Question about Software Restriction Policies

helms20 Member Posts: 60
Hello everyone, I was hoping someone could help me to understand how to block a program that is running as a service through GPO and Software Restriction Policies. The catch is I need it to run as the local system account. It needs to be disallowed if run under the logged-in user due to a virus/worm infection. Sorry I am not providing more info, but I don't want to be in violation of Microsoft's policy. If I am, please let me know and I will edit the question.
"Our arrows will blot out the sun."
"Then we will fight in the shade."

Comments

  • DMin Member Posts: 18
    I'm going to answer just because I recently finished a software restriction policies project at work, but since this topic is barely covered on the 70-291 I don't think you'll find many replies on this particular forum...

    Your description is a bit vague, but you might be able to pull off what you're asking with software restriction policies. Create a test OU with some users or a test group in it, then create a GPO (linked to your test OU, of course) and modify User Configuration \ Windows Settings \ Security \ Software Restriction Policies. Right-click the setting and select New Software Restriction Policy. If every system has the exact same version of the program you're restricting, create a new hash rule disallowing the program in question (you can browse to find the program when creating a hash rule). If you have multiple versions of the same program running but they all have the same name, use a path rule instead. Test it out on a few systems and see if it restricts the program (you'll know because your test accounts should see a message when trying to execute the program that "access to [program name] has been disallowed") while still allowing access to the local system account. If it works, link the GPO to your domain or just apply the same settings to your Default Domain Policy. If not, well, you can try to tweak the rule a bit. Software restriction policies are particularly sensitive to how a program is executed - for example, you can disallow Internet Explorer, but a user can still open IE by using the desktop icon or shortcuts if .LNK files are allowed. In the end, I think you might need to consider third party products to accomplish what you need, though.
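    An example added here, not code from the thread: a PowerShell audit that lists the SRP rules Group Policy has written to a machine, split into Computer Configuration (HKLM, every logon on the box) and User Configuration (HKCU, only that user's own session), which is exactly the scope distinction the approach above relies on. The registry layout under CodeIdentifiers is assumed from SRP's documented structure, not taken from the thread.

```powershell
# Added example (not from the thread): list Software Restriction Policy rules by scope.
# Assumption: SRP rules live under ...\Safer\CodeIdentifiers in one subkey per
# security level (0 = Disallowed, 131072 = Basic User, 262144 = Unrestricted), with
# Paths\{GUID} and Hashes\{GUID} entries whose ItemData holds the path or file hash.

$LevelNames = @{ '0' = 'Disallowed'; '131072' = 'Basic User'; '262144' = 'Unrestricted' }

function Get-SrpRule {
    param([Parameter(Mandatory)][ValidateSet('Computer', 'User')][string]$Scope)

    # Computer Configuration lands in HKLM (applies to all logons on the machine);
    # User Configuration lands in HKCU (applies only to that user's own session).
    $hive = if ($Scope -eq 'Computer') { 'HKLM:' } else { 'HKCU:' }
    $root = "$hive\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers"
    if (-not (Test-Path $root)) { Write-Verbose "No SRP policy in $Scope scope"; return }

    # Policy-wide settings: default level, enforcement mode, and whether admins are exempt.
    $policy = Get-ItemProperty $root
    $summary = '[{0}] DefaultLevel={1} TransparentEnabled={2} PolicyScope={3}'
    Write-Host ($summary -f $Scope, $LevelNames["$($policy.DefaultLevel)"], $policy.TransparentEnabled, $policy.PolicyScope)

    foreach ($levelKey in Get-ChildItem $root) {
        $level = $LevelNames[$levelKey.PSChildName]
        if (-not $level) { continue }            # skip subkeys that are not security levels
        foreach ($ruleType in 'Paths', 'Hashes') {
            $typePath = "$($levelKey.PSPath)\$ruleType"
            if (-not (Test-Path $typePath)) { continue }
            foreach ($rule in Get-ChildItem $typePath) {
                $p = Get-ItemProperty $rule.PSPath
                # Hash rules store the digest as REG_BINARY; render it as hex for reading.
                $data = if ($ruleType -eq 'Hashes') { ($p.ItemData | ForEach-Object { '{0:x2}' -f $_ }) -join '' } else { $p.ItemData }
                [pscustomobject]@{
                    Scope       = $Scope
                    Level       = $level
                    RuleType    = $ruleType.TrimEnd('s')
                    Rule        = $data
                    Description = $p.Description
                    Id          = $rule.PSChildName
                }
            }
        }
    }
}

# Run on a test machine after gpupdate: a rule that only shows up under User scope
# is the kind that restricts the logged-in user without touching a service running as SYSTEM.
Get-SrpRule -Scope Computer | Format-Table -AutoSize
Get-SrpRule -Scope User | Format-Table -AutoSize
```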
  • helms20 Member Posts: 60
    DMin wrote:
    In the end, I think you might need to consider third party products to accomplish what you need, though.

    I agree with you, but this is a question I ran into on the 291 so was trying to figure out how to use restrictions to do it. Thank you though for the quick response.
    "Our arrows will blot out the sun."
    "Then we will fight in the shade."
  • DMin Member Posts: 18
    Oh, that makes more sense then... from your post I had thought you were doing this for a job, but that explains the vagueness. :D

    Yes, the MS answer, I think, is somewhere in my reply above. Usually the trick with software restriction policy questions on the 70-291 is knowing when to use a hash, a path, or a certificate, but you should be able to piece that together from the clues in the question.