Software Restriction Policy


From: Eye Open (EyeOpen_at_discussions.microsoft.com)
Date: 10/03/04


Date: Sat, 2 Oct 2004 18:27:01 -0700

Windows Server 2003

Software Restriction Policy

W2k3
Tiny 6.0

REGISTRY RULES DEFAULT
%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%\System32\*.exe
%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir%
%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%
%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%\*.exe

I have set the specific rules below and deleted the registry rules above. When I
log on to the computer, after typing the password, it shows "Applying computer
settings", then "Logging out", and returns to the logon screen.

I cannot log in and use the computer!!!

There are lots of drivers and devices that are not loaded.

I want to know the reason.

How do I set strict rules, with full control of the .exe files, and still be able
to log on and use the computer?
Strict rules only allow .exe files to run, so full control of the Windows 2003
server.
That is the important point.

Software restriction policy

C:\windows
control.ini
desktop.ini
explorer.exe
NOTEPAD.EXE
regedit.exe
system.ini
win.ini

HASH RULE ALLOW

C:\windows\system32
$winnt$.inf
alg.exe
calc.exe
compmgmt.msc
cmd.exe
ctfmon.exe
eventvwr.msc
gpedit.msc
lsass.exe
mmc.exe
notepad.exe
ntoskrnl.exe
regedt32.exe
runas.exe
secpol.msc
services.msc
setup.exe
sfc.exe
sigverif.exe
shutdown.exe
smss.exe
taskmgr.exe
verifier.exe
winlogon.exe
wpabaln.exe
write.exe
wuauclt.exe
wupdmgr.exe
raspppoe.sys

HASH RULE ALLOW RUN

REGISTRY RULES DEFAULT
%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%\System32\*.exe
%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir%
%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%
%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%\*.exe

THEY CANNOT BE DELETED.
IF DELETED, THE COMPUTER WILL NEVER START, UNTIL IT IS STARTED IN SAFE MODE.

I tried to delete them and put more restrictions in other rules; can you tell
me about this and discuss it?
Or we can restrict more in the registry rules.

C:\windows\system32
Telnet and remote registry
HASH RULES NOT ALLOWED

FORCE
All software
All users

PUBLISHER
LOCAL ADMINISTRATOR

SECURITY LEVEL
Not allowed

Software restriction
We still need to study the certificate rule.
It is very efficient to set hash rules; every app and .exe accesses a large
amount of registry entries.
It is very difficult to restrict the registry, but it is easier to restrict
the .exe.
In addition, set path rules for the apps that update frequently.

But I hope you can tell me the use of the Internet rules.

With MSConfig, we cannot check all apps by monitor and check the AMON monitor.
Someone told us to use msconfig, system.ini, win.ini, etc. to find out the
start-up .exe files and restrict them; we hope to get full control of start-up,
and full control of app and .exe activity!

If we can't control all .exe files and restrict the entire set of system files,
we cannot know: folder permissions, registry, application spawning, DLL
loading, OLE/COM control, services control, devices control, system
privileges, EXCEPTIONS.

And this can be of great help in preventing changes to system files.

But it cannot prevent getting in through Tiny, so these need help from Tiny.

We hope all professionals in Forum assist this.

Folder permissions:
allow or disallow writing to and modifying the folders.

The registry: it is very difficult to set registry restrictions.

Application spawning: we still need to know the spawning, the code and the
applications.

DLL loading: check the DLLs, but it is still easy to be attacked.

OLE/COM control: it is very difficult to know the details of OLE and COM.

Services control: it will be easier to learn, but we must know what each
service is used for...

Devices control: we only know that it restricts the process from accessing the device.

System privileges: it will take much time to get familiar with the applications.

I want to know the EXCEPTIONS!

The major thing is to check that the system has not been modified by trojans,
viruses or hackers.
Use sfc and the file verifier, but that takes much time; we want to find
software that can check the full system,
to know what the file matter is, which files have been changed and modified.
That causes the system ownership.
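The following PowerShell script is an added example from the editor, not code from the original post or from Microsoft. It reads a Software Restriction Policy from the documented registry location (HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers: DefaultLevel, TransparentEnabled, PolicyScope, and the 0 / 131072 / 262144 level subkeys holding Paths and Hashes rules) and then simulates SRP rule precedence (hash rules first, then the most specific matching path rule, then the default level) for a few logon-critical files. To make it run anywhere, it builds two constructed policies instead of relying on the live one: the poster's described setup (default path rules deleted, default level Disallowed, enforcement on all software files including DLLs, hash rules for a handful of system binaries) and the same policy with the four default path rules restored. The function names Expand-SrpPath, Get-SrpPolicy, Test-SrpFile and New-HashRule are the editor's; PowerShell's -like operator is used as an approximation of SRP's wildcard matching; Windows PowerShell 5.1 on Windows is assumed.

```powershell
# Added example (editor's, not from the original post). Assumes Windows PowerShell 5.1
# and the SRP registry layout under HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers:
#   DefaultLevel       0 = Disallowed, 131072 = Basic User, 262144 = Unrestricted (absent = Unrestricted)
#   TransparentEnabled 1 = all software except DLLs, 2 = all software files including DLLs
#   PolicyScope        0 = all users, 1 = all users except local administrators
#   <level>\Paths\{guid}\ItemData   path rule (may embed %HKEY_LOCAL_MACHINE\key\value%)
#   <level>\Hashes\{guid}\ItemData  REG_BINARY file digest (MD5 on Server 2003, SHA-256 later)
$Safer  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$Levels = @{ 0 = 'Disallowed'; 131072 = 'BasicUser'; 262144 = 'Unrestricted' }

function Expand-SrpPath([string]$Item) {
    # Resolve a leading %HKEY_...\key\value% registry macro, then ordinary %ENV% variables.
    $m = [regex]::Match($Item, '^%(HKEY_LOCAL_MACHINE|HKEY_CURRENT_USER)\\(.+)\\([^\\%]+)%')
    if ($m.Success) {
        $hive = if ($m.Groups[1].Value -eq 'HKEY_LOCAL_MACHINE') { 'HKLM:' } else { 'HKCU:' }
        $name = $m.Groups[3].Value
        $val  = (Get-ItemProperty "$hive\$($m.Groups[2].Value)" -Name $name -ErrorAction SilentlyContinue).$name
        if ($val) { $Item = $val + $Item.Substring($m.Length) }
    }
    return [Environment]::ExpandEnvironmentVariables($Item).TrimEnd('\')
}

function Get-SrpPolicy {
    # Read the live policy from the registry; $null when no SRP is configured on this machine.
    if (-not (Test-Path $Safer)) { return $null }
    $root  = Get-ItemProperty $Safer
    $dl    = if ($null -eq $root.DefaultLevel) { 262144 } else { [int]$root.DefaultLevel }
    $rules = foreach ($lvl in $Levels.Keys) {
        foreach ($p in Get-ChildItem "$Safer\$lvl\Paths" -ErrorAction SilentlyContinue) {
            [pscustomobject]@{ Type = 'Path'; Level = $Levels[$lvl]; Match = (Get-ItemProperty $p.PSPath).ItemData }
        }
        foreach ($h in Get-ChildItem "$Safer\$lvl\Hashes" -ErrorAction SilentlyContinue) {
            $bytes = (Get-ItemProperty $h.PSPath).ItemData
            [pscustomobject]@{ Type = 'Hash'; Level = $Levels[$lvl]; Match = (($bytes | ForEach-Object { $_.ToString('x2') }) -join '') }
        }
    }
    [pscustomobject]@{
        DefaultLevel = $Levels[$dl]
        DllChecking  = ($root.TransparentEnabled -eq 2)
        AdminsExempt = ($root.PolicyScope -eq 1)
        Rules        = @($rules)
    }
}

function Test-SrpFile($Policy, [string]$File) {
    # SRP precedence: hash rule > most specific matching path rule > default level.
    if (-not $Policy.DllChecking -and $File -match '\.dll$') { return 'not checked (TransparentEnabled=1 skips DLLs)' }
    if (Test-Path $File) {
        $digests = foreach ($alg in 'MD5', 'SHA256') { (Get-FileHash $File -Algorithm $alg).Hash.ToLower() }
        $hit = $Policy.Rules | Where-Object { $_.Type -eq 'Hash' -and $digests -contains $_.Match } | Select-Object -First 1
        if ($hit) { return "$($hit.Level) (hash rule)" }
    }
    $best = $null; $bestLen = -1
    foreach ($r in ($Policy.Rules | Where-Object Type -eq 'Path')) {
        $pat = Expand-SrpPath $r.Match
        # Folder rules cover the folder and everything below it; -like approximates SRP wildcards.
        $ok  = if ($pat -match '[*?]') { $File -like $pat } else { ($File -eq $pat) -or ($File -like "$pat\*") }
        if ($ok -and $pat.Length -gt $bestLen) { $best = $r; $bestLen = $pat.Length }
    }
    if ($best) { return "$($best.Level) (path rule $($best.Match))" }
    return "$($Policy.DefaultLevel) (default level)"
}

# --- Constructed demo: the poster's setup versus the same setup with the default path rules kept ---
function New-HashRule([string]$File, [string]$Level) {
    [pscustomobject]@{ Type = 'Hash'; Level = $Level; Match = (Get-FileHash $File -Algorithm MD5).Hash.ToLower() }
}
$sys = $env:SystemRoot
$posterRules = @('explorer.exe', 'system32\winlogon.exe', 'system32\lsass.exe', 'system32\cmd.exe') |
    ForEach-Object { New-HashRule "$sys\$_" 'Unrestricted' }
$poster = [pscustomobject]@{ DefaultLevel = 'Disallowed'; DllChecking = $true; AdminsExempt = $false; Rules = @($posterRules) }

$defaultPathRules = @(
    '%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%',
    '%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%\*.exe',
    '%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%\System32\*.exe',
    '%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir%'
) | ForEach-Object { [pscustomobject]@{ Type = 'Path'; Level = 'Unrestricted'; Match = $_ } }
$stock = [pscustomobject]@{ DefaultLevel = 'Disallowed'; DllChecking = $true; AdminsExempt = $false; Rules = @($defaultPathRules) + @($posterRules) }

foreach ($f in "$sys\system32\userinit.exe", "$sys\explorer.exe", "$sys\system32\shell32.dll") {
    "{0,-40} poster: {1,-32} with defaults: {2}" -f $f, (Test-SrpFile $poster $f), (Test-SrpFile $stock $f)
}

$live = Get-SrpPolicy
if ($live) { "Live policy: default $($live.DefaultLevel), DLL checking $($live.DllChecking), admins exempt $($live.AdminsExempt), $($live.Rules.Count) rules" }
```

Run it in an elevated PowerShell and read the three result lines: under the poster's constructed policy, explorer.exe is allowed by its hash rule, but userinit.exe (which winlogon starts to run the user shell) and shell32.dll (which explorer loads) fall through to the Disallowed default, because no rule covers them; with the four default path rules present, the %SystemRoot% folder rule covers the DLL and the System32\*.exe rule covers userinit.exe. That is the check to run before pushing a Disallowed default with "all software files" enforcement: every file a logon needs must match an allow rule, and hash rules for a dozen binaries cannot cover the DLLs behind them.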


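The post's last paragraph asks for a way to find which system files have been changed without a long sfc or sigverif run. The PowerShell below is an added example from the editor, not code from the original post: it builds a SHA-256 baseline of the executable and configuration file types under a folder tree, diffs a later snapshot against it, and runs Get-AuthenticodeSignature over the changed and added files so that a modified binary that still carries a valid signature (a patch) can be told apart from one that does not. The function names and the temporary demo folder are the editor's; the demo files are constructed stand-ins, not real binaries; Windows PowerShell 5.1 is assumed.

```powershell
# Added example (editor's, not from the original post). Assumes Windows PowerShell 5.1
# (Get-FileHash, Get-AuthenticodeSignature). Function names are the editor's.
function New-IntegrityBaseline([string]$Root, [string[]]$Include = @('*.exe', '*.dll', '*.sys', '*.msc', '*.ini')) {
    # Map of full path -> SHA-256 for the file types SRP evaluates plus the .ini files the poster lists.
    $map = @{}
    Get-ChildItem -Path $Root -Recurse -File -Include $Include -ErrorAction SilentlyContinue |
        ForEach-Object { $map[$_.FullName] = (Get-FileHash $_.FullName -Algorithm SHA256).Hash }
    return $map
}

function Compare-IntegrityBaseline([hashtable]$Baseline, [hashtable]$Current) {
    # Added, removed and changed paths between two path -> hash maps.
    $added   = @($Current.Keys  | Where-Object { -not $Baseline.ContainsKey($_) })
    $removed = @($Baseline.Keys | Where-Object { -not $Current.ContainsKey($_) })
    $changed = @($Current.Keys  | Where-Object { $Baseline.ContainsKey($_) -and $Baseline[$_] -ne $Current[$_] })
    [pscustomobject]@{ Added = $added; Removed = $removed; Changed = $changed }
}

function Test-ChangedFiles([string[]]$Paths) {
    # A changed system binary that still validates is most likely an update;
    # one that reports NotSigned or HashMismatch deserves a closer look.
    foreach ($p in $Paths) {
        $sig = Get-AuthenticodeSignature -FilePath $p
        [pscustomobject]@{ Path = $p; Signature = $sig.Status; Signer = $sig.SignerCertificate.Subject }
    }
}

# --- Constructed demo in a temp folder, so it runs without touching %SystemRoot% ---
$lab = Join-Path $env:TEMP ('integrity-demo-' + [guid]::NewGuid())
New-Item -ItemType Directory -Path "$lab\system32" -Force | Out-Null
Set-Content "$lab\win.ini" 'original'
Set-Content "$lab\system32\calc.exe" 'MZ-not-really'      # constructed stand-in for a binary
$before = New-IntegrityBaseline $lab

Set-Content "$lab\system32\calc.exe" 'MZ-tampered'        # simulate a modified binary
Set-Content "$lab\system32\dropped.dll" 'MZ-new'          # simulate a newly dropped DLL
$after = New-IntegrityBaseline $lab

$diff = Compare-IntegrityBaseline $before $after
$diff | Format-List
Test-ChangedFiles ($diff.Changed + $diff.Added) | Format-Table -AutoSize
Remove-Item $lab -Recurse -Force

# Real use: take the baseline right after a clean install or patch cycle and keep it off the box,
#   $base = New-IntegrityBaseline $env:SystemRoot; $base | Export-Clixml D:\baseline.xml
# then later:
#   Compare-IntegrityBaseline (Import-Clixml D:\baseline.xml) (New-IntegrityBaseline $env:SystemRoot)
```

The demo reports calc.exe as Changed and dropped.dll as Added, and both come back NotSigned because they are text stand-ins. Two caveats for real use: the baseline must be stored where an attacker with local administrator rights cannot rewrite it (on Server 2003 this is a separate host or removable media, not a folder on the same box), and catalog-signed OS files may report NotSigned on older Windows versions, so sfc /verifyonly and sigverif remain the fallback for the files this check flags.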
