Software Restriction Policies: Which directories to open up?

When installing programs, sometime programs write to some locations other that Program files etc during installation.

Which directories should be opened up temporily during installation of new programs?

 

Absolutely right. Install as Admin and make sure your Admin account is excluded from the SRP.

 

Sorry, I deleted my post because I thought I misunderstood the OP.

 

Hmmm...currently I do install as admin, but just before installing introduce a C: allow rule. I guess temporarily excluding admins from SRP is better. Allowing a temp directory would be even better

 

No, I mean always exclude local admins from SRP. Set your SRP up as per http://mechbgon.com/srp/

 

I'm a bit scared to always exclude admins from SRP ...the tighter the SRP policy the better

 

You need to turn it on and off at will.

SrpOff bat

Code:

REG ADD HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\ /v DefaultLevel /t REG_DWORD /d 0x00040000 /f

SrpOn bat

Code:

REG ADD HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\ /v DefaultLevel /t REG_DWORD /d 0x00000000 /f

If you have to, place the two bat files in a folder and make an allow rule for the folder or create a hash rule for each bat file. Using the above allows you to keep Admins covered and the only time it's off is when you turn it off. Just don't forget to turn it back on.

 

If you're using LUA, then you shouldn't be scared imo. But if you do, why not set an "installer" directory with a random folder name, not located on system drive and make sure that it's set as a different path from your "downloads" directory. Ensure that no files of dubious nature is located there - leave all your other downloads in your "downloads" directory.

If you're on XP, then it's wise to use that as only a temporary directory, unless you are on LUA and use SuRun. If on Vista/7, then you may set it as a permanent path rule - UAC would prompt you when you try to launch a file, either in admin-approval mode (just click OK) or with credential (if you're on LUA). I think that is a better idea than to fully turn off SRP but that's my own perception of things. So far, I've never needed to turn off SRP to install any programs.

 

That is somewhat i'm attempting to do. The problem is that while installing some programs (occasionally), the program I guess extracts to a tmp directory of its own choosing and trys to run some intermediate installer from there. This iintermediate tmp file whose location I cannot control is what I'm trying to identify.

 

What are you afraid of? If you're in your admin account, the Windows and Program Files directories are wide open anyway. Anyhow, how often are you in your admin account? I think I log on to mine once every two or three months at the most. Try out SuRun, you can avoid your admin account almost entirely.

For your admin account this isn't necessary. Do yourself a favor and set it up the way Scoobs suggested. Works like a charm and you won't be searching for solutions to problems that don't exist.

 

I'm admin only to install programs/do computer management/windows update (somehow windows update has not worked with SuRun).

I like the fact that putting admin under SRP tells me exactly when the admin account is "unprotected".

 

That is a problem if you try to do Windows updates manually. I have it set for automatic updates and it works OK (you can use the SuRun settings to allow update notifications for all users and no automatic reboots).

I don't understand what you are trying to do here. The admin account is inherently unprotected, which is why you are using a limited account to begin with. The idea behind using a software restriction policy (as describe in the link Scoobs posted) is to mitigate user space malware while in your limited account. Using it in your admin account you're just locking the back door while the front door is wide open. At the same time, this restriction for admin accounts is causing the problems that led to your original post. That's why recommendations for SRP say to exclude admins.

If you install software using SuRun you should have very little need to ever log on to your admin account. The results are often better because you're installing the software in your own user environment (with apps that don't give you the option to install for all users). You can also right-click the desktop and get the control panel with admin privileges. The only thing that doesn't work right there that I'm aware of is the user accounts applet.