
How to make a disallowed-by-default Software Restriction Policy


Lite


  • Administrator

If you're using a Limited account on Windows XP Professional Edition, or a Standard user account on Windows Vista or Windows 7 Business/Ultimate/Enterprise Editions, consider further enhancing your security by adding a Software Restriction Policy. Setting up a Software Restriction Policy takes just a few minutes, and it can be reversed if necessary. It's a proactive defense that won't need updates or signatures to provide protection, has no noticeable performance impact, and protects your other layers of defense from sabotage.


Here's the core idea, in visual form (in this picture, "user" is the name of my Limited account).

A Limited or Standard user account is good basic protection against attacks that depend upon Administrator-level privileges to succeed. A Limited or Standard account also helps protect security software and critical system files & settings from tampering.

With the Software Restriction Policy, you take the fight to the next level. The goal of combining a non-Administrator account with Software Restriction Policy is to prevent execution of unwanted files that might do a "hit-&-run" attack designed to function even within a Limited account. To list some possibilities, an attacker might...

  • harvest email addresses from your profile for Spammers
  • encrypt your documents and hold them for ransom
  • delete your music, videos & documents, or send copies of them to the bad guys
  • steal your game CD keys to sell on the black market
  • ...or other stuff that could be accomplished by running an executable file from within a Limited account.

Software Restriction Policy can also be used to prevent uncooperative computer users from running programs from USB drives, CDs, DVDs or from within their user profile directory. Additionally, it protects the system from malware that auto-plays from infected CDs or USB drives, a tactic that appears to be spreading (example: the Fujacks family of malware).


Step 1: Create a Software Restriction Policy

Log on with an Administrator account. Type gpedit.msc into the Run or Search box on your Start menu, click OK, and Group Policy will open.

Go down to Computer Configuration > Windows Settings > Security Settings, as shown in the picture below.

Right-click on "Software Restriction Policies" and create new policies.

Step 2: Apply the Software Restriction Policy to all software, and to all users except Administrators

Double-click Enforcement and set the Enforcement. You could apply the Software Restriction Policy to all users including Administrators, but then you'd run into occasional hangups when installing/removing software.

Step 3: Remove the LNK filetype

In the right panel, double-click Designated File Types. A panel opens. Go down the list to LNK and click it, then click the Delete button. This adjustment allows you to use your desktop shortcuts and Quick Launch icons, which are mostly the LNK filetype.

Step 4: Switch on the protection!

Right-click on Disallowed in the Security Levels folder, and set it as the default security level.

Step 5: For Vista or Windows 7, and/or 64-bit versions of Windows, add some rules

Adjustment for 64-bit Windows: 64-bit versions of Windows (both Vista and XP Pro x64 Edition) have an extra Program Files directory named C:\Program Files (x86). Click on Additional Rules and make a new Path Rule that makes that directory Unrestricted, so software that's installed there is allowed to run. Scroll down for an example of how to make a Path Rule.

Adjustment for Vista: In Step 2, you made your Administrator account exempt from the Software Restriction Policy, so you can use your Administrator account to install/remove software. But with Windows Vista, even if you're logged on as an Administrator, programs (including software installers) are still launched with non-Administrator privilege levels. So your Software Restriction Policy will stop them.

Easy solution: If you want to run a file that your Software Restriction Policy is preventing, simply right-click the file and choose Run as Administrator. That was easy, wasn't it? : ) Remember that you will need to do this to run setup programs when installing stuff from a CD or DVD, too.

Source (with additional information and pictures)

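The five steps above clicked through gpedit.msc can also be scripted, which makes the policy easy to audit and to reproduce on a second machine. The following PowerShell is an added example, not part of the original post or its source, and it writes directly to the registry keys that the SRP (Safer) engine reads rather than going through the Group Policy editor. It assumes an elevated prompt on the local machine, that no domain GPO defines SRP (a domain policy would overwrite these keys on the next refresh), that the designated file type list is the XP/Vista default minus LNK (constructed here; compare it with the list your version of Windows shows in gpedit), and the rule descriptions and freshly generated rule GUIDs are ours.

```powershell
# Added example (not from the original post): the disallowed-by-default
# Software Restriction Policy from Steps 1-5, written to the registry keys the
# SRP (Safer) engine reads. Run from an elevated PowerShell prompt.
# Assumptions: local machine, no domain GPO managing SRP, XP/Vista default
# designated-type list (constructed below), our own rule descriptions.

$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$LevelDisallowed   = 0x00000   # SAFER_LEVELID_DISALLOWED
$LevelUnrestricted = 0x40000   # SAFER_LEVELID_FULLYTRUSTED (decimal 262144)

# Step 1: create the policy container (gpedit's "New Software Restriction Policies").
New-Item -Path $base -Force | Out-Null

# Step 2: enforcement. TransparentEnabled 2 = all software files, DLLs included
# (1 = all software files except libraries, use that if a program breaks because
# it loads DLLs from the user profile). PolicyScope 1 = all users except local
# administrators (0 = everyone, which causes the install/remove hangups the post
# mentions). AuthenticodeEnabled 0 = do not enforce certificate rules.
Set-ItemProperty -Path $base -Name TransparentEnabled  -Type DWord -Value 2
Set-ItemProperty -Path $base -Name PolicyScope         -Type DWord -Value 1
Set-ItemProperty -Path $base -Name AuthenticodeEnabled -Type DWord -Value 0

# Step 3: designated file types with LNK removed, so desktop and Quick Launch
# shortcuts keep working. Constructed list; check "Designated File Types" in
# gpedit.msc if your Windows version ships a different default.
$designated = 'ADE','ADP','BAS','BAT','CHM','CMD','COM','CPL','CRT','EXE','HLP',
              'HTA','INF','INS','ISP','MDB','MDE','MSC','MSI','MSP','MST','OCX',
              'PCD','PIF','REG','SCR','SHS','URL','VB','WSC'
Set-ItemProperty -Path $base -Name ExecutableTypes -Type MultiString -Value $designated

# Step 4: default security level Disallowed. Anything not matched by an
# Unrestricted rule below is refused for users in scope.
Set-ItemProperty -Path $base -Name DefaultLevel -Type DWord -Value $LevelDisallowed

# Helper: one path rule under the given level, in the shape gpedit writes
# (a GUID-named subkey holding ItemData, SaferFlags, Description, LastModified).
function Add-SrpPathRule {
    param(
        [Parameter(Mandatory=$true)][string]$Path,
        [string]$Description = '',
        [int]$Level = $LevelUnrestricted
    )
    $key = Join-Path $base ("{0}\Paths\{{{1}}}" -f $Level, [guid]::NewGuid())
    New-Item -Path $key -Force | Out-Null
    Set-ItemProperty -Path $key -Name ItemData     -Type String -Value $Path
    Set-ItemProperty -Path $key -Name SaferFlags   -Type DWord  -Value 0
    Set-ItemProperty -Path $key -Name Description  -Type String -Value $Description
    Set-ItemProperty -Path $key -Name LastModified -Type QWord  -Value ([datetime]::UtcNow.ToFileTimeUtc())
    $key
}

# The two Unrestricted rules gpedit creates automatically: the Windows directory
# and Program Files, resolved from registry values so they follow a non-default
# install location.
Add-SrpPathRule '%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%' 'Windows directory' | Out-Null
Add-SrpPathRule '%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir%' 'Program Files' | Out-Null

# Step 5: on 64-bit Windows the 32-bit Program Files directory needs its own rule.
if (${env:ProgramFiles(x86)}) {
    Add-SrpPathRule ${env:ProgramFiles(x86)} 'Program Files (x86)' | Out-Null
}

# Check: what the engine will enforce. Log off and back on afterwards so the
# policy applies to new logon sessions.
function Get-SrpSummary {
    $cfg = Get-ItemProperty -Path $base
    New-Object PSObject -Property @{
        DefaultLevel      = $cfg.DefaultLevel                      # expect 0
        PolicyScope       = $cfg.PolicyScope                       # expect 1
        LnkDesignated     = ($cfg.ExecutableTypes -contains 'LNK') # expect False
        UnrestrictedPaths = @(Get-ChildItem (Join-Path $base "$LevelUnrestricted\Paths") |
            ForEach-Object { (Get-ItemProperty $_.PSPath).ItemData })
    }
}
Get-SrpSummary | Format-List

# To reverse the whole policy (the post says it can be undone):
#   Remove-Item -Path $base -Recurse ; then log off and back on.
```

To confirm it works, log on as the Limited account, copy any harmless program into your profile (the Desktop, say) and double-click it: Windows should refuse it ("prevented by a software restriction policy" on XP, "blocked by group policy" on Vista and 7), and the Application event log gets an entry from source "Software Restriction Policies" (event ID 865 for a default-level block) naming the file. Two caveats a path-based policy carries: a path rule trusts everything under that directory, so it is only as strong as the directory's ACL; check from the Limited account that it cannot create files anywhere under the Windows or Program Files trees (on older Windows, subfolders such as %SystemRoot%\Temp and %SystemRoot%\Tasks were user-writable, and a Disallowed path rule for such a folder closes the gap). And because the Administrator account is out of scope, anything run there, installers included, is unchecked; that is the trade-off Step 2 makes for convenience.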



I must say these guides are great additions to the forums, and much needed, if for nothing more than awareness. I should be repping you on all these. Great work. :)



  • Administrator

I post them as people always say "Windows is insecure". It's only insecure if it isn't set up well.

Windows comes with lots of powerful tools by default; it's a shame not many people are aware of / want to use them.



See, yeah, completely agree. I should + rep you again. LOL. The one that always gets me is that they are sitting there with SP2 or a previous SP package, they refuse to update their system and want to run or stay settled with an older version of a web browser, and then complain about it. That really never made any sense to me, BUT unfortunately that seems to be human nature for all too many people. (Secretly you want to send them all tiaras.) :lmao:



  • Administrator

Linux is very secure as a lot of the things I've posted are enabled by default.

If Microsoft enabled these by default there would be outcry...



Yes there would, I think with the users as well; about like the change from XP to Vista. There actually would be a few that would have to change their daily routine or alter the manner in which they go about things, which may result in a little dissension even among the regular users. I think it is good though in many ways, as systems need to be configured, people need to be aware of these settings for their configuration, and the fact is that so many different uses and configurations are out there. It really is almost virtually impossible to secure a system in every way AND have it be compatible for everything from large networks to the average home user, the developer to the 8-year-old who likes to play 'Purple Place' on Windows 7, then package it for everyone and shove it out the door. I think these things should be open to configure, as they are now.

In a way, the way people learn to use a computer is usually backward. They sit down at a friend's system and use IE or something, listen to a CD, watch a movie. Then they go out and purchase a system BEFORE learning the basics and main considerations for keeping it secure, and what factors should be dynamically considered. (Big selling point though.)
