GPO: Software Restriction Policy

1 minute read

Description:

This was somewhat covered in CryptoPrevention but here is a more generic post on SRP’s

To Resolve:

  1. Create a GPO and go to: Computer Configuration\Policies\WindowsSettings\SecuritySettings\SoftwareRestrictionPolicies

Right click – create a new default

Enforcement – all users

Designated file types – remove url/lnk

Next Security Levels – Disallowed – Set as default – click okay on warning

Right click on additional rules – add path rule

Now just add paths like ‘c:\windows’, ‘c:\program files’, ‘c:\program files (x86)’, and so on. These require admin rights for executable files to run so they should be safe.

Make sure to add any shares to file servers if users run portable programs from them.

As per my post linked, you would also want to blacklist certain paths:
%AppData%*.exe – Disallowed – Prevent programs from running in AppData.
%AppData%**.exe – Disallowed – Prevent virus payloads from executing in subfolders of AppData
%LocalAppData%\Temp\Rar*\.exe – Disallowed – Prevent un-WinRARed executables in email attachments from running in the user space
%LocalAppData%\Temp\7z*\
.exe – Disallowed – Prevent un-7Ziped executables in email attachments from running in the user space
%LocalAppData%\Temp\wz*\*.exe – Disallowed – Prevent un-WinZIPed executables in email attachments from running in the user space
%LocalAppData%\Temp*.zip*.exe – Disallowed – Prevent unarchived executables in email attachments from running in the user space

 

  1. Whitelist any applications going forward. Check event ID 875 for blocked software (windows logs – application)

Categories:

Updated: