software restriction policy question
-
Wednesday, February 22, 2012 11:17 PM
hi all,
we are running windows server 2008 R2 enterprise and AD is 2008 native.
in our RDS servers we want to deny users from running any file type with an exception.
something like this:
Deny all
Except:
DOC, DOCX, XLS, XLSX, PDF, on and on.
is this possible?
Thanks
Mohsen Almassud
All Replies
-
Thursday, February 23, 2012 1:45 AM (Moderator)
Hi,
We can achieve the target via Software Restriction Policies:
For details:
Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Software Restriction Policies
There is a useful article to understand Software Restriction Policies:
Using Software Restriction Policies to Protect Against Unauthorized Software
http://technet.microsoft.com/en-us/library/cc507878.aspx#EZTAE
Hope this helps!
If you are a TechNet Subscription user and have any feedback on our support quality, please send your feedback here.
Best Regards
Elytis Cheng
TechNet Community Support
- Edited by Elytis Cheng (Moderator) Thursday, February 23, 2012 2:14 AM
- Proposed As Answer by danovich_ Thursday, February 23, 2012 12:47 PM
- Marked As Answer by Elytis Cheng (Moderator) Monday, February 27, 2012 1:08 AM
-
Thursday, February 23, 2012 11:43 AM
Elytis, I'll read through this article today and see if it helps me with the file extension setup and then I'll update you with how things go.
Thanks
MJ
Mohsen Almassud
-
Thursday, February 23, 2012 7:08 PM
very good article, but it doesn't seem to have what I need.
could you please walk me through denying 1 file type and allowing another? say deny .PDF and allow .DOC. or better yet deny all file type except .DOC.
Thanks
Mohsen Almassud
- Edited by Mohsen Almassud Thursday, February 23, 2012 7:09 PM addition.
-
Friday, February 24, 2012 1:57 AM (Moderator)
Hi,
Please try to perform the following steps:
1. Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Software Restriction Policies
2. deny all file type except .DOC
>>Additional Rules -> New Path Rule -> Browse -> set the Word.exe application path -> set the Security Level to Unrestricted.
>>Additional Rules -> New Path Rule -> Browse -> set the application which you want to restrict to Disallowed Security Level.
Hope this helps!
If you are a TechNet Subscription user and have any feedback on our support quality, please send your feedback here.
Best Regards
Elytis Cheng
TechNet Community Support
- Edited by Elytis Cheng (Moderator) Friday, February 24, 2012 2:00 AM
- Marked As Answer by Mohsen Almassud Saturday, February 25, 2012 12:05 AM
-
Friday, February 24, 2012 2:41 AM
I don't think software restriction policy is the way to go for something like this and I just found out from a friend of mine that applocker should do the trick in this case, I am going to check it out tonight or tomorrow morning and then let you know how it went.
Thanks
Mohsen Almassud
-
Friday, February 24, 2012 3:23 AM (Moderator)
Hi Mohsen,
I'd like to confirm that you have tested the method I mentioned and that it was of little help. Based on my test, everything is fine.
For AppLocker, there is a related video for your reference on how to specify the application:
AppLocker
http://technet.microsoft.com/en-us/windows/dd320283
AppLocker is the next version of the Software Restriction Policies (SRP) feature. The Software Restriction Policies snap-in is included on computers running Windows 7 for compatibility purposes.
AppLocker includes the following new enhancements:
You can define rules based on attributes derived from a file's digital signature, including the publisher, product name, file name, and file version. SRP supports certificate rules, but they are less specific and more difficult to define.
Only a file that is specified in an AppLocker rule is allowed to run. After a rule is created for a rule collection, if an application is not included in a rule, the application is not allowed to run.
The user interface is accessed through a new Microsoft Management Console (MMC) snap-in extension to the Local Group Policy Editor and the Group Policy Management Console (GPMC).
AppLocker PowerShell cmdlets allow administrators to manage AppLocker rules in the PowerShell console.
An Audit only enforcement mode allows administrators to easily determine which files would be prevented from running if the policy were in effect.
For details:
What Is AppLocker?
http://technet.microsoft.com/en-us/library/dd723689(v=WS.10).aspx
Hope this helps!
If you are a TechNet Subscription user and have any feedback on our support quality, please send your feedback here.
Best Regards
Elytis Cheng
TechNet Community Support
- Edited by Elytis Cheng (Moderator) Friday, February 24, 2012 3:27 AM
- Marked As Answer by Elytis Cheng (Moderator) Monday, February 27, 2012 1:08 AM
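As an added example that is not part of this thread, the following PowerShell uses the AppLocker cmdlets and Audit only mode the reply above mentions to build a "deny everything except Word" executable policy and check what it would block before enforcing it. It assumes an elevated PowerShell session on Windows Server 2008 R2 with the AppLocker module available; the Word path is a placeholder for your own installation.

```powershell
# Added example (not from the thread). Builds an AppLocker Exe policy that
# allows only WINWORD.EXE, deploys it in Audit only mode, and reads the
# "would have been blocked" events so the policy can be tuned before enforcing.
Import-Module AppLocker

# Placeholder: adjust to the real Word binary on your RDS host.
$WordPath   = 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE'
$PolicyFile = Join-Path $env:TEMP 'applocker-audit.xml'

# AppLocker only enforces when the Application Identity service is running.
Set-Service -Name AppIDSvc -StartupType Automatic
Start-Service -Name AppIDSvc

# 1. Collect publisher and hash information for the one application to allow.
$fileInfo = Get-AppLockerFileInformation -Path $WordPath

# 2. Generate a Publisher rule (Hash as fallback if the file is unsigned).
#    A publisher rule does not depend on the file's path, so it also covers a
#    streamed (App-V) copy of the same signed binary. Once the Exe collection
#    has any rule, every executable without a matching allow rule is denied,
#    which is the "deny all, except" behaviour the original question asks for.
[xml]$xml = New-AppLockerPolicy -FileInformation $fileInfo `
    -RuleType Publisher, Hash -User Everyone -RuleNamePrefix 'RDS-Allow' -Optimize -Xml

# 3. Switch the Exe collection to AuditOnly: nothing is blocked yet, but the
#    AppLocker event log records what would have been. Do this first, because
#    a policy with no rule for Windows or Program Files would otherwise block
#    system binaries as well.
foreach ($rc in $xml.AppLockerPolicy.RuleCollection) {
    if ($rc.Type -eq 'Exe') { $rc.EnforcementMode = 'AuditOnly' }
}
$xml.Save($PolicyFile)

# 4. Dry-run a binary against the saved policy without changing anything.
Test-AppLockerPolicy -XmlPolicy $PolicyFile -Path "$env:windir\System32\notepad.exe" -User Everyone

# 5. Apply locally (-Merge keeps rules already present). For a domain GPO,
#    use -Ldap with the GPO's LDAP path instead.
Set-AppLockerPolicy -XmlPolicy $PolicyFile -Merge

# 6. After users have worked under audit for a while, list the executables
#    that would have been blocked (event ID 8003 in the EXE and DLL log).
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'; Id = 8003 } |
    Select-Object TimeCreated, Message
```

Each 8003 event names a file that needs either an allow rule (for example the App-V client binaries the original poster had to exclude) or is correctly denied; only after that list is clean should the collection be switched from AuditOnly to Enabled.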
-
Friday, February 24, 2012 11:33 AM
I am using App-V so the applications are not installed on the servers but rather streamed and they normally have different paths, so I am not sure how to perform the test you mentioned.
I'll try though today and let you know the result.
Thanks for the link to the video for the AppLocker.
Mohsen Almassud
-
Saturday, February 25, 2012 12:05 AM
Elytis,
I tried the AppLocker and it turned out to be a pain in the neck, so I went back to software restriction policy and followed your instructions, and it worked.
I just had to add some exclusions for things that are related to App-V, but that's about it.
Thanks a lot for your help.
MJ
Mohsen Almassud
-
Monday, February 27, 2012 1:07 AM (Moderator)
Hi,
Thanks for your feedback.
Best Regards
Elytis Cheng
If you are a TechNet Subscription user and have any feedback on our support quality, please send your feedback here.
TechNet Community Support