software restriction policy question

    Question

  • hi all,

    we are running windows server 2008 R2 enterprise and AD is 2008 native.

    in our RDS servers we want to deny users from running any file type with an exception.

    something like this:

    Deny all

    Except:

    DOC, DOCX, XLS, XLSX, PDF, on and on.

    is this possible?

    Thanks


    Mohsen Almassud

    Wednesday, February 22, 2012 11:17 PM

All replies

  • Hi,


    We can achieve the target via Software Restriction Policies:


    For details:


    Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Software Restriction Policies


    There is a useful article to understand Software Restriction Policies:


    Using Software Restriction Policies to Protect Against Unauthorized Software
    http://technet.microsoft.com/en-us/library/cc507878.aspx#EZTAE

    Hope this helps!

    TechNet Subscriber Support

    If you are TechNet Subscription user and have any feedback on our support quality, please send your feedback here.


    Best Regards
    Elytis Cheng


    Elytis Cheng

    TechNet Community Support




    Thursday, February 23, 2012 1:45 AM
    Moderator
  • Elytis, I'll read through this article today and see if it helps me with the file extension setup and then I'll update you with how things go.

    Thanks

    MJ


    Mohsen Almassud

    Thursday, February 23, 2012 11:43 AM
  • Very good article, but it doesn't seem to have what I need.

    Could you please walk me through denying 1 file type and allowing another? Say deny .PDF and allow .DOC, or better yet deny all file types except .DOC.

    Thanks


    Mohsen Almassud


    Thursday, February 23, 2012 7:08 PM
  • Hi,

    Please try to perform the following steps:

    1. Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Software Restriction Policies

    2. Deny all file types except .DOC

    >>Additional Rules -> New Path Rule -> Browse -> set the Word.exe application path -> set the Security Level to Unrestricted.

    >>Additional Rules -> New Path Rule -> Browse -> set the application which you want to restrict to Disallowed Security Level.

    Hope this helps!

    TechNet Subscriber Support

    If you are TechNet Subscription user and have any feedback on our support quality, please send your feedback here.

    Best Regards

    Elytis Cheng


    Elytis Cheng

    TechNet Community Support




    Friday, February 24, 2012 1:57 AM
    Moderator
  • I don't think software restriction policy is the way to go for something like this, and I just found out from a friend of mine that AppLocker should do the trick in this case. I am going to check it out tonight or tomorrow morning and then let you know how it went.

    Thanks


    Mohsen Almassud

    Friday, February 24, 2012 2:41 AM
  • Hi Mohsen,


    I'd like to confirm that you have tested the method I mentioned and that it was of less help. Based on my test, everything is fine.


    For AppLocker, there is a related video for your reference to specify the application:


    AppLocker
    http://technet.microsoft.com/en-us/windows/dd320283


    AppLocker is the next version of the Software Restriction Policies (SRP) feature. The Software Restriction Policies snap-in is included on computers running Windows 7 for compatibility purposes.


    AppLocker includes the following new enhancements:


    You can define rules based on attributes derived from a file's digital signature, including the publisher, product name, file name, and file version. SRP supports certificate rules, but they are less specific and more difficult to define.


    Only a file that is specified in an AppLocker rule is allowed to run. After a rule is created for a rule collection, if an application is not included in a rule, the application is not allowed to run.


    The user interface is accessed through a new Microsoft Management Console (MMC) snap-in extension to the Local Group Policy Editor and the Group Policy Management Console (GPMC).


    AppLocker PowerShell cmdlets allow administrators to manage AppLocker rules in the PowerShell console.


    An Audit only enforcement mode allows administrators to easily determine which files would be prevented from running if the policy were in effect.


    For details:


    What Is AppLocker?
    http://technet.microsoft.com/en-us/library/dd723689(v=WS.10).aspx


    Hope this helps!

    TechNet Subscriber Support

    If you are TechNet Subscription user and have any feedback on our support quality, please send your feedback here.

    Best Regards
    Elytis Cheng




    Elytis Cheng

    TechNet Community Support


    Friday, February 24, 2012 3:23 AM
    Moderator
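    An added example (not from the thread or from Microsoft's documentation) of the AppLocker cmdlet workflow the reply above refers to: collect file information for the one application that should run, generate allow rules for it (once an Exe rule collection contains any rule, AppLocker denies every executable not covered, which is the "deny all except" behaviour asked for), deploy in audit-only mode, and dry-run the policy against sample files. The Office directory is an assumed path; the Application Identity service (AppIDSvc) must be running for AppLocker to enforce.

```powershell
# Added example (not from the thread): AppLocker "allow Word, deny everything else"
# executable policy, deployed in audit-only mode, then dry-run before enforcement.
# Assumed path: Office 2010 under $env:ProgramFiles; adjust to the real install or
# App-V package location.

Import-Module AppLocker

$wordDir   = Join-Path $env:ProgramFiles 'Microsoft Office\Office14'   # assumed
$policyXml = Join-Path $env:TEMP 'AppLocker-WordOnly.xml'

# 1. Gather publisher/hash/path information for every executable of the allowed app.
$fileInfo = Get-AppLockerFileInformation -Directory $wordDir -Recurse -FileType Exe

# 2. Generate allow rules for Everyone. Publisher rules are preferred: they match the
#    signed binary wherever it is loaded from, so they survive App-V's differing paths.
#    Unsigned files fall back to hash rules. No explicit deny rule is needed: with an
#    Exe rule collection in place, anything not allowed is denied.
$fileInfo |
    New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone -Optimize -Xml |
    Out-File -FilePath $policyXml -Encoding utf8

# 3. Set the Exe collection to AuditOnly so would-be blocks are only logged
#    (Applications and Services Logs > Microsoft > Windows > AppLocker, event 8003)
#    and legitimate apps the rules missed can be found before enforcing.
[xml]$doc = Get-Content $policyXml
foreach ($rc in $doc.AppLockerPolicy.RuleCollection) {
    if ($rc.Type -eq 'Exe') { $rc.EnforcementMode = 'AuditOnly' }
}
$doc.Save($policyXml)

# 4. Apply to the local policy, merging with existing rules (use -Ldap with a GPO
#    path instead to publish the rules through Group Policy).
Set-AppLockerPolicy -XmlPolicy $policyXml -Merge

# 5. Evaluate the policy against files without running them: each result shows the
#    decision (Allowed/Denied) and the rule that matched, if any.
Test-AppLockerPolicy -XmlPolicy $policyXml -User Everyone `
    -Path (Join-Path $wordDir 'WINWORD.EXE'), "$env:SystemRoot\System32\calc.exe" |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize
```

    Once the audit log shows only expected denials, change EnforcementMode to Enabled and re-apply; Test-AppLockerPolicy also accepts an event log export so the same check can be run over the audited attempts.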
  • I am using App-V so the applications are not installed on the servers but rather streamed and they normally have different paths, so I am not sure how to perform the test you mentioned.

    I'll try though today and let you know the result.

    Thanks for the link to the video for the AppLocker.


    Mohsen Almassud

    Friday, February 24, 2012 11:33 AM
  • Elytis,

    I tried the AppLocker and it turned out to be a pain in the neck, so I went back to software restriction policy and followed your instructions, and it worked.

    I just had to add some exclusions for things that are related to App-V, but that's about it.

    Thanks a lot for your help.

    MJ


    Mohsen Almassud

    Saturday, February 25, 2012 12:05 AM
  • Hi,

    Thanks for your feedback.

    Best Regards

    Elytis Cheng

    TechNet Subscriber Support

    If you are TechNet Subscription user and have any feedback on our support quality, please send your feedback here.


    Elytis Cheng

    TechNet Community Support

    Monday, February 27, 2012 1:07 AM
    Moderator