Windows Software Restriction Policies

Administer Software Restriction Policies

Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012

This topic for the IT professional contains procedures for administering application control policies using Software Restriction Policies (SRP), beginning with Windows Server 2008 and Windows Vista.

Introduction

Software Restriction Policies (SRP) is a Group Policy-based feature that identifies software programs running on computers in a domain and controls the ability of those programs to run. You use software restriction policies to create a highly restricted configuration for computers, in which you allow only specifically identified applications to run. SRP is integrated with Microsoft Active Directory Domain Services and Group Policy, but it can also be configured on stand-alone computers. For more information about SRP, see Software Restriction Policies.

Beginning with Windows Server 2008 R2 and Windows 7, Windows AppLocker can be used instead of or in concert with SRP for a portion of your application control strategy.

For information about how to accomplish specific tasks using SRP, see the following sections:

To open Software Restriction Policies

For your local computer

Open Local Security Settings.

In the console tree, click Software Restriction Policies.

Where?

  • Security Settings/Software Restriction Policies

To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority.

For a domain, site, or organizational unit, and you are on a member server or on a workstation that is joined to a domain

Open Microsoft Management Console (MMC).

On the File menu, click Add/Remove Snap-in, and then click Add.

Click Local Group Policy Object Editor, and then click Add.

In Select Group Policy Object, click Browse.

In Browse for a Group Policy Object, select a Group Policy Object (GPO) in the appropriate domain, site, or organizational unit, or create a new one, and then click Finish.

Click Close, and then click OK.

In the console tree, click Software Restriction Policies.

Where?

  • Group Policy Object [ComputerName] Policy/Computer Configuration/Windows Settings/Security Settings/Software Restriction Policies
  • Group Policy Object [ComputerName] Policy/User Configuration/Windows Settings/Security Settings/Software Restriction Policies

To perform this procedure, you must be a member of the Domain Admins group.

For a domain or organizational unit, and you are on a domain controller or on a workstation that has the Remote Server Administration Tools installed

Open Group Policy Management Console.

In the console tree, right-click the Group Policy Object (GPO) that you want to open software restriction policies for.

Click Edit to open the GPO that you want to edit. You can also click New to create a new GPO, and then click Edit.

In the console tree, click Software Restriction Policies.

Where?

  • Group Policy Object [ComputerName] Policy/Computer Configuration/Windows Settings/Security Settings/Software Restriction Policies
  • Group Policy Object [ComputerName] Policy/User Configuration/Windows Settings/Security Settings/Software Restriction Policies

To perform this procedure, you must be a member of the Domain Admins group.

For a site, and you are on a domain controller or on a workstation that has the Remote Server Administration Tools installed

Open Group Policy Management Console.


In the console tree, right-click the site that you want to set Group Policy for.

Where?

  • Active Directory Sites and Services [Domain_Controller_Name.Domain_Name]/Sites/Site

Click an entry in Group Policy Object Links to select an existing Group Policy Object (GPO), and then click Edit. You can also click New to create a new GPO, and then click Edit.

In the console tree, click Software Restriction Policies.

Where?

  • Group Policy Object [ComputerName] Policy/Computer Configuration/Windows Settings/Security Settings/Software Restriction Policies
  • Group Policy Object [ComputerName] Policy/User Configuration/Windows Settings/Security Settings/Software Restriction Policies

  • To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure.
  • To set policy settings that will be applied to computers, regardless of which users log on to them, click Computer Configuration.
  • To set policy settings that will be applied to users, regardless of which computer they log on to, click User Configuration.

To create new software restriction policies

Open Software Restriction Policies.

On the Action menu, click New Software Restriction Policies.

Different administrative credentials are required to perform this procedure, depending on your environment:

  • If you create new software restriction policies for your local computer: Membership in the local Administrators group, or equivalent, is the minimum required to complete this procedure.
  • If you create new software restriction policies for a computer that is joined to a domain, members of the Domain Admins group can perform this procedure.

If software restriction policies have already been created for a Group Policy Object (GPO), the New Software Restriction Policies command does not appear on the Action menu. To delete the software restriction policies that are applied to a GPO, in the console tree, right-click Software Restriction Policies, and then click Delete Software Restriction Policies. When you delete software restriction policies for a GPO, you also delete all software restriction policies rules for that GPO. After you delete software restriction policies, you can create new software restriction policies for that GPO.

To add or delete a designated file type

Open Software Restriction Policies.

In the details pane, double-click Designated File Types.

Do one of the following:

To add a file type, in File name extension, type the file name extension, and then click Add.

To delete a file type, in Designated file types, click the file type, and then click Remove.

Different administrative credentials are required to perform this procedure, depending on the environment in which you add or delete a designated file type:

  • If you add or delete a designated file type for your local computer: Membership in the local Administrators group, or equivalent, is the minimum required to complete this procedure.
  • If you add or delete a designated file type for a computer that is joined to a domain, members of the Domain Admins group can perform this procedure.

It may be necessary to create a new software restriction policy setting for the Group Policy Object (GPO) if you have not already done so.

The list of designated file types is shared by all rules for both Computer Configuration and User Configuration for a GPO.

To prevent software restriction policies from applying to local administrators

Open Software Restriction Policies.

In the details pane, double-click Enforcement.

Under Apply software restriction policies to the following users, click All users except local administrators.

  • Membership in the local Administrators group, or equivalent, is the minimum required to complete this procedure.
  • It may be necessary to create a new software restriction policy setting for the Group Policy Object (GPO) if you have not already done so.
  • If it is common for users to be members of the local Administrators group on their computers in your organization, you may not want to enable this option.
  • If you are defining a software restriction policy setting for your local computer, use this procedure to prevent local administrators from having software restriction policies applied to them. If you are defining a software restriction policy setting for your network, filter user policy settings based on membership in security groups through Group Policy.

To change the default security level of software restriction policies

Open Software Restriction Policies.

In the details pane, double-click Security Levels.

Right-click the security level that you want to set as the default, and then click Set as default.

In certain directories, setting the default security level to Disallowed can adversely affect your operating system.

  • Different administrative credentials are required to perform this procedure, depending on the environment for which you change the default security level of software restriction policies.
  • It may be necessary to create a new software restriction policy setting for this Group Policy Object (GPO) if you have not already done so.
  • In the details pane, the current default security level is indicated by a black circle with a check mark in it. If you right-click the current default security level, the Set as default command does not appear in the menu.
  • Software restriction policies rules are created to specify exceptions to the default security level. When the default security level is set to Unrestricted, rules can specify software that is not allowed to run. When the default security level is set to Disallowed, rules can specify software that is allowed to run.
  • At installation, the default security level of software restriction policies on all files on your system is set to Unrestricted.

To apply software restriction policies to DLLs

Open Software Restriction Policies.

In the details pane, double-click Enforcement.

Under Apply software restriction policies to the following, click All software files.

  • To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure.
  • By default, software restriction policies do not check dynamic-link libraries (DLLs). Checking DLLs can decrease system performance, because software restriction policies must be evaluated every time a DLL is loaded. However, you may decide to check DLLs if you are concerned about receiving a virus that targets DLLs. If the default security level is set to Disallowed, and you enable DLL checking, you must create software restriction policies rules that allow each DLL to run.
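The Designated File Types, Enforcement and Security Levels procedures above all write to the same registry policy key. The following added example (not code from the Microsoft topic) reads that key back so you can verify what the GUI steps actually set; it assumes the documented `Safer\CodeIdentifiers` layout, where `HKLM` holds Computer Configuration and `HKCU` holds User Configuration.

```powershell
# Added example, not part of the Microsoft topic: report the SRP settings that the
# Designated File Types, Enforcement and Security Levels procedures change.
function Get-SrpConfiguration {
    param([ValidateSet('Machine', 'User')][string]$Scope = 'Machine')

    $hive = if ($Scope -eq 'Machine') { 'HKLM:' } else { 'HKCU:' }
    $base = "$hive\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers"
    if (-not (Test-Path -Path $base)) { Write-Warning "No SRP settings in $Scope scope"; return }

    # Security level values: 0x40000 Unrestricted, 0x20000 Basic User, 0 Disallowed
    $levelName = @{ 0x40000 = 'Unrestricted'; 0x20000 = 'Basic User'; 0 = 'Disallowed' }
    $ruleType  = @{ Paths = 'Path'; Hashes = 'Hash'; UrlZones = 'Internet zone' }
    $ci = Get-ItemProperty -Path $base
    $default = if ($null -ne $ci.DefaultLevel) { $levelName[[int]$ci.DefaultLevel] } else { 'not set' }

    [pscustomobject]@{
        Scope               = $Scope
        DefaultLevel        = $default
        ChecksDlls          = ($ci.TransparentEnabled -eq 2)  # 1 = skip DLLs, 2 = all software files
        ExemptsLocalAdmins  = ($ci.PolicyScope -eq 1)         # 0 = all users, 1 = all except local admins
        DesignatedFileTypes = ($ci.ExecutableTypes -join ',')
    }

    # Rules sit under <level>\<Paths|Hashes|UrlZones>\{guid}; the level key name is the
    # numeric security level the rule assigns, which is how exceptions to the default work.
    foreach ($levelKey in Get-ChildItem -Path $base) {
        $level = $levelKey.PSChildName -as [int]
        if ($null -eq $level) { continue }
        foreach ($kind in 'Paths', 'Hashes', 'UrlZones') {
            $kindPath = Join-Path -Path $levelKey.PSPath -ChildPath $kind
            if (-not (Test-Path -Path $kindPath)) { continue }
            foreach ($rule in Get-ChildItem -Path $kindPath) {
                $p = Get-ItemProperty -Path $rule.PSPath
                # Hash rules store the digest as REG_BINARY; render it as hex for reading
                $item = if ($kind -eq 'Hashes') { ($p.ItemData | ForEach-Object { $_.ToString('x2') }) -join '' } else { $p.ItemData }
                [pscustomobject]@{
                    Level       = $levelName[$level]
                    RuleType    = $ruleType[$kind]
                    Item        = $item
                    Description = $p.Description
                }
            }
        }
    }
}

Get-SrpConfiguration -Scope Machine | Format-List
```

Run it in both scopes on a domain-joined computer, because the key reflects whatever policy last applied, and compare the result with gpresult when a domain GPO is expected to override local settings.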

Troubleshoot Software Restriction Policies

Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012

This topic describes common problems and their solutions when troubleshooting Software Restriction Policies (SRP) beginning with Windows Server 2008 and Windows Vista.

Introduction

Software Restriction Policies (SRP) is a Group Policy-based feature that identifies software programs running on computers in a domain and controls the ability of those programs to run. You use software restriction policies to create a highly restricted configuration for computers, in which you allow only specifically identified applications to run. SRP is integrated with Microsoft Active Directory Domain Services and Group Policy, but it can also be configured on stand-alone computers. For more information about SRP, see Software Restriction Policies.

Beginning with Windows Server 2008 R2 and Windows 7, Windows AppLocker can be used instead of or in concert with SRP for a portion of your application control strategy.

Windows cannot open a program

Users receive a message that says "Windows cannot open this program because it has been prevented by a software restriction policy. For more information, open Event Viewer or contact your system administrator." Or, on the command line, a message says "The system cannot execute the specified program."

Cause: The default security level (or a rule) was created so that the software program is set as Disallowed, and as a result it will not start.


Solution: Look in the event log for an in-depth description of the message. The event log message indicates what software program is set as Disallowed and what rule is applied to the program.

Modified software restriction policies are not taking effect

Cause: Software restriction policies that are specified in a domain through Group Policy override any policy settings that are configured locally. This might imply that there is a policy setting from the domain that is overriding your policy setting.

Cause: Group Policy might not have refreshed its policy settings. Group Policy applies changes to policy settings periodically; therefore, it is likely that the policy changes that were made in the directory have not yet been refreshed.

Solutions:

The computer on which you modify software restriction policies for the network must be able to contact a domain controller. Ensure the computer can contact a domain controller.

Refresh policy by logging off the network and then logging on to the network again. If any policy is applied through Group Policy, logging back on will refresh those policies.

You can refresh policy settings with the command-line utility gpupdate or by logging off from and then logging back on to your computer. For best results, run gpupdate, and then log off from and log back on to your computer. Generally, the security settings are refreshed every 90 minutes on a workstation or server and every 5 minutes on a domain controller. The settings are also refreshed every 16 hours, whether or not there are any changes. These are configurable settings so refresh intervals might be different in each domain.

Check which policies apply. Check domain level policies for No Override settings.

Software restriction policies that are specified in a domain through Group Policy override any policies that are configured locally. Use the Gpresult command-line tool to determine the net effect of the policy. This might imply that there is a policy from the domain that is overriding your local setting.

If SRP and AppLocker policy settings are in the same GPO, AppLocker settings will take precedence on Windows 7, Windows Server 2008 R2, and later. It is recommended to put SRP and AppLocker policy settings in different GPOs.

After adding a rule through SRP, you cannot log on to your computer

Cause: Your computer accesses many programs and files when it starts. You might have inadvertently set one of these programs or files to Disallowed. Because the computer cannot access the program or file, it cannot start properly.

Solution: Start the computer in Safe Mode, log on as a local administrator, and then change software restriction policies to allow the program or file to run.

A new policy setting is not applying to a specific file name extension

Cause: The filename extension is not in the list of supported file types.

Solution: Add the filename extension to the list of file types supported by SRP.

Software restriction policies address the problem of regulating unknown or untrusted code. Software restriction policies are security settings to identify software and control its ability to run on a local computer, in a site, domain, or OU and can be implemented through a GPO.

A default rule is not restricting as expected

Cause: Rules are applied in a particular order, which can cause default rules to be overridden by more specific rules. SRP applies rules in the following order (most specific to most general):

Internet Zone rules

Solution: Evaluate the rules restricting the application and, if appropriate, remove all but the Default rule.

Unable to discover which restrictions are applied

Cause: There is no apparent cause for the unexpected behavior, and a GPO refresh has not solved the issue, so further investigation is necessary.

Solutions:

Investigate the System Event Log, filtering on the source "Software Restriction Policy". The entries explicitly state which rule is implemented for each application.
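To make that investigation repeatable, the following added example (not code from the Microsoft topic) collects the SRP block events from the event log and can switch on the SRP advanced log, which writes one line per evaluated file naming the rule that applied. It assumes the events are written by the provider `SoftwareRestrictionPolicies` and uses the event IDs observed from that provider; confirm both on your build before relying on them.

```powershell
# Added example, not part of the Microsoft topic. Assumption: SRP events come from
# the provider 'SoftwareRestrictionPolicies'; confirm with
#   Get-WinEvent -ListProvider *Restriction*
function Get-SrpBlockEvent {
    param([int]$Hours = 24)
    # Event IDs as seen from that provider; each one names the rule type that fired
    $ruleType = @{ 865 = 'default level'; 866 = 'path rule'; 867 = 'certificate rule';
                   868 = 'Internet zone rule'; 882 = 'hash rule' }
    $filter = @{
        LogName      = 'Application', 'System'   # query both; the topic points at System
        ProviderName = 'SoftwareRestrictionPolicies'
        StartTime    = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $kind = if ($ruleType.ContainsKey($_.Id)) { $ruleType[$_.Id] } else { 'other' }
        [pscustomobject]@{
            Time     = $_.TimeCreated
            Id       = $_.Id
            RuleType = $kind
            User     = $_.UserId
            Message  = ($_.Message -replace '\s+', ' ')   # the message names the file and rule
        }
    }
}

$SrpKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

function Enable-SrpAdvancedLogging {
    param([string]$LogPath = 'C:\Temp\SRP.log')   # constructed sample path; the folder must exist
    # A REG_SZ value named LogFileName under CodeIdentifiers turns on the trace; SRP then
    # appends a line for every file it evaluates, including the level and rule that matched.
    New-ItemProperty -Path $SrpKey -Name LogFileName -Value $LogPath -PropertyType String -Force | Out-Null
}

function Disable-SrpAdvancedLogging {
    Remove-ItemProperty -Path $SrpKey -Name LogFileName -ErrorAction SilentlyContinue
}

Get-SrpBlockEvent -Hours 48 | Format-Table -AutoSize -Wrap
```

Run the script elevated; the trace logs every execution check, so enable it only while reproducing the problem and disable it afterwards, and on a domain-joined computer check that the value survives the next policy refresh.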
