Software Restriction Policies for Vista

Hi there,

How does one set Software Restriction Policies in Vista (Ultimate here), and are there any undesirable consequences?

Thanks.

 

Read this. It is basically the same procedure as in XP

 

Thanks. Do you run as admin and UAC? Does one have to run as 'standard user' in order to implement the SRP?

 

I run as admin. You dont need to be standard user. I havent figured out yet what the difference between admin and standard user in Vista is when you use UAC.
I have tried as standard user but to me the only difference is that I have to enter a password instead of jus OK the UAC prompt in admin mode. It is much more convinient to run admin with only the UAC prompt. But I am sure standard account is more secure (behind the scene so to speak)than admin account even with UAC, but I have gotten lazy lately

I hear that some use SuRun in Vista, I havent tried it yet my self, but if I understand it right it makes the standard account more bareable, there you predefine what software or occations you dont have to enter the password every time.

 

This is exactly what I was wondering too, and I don't want to make my life miserable, by checking continuously on things. I'll certainly try it.

 

Some interesting discussion on this at these URLs:

http://windowsvistablog.com/blogs/w...7/01/23/security-features-vs-convenience.aspx
"Security Features vs. Convenience
" ...
"GP Editor
"As I discussed above, we also wanted to allow users who wanted to be a local administrator to have that flexibility, but at the same time be safer than Windows XP. To do this, we created a mode of UAC called admin approval mode. In this mode (which is on by default for all members of the local administrators group), every user with administrator privileges runs normally as a standard user; but when an application or the system needs to do something that requires administrator permissions, the user is prompted to approve the task explicitly. Unlike the "super user on" function from UNIX that leaves the process elevated until the user explicitly turns it off, admin approval mode enables administrator privileges for just the task that was approved, automatically returning the user to standard user when the task is completed.

" [ ***** ] However, it should be noted that this functionality is primarily a convenience feature for administrators and not an explicit security boundary between processes that can be absolutely isolated. If an administrator performs multiple tasks on the same desktop, then malware may potentially be able to inject or interfere with an elevated process from a non-elevated process. Thus, the most secure configuration for Windows Vista is to run processes in two separate accounts, with only administrator tasks performed using an administrator account and all other tasks performed under the standard user account [ ***** ].

http://technet.microsoft.com/en-us/magazine/cc137811.aspx
"Security Watch The Long-Term Impact of User Account Control
" ...
"Best Practices
"How should you use UAC? Should you run as an administrator in admin approval mode? As noted several times, UAC does not prevent code injection from a lower privileged application into a more privileged application on the same desktop. [ ***** ] This means that neither running in admin approval mode nor as a standard user and elevating within session (over-the-shoulder elevation) provides effective isolation [ ***** ] . However, either solution is far better than running as an administrator under Windows XP or with UAC turned off in Windows Vista. Eventually, however, malware will probably be written to take advantage of elevated applications on the interactive desktop.

"How you decide to run, then, depends on your risk management philosophy. When you run as a standard user and use over-the-shoulder elevation to elevate an application, the elevated application has a different user environment than the regular ones. This lessens the risk of a poisoning attack, where a malicious non-elevated application poisons the user environment for an elevated one, but it does not necessarily remove the ability of a non-elevated application to control an elevated one. While a malicious application that ran weeks ago cannot easily poison an elevated application you run today, a malicious application running now may be able to control an elevated application. You need to consider the risk tradeoff of using admin approval mode or over-the-shoulder elevation in context of the ease of use it provides.

"The best option by far, in my opinion, is also the most complicated. However, for the truly paranoid or exposed, the best option is to run as a standard user and never elevate. In a sense, running as an administrator under Windows XP, once you ran malicious code it was game over. Under Windows Vista, if you run malicious code and then elevate within that session, it is likely game over. You are free to pick whichever approach works best for you and provides a level of protection you are comfortable with.

http://www.microsoft.com/windows/products/windowsvista/features/details/useraccountcontrol.mspx
"User Account Control
" ...
"In Windows Vista, standard users are prohibited from installing most programs, changing system settings, and performing other tasks that are the province of administrators. If, as a standard user, you attempt to do something that requires administrator rights, you'll either be notified that the task is prohibited or that administrative credentials are required to proceed.

"At the same time, Windows Vista extends the range of common, low-risk tasks that standard users can perform (though administrators can still choose to restrict these privileges).

"Administrator privileges are essential if you are, for instance, the owner of a PC, but they can also be a liability. Online threats such as malware (including viruses and spyware) exploit administrator permissions—and they attempt to do it in secret.

" [ ***** ] Even when you use an administrator account, User Account Control provides heightened security. By default, most programs run with the permissions of a standard user, which limits the potential damage they (or malware acting through those programs) can do. [ ***** ]