Software Restriction Policies Tools and Settings
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
In this section
Software Restriction Policies Tools
Software Restriction Policies Group Policy Settings
Related Information
Administrators can use command-line tools to refresh Group Policy settings, including software restriction policies, and to display the resulting set of policies that were enforced on the computer for a specified user at logon. To assess the policy settings that are in effect for a computer or user, administrators use the Resultant Set of Policy (RSoP) snap-in.
Software Restriction Policies Tools
The following tools are associated with Software Restriction Policies:
Gpupdate.exe
This tool is used for refreshing local and Active Directory policy settings on the computer from which you run the gpupdate command. For more information about this tool, see “Core Group Policy Tools and Settings” in this collection.
Gpresult.exe
This tool enables you to examine the Group Policy settings applied during a policy refresh. For more information about this tool, see “Core Group Policy Tools and Settings” in this collection.
Resultant Set of Policy (RSoP)
This tool polls for existing Group Policy settings and planned policy settings, and then reports the results of those queries. For more information about RSoP, see “What Is Resultant Set of Policy?” in this collection.
Software Restriction Policies Group Policy Settings
The following table lists and describes the Group Policy settings that are associated with software restriction policies.
Software Restriction Policies Security Levels and Additional Rules

Security Levels | Description
---|---
Disallowed | Does not allow the specified software to run.
Unrestricted | Allows the specified software to run on the computer with the full rights of the currently logged-on user.

Additional Rules

Additional Rules | Description
---|---
Hash Rule | A series of bytes with a fixed length that uniquely identifies a software program or file. A hash (also called a message digest) is obtained by applying a one-way mathematical function (sometimes called a hash algorithm) to an arbitrary amount of data. If the input data changes, the hash changes. The hash can be used in many operations, including authentication and digital signing. If you create a hash rule for a software program, software restriction policies calculate a hash of the program. When a user tries to open a software program, a hash of the program is compared to existing hash rules for software restriction policies. The hash of a software program is always the same, regardless of where the program is located on the computer. However, if any changes are made to the software program, its hash also changes, and it no longer matches the hash in the hash rule for software restriction policies.
Path Rule | Identifies a program according to a folder or its fully qualified path. Both URL and UNC paths are permitted. You can use the following in path rules: environment variables, wildcards (question mark “?” and asterisk “*”), and registry path rules.
Certificate Rule | Identifies software based on a signed certificate. You create a certificate rule that identifies software and then specify a security level to either allow or not allow the software to run.
Internet Zone Rule | Identifies software from a zone that is specified through Internet Explorer. The zones are Internet, Intranet, Restricted sites, Trusted sites, and My Computer. These rules apply only to Windows Installer packages (.msi files).
The following table lists the software restriction policy options.

Software Restriction Policy Options

Options | Description
---|---
Enforcement | Enforcement enables you to specify whether to turn on dynamic-link library (DLL) checking, and whether to skip administrators so that software restriction policies do not apply to local administrators. The Apply software restriction policies to the following users option includes All users except local administrators, which prevents software restriction policies from applying to local administrators. This is used when administrators want to prevent most users from running certain programs but allow local administrators to run any program.
Designated File Types | The Designated File Types dialog box lists the file types to which the software restriction policy applies. The list represents the types of files that are considered executable files. The rules you specify in a software restriction policy apply only to the file types listed in the Designated File Types list. If you want to be able to set rules on additional file types, add them to the Designated File Types list.
Trusted Publishers | The Trusted Publishers options enable you to configure settings related to ActiveX controls and other signed content. Trusted Publishers includes the following options:
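The following Python model, added here as an illustration and not part of this collection or of Windows itself, shows how the hash rules and path rules from the Additional Rules table combine with the Enforcement and Designated File Types options above. The policy, environment mapping and file contents are constructed; SHA-256 is used only for illustration, and the ordering (hash rules checked before path rules, the most specific path rule winning) follows SRP's documented behaviour rather than anything stated on this page.

```python
import fnmatch
import hashlib
import os
import re

DISALLOWED, UNRESTRICTED = "Disallowed", "Unrestricted"

# Constructed designated-file-types list (a subset of the real default list).
DESIGNATED_FILE_TYPES = {".exe", ".msi", ".bat", ".cmd", ".vbs"}

def hash_rule(data, level):
    # SHA-256 is an assumption for illustration; SRP on Server 2003 used older digests.
    return ("hash", hashlib.sha256(data).hexdigest(), level)

def path_rule(pattern, level):
    return ("path", pattern, level)

def expand_path(pattern, env):
    # Expand %VAR% references from the supplied mapping, then normalise case.
    expanded = re.sub(r"%(\w+)%", lambda m: env.get(m.group(1).upper(), m.group(0)), pattern)
    return expanded.lower()

def path_matches(pattern, path):
    # A pattern ending in a backslash names a folder and covers everything beneath it;
    # otherwise the ? and * wildcards apply, as in SRP path rules.
    if pattern.endswith("\\"):
        pattern += "*"
    return fnmatch.fnmatchcase(path, pattern)

def evaluate(path, data, rules, env, default=UNRESTRICTED, is_admin=False,
             skip_admins=False, check_dlls=True, designated=DESIGNATED_FILE_TYPES):
    """Return the security level the policy assigns to running `data` located at `path`."""
    if is_admin and skip_admins:          # "All users except local administrators"
        return UNRESTRICTED
    ext = os.path.splitext(path)[1].lower()
    if ext == ".dll":
        if not check_dlls:                # DLL checking off: libraries are never evaluated
            return UNRESTRICTED
    elif ext not in designated:           # rules apply only to designated file types
        return UNRESTRICTED
    digest = hashlib.sha256(data).hexdigest()
    for kind, ident, level in rules:      # hash rules: location-independent, checked first
        if kind == "hash" and ident == digest:
            return level
    best = None                           # path rules: the most specific match wins
    for kind, ident, level in rules:
        if kind == "path":
            pat = expand_path(ident, env)
            if path_matches(pat, path.lower()) and (best is None or len(pat) > len(best[0])):
                best = (pat, level)
    return best[1] if best else default
```

Moving a file whose contents match a hash rule to another folder does not change the outcome, while altering a single byte makes the hash rule miss and drops evaluation through to the path rules and the default level.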
For more information about software restriction policies rules and enforcement options, see “How Software Restriction Policies Work” in this collection.
Related Information
The following resources contain additional information that is relevant to this section.
“What Is Resultant Set of Policy?” in this collection.
“What Is Group Policy Management Console?” in this collection.
For more information about the command-line tools listed in this document, see “Core Group Policy Tools and Settings” in this collection.
For GPMC download information, see the Group Policy Management Console page.