What Are Software Restriction Policies?

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

In this section

  • Protecting Computer System Integrity

  • Dependencies on Other Operating System Components

  • Related Information

Software restriction policies provide administrators with a Group Policy-driven mechanism to identify software and control its ability to run on the local computer. These policies can be used to protect computers running Windows XP Professional or Windows Server 2003 against known software conflicts and to safeguard them against security threats such as viruses and Trojan horse programs. You can also use software restriction policies to create a highly restricted configuration for computers, in which you allow only specifically identified applications to run. Software restriction policies are integrated with Microsoft Active Directory and Group Policy. You can also create software restriction policies on stand-alone computers.

Software restriction policies are trust policies: rules set by an administrator that prevent scripts and other code that is not fully trusted from running.

Protecting Computer System Integrity

Business users collaborate by using e-mail, instant messaging, and peer-to-peer applications. As this collaboration increases, especially as business computing moves onto the Internet, so do the threats from malicious code, such as worms and viruses, and from malicious users and attackers.

Users might receive hostile code in many forms, ranging from native Windows executable files (.exe files), to macros in documents (such as .doc files), to scripts (such as .vbs files). Malicious users or attackers often use social engineering to get users to run code containing viruses and worms. (Social engineering is the practice of tricking people into taking an action that undermines security, such as opening an attachment or revealing a password.) Once such code runs, it can launch denial-of-service attacks on the network, send sensitive or private data to the Internet, compromise the computer, or destroy the contents of the hard disk drive.

IT organizations and users must be able to determine which software is safe to run and which is not. With the large numbers and forms that hostile code can take, this becomes a difficult task.

To help protect their network computers from both hostile code and unknown or unsupported software, organizations can implement software restriction policies as part of their overall security strategy.

Group Policy-Based Software Restrictions

Administrators can use software restriction policies to define which applications are allowed or not allowed to run on a target computer. The configuration is deployed in Group Policy objects.

To help organizations address the problem of unknown code, administrators can use software restriction policies to perform the following tasks:

  • Fight computer viruses

  • Regulate which ActiveX controls can run

  • Run only digitally signed scripts

  • Enforce that only approved software is run on system computers

  • Create a highly restricted configuration for a computer (for example, stipulate that only specific programs are allowed to run)

Scenarios for Using Software Restriction Policies

Administrators can use software restriction policies for the following tasks:

  • Define what is trusted code

  • Design a flexible Group Policy for regulating scripts, executable files, and ActiveX controls

Software restriction policies are enforced by the operating system and by applications (such as scripting applications) that comply with software restriction policies.

Specifically, administrators can use software restriction policies for the following purposes:

  • Specify which software (executable files) can run on clients

  • Prevent users from running specific programs on shared computers

  • Specify who can add trusted publishers to clients

  • Set the scope of the software restriction policies (specify whether policies affect all users or a subset of users on clients)

  • Prevent executable files from running on the local computer, or across an organizational unit (OU), site, or domain. This is appropriate when the goal is to stop unwanted or unsupported software from running; software restriction policies are not by themselves a sufficient control against a malicious user who is deliberately trying to bypass them.

Advantages of Software Restriction Policies

Using software restriction policies provides the following advantages:

Administrators can enforce software restriction policies in domains or on the local computer.

The software restriction policies can be implemented in a large enterprise with various types of computers and applications, and can also be applied in a stand-alone environment for computers that are not members of a domain. Software restriction policies leverage Active Directory and Group Policy for manageability. The software restriction policies are stored in a GPO. Administrators create the software restriction policy, and then define which applications are trusted and which are not. The software restriction policy is enforced at run time and users do not receive prompts allowing them to choose whether to run executable files.

Software restriction policies apply to multiple types of files.

Software restriction policies provide control over Microsoft Visual Basic Scripting Edition (VBScript), JScript, and other scripting languages. Software restriction policies also integrate with the Windows Installer feature to provide control over the types of software packages (.msi files) that can be installed on clients. This feature includes an application programming interface (the Safer API declared in winsafer.h, with functions such as SaferIdentifyLevel and SaferComputeTokenFromLevel), which you can use to make another run time, such as a custom script host, evaluate the software restriction policy before it runs code.

Software restriction policies provide flexibility.

Administrators can prohibit unauthorized scripts from running, regulate Microsoft ActiveX controls, or lock down client computers.

Software restriction policies use strong cryptography to identify software.

Software restriction policies can identify software by using a hash or a certificate. A hash rule identifies a file by a cryptographic hash of its contents (together with the file size), so a renamed or relocated copy of the file is still recognized; a certificate rule identifies software by the publisher's Authenticode signing certificate. The other two rule types, path rules and Internet zone rules, do not use cryptography: a path rule identifies software only by where it is stored, so it is only as strong as the NTFS permissions that keep users from writing into the allowed location.

Dependencies on Other Operating System Components

Software restriction policies use the following operating system components. Active Directory and Group Policy are required only for domain-based deployment; on a stand-alone computer the policy is defined in the Local Security Policy and applies to that computer only.

Active Directory.

The Windows-based directory service, Active Directory, stores information about objects on a network and makes this information available to administrators and users. By using Active Directory, you can view and manage network objects on the network from a single location, and users can access permitted network resources by using a single logon.

Group Policy.

Group Policy is the Active Directory infrastructure that enables directory-based configuration management of user and computer settings on computers running Windows Server 2003, the Windows 2000 family, and Windows XP Professional. By using Group Policy, you can define configurations for groups of users and computers, including registry-based policy settings, software installation, scripts, folder redirection, Remote Installation Services, Microsoft Internet Explorer maintenance, and security settings.

Windows Installer.

Windows Installer is an installation and configuration service that reduces the total cost of ownership. Windows Installer is included in the Windows Server 2003 family, Windows 2000, Windows XP, and Windows Millennium Edition (Windows Me), and is available as a separate redistributable for Windows NT 4.0, Windows 98, and Windows 95. Windows Installer version 2.0 is integrated with software restriction policies in Windows XP and Windows Server 2003: it installs only packages that the policy allows to run at the unrestricted level.

Patches or transforms must also be allowed to run at the unrestricted level. If a package, patch, or transform is not configured to run fully trusted (unrestricted), the Windows Installer displays an error message and logs an entry in the application event log. Software restriction policy is evaluated the first time an application is installed, when a new patch is applied, and when the installation package is re-cached.

Msiexec.exe is the executable program that interprets packages and installs products.
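The following PowerShell script is an added example; it is not code from the original article or from Microsoft. It reads the computer's software restriction policy from the registry location that stores it (HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers), lists the hash and path rules with their security levels, and predicts the level a given file, such as a Windows Installer package, would receive: hash rules are checked first (the stored hash and the exact file size must both match), then the most specific matching path rule, then the default level. Certificate rules, which are stored in the policy-defined certificate stores rather than under CodeIdentifiers, and Internet zone rules are not modelled. The value names (DefaultLevel, TransparentEnabled, PolicyScope, ExecutableTypes, ItemData, ItemSize, HashAlg) are those used by Windows XP and Windows Server 2003 era policies; the file paths in the usage lines are placeholders.

```powershell
# Added example (not from the original article): inspect the computer's software
# restriction policy and predict the security level a file would be assigned.
# Assumes the registry layout used by Windows XP / Windows Server 2003 era policies.
$SaferRoot = 'SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

# Security level identifiers (SAFER_LEVELID_* in winsafer.h).
$LevelNames = @{ 0 = 'Disallowed'; 4096 = 'Untrusted'; 65536 = 'Basic User'
                 131072 = 'Normal User'; 262144 = 'Unrestricted' }
# Hash algorithm identifiers found in a hash rule's HashAlg value (CALG_MD5, CALG_SHA_256).
$HashAlgNames = @{ 32771 = 'MD5'; 32780 = 'SHA256' }

function Get-SrpPolicy {
    # Computer policy is under HKLM; a per-user policy, if any, is under HKCU.
    param([ValidateSet('HKLM', 'HKCU')][string]$Hive = 'HKLM')
    $base = "${Hive}:\$SaferRoot"
    if (-not (Test-Path $base)) { return $null }          # no policy defined
    $root  = Get-ItemProperty -Path $base
    $rules = foreach ($levelKey in Get-ChildItem -Path $base) {
        if ($levelKey.PSChildName -notmatch '^\d+$') { continue }   # one subkey per level
        $level = [int]$levelKey.PSChildName
        foreach ($kind in 'Paths', 'Hashes') {
            $kindPath = Join-Path $levelKey.PSPath $kind
            if (-not (Test-Path $kindPath)) { continue }
            foreach ($ruleKey in Get-ChildItem -Path $kindPath) {   # one GUID subkey per rule
                $r = Get-ItemProperty -Path $ruleKey.PSPath
                if ($kind -eq 'Paths') {
                    # Registry path rules (%HKEY_...%) are left unexpanded and never match a file path.
                    [pscustomobject]@{ Type = 'Path'; Level = $level; Size = $null; HashAlg = $null
                        Item = [Environment]::ExpandEnvironmentVariables([string]$r.ItemData)
                        Description = $r.Description }
                } else {
                    [pscustomobject]@{ Type = 'Hash'; Level = $level; Size = [int64]$r.ItemSize
                        HashAlg = [int]$r.HashAlg
                        Item = (($r.ItemData | ForEach-Object { $_.ToString('x2') }) -join '')
                        Description = $r.Description }
                }
            }
        }
    }
    [pscustomobject]@{
        DefaultLevel    = [int]$root.DefaultLevel
        DefaultName     = $LevelNames[[int]$root.DefaultLevel]
        ChecksDlls      = ([int]$root.TransparentEnabled -eq 2)    # 1 = all software except DLLs
        ExemptsAdmins   = ([int]$root.PolicyScope -eq 1)           # 1 = all users except local administrators
        ExecutableTypes = @($root.ExecutableTypes | Where-Object { $_ })
        Rules           = @($rules)
    }
}

function Test-SrpPathRule([string]$File, [string]$Rule) {
    # A path rule names a file, a folder (which covers everything beneath it), or a wildcard pattern.
    if ($Rule -match '[*?]') { return ($File -like $Rule) }
    $r = $Rule.TrimEnd('\')
    return ($File -eq $r) -or ($File -like "$r\*")
}

function Get-SrpExpectedLevel {
    param([Parameter(Mandatory)][string]$FilePath, $Policy = (Get-SrpPolicy))
    if ($null -eq $Policy) { return 'No software restriction policy is defined' }
    $full = (Resolve-Path -LiteralPath $FilePath).ProviderPath
    $ext  = [IO.Path]::GetExtension($full).TrimStart('.')
    # Only designated file types are evaluated (DLLs only when TransparentEnabled = 2).
    $designated = ($Policy.ExecutableTypes -contains $ext) -or ($ext -eq 'dll' -and $Policy.ChecksDlls)
    if (-not $designated) { return 'Not evaluated (extension is not a designated file type)' }
    $size = (Get-Item -LiteralPath $full).Length
    # 1. Hash rules take precedence; the stored hash and the exact file size must both match.
    foreach ($hr in @($Policy.Rules | Where-Object { $_.Type -eq 'Hash' -and $_.Size -eq $size })) {
        $algName = $HashAlgNames[$hr.HashAlg]
        if (-not $algName) { continue }
        $alg = [System.Security.Cryptography.HashAlgorithm]::Create($algName)
        $fs  = [IO.File]::OpenRead($full)
        try { $hex = ($alg.ComputeHash($fs) | ForEach-Object { $_.ToString('x2') }) -join '' }
        finally { $fs.Dispose() }
        if ($hex -eq $hr.Item) { return "$($LevelNames[$hr.Level]) (hash rule: $($hr.Description))" }
    }
    # 2. Path rules: the most specific (longest) matching rule wins.
    $pathHit = $Policy.Rules | Where-Object { $_.Type -eq 'Path' -and (Test-SrpPathRule $full $_.Item) } |
               Sort-Object { $_.Item.Length } -Descending | Select-Object -First 1
    if ($pathHit) { return "$($LevelNames[$pathHit.Level]) (path rule: $($pathHit.Item))" }
    # 3. Otherwise the default security level applies.
    return "$($Policy.DefaultName) (default level)"
}

function Test-SrpMsiAllowed([string]$MsiPath, $Policy = (Get-SrpPolicy)) {
    # Windows Installer installs a package only when the policy resolves it to Unrestricted.
    return (Get-SrpExpectedLevel -FilePath $MsiPath -Policy $Policy) -like 'Unrestricted*'
}

# Usage: summarize the policy, list its rules, then check two files (paths are placeholders).
$p = Get-SrpPolicy
"Default level: $($p.DefaultName); DLLs checked: $($p.ChecksDlls); admins exempt: $($p.ExemptsAdmins)"
$p.Rules | Format-Table Type, @{ n = 'Level'; e = { $LevelNames[$_.Level] } }, Item, Description -AutoSize
Get-SrpExpectedLevel 'C:\Windows\notepad.exe'
Test-SrpMsiAllowed 'C:\Temp\package.msi'
```

Run it in an elevated session on the computer whose policy you want to inspect. A result of Unrestricted for an .msi is what Windows Installer requires before it installs the package; any other result produces the error message and application event log entry described above. Two caveats follow directly from the policy settings the script reports: if the policy scope exempts local administrators, the prediction does not apply to an administrator's own session, and a file whose extension is not in the designated file types list is never evaluated at all.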

Authenticode and WinVerifyTrust.

These components process signed executable files. Microsoft Authenticode, which is based on industry standards, allows developers to include information about themselves and their code with their programs through digital signatures. The WinVerifyTrust function performs a trust verification action on a specified object, such as checking an Authenticode signature and its certificate chain; software restriction policies depend on it when evaluating certificate rules.

The following figure illustrates the interactions of software restriction policies, Active Directory, and Group Policy.

Software Restriction Policies and Related Components

Related Information

The following resource contains additional information that is relevant to this section.