A. Windows Server 2003 introduced Software Restriction policies. A number of software-restriction options are available, such as blocking files based on their hash value (which means renaming a file won't allow it to be run), and restricting based on code-signing levels.
- Start the GPMC, and open a GPO to edit.
- Right-click Software Restrictions, and select New Software Restriction Policies.
- Two nodes will appear under Software Restriction Policies: Security Levels and Additional Rules. Select Security Levels.
- Under Security Levels, three levels are displayed: Disallowed is for default blocking of all software, Basic User is for software that can run but will run without administrator credentials, and Unrestricted allows all software to run. If you right-click any option but Unrestricted, the option to “Set as default” appears, forcing the policy to that mode (Unrestricted is already the default). If you leave Unrestricted as the default, you can then add entries to Disallowed to block certain applications/source. Alternatively, you can set Disallowed as the default, then add exceptions to Basic User/Unrestricted that can run. This is a lot of work but is necessary for a very controlled environment.
- We want to add a disallowed rule, so select Additional Rules.
- Right-click Additional Rules, and the various types of rules appear (i.e., hash, certificate, Network Zone, and Path). Select New Path Rule.
- Enter the path name or filename, and enter a description. You can browse if the path is locally available. Click OK. You can use environment variables as part of path rules. For example, instead of using C:\Program Files, I can use %ProgramFiles%, %ProgramFiles(x86)% (for 64-bit platforms), and %windir%. You can also use a wildcard (*) as part of the path. I could enter %windir%\notepad.exe.
- Click OK, and close the GPO Editor.
After the client refreshes, Group Policy disallows the specified application or any application in the specified path. In my case, I can't run Notepad.