Windows XP: Restricted access

Hardly a day goes by without someone receiving the binary equivalent of a landmine in their e-mail, and idly clicking on it to see what happens. System administrators can't hold everyone's hand all the time, but Software Restriction Policies (SRPs) may help by limiting the code that a user can execute.

They're useful as a first line of defence against viruses and malware, and can also prevent users from running software that only administrators should execute, without having to restrict each program individually. However, SRPs can't control code that executes within allowed programs, such as Office macros, nor will they restrict applications that are run by the System, Network Service and Local Service accounts, including hardware drivers and kernel-mode software.

To add an SRP, go to Control Panel, double-click Administrative Tools then the Local Security Policy icon. You'll find the Software Restriction Policies option in the left-hand pane, with branches leading to Security Levels and Additional Rules for policies in effect. Unrestricted is the lowest security level, which allows everything to run bar your exceptions, while Disallowed is the exact opposite. Using the latter as the default security level could have some unintended consequences, so be careful if you decide to follow that route.

An Unrestricted default level is best for stopping certain problematic programs from running, while Disallowed is appropriate for a blanket ban on everything apart from certain known applications. On top of this, the Additional Rules let you set the exceptions to the general policy, identifying the software that can or cannot run. There are four different rules, in order of precedence:

Hash rule

A hash is a fixed-length string of characters, unique to the executable being used. When you try to run the executable, SRP checks whether the hash string matches a rule. Depending on whether it matches and which security level that rule sets, the program either runs or is blocked.

For example, your default security level is Unrestricted and you decide that the ftrace.exe program is evil. Click on Additional Rules, and select New Hash Rule... from the Action menu to bring up the hash rule dialogue. Click on Browse..., find the ftrace.exe file, select it to let Windows XP compute the hash, then pick Disallowed from the Security level listbox and click OK (see here).

Now when you try to run the program, SRP checks the hash and finds that it isn't allowed to execute, even if the executable is renamed or moved. However, if the file is tampered with, the hash will change and the rule no longer applies.

Certificate rule

This rule applies to scripts and Windows installer packages (MSI), but not to executables with .exe and .dll extensions. For instance, administrators can decide that only scripts which carry approved digital certificates will run. A certificate rule is created similarly to hash rules using the Action menu. You'll need the certificates themselves, of course.

Path rule

The Path rule can be very useful, for you can decide that executables cannot run in certain folders - perhaps you don't want people to execute things in My Documents or mail folders. Be careful how you use this: don't be tempted to apply it to system folders, for example.

Internet Zone rule

The Internet Zone rule covers Windows installer packages (MSI) only, and can be confusing. It can identify software from the five different Internet Explorer zones: Local Computer, Intranet, Internet, Restricted Sites and Trusted Sites. It doesn't apply to software downloaded in Internet Explorer, so its usefulness is mainly limited to software distribution.

On the top level of the SRP branch, you'll also find the Enforcement, Designated File Types and Trusted Publishers objects. Tread carefully here. For the Enforcement object, make sure the software restriction policies apply to all software files except libraries, otherwise Windows will go through every DLL that a single executable can call, bogging down your system completely. If the default security level is Disallowed you'd have to go through every library file that the program calls and allow it to run as well.
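As an added illustration, not from the article, the following Python model shows how the four rules above and the Enforcement setting combine: a hash rule wins over a path rule, a path rule wins over the default level, and DLLs are only checked when enforcement covers libraries. The ftrace.exe bytes, the My Documents folder and the use of SHA-256 are constructed assumptions; the model also assumes, as SRP does, that the most specific matching path rule wins.

```python
import hashlib
from dataclasses import dataclass, field
from pathlib import PureWindowsPath

UNRESTRICTED = "Unrestricted"
DISALLOWED = "Disallowed"

# Constructed stand-in for ftrace.exe; these bytes are not a real program.
FTRACE_EXE = b"MZ\x90\x00constructed ftrace.exe image"


@dataclass
class Policy:
    default_level: str = UNRESTRICTED
    hash_rules: dict = field(default_factory=dict)   # hex digest -> level
    path_rules: dict = field(default_factory=dict)   # folder -> level
    enforce_libraries: bool = False                  # Enforcement: check DLLs too?


def file_hash(data: bytes) -> str:
    # SHA-256 stands in for the hash SRP computes; only the matching matters here.
    return hashlib.sha256(data).hexdigest()


def evaluate(policy: Policy, path: str, data: bytes):
    """Return (level, reason) for an attempt to run the bytes `data` from `path`."""
    p = PureWindowsPath(path)
    if p.suffix.lower() == ".dll" and not policy.enforce_libraries:
        return UNRESTRICTED, "library not enforced"
    # 1. Hash rule: keyed on content, so renaming or moving the file changes nothing,
    #    but altering a single byte makes the rule miss.
    level = policy.hash_rules.get(file_hash(data))
    if level is not None:
        return level, "hash rule"
    # 2. Path rule: the most specific (longest) matching folder wins.
    target = str(p).lower()
    best = None
    for folder, rule_level in policy.path_rules.items():
        prefix = folder.lower().rstrip("\\") + "\\"
        if target.startswith(prefix) and (best is None or len(prefix) > len(best[0])):
            best = (prefix, rule_level)
    if best is not None:
        return best[1], "path rule"
    # 3. Nothing matched: fall back to the default security level.
    return policy.default_level, "default level"


def example_policy() -> Policy:
    """Unrestricted default, ftrace.exe banned by hash, My Documents banned by path."""
    policy = Policy()
    policy.hash_rules[file_hash(FTRACE_EXE)] = DISALLOWED
    policy.path_rules[r"C:\Documents and Settings\juha\My Documents"] = DISALLOWED
    return policy
```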

The Designated File Types object is handy for adding specific files to the policy. These needn't be executables, either. You could just as easily restrict TXT files if you wanted to.

The Trusted Publishers object doesn't allow you to add and remove trusted software publishers. It only decides if normal users of the computer can decide which software publishers to trust, or if the decision should be with computer administrators only. You can also tell the Trusted Publishers to do revocation checks on the certificate publisher and its time-stamp.

Update

Finally, to update the policies affecting the computer, open a CMD box and type gpupdate to refresh them. That program has several options, the descriptions of which you can view with the usual /? switch, but you don't need them normally.


Juha Saarinen

PC World