Software Restriction Policies - Configurations

Discussion in 'other software & services' started by Tyrizian, May 12, 2016.

  1. Tyrizian

    Tyrizian Registered Member

    Joined:
    Apr 26, 2012
    Posts:
    2,806
    I am quite new to Software Restriction Policies and currently experimenting with it. I am curious as to what is a tight configuration, which is why I thought it would be a good idea to share our individual configurations with one another, in hopes we can all learn something new.

    Like I said, I am quite new to Software Restriction Policies and am currently experimenting, but for those who have a little more experience in SRP than I do, I would love your feedback on my configuration.

    Does it look good, or could it use a little more tightening?

    My configuration (Windows 10 Pro x64):

    Computer Configuration > Windows Settings > Security Settings > Software Restriction Policies

    Enforcement

    Select > All software files
    Select > All users except local administrators
    Select > Ignore certificate rules

    Designated File Types:

    Remove: LNK, URL
    Add: JSE, JAR, PS1, VBS, JS, SCT, VBE, WS, WSF, WSH

    Security Levels

    Disallowed - Software will not run, regardless of the access rights of the user.

    Additional Rules > New Path Rule... > Disallowed

    %UserProfile%\AppData\*.exe
    %UserProfile%\AppData\*\*.exe
    %UserProfile%\AppData\Local\Temp\Rar*\*.exe
    %UserProfile%\AppData\Local\Temp\7z*\*.exe
    %UserProfile%\AppData\Local\Temp\wz*\*.exe
    %UserProfile%\AppData\Local\Temp\*.zip\*.exe
    %UserProfile%\AppData\Local\Temp\*\*.exe
    %UserProfile%\AppData\Local\*.exe
    %UserProfile%\AppData\Local\*\*.exe
    %UserProfile%\AppData\Local\*.msi
    %UserProfile%\AppData\Local\*\*.msi

    Additional Rules

    Unrestricted by default
    %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%
    %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir%

    Additional Rules > New Path Rule > Unrestricted

    C:\Program Files (x86)\
     
  2. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    5,067
    Here is my configuration:

    Security levels: Disallowed
    Enforcement: All software files except libraries; All users; Ignore certificate rules
    Designated file types: removed LNK; added JSE, PS1, SCT, VBE, VBS, WS, WSF, WSH
    Trusted publishers: disabled
    Additional rules:

    [screenshot: additional rules]

    I also block two additional exes using ACLs (so that they don't fill up my log of blocked events):
    C:\Users\[User]\AppData\Roaming\uTorrent\updates\3.4.5_41865\utorrentie.exe
    C:\Users\[User]\AppData\Local\Google\Chrome\User Data\SwReporter\6.48.6\software_reporter_tool.exe

    I also created a custom view for SRP blocked events and configured a task. This way I get a message each time an action is blocked. More here: http://www.ghacks.net/2010/08/30/how-to-create-desktop-notifications-for-windows-events/
     
    Last edited: May 12, 2016
  3. Tyrizian

    Tyrizian Registered Member

    Joined:
    Apr 26, 2012
    Posts:
    2,806
    Interesting, I learned a few other things, thanks.

    Now, as for my question for you...

    Should I add "C:\Program Files" and "C:\Windows" as Unrestricted, considering that these default paths are already added? ...

    %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%
    %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir%

    I'm thinking not, but I figured I would ask anyways.
     
  4. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    5,067
    I've had problems with a few apps that wouldn't run with the default rules but would run with path rules. That's why I always replace the default rules with paths. You can leave the default rules if you don't have any problems.

    * I can't seem to remember which software was not running with default rules :(
     
  5. Tyrizian

    Tyrizian Registered Member

    Joined:
    Apr 26, 2012
    Posts:
    2,806
    Thank you very much @Minimalist :thumb:
     
  6. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    5,067
    You're welcome :)
     
  7. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    5,067
    For those who use the Chrome browser, there is another rule to be added to the disallowed rules:
    C:\Program Files (x86)\Google\Chrome\Application\SetupMetrics
    It seems that one of the recent updates created this folder (or changed permissions on it).
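A simplified model of how SRP resolves overlapping path rules, added here as an example for this thread and not code from either poster: it expands the variables, applies the rules posted above (Tyrizian's AppData blocks and unrestricted system paths, plus the Chrome SetupMetrics block in post 7) to a few constructed paths and reports which rule wins. Assumptions: `*` and `?` never cross a backslash, specificity is the count of literal characters, and the expansion values (C:\Users\alice and the two registry-path defaults) are constructed stand-ins.

```python
import re
from dataclasses import dataclass

# SRP security-level IDs as stored under HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers
DISALLOWED, UNRESTRICTED = 0, 0x40000

# Constructed expansion table (assumption: stand-in values, not read from a real host).
EXPANSIONS = {
    r"%UserProfile%": r"C:\Users\alice",
    r"%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%": r"C:\Windows",
    r"%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir%": r"C:\Program Files",
}

@dataclass(frozen=True)
class PathRule:
    pattern: str   # as typed into the SRP "New Path Rule" dialog
    level: int

def expand(text: str) -> str:
    for var, value in EXPANSIONS.items():
        text = re.sub(re.escape(var), lambda _m: value, text, flags=re.IGNORECASE)
    return text

def rule_regex(pattern: str):
    # Model: '*' and '?' never cross a backslash (which is why the thread lists both *.exe and *\*.exe);
    # a rule without wildcards names a folder or file and also covers everything beneath that folder.
    p = expand(pattern).rstrip("\\")
    body = "".join(r"[^\\]*" if s == "*" else r"[^\\]" if s == "?" else re.escape(s)
                   for s in re.split(r"([*?])", p))
    if not any(c in p for c in "*?"):
        body += r"(\\.*)?"
    return re.compile("^" + body + "$", re.IGNORECASE)

def specificity(pattern: str) -> int:
    # Approximation of SRP's "more specific rule wins": literal characters the path must match.
    return len(re.sub(r"[*?]", "", expand(pattern)))

def winning_rule(path: str, rules: list) -> "PathRule | None":
    matches = [r for r in rules if rule_regex(r.pattern).match(path)]
    if not matches:
        return None   # no rule matched: the policy's default level applies
    # Most specific rule first; on a tie the more restrictive (lower) level wins.
    return min(matches, key=lambda r: (-specificity(r.pattern), r.level))

def effective_level(path: str, rules: list, default: int = DISALLOWED) -> int:
    rule = winning_rule(path, rules)
    return default if rule is None else rule.level

THREAD_RULES = [   # rules taken from the posts above
    PathRule(r"%UserProfile%\AppData\*.exe", DISALLOWED),
    PathRule(r"%UserProfile%\AppData\*\*.exe", DISALLOWED),
    PathRule(r"%UserProfile%\AppData\Local\*\*.exe", DISALLOWED),
    PathRule(r"%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%", UNRESTRICTED),
    PathRule(r"%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir%", UNRESTRICTED),
    PathRule("C:\\Program Files (x86)\\", UNRESTRICTED),
    PathRule(r"C:\Program Files (x86)\Google\Chrome\Application\SetupMetrics", DISALLOWED),
]
```

Under this model the SetupMetrics block wins over the broader "C:\Program Files (x86)\" allow because it is more specific, while a file dropped in Downloads matches no rule and falls through to the Disallowed default.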
     