Question about Software Restriction Policies

Hello everyone I was hoping someone could help me to understand how to block a program that is running as a service through GPO and Software Restriction Policies. The catch is I need it to run as the local system account. It needs to be disallowed if ran under the logged in user due to a virus/worm infection. Sorry I am not providing more info, but I don't want to be in violation of Microsoft's policy. If I am please let me know and I will edit the question.

Find more posts tagged with

Comments

DMin

I'm going to answer just because I recently finished a software restriction policies project at work, but since this topic is barely covered on the 70-291 I don't think you'll find many replies on this particular forum...

Your description is a bit vague, but you might be able to pull of what you're asking with software restriction policies. Create a test OU with some users or a test group in it, then create a GPO (linked to your test OU of course) and modify User Configuration \ Windows Settings \ Security \ Software Restriction Policies. Right-click the setting and select New Software Restriction Policy. If every system has the exact same version of the program you're restricting, create a new hash rule disallowing the program in question (you can browse to find the program when creating a hash rule). If you have multiple versions of the same program running but they all have the same name, use a path rule instead. Test it out on a few systems and if it restricts the program (you'll know because your test accounts should see a message when trying to execute the program that "access to [program name] has been disallowed") and still allows access to the local system account. If it works, link the GPO to your domain or just apply the same settings to your Default Domain Policy. If not, well, you can try to tweak the rule a bit. Software restriction policies are particularly sensitive to how a program is executed - for example you can disallow Internet Explorer but a user can still open IE by using the desktop icon or shortcuts if .LNK files are allowed. In the end, I think you might need to consider third party products to accomplish what you need, though.

helms20

DMin wrote:

In the end, I think you might need to consider third party products to accomplish what you need, though.

I agree with you, but this is a question I ran into on the 291 so was trying to figure out how to use restrictions to do it. Thank you though for the quick response.

DMin

Oh, that makes more sense then...from your post I had thought you were doing this for a job, but that explains the vagueness.

Yes, the MS answer, I think, is somewhere in my reply above. Usually the trick with software restriction policy questions on the 70-291 is knowing when to use a hash, a path, or a certificate, but you should be able to piece that together from the clues in the question.