Software restriction policy problem in Vista

  • Question

  • I am having problems with a software restriction policy on Vista Ultimate. I have it set up as follows:

    Enforcement:
    All software files
    All users except local administrators
    Ignore certificate rules
    Designated file types:
    All default ones except .lnk
    Trusted publishers:
    None
    Security Levels:
    Disallowed by default
    Additional rules
    %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot% Path Unrestricted
    %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir% Path Unrestricted

    What I find is that it blocks things it should not. If I have Word or pdf documents on a CD or USB drive they will not open when I double click on them. If I turn on logging I get lines like:

    C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.dll as Disallowed using default rule
    C:\Program Files\Microsoft Office\Office12\wwlib.dll as Disallowed using default rule

    It all works fine if the documents are on my main C drive.

    Can anyone help me please? Is this a known bug?

    Theo
    Friday, January 25, 2008 7:13 PM

Answers

  • Hi Theo,

    I have performed a further test. If the program is installed on another drive instead of the system drive C on Windows XP, the PDF/DOC also cannot be opened with the same GPO setting. It seems the DLL files on the system drive are allowed by design. However, Windows Vista enhances security on this point. If the program is on the system drive, the application on other drives will not call the necessary DLL files automatically, which is different from Windows XP. Thus, since many applications call the needed DLLs when running, we recommend configuring the "All software files except libraries" setting to avoid this. Also, if you do not want to do this, you can copy these PDF/DOC files to the system drive as a workaround.

    Hope this helps.

    Sunday, February 3, 2008 4:08 PM
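An added triage script for the situation in this thread (example code written for this page, not Microsoft's and not the poster's). It parses SRP log lines in the format shown in the question, expands the two registry-referenced path rules the poster configured, and reports entries that the default Disallowed level blocked even though an Unrestricted path rule covers their location, then maps the result onto the enforcement setting the answer recommends. The registry value map and the log lines are constructed; the fuller log form with a leading process name and PID and a trailing Guid is assumed from SRP's own log format, and the "longest path rule wins" precedence and the `*`/`?` wildcards follow documented SRP behaviour. The `TransparentEnabled` values (1 = all software files except libraries, 2 = all software files) are the ones SRP stores under `HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers`.

```python
"""Triage an SRP (Software Restriction Policies) log: find files blocked by the
default Disallowed level even though an Unrestricted path rule covers them.
Example code added for this thread; not from Microsoft or the original poster."""
import re
from fnmatch import fnmatchcase

# SRP security levels as stored under ...\Safer\CodeIdentifiers (SAFER_LEVELID_*).
DISALLOWED = 0x00000
BASIC_USER = 0x20000
UNRESTRICTED = 0x40000

# Enforcement setting "Apply software restriction policies to the following",
# stored as the TransparentEnabled DWORD under CodeIdentifiers.
TRANSPARENT_ENABLED = {
    1: "All software files except libraries (such as DLLs)",
    2: "All software files",
}

# CONSTRUCTED stand-in for the registry: SRP path rules may reference an HKLM
# value as %HKEY_LOCAL_MACHINE\key\value%; a real tool would read these live.
REGISTRY_VALUES = {
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot": r"C:\Windows",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir": r"C:\Program Files",
}

LIBRARY_EXTENSIONS = (".dll", ".ocx")

def expand_rule_path(pattern, registry=REGISTRY_VALUES):
    """Expand %HKEY_...\value% references the way SRP does, from the registry map."""
    return re.sub(r"%(HKEY_[^%]+)%", lambda m: registry[m.group(1)], pattern)

def path_rule_matches(rule_path, file_path):
    """A folder rule covers the folder and everything beneath it; '*' and '?'
    are the wildcards SRP path rules accept. Comparison is case-insensitive."""
    rule = rule_path.rstrip("\\").lower()
    path = file_path.lower()
    if "*" in rule or "?" in rule:
        return fnmatchcase(path, rule)
    return path == rule or path.startswith(rule + "\\")

# The thread shows the trimmed form "<path> as <level> using <rule>"; the full
# line SRP writes (assumed here) also carries "<process> (PID = n) identified "
# in front and ", Guid = {...}" at the end, so both are optional.
LOG_LINE = re.compile(
    r"^(?:(?P<process>.+?) \(PID = (?P<pid>\d+)\) identified )?"
    r"(?P<path>.+?) as (?P<level>Disallowed|Basic User|Unrestricted) using (?P<rule>.+?)"
    r"(?:, Guid = \{[^}]*\})?$"
)

def parse_log_line(line):
    """Return the fields of one SRP log line, or None if it is not one."""
    m = LOG_LINE.match(line.strip())
    return m.groupdict() if m else None

def best_matching_rule(file_path, rules, registry=REGISTRY_VALUES):
    """SRP precedence among path rules: the most specific (longest) match wins."""
    best = None
    for rule in rules:
        expanded = expand_rule_path(rule["path"], registry)
        if path_rule_matches(expanded, file_path):
            if best is None or len(expanded) > len(best[1]):
                best = (rule, expanded)
    return best

def audit_log(log_text, rules, registry=REGISTRY_VALUES):
    """Entries blocked by the default level that sit under an Unrestricted path rule."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_log_line(line)
        if not entry or entry["level"] != "Disallowed" or entry["rule"] != "default rule":
            continue
        hit = best_matching_rule(entry["path"], rules, registry)
        if hit and hit[0]["level"] == UNRESTRICTED:
            findings.append({
                "path": entry["path"],
                "covered_by": hit[1],
                "is_library": entry["path"].lower().endswith(LIBRARY_EXTENSIONS),
            })
    return findings

def recommendation(findings):
    """Map the findings onto the enforcement setting the thread ends up with."""
    if findings and all(f["is_library"] for f in findings):
        return ("Only libraries under allowed paths were blocked by the default rule; "
                "TransparentEnabled=1 (" + TRANSPARENT_ENABLED[1] + ") exempts them.")
    if findings:
        return "Executables under allowed paths were blocked too; re-check the path rules and their expansion."
    return "No default-rule blocks under Unrestricted paths."

# CONSTRUCTED sample log: the two lines from the question plus two full-form lines.
SAMPLE_LOG = r"""
C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.dll as Disallowed using default rule
C:\Program Files\Microsoft Office\Office12\wwlib.dll as Disallowed using default rule
explorer.exe (PID = 1234) identified E:\tools\setup.exe as Disallowed using default rule, Guid = {00000000-0000-0000-0000-000000000000}
explorer.exe (PID = 1234) identified C:\Windows\notepad.exe as Unrestricted using path rule, Guid = {00000000-0000-0000-0000-000000000000}
"""

# The two path rules from the question, exactly as entered in the policy.
RULES = [
    {"path": r"%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%", "level": UNRESTRICTED},
    {"path": r"%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir%", "level": UNRESTRICTED},
]

if __name__ == "__main__":
    found = audit_log(SAMPLE_LOG, RULES)
    for f in found:
        print(f"{f['path']} blocked by default rule although covered by {f['covered_by']}")
    print(recommendation(found))
```

On a real machine, point `SAMPLE_LOG` at the file named by the `LogFileName` value under `CodeIdentifiers` and replace `REGISTRY_VALUES` with live reads of the two HKLM values; the E:\tools\setup.exe line is deliberately left unmatched by any rule so the script only flags blocks that contradict an Unrestricted rule, not every block.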

All replies

  • Hi Theo,

    Please change the "All software files" enforcement setting to "All software files except libraries". Then try to see if it works.

    Hope this helps.

    Thursday, January 31, 2008 10:43 AM

  • This does stop it blocking the documents, thank you. Unfortunately, this is not what I want. I want to be able to stop all unwanted software including dlls. The dlls it blocked should not be blocked as they are on an allowed path.

    Theo
    Saturday, February 2, 2008 9:54 AM
  • Hi Theo,

    Please try to set rules for all the DLL files used by the program in order to use the PDF or DOC program. Based on my test, if these programs are installed on another drive rather than C, the program cannot be run regardless of the disk partition. It seems the DLL files on the main C drive are allowed, which are needed to load Windows Vista.

    Hope this helps.

    Saturday, February 2, 2008 12:59 PM

  • The rules appear to be correctly set. All the programs and DLL files are on the C drive. If I open a PDF document on the C drive it works. If I open a PDF document on the E drive then the DLL files on the C drive, that worked before, are blocked. The same happens with Word files. Ordinary text files on the E drive open correctly in notepad. The same settings work on my XP computer at work. I only have a problem on Vista.
    Saturday, February 2, 2008 1:35 PM

  • I suppose that explains it. However, it is very inconvenient and against the spirit of the software restriction policy. I wish Microsoft would fix this.

    If the software restriction policy was easy to set up, did not have these problems and was available to home users it could be a very useful defence against malware.

    Thank you,


    Sunday, February 3, 2008 8:20 PM
  • Hi,

    Thanks for your update. I will forward your suggestion to the product team for consideration in the future.

    Monday, February 4, 2008 8:25 AM