Re: MSN Messenger Wont Restrict by GPO



I should have listed it, but the hash and the test computer were taken from
the same program version. So, it must have to do with the program running from
start up...

"Richard Sweetnam" wrote:

> It may be that the file you hashed is from MSN version 6.x and the desktop
> version is 6.y or 7.x or something like that. Each executable will have a
> unique hash.
>
> The following was taken from
> Restricting Software Access and Protecting Computers
> (http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/DepKit/eca4c4cd-335a-4b33-8f1f-0f139e6024b2.mspx)
> note the final paragraph
> Hash rule
> A cryptographic fingerprint of the file, also called a message digest. When
> you create a hash rule for a program, Software Restriction Policies
> calculates a hash of the program, and then stores the hash securely. When a
> user tries to open a program, a hash of the program is compared to existing
> hash rules for Software Restriction Policies. The hash of a program is
> always the same, regardless of the location of the program on the user's
> computer. However, if a program is altered in any way (by applying a hotfix,
> for example), its hash also changes, and it no longer matches the hash in
> the Software Restriction Policies hash rule.
>
> For example, you can create a hash rule, and then set the security level to
> Disallowed to prevent users from running a certain file. A file can be
> renamed or moved to another folder and still result in the same hash.
> However, if any changes are made to the file itself, they also change its
> hash value and allow it to bypass restrictions.
>
>
> HTH
> Richard
>
> "razor" <razor@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
> news:F36DA93D-0CA8-4355-96F5-62F89A8FDC0D@xxxxxxxxxxxxxxxx
> > Hello--
> >
> > I have taken my information on the setup of the Software Restrictions GPO
> > from MS TN article "Using Software Restriction Policies to Protect Against
> > Unauthorized Software" and the MCSE text book for exam 70-298.
> >
> > We are using the default unrestricted GPO for software restrictions and
> > then the exception we need is to disallow MSN Messenger from running.
> >
> > I have created a hash of MSN Messenger, AND I have created paths to the
> > following folders: %PROGRAMFILES%\MESSENGER, %STARTMENU%\MESSENGER,
> > %START%\MESSENGER.
> >
> > But the program still runs at start up of the workstation and if launched
> > manually from the programs start menu. If I try to open the .exe file from
> > the host folder, it will be denied. If I try to open the program from the
> > start menu, it will run.
> >
> > Please help. What can I be doing wrong?
>
>
>
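The hash-rule behaviour quoted above (same hash after a rename or move, a different hash after any change to the file) can be checked against the copies actually present on a workstation. The PowerShell below is an added example, not part of the thread or of Microsoft's documentation; `Get-HashRuleCoverage`, the constructed sample files, and SHA256 as a stand-in for whatever algorithm the policy stores are all assumptions.

```powershell
# Added example: report which copies of a program a Disallowed hash rule would match.
# Assumptions: Get-HashRuleCoverage is a hypothetical helper; SHA256 stands in for
# the algorithm the policy actually stores; the sample files are constructed.

function Get-HashRuleCoverage {
    param(
        [Parameter(Mandatory)] [string]   $RuleHash,   # hash recorded when the rule was created
        [Parameter(Mandatory)] [string[]] $Roots,      # folders to search for copies
        [string] $Filter    = '*.exe',
        [string] $Algorithm = 'SHA256'
    )
    Get-ChildItem -Path $Roots -Filter $Filter -File -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            $hash = (Get-FileHash -LiteralPath $_.FullName -Algorithm $Algorithm).Hash
            [pscustomobject]@{
                Path      = $_.FullName
                Hash      = $hash
                RuleMatch = ($hash -eq $RuleHash)   # False = this copy is not covered by the rule
            }
        }
}

# --- Constructed sample data: one original, one moved/renamed copy, one altered copy ---
$root = Join-Path ([IO.Path]::GetTempPath()) ("srp-demo-" + [guid]::NewGuid())
$null = 'Messenger', 'Moved', 'Patched' |
    ForEach-Object { New-Item -ItemType Directory -Path (Join-Path $root $_) }

$original = Join-Path $root 'Messenger\sample.exe'
[IO.File]::WriteAllBytes($original, [byte[]](1..64))                 # stand-in for the hashed program
Copy-Item $original (Join-Path $root 'Moved\renamed.exe')            # same bytes, new name and folder
[IO.File]::WriteAllBytes((Join-Path $root 'Patched\sample.exe'),
                         [byte[]]((1..64) + 0))                      # one extra byte, e.g. after an update

# The hash the rule would have been created from
$ruleHash = (Get-FileHash -LiteralPath $original -Algorithm SHA256).Hash

# Original and renamed copy match the rule; the altered copy does not
Get-HashRuleCoverage -RuleHash $ruleHash -Roots $root | Format-Table -AutoSize

Remove-Item $root -Recurse -Force
```

On a real workstation, pass the folders where the program may be installed as `-Roots` and the hash the rule was created from as `-RuleHash`; any row with `RuleMatch` false is a copy the hash rule does not cover.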