Exploring Windows 2003 Security: SID Filtering and Software Restriction Policies Page 2

Software Restrictions Policies

In response to increased threats from various types of software typically introduced via e-mail or Internet browsing, Microsoft implemented an additional set of group policy settings known collectively as Software Restriction Policies.

Although this article describes their functionality, it is possible to include them as part of your Windows 2000 group policy management, as long as you launch a Group Policy Object Editor from a Windows XP workstation (or a Windows 2003 server).

Since Software Restriction Policies are configured on per-computer or per-user basis, their respective nodes are located in both the Computer and User Configuration node in the Group Policy Object Editor MMC snap-in. In both cases, the Software Restriction Policies folder is located under Windows Settings -> Security Settings node. Initially, the folder is empty, but once a new set of Software Restriction Policies is created (from the context-sensitive or Action menu), two subfolders — Security Levels and Additional Rules — are automatically created with it.

The Security Level, which is set to Unrestricted or Disallowed, determines the default software restrictions behavior. If Unrestricted is selected, all software is allowed to run (still being a subject to standard permissions); while the Disallowed setting prevents users from running any software. The exceptions to the default behavior are defined using settings within the Additional Rules folder.

Additional Rules contains settings for rules matched against software that users might attempt executing on the computers or users within the scope of the group policy. If the Security Level is set to Unrestricted, programs matching criteria defined by the rules will not be allowed to run. On the other hand, if the Disallowed Security Level has been selected, users are restricted to running programs that satisfy settings in Additional Rules.

The four definable types of rules are:

1. Hash Rule is used to identify a file (typically an executable) based on its hash. Hash is a sequence of characters (of fixed length) likely to be unique for every file. This rule is especially effective when preventing users from running specific applications.
2. Certificate Rule is used to identify software based on a certificate (implying software programs are digitally signed). Defining such rules requires access to a file containing the same certificate used to sign the relevant software program. By default, certificate rules will not function without additional configuration. Therefore, for the certificate rule to take effect, you must also enable System settings: Use Certificate Rules on Windows Executables for Software Restriction Policies under Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options. Keep in mind that the scope of the Software Group Policies should overlap with the scope of the Group Policy Object containing this setting.
3. Path Rule contains a file system or registry path (specified directly or via environment variables, such as %userprofile%, %windir%, %appdata%, %programfiles%, or %temp%), where software program is located.
4. Internet Zone Rule applies only to the Windows Installer packages and takes into consideration Internet zones (local computer, local intranet, trusted sites, restricted sites, and Internet) from which the installation of such package is attempted.

For each type of rule, you can specify security level, which means you can have multiple rules with varying security levels. In case of a conflict between different types of rules, the most specific ones will take precedence (Hash, Certificate, Path, and Internet Zone — from the highest to the lowest). If there are conflicts within the same type of rule, the one with the more specific setting will take effect. Finally, if two rules have identical settings, the most restrictive will prevail.

In addition to options described above, there are also three settings located directly in the Software Restriction Policies folder:

1. Enforcement setting determines whether the defined rules apply to each individual file or whether library files (such as DLLs) are excluded. The second option, which is the default, is the more sensible one, since it does not force you to investigate every single file involved in the applications’ execution. In addition, another set of options grouped under the Enforcement setting allows the exclusion of local administrators from software restrictions imposed by the policy.
2. Designated File Types setting allows the specification of file extensions that will be considered as executable by the Software Restriction policies.
3. Trusted Publishers setting includes options for managing certificates (used when defining Certificate Rules). You can limit rights to modify list of trusted publishers to local or enterprise administrators. In addition, you can specify the properties to be verified when checking for revoked certificates (Publisher and Timestamp are the only options).