Software Restriction Policy not applying to specific users/group

    Question

  • I am having an issue with a software restriction policy not being applied for a specific user group. I have created an OU and placed a couple of computer objects in the OU. I created two users and placed them in a security group as well. These users and the security group are also in the OU mentioned. The purpose of this group policy is to restrict a certain user or user group from running anything but the defined software, which in this case is putty and iexplore. I've added a hash rule for iexplore (32- and 64-bit) and putty in the USER section of the GPO. The software restriction default policy is to not allow any users permission to run programs except the included two applications. I want to limit the restriction to only apply to these earlier defined users/SG. I have added the users/SG to the security filtering of the GPO in question and they have Read and Apply Group Policy permissions. If I run the modeling wizard it shows that the software restriction policy WILL apply to these users/SG. If I run gpresult on the systems in the OU it shows that the policy is being applied for the computer and user when logging in with one of the user accounts in question. I am at a loss as to why the user software restriction policy is not being applied even though it shows it is being applied.

    If I apply the computer settings for software restriction policy in the same GPO then the settings are applied correctly, but this is system-wide regardless of user, so that defeats the intended purpose. No other settings except the software restriction policy are set in this GPO. Only two other GPOs are applied to this OU (default domain and another custom GPO) but neither has conflicting settings. No GPOs in the domain in question have loopback enabled.

    I have exhausted all ideas I can think of to get this simple thing working as intended. I have also tried adding the computer objects in the scope->security filtering and gave them read/apply gpo permissions but this doesn't make a difference.

    As I said before, all computers/users/SG are in the OU in question.

    Any ideas?

    Tuesday, January 5, 2016 10:00 PM

All replies

  • I should also state all of the systems in question are 2012 R2 (DCs/client servers). 
    Tuesday, January 5, 2016 10:02 PM
  • Hello Edwin Hubley,

    I would advise you to use GPO Administrative Templates as follows:

    User Configuration\Administrative Templates\System
    "Run only specified Windows applications"
    Here you can configure the list of programs that the user can run by putting only the .exe file name, e.g.:
    iexplore.exe (Internet Explorer)
    putty.exe (Putty)
    calc.exe (Calculator)
    mspaint.exe (Paint)

    If the user tries to execute another program that is not on this list, he will receive this message:

    "This operation has been canceled due to restrictions in effect on this computer. Please contact your system administrator."


    This is how this policy works:

    Limits the Windows programs that users have permission to run on the computer.

    If you enable this policy setting, users can only run programs that you add to the list of allowed applications.

    If you disable this policy setting or do not configure it, users can run all applications.

    This policy setting only prevents users from running programs that are started by the File Explorer process.  It does not prevent users from running programs such as Task Manager, which are started by the system process or by other processes.  Also, if users have access to the command prompt (Cmd.exe), this policy setting does not prevent them from starting programs in the command window even though they would be prevented from doing so using File Explorer.

    Note: Non-Microsoft applications with Windows 2000 or later certification are required to comply with this policy setting.
    Note: To create a list of allowed applications, click Show.  In the Show Contents dialog box, in the Value column, type the application executable name (e.g., Winword.exe, Poledit.exe, Powerpnt.exe).


    To prevent access to other tools from which the user could execute other applications:

    User Configuration\Administrative Templates\System
    "Prevent access to the command prompt"

    User Configuration\Administrative Templates\System\Ctrl+Alt+Del Options
    "Remove Task Manager"

    Or you can add the unwanted programs to the "Don't run specified Windows applications" policy.


    I hope this information helps you to reach your goal. :D

    5ALU2 !

    Tuesday, January 5, 2016 10:30 PM
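As an added example that is not part of the reply above, here is the per-user registry form of the three Administrative Template settings it names, written and then read back with PowerShell so the resulting state can be audited. The allowlist entries are the thread's own (iexplore.exe, putty.exe); the registry locations are the ones those settings write to. Run it only in a test account: once RestrictRun is in effect, Explorer refuses to start anything not on the list, including regedit.exe and powershell.exe if they are absent.

```powershell
# Added example (not from the thread): the per-user registry values behind the
# three Administrative Template settings named above, plus a read-back so the
# result can be audited. Takes effect when Explorer next reads policy (log off/on).

$explorerPol = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$systemPol   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
$cmdPol      = 'HKCU:\Software\Policies\Microsoft\Windows\System'

function Ensure-Key([string] $Path) {
    if (-not (Test-Path -Path $Path)) { New-Item -Path $Path -Force | Out-Null }
}

function Set-RestrictRunAllowlist {
    param([Parameter(Mandatory)][string[]] $Executables)
    # "Run only specified Windows applications": RestrictRun = 1 in the Explorer
    # policy key, and a RestrictRun subkey whose values "1", "2", ... hold bare
    # file names. Explorer compares the file name only: no path, hash or signer.
    # ("Don't run specified Windows applications" is the same layout under DisallowRun.)
    Ensure-Key $explorerPol
    Set-ItemProperty -Path $explorerPol -Name RestrictRun -Type DWord -Value 1
    $listKey = Join-Path -Path $explorerPol -ChildPath 'RestrictRun'
    if (Test-Path -Path $listKey) { Remove-Item -Path $listKey -Recurse }   # replace, don't append
    New-Item -Path $listKey -Force | Out-Null
    $n = 1
    foreach ($exe in $Executables) {
        New-ItemProperty -Path $listKey -Name "$n" -PropertyType String -Value $exe | Out-Null
        $n++
    }
}

function Disable-ShellEscapes {
    # "Prevent access to the command prompt": DisableCMD = 1 also stops .bat/.cmd
    # scripts; 2 blocks the interactive prompt but lets scripts run.
    Ensure-Key $cmdPol
    Set-ItemProperty -Path $cmdPol -Name DisableCMD -Type DWord -Value 1
    # "Remove Task Manager"
    Ensure-Key $systemPol
    Set-ItemProperty -Path $systemPol -Name DisableTaskMgr -Type DWord -Value 1
}

function Get-ExplorerRestrictionState {
    # Read back what Explorer will enforce for this user.
    $listKey = Join-Path -Path $explorerPol -ChildPath 'RestrictRun'
    $allowed = @()
    if (Test-Path -Path $listKey) {
        $k = Get-Item -Path $listKey
        $allowed = @($k.GetValueNames() | ForEach-Object { $k.GetValue($_) })
    }
    [pscustomobject]@{
        RestrictRunEnabled = ((Get-ItemProperty -Path $explorerPol -ErrorAction SilentlyContinue).RestrictRun -eq 1)
        AllowedExecutables = ($allowed -join ', ')
        DisableCMD         = (Get-ItemProperty -Path $cmdPol    -ErrorAction SilentlyContinue).DisableCMD
        DisableTaskMgr     = (Get-ItemProperty -Path $systemPol -ErrorAction SilentlyContinue).DisableTaskMgr
    }
}

# The thread's own allowlist: Internet Explorer and PuTTY.
Set-RestrictRunAllowlist -Executables 'iexplore.exe', 'putty.exe'
Disable-ShellEscapes
Get-ExplorerRestrictionState | Format-List
```

The read-back matters because these are Explorer-side restrictions, as the policy text quoted above says: a process started by anything other than File Explorer is not checked, and a renamed copy of a binary passes a name-only allowlist. They reduce casual misuse; an allowlist enforced at process creation (SRP or AppLocker) is what gives a security boundary.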
  • I'd much rather know why the software restriction policy isn't working when targeting specific user(s).
    Wednesday, January 6, 2016 5:00 PM
  • > I'd much rather know why the software restriction policy isn't working
    > when targeting specific user(s).
     
    Just to make sure - the user logged off and on again? In GP results, the
    user group memberships are listed - is the affected group listed there?
     
    Thursday, January 7, 2016 2:06 PM
  • > I'd much rather know why the software restriction policy isn't working
    > when targeting specific user(s).
    >
    > Just to make sure - the user logged off and on again? In GP results, the
    > user group memberships are listed - is the affected group listed there?

    Yes, the SG is AMP_Remote_App and here is the gpresult data. The GPO is Software Restriction Remote App.

    RSOP data for PMGTEST\remote.app on POLICYTEST01 : Logging Mode
    ----------------------------------------------------------------

    OS Configuration:            Member Server
    OS Version:                  6.3.9600
    Site Name:                   Default-First-Site-Name
    Roaming Profile:             N/A
    Local Profile:               C:\Users\remote.app
    Connected over a slow link?: No


    COMPUTER SETTINGS
    ------------------
        CN=POLICYTEST01,OU=RemoteApp Restricted,DC=test,DC=pmglab,DC=local
        Last time Group Policy was applied: 1/7/2016 at 9:24:10 PM
        Group Policy was applied from:      AMPLABDC01.test.pmglab.local
        Group Policy slow link threshold:   500 kbps
        Domain Name:                        PMGTEST
        Domain Type:                        Windows 2008 or later

        Applied Group Policy Objects
        -----------------------------
            Member Server 2012 R2 Modified
            Software Restriction Remote App
            Default Domain Policy

        The following GPOs were not applied because they were filtered out
        -------------------------------------------------------------------
            Local Group Policy
                Filtering:  Not Applied (Empty)

        The computer is a part of the following security groups
        -------------------------------------------------------
            BUILTIN\Administrators
            Everyone
            BUILTIN\Users
            System Mandatory Level
            NT AUTHORITY\NETWORK
            NT AUTHORITY\Authenticated Users
            This Organization
            POLICYTEST01$
            Domain Computers
            Authentication authority asserted identity
            AMP_Remote_App


    USER SETTINGS
    --------------
        CN=remote app,OU=RemoteApp Restricted,DC=test,DC=pmglab,DC=local
        Last time Group Policy was applied: 1/7/2016 at 10:32:51 PM
        Group Policy was applied from:      AMPLABDC01.test.pmglab.local
        Group Policy slow link threshold:   500 kbps
        Domain Name:                        PMGTEST
        Domain Type:                        Windows 2008 or later

        Applied Group Policy Objects
        -----------------------------
            Member Server 2012 R2 Modified
            Software Restriction Remote App

        The following GPOs were not applied because they were filtered out
        -------------------------------------------------------------------
            Local Group Policy
                Filtering:  Not Applied (Empty)

        The user is a part of the following security groups
        ---------------------------------------------------
            Domain Users
            Everyone
            BUILTIN\Users
            BUILTIN\Administrators
            REMOTE INTERACTIVE LOGON
            NT AUTHORITY\INTERACTIVE
            NT AUTHORITY\Authenticated Users
            This Organization
            LOCAL
            Authentication authority asserted identity
            AMP_Remote_App
            High Mandatory Level

    Here are the GPO settings


    Software Restriction Remote App
    Data collected on: 1/6/2016 3:14:40 PM
    General
    Details
    Domain test.pmglab.local
    Owner PMGTEST\Domain Admins
    Created 12/17/2015 2:08:16 PM
    Modified 1/6/2016 3:14:14 PM
    User Revisions 64 (AD), 64 (SYSVOL)
    Computer Revisions 63 (AD), 63 (SYSVOL)
    Unique ID {71E30EBC-F09C-43CF-80B8-8291A619648E}
    GPO Status Enabled
    Links
    Location Enforced Link Status Path
    RemoteApp Restricted No Enabled test.pmglab.local/RemoteApp Restricted

    This list only includes links in the domain of the GPO.
    Security Filtering
    The settings in this GPO can only apply to the following groups, users, and computers:
    Name
    PMGTEST\AMP_Remote_App
    PMGTEST\remote.app
    PMGTEST\remote.app2
    Delegation
    These groups and users have the specified permission for this GPO
    Name Allowed Permissions Inherited
    NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS Read No
    NT AUTHORITY\SYSTEM Edit settings, delete, modify security No
    PMGTEST\AMP_Remote_App Read (from Security Filtering) No
    PMGTEST\Domain Admins Edit settings, delete, modify security No
    PMGTEST\Enterprise Admins Edit settings, delete, modify security No
    PMGTEST\remote.app Read (from Security Filtering) No
    PMGTEST\remote.app2 Read (from Security Filtering) No
    Computer Configuration (Enabled)
    No settings defined.
    User Configuration (Enabled)
    Policies
    Windows Settings
    Security Settings
    Software Restriction Policies
    Enforcement
    Policy Setting
    Apply Software Restriction Policies to the following All software files except libraries (such as DLLs)
    Apply Software Restriction Policies to the following users All users
    When applying Software Restriction Policies Ignore certificate rules
    Designated File Types
    File Extension File Type
    ADE ADE File
    ADP ADP File
    BAS BAS File
    BAT Windows Batch File
    CHM Compiled HTML Help file
    CMD Windows Command Script
    COM MS-DOS Application
    CPL Control panel item
    CRT Security Certificate
    EXE Application
    HLP Help file
    HTA HTML Application
    INF Setup Information
    INS INS File
    ISP ISP File
    LNK Shortcut
    MDB MDB File
    MDE MDE File
    MSC Microsoft Common Console Document
    MSI Windows Installer Package
    MSP Windows Installer Patch
    MST MST File
    OCX ActiveX control
    PCD PCD File
    PIF Shortcut to MS-DOS Program
    REG Registration Entries
    SCR Screen saver
    SHS SHS File
    URL Internet Shortcut
    VB VB File
    WSC Windows Script Component
    Trusted Publishers
    Trusted publisher management Allow all administrators and users to manage user's own Trusted Publishers
    Certificate verification None
    Software Restriction Policies/Security Levels
    Policy Setting
    Default Security Level Disallowed
    Software Restriction Policies/Additional Rules
    Hash Rules
    IEXPLORE.EXE (11.0.9600.17840); iexplore; Internet Explorer; Internet Explorer; Microsoft Corporation
    Security Level Unrestricted
    Description
    Date last modified 12/23/2015 1:39:58 AM
    IEXPLORE.EXE (11.0.9600.17840); iexplore; Internet Explorer; Internet Explorer; Microsoft Corporation
    Security Level Unrestricted
    Description
    Date last modified 12/23/2015 1:40:08 AM
    PuTTY (0.66.0.0); PuTTY; SSH, Telnet and Rlogin client; PuTTY suite; Simon Tatham
    Security Level Unrestricted
    Description
    Date last modified 12/23/2015 1:40:16 AM
    Path Rules
    %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%
    Security Level Unrestricted
    Description
    Date last modified 12/23/2015 1:36:56 AM
    Administrative Templates
    Policy definitions (ADMX files) retrieved from the local computer.
    Start Menu and Taskbar
    Policy Setting Comment
    If you enable this policy setting, the user will be prevented from opening the Taskbar Properties dialog box. If the user right-clicks the taskbar and then clicks Properties, a message appears explaining that a setting prevents the action.
        Enabled
    If you disable or do not configure this policy setting, the Power button and the Shut Down, Restart, Sleep, and Hibernate commands are available on the Start menu. The Power button on the Windows Security screen is also available.
        Enabled

    Friday, January 8, 2016 6:58 AM
  • Not sure why the SG AMP_Remote_App or amp.remote/amp.remote2 only show as having Read permissions for the user settings in the GPO, but in the GPO properties they all have Read and Apply Group Policy permissions.

    Forgot to mention I also added the two computer accounts I am testing with to the AMP_Remote_App SG after I couldn't get this working by just adding the users or user group to security filtering.

    Friday, January 8, 2016 7:03 AM
  • > Not sure why the SG AMP_Remote_App or amp.remote/amp.remote2 only shows
    > as having Read permissions for the user settings in the GPO
     
    It's "Read (From Security Filtering)" to be precise, which translates to
    "Read and Apply".
     
    Looks good so far, cannot see anything wrong. But I admit that my
    personal experience with SRP is limited - we use AppLocker instead, much
    easier to diagnose and configure.
     
    And since SRP has no real "logging" (just a bit of noise afaik in the
    application event log), I cannot really assist in further diagnosis :()
     
    Friday, January 8, 2016 12:33 PM
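The GPO report above and the remark about SRP logging in the reply just before this both bear on how to diagnose SRP. The following PowerShell is an added example, not code from the thread: it reads the effective SRP policy from HKLM and from HKCU (a User Configuration SRP lands in the logged-on user's HKCU hive, so run it in that user's session), expands registry-style path rules such as the %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot% rule listed in the report, checks which executables fall under an Unrestricted path rule, and shows the two places where SRP does record its decisions: Application-log events 865 to 868 from source SoftwareRestrictionPolicies, and the optional LogFileName advanced log. The log file location and the test executable paths are assumptions.

```powershell
# Added example (not from the thread): read the effective Software Restriction
# Policy for the machine (HKLM) and the logged-on user (HKCU), expand registry-
# style path rules, test a few executables against the Unrestricted path rules,
# and show where SRP records its decisions. Log file and test paths are assumed.

$saferRoots = @{
    Machine = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
    User    = 'HKCU:\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
}
# Rules live under a subkey named after the security level they grant.
$levelNames   = @{ 0 = 'Disallowed'; 131072 = 'Basic User'; 262144 = 'Unrestricted' }
# TransparentEnabled: 1 = all software files except libraries, 2 = all software files
$enforceNames = @{ 0 = 'Off'; 1 = 'All except DLLs'; 2 = 'All files' }

function Expand-SaferPath {
    param([string] $Rule)
    # %HKEY_LOCAL_MACHINE\<key>\<value>%<suffix> means "the data of that registry
    # value, followed by <suffix>". Ordinary %ENV% variables expand as usual.
    if ($Rule -match '^%(HKEY_LOCAL_MACHINE|HKEY_CURRENT_USER)\\(.+)\\([^\\%]+)%(.*)$') {
        $hive = if ($Matches[1] -eq 'HKEY_LOCAL_MACHINE') { 'HKLM:' } else { 'HKCU:' }
        $data = (Get-ItemProperty -Path "$hive\$($Matches[2])" -ErrorAction SilentlyContinue).($Matches[3])
        if ($data) { return "$data$($Matches[4])" }
    }
    return [Environment]::ExpandEnvironmentVariables($Rule)
}

function Get-SaferSummary {
    param([string] $Root)
    $cfg = Get-ItemProperty -Path $Root -ErrorAction SilentlyContinue
    if (-not $cfg -or $null -eq $cfg.DefaultLevel) { return $null }
    [pscustomobject]@{
        DefaultLevel    = $levelNames[[int]$cfg.DefaultLevel]
        Enforcement     = $enforceNames[[int]$cfg.TransparentEnabled]
        # PolicyScope 1 = "All users except local administrators"
        AppliesTo       = if ($cfg.PolicyScope -eq 1) { 'All users except local admins' } else { 'All users' }
        DesignatedTypes = ($cfg.ExecutableTypes -join ' ')
        AdvancedLog     = $cfg.LogFileName
    }
}

function Get-SaferRules {
    param([string] $Root)
    foreach ($levelKey in Get-ChildItem -Path $Root -ErrorAction SilentlyContinue) {
        if ($levelKey.PSChildName -notmatch '^\d+$') { continue }
        $level = $levelNames[[int]$levelKey.PSChildName]
        foreach ($kind in 'Paths', 'Hashes') {
            $kindPath = Join-Path -Path $levelKey.PSPath -ChildPath $kind
            if (-not (Test-Path -Path $kindPath)) { continue }
            foreach ($ruleKey in Get-ChildItem -Path $kindPath) {
                $p = Get-ItemProperty -Path $ruleKey.PSPath
                if ($kind -eq 'Paths') {
                    [pscustomobject]@{ Level = $level; Kind = 'Path'; Rule = $p.ItemData
                                       Expanded = Expand-SaferPath $p.ItemData }
                } else {
                    # ItemData is the file hash; HashAlg is the CALG_* id (32771 MD5, 32772 SHA-1, 32780 SHA-256)
                    $hex = ($p.ItemData | ForEach-Object { $_.ToString('x2') }) -join ''
                    [pscustomobject]@{ Level = $level; Kind = 'Hash'; Rule = $p.FriendlyName
                                       Expanded = "$hex (alg $($p.HashAlg), $($p.ItemSize) bytes)" }
                }
            }
        }
    }
}

function Test-UnrestrictedPath {
    param([string] $Path, [object[]] $Rules)
    # A path rule covers the named file or folder and everything beneath it.
    foreach ($r in @($Rules | Where-Object { $_.Kind -eq 'Path' -and $_.Level -eq 'Unrestricted' -and $_.Expanded })) {
        $prefix = $r.Expanded.TrimEnd('\')
        if ($Path.Equals($prefix, 'OrdinalIgnoreCase') -or
            $Path.StartsWith("$prefix\", 'OrdinalIgnoreCase')) { return $r.Rule }
    }
    return $null
}

function Enable-SaferAdvancedLogging {
    param([string] $LogFile = 'C:\Temp\srp.log')   # assumed location; writing HKLM needs admin rights
    # A LogFileName value on the machine key makes SRP append one line per evaluated
    # process naming the rule that decided it. Remove the value to turn it off.
    if (-not (Test-Path -Path $saferRoots.Machine)) { New-Item -Path $saferRoots.Machine -Force | Out-Null }
    Set-ItemProperty -Path $saferRoots.Machine -Name LogFileName -Type String -Value $LogFile
}

foreach ($scope in 'Machine', 'User') {
    "=== $scope SRP ($($saferRoots[$scope])) ==="
    Get-SaferSummary -Root $saferRoots[$scope] | Format-List | Out-String
    $rules = @(Get-SaferRules -Root $saferRoots[$scope])
    $rules | Format-Table Level, Kind, Rule, Expanded -AutoSize | Out-String
    # Constructed test paths: the allowed browser plus two shells that live under %SystemRoot%.
    foreach ($exe in "$env:ProgramFiles\Internet Explorer\iexplore.exe",
                     "$env:SystemRoot\System32\cmd.exe",
                     "$env:SystemRoot\System32\WindowsPowerShell\v1.0\powershell.exe") {
        $hit = Test-UnrestrictedPath -Path $exe -Rules $rules
        if ($hit) { "$exe -> Unrestricted via path rule '$hit'" }
        else      { "$exe -> no Unrestricted path rule; hash rules, then the default level, decide" }
    }
}

# Blocked starts are written to the Application log by source SoftwareRestrictionPolicies
# (865 default level, 866 path rule, 867 certificate rule, 868 hash rule).
Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'SoftwareRestrictionPolicies'; Id = 865, 866, 867, 868 } -MaxEvents 10 -ErrorAction SilentlyContinue |
    Format-Table TimeCreated, Id, Message -AutoSize
# Enable-SaferAdvancedLogging   # run elevated while reproducing a block, then inspect the log file
```

Two things in the report above are worth checking with it. The Unrestricted path rule for %SystemRoot% (normally C:\Windows) covers everything beneath it, so cmd.exe, powershell.exe, mmc.exe and the rest of System32 run regardless of the Disallowed default; only files outside that tree are held to the hash rules. And the hash rules pin IEXPLORE.EXE 11.0.9600.17840 exactly, so the next Internet Explorer update ships binaries with different hashes that fall back to Disallowed until the rules are recreated. The summary also shows that "All users" enforcement means the user's BUILTIN\Administrators membership visible in the gpresult output does not exempt them; PolicyScope 1 would.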
  • Anyone?
    Tuesday, January 12, 2016 3:16 PM
  • Hi,

    Since the hash is a unique value that is returned for a particular set of bits, each binary in your policy is going to have a different hash. This approach is particularly secure and will only allow the specific binaries in your policy to run.
    Of course, there are some drawbacks to this approach. For instance, your environment could easily have several thousand binaries. It could be difficult to author all of these rules in the software restriction policy UI, and as the number of rules gets particularly large, performance can be affected. In addition, each application update in your environment will require one or more new hash rules to be deployed in the environment. Updating such a large policy as applications are updated can be a huge burden.


    Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Wednesday, January 13, 2016 9:38 AM
    Moderator
  • > Hi,
    >
    > Since the hash is a unique value that is returned for a particular set of bits, each binary in your policy is going to have a different hash. This approach is particularly secure and will only allow the specific binaries in your policy to run.
    > Of course, there are some drawbacks to this approach. For instance, your environment could easily have several thousand binaries. It could be difficult to author all of these rules in the software restriction policy UI, and as the number of rules gets particularly large, performance can be affected. In addition, each application update in your environment will require one or more new hash rules to be deployed in the environment. Updating such a large policy as applications are updated can be a huge burden.


    Thanks, but that really doesn't help my issue here. I only want to allow IE and putty to run for the selected user(s), so I'm not trying to limit a large set of binaries. Like I stated before, the same hash rules applied to the computer object portion of the GPO work fine, but that isn't the purpose, as I want the hash rules applied to only x user(s), not computer objects. I know the hash rules themselves for these two applications work fine. It is an issue with security filtering on a user or security group not applying even though the GPO shows as being applied to these users.
    Tuesday, January 19, 2016 6:46 AM