Windows XP: Restricted access

Hardly a day goes by without someone receiving the binary equivalent of a landmine in their e-mail, and idly clicking on it to see what happens. System administrators can't hold everyone's hand all the time, but Software Restriction Policies (SRPs) may help by limiting the code that a user can execute.

They're useful as a first line of defence against viruses and malware, and can also prevent users from running software that only administrators should execute, without having to restrict each program individually. However, SRPs can't control code that executes within allowed programs, such as Office macros, nor will they restrict applications that are run by the System, Network Service and Local Service accounts, including hardware drivers and kernel-mode software.

To add an SRP, go to Control Panel, double-click Administrative Tools then the Local Security Policy icon. You'll find the Software Restriction Policies option in the left-hand pane, with branches leading to Security Levels and Additional Rules for policies in effect. Unrestricted is the lowest security level, which allows everything to run bar your exceptions, while Disallowed is the exact opposite. Using the latter as the default security level could have some unintended consequences, so be careful if you decide to follow that route.

Unrestricted as the default level is best for blocking a handful of known problem programs. Disallowed as the default is appropriate for a blanket ban on everything apart from certain known applications. On top of this, the Additional Rules let you set the exceptions to the default level, identifying the software that can or cannot run. There are four kinds of rule, listed here in order of precedence:

Hash rule

A hash is a fixed-length string of characters computed from the file's contents, so in practice it is unique to the executable. When you try to run the executable, SRP computes its hash and checks whether it matches a rule. Depending on the outcome and the security level you assigned to the rule, the program either runs or is blocked.

For example, your default security level is Unrestricted and you decide that the ftrace.exe program is evil. Click on Additional Rules, and select New Hash Rule... from the Action menu to bring up the hash rule dialogue. Click on Browse..., find the ftrace.exe file, select it to let Windows XP compute the hash, then pick Disallowed from the Security level listbox and click OK (see here).

Now when you try to run the program, SRP checks the hash and finds that it isn't allowed to execute, even if the executable is renamed or moved. However, if the file is tampered with, the hash will change and the rule no longer applies.

Certificate rule

This rule applies to scripts and Windows installer packages (MSI), but not to executables with .exe and .dll extensions. For instance, administrators can decide that only scripts which carry approved digital certificates will run. A certificate rule is created similarly to hash rules using the Action menu. You'll need the certificates themselves, of course.

Path rule

The Path rule can be very useful, for you can decide that executables cannot run in certain folders - perhaps you don't want people to execute things in My Documents or mail folders. Be careful how you use this: don't be tempted to apply it to system folders, for example.
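The following is an added example, not code from the article or from Microsoft, that models how the Hash rule and Path rule sections above fit together: a hash rule is matched on the file's bytes alone (so renaming or moving the file changes nothing, while tampering with it changes the hash and the rule stops applying), hash rules take precedence over path rules, and among overlapping path rules the more specific folder wins. The sample bytes, the user name alice and the folder names are constructed; SHA-1 is assumed as the hash function, and the certificate and Internet Zone rule kinds are left out.

```python
import hashlib

DISALLOWED = "Disallowed"
UNRESTRICTED = "Unrestricted"

# Constructed stand-in for the bytes of ftrace.exe (not a real program image).
FTRACE_BYTES = b"MZ\x90\x00constructed ftrace.exe image bytes"


def file_hash(data: bytes) -> str:
    """Hash of the file contents only (SHA-1 assumed here).

    Because the name and location are not part of the input, a renamed or
    moved copy hashes identically, while a modified copy hashes differently.
    """
    return hashlib.sha1(data).hexdigest()


def normalize(path: str) -> str:
    """Windows-style comparison: case-insensitive, backslashes, no trailing separator."""
    return path.replace("/", "\\").rstrip("\\").lower()


class SoftwareRestrictionPolicy:
    """Toy evaluator for a default security level plus hash and path rules."""

    def __init__(self, default_level: str):
        self.default_level = default_level
        self.hash_rules = {}  # file hash -> security level
        self.path_rules = {}  # normalized file or folder path -> security level

    def add_hash_rule(self, data: bytes, level: str) -> None:
        self.hash_rules[file_hash(data)] = level

    def add_path_rule(self, path: str, level: str) -> None:
        self.path_rules[normalize(path)] = level

    def evaluate(self, path: str, data: bytes):
        """Return (security level, which kind of rule decided it)."""
        # 1. Hash rules come first in the order of precedence.
        digest = file_hash(data)
        if digest in self.hash_rules:
            return self.hash_rules[digest], "hash"
        # 2. Path rules: a folder rule covers everything beneath it, and the
        #    most specific (longest) matching rule wins over a broader one.
        target = normalize(path)
        best = None
        for rule_path, level in self.path_rules.items():
            if target == rule_path or target.startswith(rule_path + "\\"):
                if best is None or len(rule_path) > len(best[0]):
                    best = (rule_path, level)
        if best is not None:
            return best[1], "path"
        # 3. Nothing matched: the default security level applies.
        return self.default_level, "default"


def build_demo_policy() -> SoftwareRestrictionPolicy:
    """Default Unrestricted, ftrace.exe banned by hash, My Documents banned by
    path except for one approved subfolder (all paths constructed)."""
    policy = SoftwareRestrictionPolicy(UNRESTRICTED)
    policy.add_hash_rule(FTRACE_BYTES, DISALLOWED)
    docs = r"C:\Documents and Settings\alice\My Documents"
    policy.add_path_rule(docs, DISALLOWED)
    policy.add_path_rule(docs + r"\Approved", UNRESTRICTED)
    return policy


if __name__ == "__main__":
    policy = build_demo_policy()
    cases = [
        (r"C:\Tools\ftrace.exe", FTRACE_BYTES),                 # banned by hash
        (r"D:\harmless.exe", FTRACE_BYTES),                     # renamed and moved: still banned
        (r"C:\Tools\ftrace.exe", FTRACE_BYTES + b"\x00"),       # tampered: hash rule no longer applies
        (r"C:\Documents and Settings\alice\My Documents\attach.exe", b"other"),
        (r"C:\Documents and Settings\alice\My Documents\Approved\tool.exe", b"other"),
        (r"C:\Program Files\app.exe", b"other"),
    ]
    for path, data in cases:
        level, reason = policy.evaluate(path, data)
        print(f"{path:70} -> {level} ({reason})")
```

The third case is the caveat from the Hash rule section made concrete: once the file's bytes change, the policy silently falls back to the default level, which is why a hash rule alone is not a durable ban and a path or default-Disallowed policy is needed to close that gap.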

Internet Zone rule

The Internet Zone rule covers Windows installer packages (MSI) only, and can be confusing. It can identify software from the five different Internet Explorer zones: Local Computer, Intranet, Internet, Restricted Sites and Trusted Sites. It doesn't apply to software downloaded in Internet Explorer, so its usefulness is mainly limited to software distribution.

On the top level of the SRP branch, you'll also find the Enforcement, Designated File Types and Trusted Publishers objects. Tread carefully here. For the Enforcement object, make sure the software restriction policies apply to all software files except libraries, otherwise Windows will go through every DLL that a single executable can call, bogging down your system completely. If the default security level is Disallowed you'd have to go through every library file that the program calls and allow it to run as well.

The Designated File Types object is handy for adding specific files to the policy. These needn't be executables, either. You could just as easily restrict TXT files if you wanted to.

The Trusted Publishers object doesn't let you add or remove trusted software publishers. It only controls whether normal users of the computer may choose which software publishers to trust, or whether that choice is reserved for computer administrators. You can also tell Trusted Publishers to perform revocation checks on the publisher's certificate and its time-stamp.

Update

Finally, to update the policies affecting the computer, open a CMD box and type gpupdate to refresh them. That program has several options, the descriptions of which you can view with the usual /? switch, but you don't need them normally.

Juha Saarinen

PC World