Software Restriction Policies

Software restriction policies (SRP) allow you to classify applications and restrict their use, preventing users from running unauthorized software applications. Software restriction policies use one of four methods to identify applications:

  • A hash rule, which is a cryptographic hash (or checksum) that uniquely identifies a particular file

  • A certificate rule, which identifies the digital key pair used to sign a particular piece of software

  • A path rule, which identifies software by its location on a computer’s hard drive

  • An Internet zone rule, which identifies software by the Internet domain the software is retrieved from

Software restriction policies can be configured either as part of a local computer’s policies or, for more effective centralized management, as part of a group policy applied to all domain computers and users.

Configuring Software Restriction Policy

By default, enforcement of software restriction policies is disabled. To enable enforcement, you need to modify the appropriate policy. To configure the Group Policy settings that apply to software restriction policies, you should follow this procedure. Note that this procedure uses the Default Domain Policy, but you can apply the policy anywhere in your domain.

  1. Open the Group Policy Management snap-in.

  2. Open the Default Domain Policy Group Policy Object.

  3. Navigate to the Software Restriction Policies node as shown in Figure 6-5, later on in this chapter.

  4. Right-click the Software Restriction Policies ...

Get Securing Windows Server 2003 now with the O’Reilly learning platform.

O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.