Windows XP: Restricted access

Hardly a day goes by without someone receiving the binary equivalent of a landmine in their e-mail, and idly clicking on it to see what happens. System administrators can't hold everyone's hand all the time, but Software Restriction Policies (SRPs) may help by limiting the code that a user can execute.

They're useful as a first line of defence against viruses and malware, and can also prevent users from running software that only administrators should execute, without having to restrict each program individually. However, SRPs can't control code that executes within allowed programs, such as Office macros, nor will they restrict applications that are run by the System, Network Service and Local Service accounts, including hardware drivers and kernel-mode software.

To add an SRP, go to Control Panel, double-click Administrative Tools then the Local Security Policy icon. You'll find the Software Restriction Policies option in the left-hand pane, with branches leading to Security Levels and Additional Rules for policies in effect. Unrestricted is the lowest security level, which allows everything to run bar your exceptions, while Disallowed is the exact opposite. Using the latter as the default security level could have some unintended consequences, so be careful if you decide to follow that route.

The Unrestricted rule is best for stopping certain problematic programs from running. Disallowed is appropriate for a blanket ban on everything apart from certain known applications. On top of this, the Additional Rules let you set the exceptions to the general policy, identifying the software that can or cannot run. There are four different rules, in order of precedence:

Hash rule

A hash is a fixed-length string of characters, unique to the executable being used. When you try to run the executable, SRP checks whether the hash string matches or not. Depending on the outcome of the matching and your logic, the program then will either run or not.

For example, your default security level is Unrestricted and you decide that the ftrace.exe program is evil. Click on Additional Rules, and select New Hash Rule... from the Action menu to bring up the hash rule dialogue. Click on Browse..., find the ftrace.exe file, select it to let Windows XP compute the hash, then pick Disallowed from the Security level listbox and click OK (see here).

Now when you try to run the program, SRP checks the hash and finds that it isn't allowed to execute, even if the executable is renamed or moved. However, if the file is tampered with, the hash will change and the rule no longer applies.

Certificate rule

This rule applies to scripts and Windows installer packages (MSI), but not to executables with .exe and .dll extensions. For instance, administrators can decide that only scripts which carry approved digital certificates will run. A certificate rule is created similarly to hash rules using the Action menu. You'll need the certificates themselves, of course.

Path rule

The Path rule can be very useful, for you can decide that executables cannot run in certain folders - perhaps you don't want people to execute things in My Documents or mail folders. Be careful how you use this: don't be tempted to apply it to system folders, for example.

Internet Zone rule

The Internet Zone rule covers Windows installer packages (MSI) only, and can be confusing. It can identify software from the five different Internet Explorer zones: Local Computer, Intranet, Internet, Restricted Sites and Trusted Sites. It doesn't apply to software downloaded in Internet Explorer, so its usefulness is mainly limited to software distribution.

On the top level of the SRP branch, you'll also find the Enforcement, Designated File Types and Trusted Publishers objects. Tread carefully here. For the Enforcement object, make sure the software restriction policies apply to all software files except libraries, otherwise Windows will go through every DLL that a single executable can call, bogging down your system completely. If the default security level is Disallowed you'd have to go through every library file that the program calls and allow it to run as well.

The Designated File Types object is handy for adding specific files to the policy. These needn't be executables, either. You could just as easily restrict TXT files if you wanted to.

The Trusted Publishers object doesn't allow you to add and remove trusted software publishers. It only decides if normal users of the computer can decide which software publishers to trust, or if the decision should be with computer administrators only. You can also tell the Trusted Publishers to do revocation checks on the certificate publisher and its time-stamp.

Update

Finally, to update the policies affecting the computer, open a CMD box and type gpupdate to refresh them. That program has several options, the descriptions of which you can view with the usual /? switch, but you don't need them normally.

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Juha Saarinen

PC World
Show Comments

Brand Post

PC World Evaluation Team Review - MSI GT75 TITAN

"I need power and lots of it. As a Front End Web developer anything less just won’t cut it which is why the MSI GT75 is an outstanding laptop for me. It’s a sleek and futuristic looking, high quality, beast that has a touch of sci-fi flare about it."

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Luke Hill

MSI GT75 TITAN

I need power and lots of it. As a Front End Web developer anything less just won’t cut it which is why the MSI GT75 is an outstanding laptop for me. It’s a sleek and futuristic looking, high quality, beast that has a touch of sci-fi flare about it.

Emily Tyson

MSI GE63 Raider

If you’re looking to invest in your next work horse laptop for work or home use, you can’t go wrong with the MSI GE63.

Laura Johnston

MSI GS65 Stealth Thin

If you can afford the price tag, it is well worth the money. It out performs any other laptop I have tried for gaming, and the transportable design and incredible display also make it ideal for work.

Andrew Teoh

Brother MFC-L9570CDW Multifunction Printer

Touch screen visibility and operation was great and easy to navigate. Each menu and sub-menu was in an understandable order and category

Louise Coady

Brother MFC-L9570CDW Multifunction Printer

The printer was convenient, produced clear and vibrant images and was very easy to use

Edwina Hargreaves

WD My Cloud Home

I would recommend this device for families and small businesses who want one safe place to store all their important digital content and a way to easily share it with friends, family, business partners, or customers.

Featured Content

Product Launch Showcase

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?