Software Restriction Policies (AKA SAFER) were introduced in Windows XP. The use of SAFER can prevent the installation and execution of unauthorized programs.

An Administrator can deploy SAFER configurations via GPOs (Group Policy Objects), which are stored in the registry at HKEY_LOCAL_MACHINE for computer policy, and HKEY_CURRENT_USER for user policy.

The basic process is:

- Decide on the default rule, Unrestricted or Disallowed.

- Create exceptions (SAFER Rules) to the default, using one of the four rules for identifying software:

  • Hash
  • Certificate
  • Path
  • Zone

A Software Restriction Policy includes the following objects:

  • A pre-defined set of security levels.
  • A default security level.
  • A set of SAFER Rules, to define a program, or set of programs, and an associated security level.
  • Policy options.

NOTE: See How do I use Software Restriction Policies in Windows Server 2003?