  • GPO Software Restrictions

    We're running a Terminal Server farm in a Windows 2003 Domain, and I found a problem with the Software Restrictions GPO settings that are being applied to our TS servers. Here are the details of our configuration and the problem:
    All of our servers (Domain Controllers and Terminal Servers) are running Windows Server 2003 SP2 and both the domain and forest are at Windows 2003 level. Our TS servers are in an OU where we have specific GPOs linked and have inheritance blocked, so only the TS-specific GPOs are applied to these TS servers. Our users are all remote and do not have workstations joined to our domain, so we don't use loopback policy processing. We take a "whitelist" approach to allowing users to run applications, so only applications that we approve and add as path or hash rules are able to run. We have the Security Level in Software Restrictions set to Disallowed and Enforcement is set to "All software files except libraries".
    What I've found is that if I give a user a shortcut to an application, they're able to launch the application even if it's not in the Additional Rules list of "whitelisted" applications. If I give a user a copy of the main executable for the application and they attempt to launch it, they get the expected "this program has been restricted..." message. It appears that the Software Restrictions are indeed working, except for when the user launches an application using a shortcut as opposed to launching the application from the main executable itself, which seems to contradict the purpose of using Software Restrictions.
    My questions are: Has anyone else seen this behavior? Can anyone else reproduce this behavior? Am I missing something in my understanding of Software Restrictions? Is it likely that I have something misconfigured in Software Restrictions?
    Last edited by joeqwerty; 14th February 2010, 15:31.

  • #2
    Re: GPO Software Restrictions

    Well, the answer is simple. Please review the following guide from MS:

    http://technet.microsoft.com/en-us/l...41(WS.10).aspx

    http://technet.microsoft.com/en-us/l.../bb457006.aspx

    A nice and short guide to create a more useful GPO can be found in:

    http://www.mechbgon.com/srp/
    Best Regards,

    Yuval Sinay

    LinkedIn: https://www.linkedin.com/in/yuval14, Blog: http://blogs.microsoft.co.il/blogs/yuval14



    • #3
      Re: GPO Software Restrictions

      Originally posted by yuval14
      Well, the answer is simple. Please review the following guide from MS:

      http://technet.microsoft.com/en-us/l...41(WS.10).aspx

      http://technet.microsoft.com/en-us/l.../bb457006.aspx

      A nice and short guide to create a more useful GPO can be found in:

      http://www.mechbgon.com/srp/
      While I appreciate your help, those links (which I've read before) don't explain why I'm seeing the behavior that I described in my OP. Can you elaborate? Thanks.



      • #4
        Re: GPO Software Restrictions

        The same kind of issue is written about here:
        http://forums.petri.com/showthread.php?t=7303

        Not sure if it would help since the TS never returned...
        Marcel
        Technical Consultant
        Netherlands
        http://www.phetios.com
        http://blog.nessus.nl

        MCITP(EA, SA), MCSA/E 2003:Security, CCNA, SNAF, DCUCI, CCSA/E/E+ (R60), VCP4/5, NCDA, NCIE - SAN, NCIE - BR, EMCPE
        "No matter how secure, there is always the human factor."

        "Enjoy life today, tomorrow may never come."
        "If you're going through hell, keep going. ~Winston Churchill"



        • #5
          Re: GPO Software Restrictions

          The articles (which I've read before) don't give me a clue as to why I'm seeing the behavior. This excerpt from one of the articles makes me believe that the shortcuts should not be working, as they're in the Designated File Types list, but they are working. We have no wild cards set up, the Security Level is set to Disallowed, Enforcement is set to All software files except libraries.


          Path Rule

          A path rule can specify a folder or fully qualified path to a program. When a path rule specifies a folder, it matches any program contained in that folder and any programs contained in subfolders. Software restriction policies support local and Uniform Naming Convention (UNC) paths.
          The administrator must define all directories for launching a specific application in the path rule. For example, if the administrator creates a shortcut on the desktop to launch an application, then in the path rule, the administrator must also grant the user Read access rights to both the executable file and the shortcut paths to run the application. If all the path information necessary for launching the application in the path rule is not defined, it can trigger the Software Restricted warning when the user attempts to run the application.
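          An added audit script, not code from this thread or from Microsoft, that reads the local SRP configuration described in the original post (Disallowed default, "All software files except libraries") and reports which path rule, if any, covers a given shortcut and the executable it resolves to, since the excerpt above says both must be allowed. It assumes the policy was set under Computer Configuration (HKLM), an elevated session on the TS host, and a placeholder shortcut path that you replace.

```powershell
# Added example, not code from the thread. Audits the SRP settings the original post
# describes (Disallowed default, "all except libraries" enforcement) on the local TS
# host and reports which path rule, if any, covers a shortcut and the executable it
# points to. Assumes an elevated session; $Shortcut is a placeholder you supply.
param([string]$Shortcut = 'C:\Users\Public\Desktop\MyApp.lnk')   # placeholder path

# Computer Configuration policy lives under HKLM; use HKCU: for a User Configuration SRP.
$base   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$levels = @{ 0 = 'Disallowed'; 131072 = 'Basic User'; 262144 = 'Unrestricted' }
$modes  = @{ 0 = 'Off'; 1 = 'All software files except libraries'; 2 = 'All software files' }
$hives  = @{ HKEY_LOCAL_MACHINE = 'HKLM:'; HKEY_CURRENT_USER = 'HKCU:' }

$ci = Get-ItemProperty -Path $base -ErrorAction Stop
'Security level : {0}' -f $levels[[int]$ci.DefaultLevel]
'Enforcement    : {0}' -f $modes[[int]$ci.TransparentEnabled]
'LNK designated : {0}' -f ($ci.ExecutableTypes -contains 'LNK')   # .lnk is only checked if listed

# Expand %HKEY_...\Value% registry-path rules (the default rules) and %ENV% variables.
function Resolve-SrpPath([string]$p) {
    if ($p -match '^%(HKEY_LOCAL_MACHINE|HKEY_CURRENT_USER)\\(.+)\\([^\\]+)%(.*)$') {
        $hive = $hives[$Matches[1]]
        $p = (Get-ItemProperty "$hive\$($Matches[2])").($Matches[3]) + $Matches[4]
    }
    [Environment]::ExpandEnvironmentVariables($p)
}

# Every path rule lives under <level>\Paths\<guid> with the pattern in ItemData.
$rules = foreach ($lvl in $levels.Keys) {
    $k = Join-Path $base "$lvl\Paths"
    if (Test-Path $k) {
        Get-ChildItem $k | ForEach-Object {
            $r = Get-ItemProperty $_.PSPath
            [pscustomobject]@{ Level = $levels[$lvl]; Path = (Resolve-SrpPath $r.ItemData); Raw = $r.ItemData }
        }
    }
}

# A path rule matches the file itself or anything below a folder rule; the most specific
# (longest) match wins. Hash rules, which outrank path rules, are not evaluated here.
function Get-SrpVerdict([string]$file) {
    $hits = $rules | Where-Object { $file -like $_.Path -or $file -like ($_.Path.TrimEnd('\') + '\*') } |
            Sort-Object { $_.Path.Length } -Descending
    if ($hits) { '{0} (rule: {1})' -f $hits[0].Level, $hits[0].Raw }
    else       { '{0} (no rule, default level)' -f $levels[[int]$ci.DefaultLevel] }
}

$target = (New-Object -ComObject WScript.Shell).CreateShortcut($Shortcut).TargetPath
'Shortcut {0}: {1}' -f $Shortcut, (Get-SrpVerdict $Shortcut)
'Target   {0}: {1}' -f $target,   (Get-SrpVerdict $target)
```

If the shortcut path reports Unrestricted while the target reports Disallowed (or the reverse), one of the two paths the excerpt requires is missing from the rules; if both report Disallowed and the shortcut still launches, compare against the user-scope key and the hash rules before concluding the policy is being bypassed.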
