Hardly a day goes by without someone receiving the binary equivalent of a landmine in their e-mail, and idly clicking on it to see what happens. System administrators can't hold everyone's hand all the time, but Software Restriction Policies (SRPs) may help by limiting the code that a user can execute.
They're useful as a first line of defence against viruses and malware, and can also prevent users from running software that only administrators should execute, without having to restrict each program individually. However, SRPs can't control code that executes within allowed programs, such as Office macros, nor will they restrict applications that are run by the System, Network Service and Local Service accounts, including hardware drivers and kernel-mode software.
To add an SRP, go to Control Panel, double-click Administrative Tools then the Local Security Policy icon. You'll find the Software Restriction Policies option in the left-hand pane, with branches for Security Levels and for the Additional Rules that make up the policies in effect. Unrestricted is the lowest security level, which allows everything to run bar your exceptions, while Disallowed is the exact opposite: nothing runs except the exceptions you define. Using the latter as the default security level could have some unintended consequences, so be careful if you decide to follow that route.
The Unrestricted level is best for stopping certain problematic programs from running. Disallowed is appropriate for a blanket ban on everything apart from certain known applications. On top of this, the Additional Rules let you set the exceptions to the general policy, identifying the software that can or cannot run. There are four different kinds of rule, listed here in order of precedence: hash, certificate, path and Internet Zone.
Hash rule
A hash is a fixed-length string of characters, unique to the executable being used. When you try to run the executable, SRP computes its hash and checks whether it matches a rule. Depending on the outcome of the match and the security level you attached to the rule, the program will either run or not.
For example, your default security level is Unrestricted and you decide that the ftrace.exe program is evil. Click on Additional Rules, and select New Hash Rule... from the Action menu to bring up the hash rule dialogue. Click on Browse..., find the ftrace.exe file, select it to let Windows XP compute the hash, then pick Disallowed from the Security level listbox and click OK (see here).
Now when you try to run the program, SRP checks the hash and finds that it isn't allowed to execute, even if the executable is renamed or moved. However, if the file is tampered with, the hash will change and the rule no longer applies.
Certificate rule
This rule applies to scripts and Windows installer packages (MSI), but not to executables with .exe and .dll extensions. For instance, administrators can decide that only scripts which carry approved digital certificates will run. A certificate rule is created in the same way as a hash rule, using the Action menu. You'll need the certificates themselves, of course.
Path rule
The Path rule can be very useful, since you can decide that executables cannot run from certain folders - perhaps you don't want people to execute things in My Documents or mail folders. Be careful how you use this: don't be tempted to apply it to system folders, for example.
Internet Zone rule
The Internet Zone rule covers Windows installer packages (MSI) only, and can be confusing. It can identify software from the five different Internet Explorer zones: Local Computer, Intranet, Internet, Restricted Sites and Trusted Sites. It doesn't apply to software downloaded in Internet Explorer, so its usefulness is mainly limited to software distribution.
On the top level of the SRP branch, you'll also find the Enforcement, Designated File Types and Trusted Publishers objects. Tread carefully here. For the Enforcement object, make sure the software restriction policies apply to all software files except libraries, otherwise Windows will go through every DLL that a single executable can call, bogging down your system completely. If the default security level is Disallowed you'd have to go through every library file that the program calls and allow it to run as well.
The Designated File Types object is handy for adding specific files to the policy. These needn't be executables, either. You could just as easily restrict TXT files if you wanted to.
The Trusted Publishers object doesn't allow you to add and remove trusted software publishers. It only decides if normal users of the computer can decide which software publishers to trust, or if the decision should be with computer administrators only. You can also tell the Trusted Publishers to do revocation checks on the certificate publisher and its time-stamp.
Finally, to update the policies affecting the computer, open a CMD box and type gpupdate to refresh them. That program has several options, the descriptions of which you can view with the usual /? switch, but you don't need them normally.
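Once gpupdate has run, the settings the GUI wrote can be read back from the registry to confirm what is actually in force. The script below is an added example, not code from the article; it assumes the SRP registry layout under HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers, with DefaultLevel and TransparentEnabled values and per-level Paths, Hashes and UrlZones subkeys, and it flags the DLL-checking enforcement setting described above.

```powershell
# Added example, not from the original article: read back the SRP settings that
# the Local Security Policy GUI writes to the registry and flag DLL checking.
# Assumed layout: one subkey per security level (0, 131072, 262144), each
# holding Paths, Hashes and UrlZones rule subkeys named by GUID.
$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

$levelNames   = @{ 0 = 'Disallowed'; 131072 = 'Basic User'; 262144 = 'Unrestricted' }
$enforceNames = @{ 0 = 'None'; 1 = 'All software files except libraries'; 2 = 'All software files' }
$ruleKinds    = @{ Paths = 'Path'; Hashes = 'Hash'; UrlZones = 'Internet Zone' }

function Get-SrpReport {
    if (-not (Test-Path $base)) {
        return [pscustomobject]@{ Configured = $false }
    }
    $root  = Get-ItemProperty -Path $base
    $rules = foreach ($level in $levelNames.Keys) {
        foreach ($kind in $ruleKinds.Keys) {
            $key = Join-Path $base "$level\$kind"
            if (-not (Test-Path $key)) { continue }
            foreach ($ruleKey in Get-ChildItem -Path $key) {
                $p = Get-ItemProperty -Path $ruleKey.PSPath
                # Path rules store the pattern; hash rules store the file hash as
                # bytes plus a FriendlyName; zone rules store the IE zone id.
                $text = switch ($kind) {
                    'Hashes'   { '{0} (hash {1})' -f $p.FriendlyName, (($p.ItemData | ForEach-Object { $_.ToString('x2') }) -join '') }
                    'UrlZones' { 'zone id {0}' -f $p.ItemData }
                    default    { $p.ItemData }
                }
                [pscustomobject]@{
                    Level       = $levelNames[$level]
                    Type        = $ruleKinds[$kind]
                    Rule        = $text
                    Description = $p.Description
                }
            }
        }
    }
    [pscustomobject]@{
        Configured      = $true
        DefaultLevel    = $levelNames[[int]$root.DefaultLevel]
        Enforcement     = $enforceNames[[int]$root.TransparentEnabled]
        # TransparentEnabled = 2 makes SRP check every DLL an executable loads.
        ChecksLibraries = ([int]$root.TransparentEnabled -eq 2)
        Rules           = @($rules)
    }
}

$report = Get-SrpReport
$report | Select-Object Configured, DefaultLevel, Enforcement, ChecksLibraries | Format-List
$report.Rules | Format-Table -AutoSize
```

Run it from an elevated prompt; a blank report with Configured set to False means no SRP has been written to the machine yet.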