules in place.
Added a new "Hash" rule for Adobe Acrobat Reader.
Forced the Policy Update on the workstations several times...
Ran the RSOP on the workstation... several times (Policy is applied, but
Hash rule is not allowing this app to run... nor is Path rule for same
application)...
Although this list is simplified, I tried several applications (Word, Excel,
PowerPoint, etc.), and several different policies... How the heck is this
thing supposed to work?

Result:
Test User cannot access any application from the desktop including "Adobe
Acrobat Reader".

Any thoughts on how this should work?

Stew
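
The stale-hash behaviour described in the reply above, as an added example that is not part of the original thread: a simplified Python model (not Windows' own implementation) of a default-"Disallowed" policy with one hash rule, showing a patched binary falling through to the default. The rule layout (algorithm, digest, file length), the function names and the sample bytes are assumptions constructed for illustration.

```python
import hashlib
from dataclasses import dataclass

DISALLOWED, UNRESTRICTED = "Disallowed", "Unrestricted"

@dataclass(frozen=True)
class HashRule:
    name: str        # label for the rule (hypothetical)
    algorithm: str   # hashlib algorithm name, e.g. "md5" or "sha1"
    digest: str      # hex digest recorded when the rule was created
    size: int        # file length recorded with the digest
    level: str = UNRESTRICTED

def make_rule(name, data, algorithm="md5"):
    """Record a hash rule from the file contents as they are right now."""
    digest = hashlib.new(algorithm, data).hexdigest()
    return HashRule(name, algorithm, digest, len(data))

def evaluate(data, rules, default_level=DISALLOWED):
    """Return (level, matching rule name or None) for a file's bytes."""
    for rule in rules:
        same_size = len(data) == rule.size
        if same_size and hashlib.new(rule.algorithm, data).hexdigest() == rule.digest:
            return rule.level, rule.name
    # No rule matched: the default security level decides.
    return default_level, None

def stale_rules(rules, current_files):
    """Names of rules whose recorded digest no longer matches the deployed file."""
    return [r.name for r in rules
            if r.name in current_files
            and evaluate(current_files[r.name], [r])[1] is None]

# Constructed stand-ins for one program before and after a hotfix.
ORIGINAL = b"MZ" + b"\x00" * 62 + b"reader build 1"
PATCHED = b"MZ" + b"\x00" * 62 + b"reader build 2"   # same length, one byte differs
RULES = [make_rule("reader.exe", ORIGINAL)]

if __name__ == "__main__":
    print(evaluate(ORIGINAL, RULES))   # rule matches, program is allowed
    print(evaluate(PATCHED, RULES))    # no match, default level applies
    print(stale_rules(RULES, {"reader.exe": PATCHED}))
```

Running the same comparison after each patch cycle shows which hash rules need to be regenerated before users hit the default level.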


