Software Restriction Policies

In a modern computing environment, a wide variety of software applications are available to users from many sources. Documents and Web pages can contain executable code in scripts, and e-mail messages can contain executable code in attachments. Viruses and Trojan horses hidden in that executable code can cause security breaches and damage network files. Windows XP and Windows Server 2003 introduced software restriction policies to identify software and control whether it is allowed to run.



Software restriction policies are security settings in a GPO that identify software and control its ability to run on a local computer, site, domain, or OU. For example, you can apply a policy that does not allow certain file types to run from the attachment directory of your e-mail program. When a user attempts to run an application, the software restriction policy must first identify the software. Software can be identified by one of the following rule types:

  • Hash Rule: A hash is a fixed-length fingerprint computed from a file's contents by a hash algorithm. Software restriction policies can identify files by their hash using either the SHA-1 (Secure Hash Algorithm) or the MD5 hash algorithm. For example, you can create a hash rule and set the security level to Disallowed to prevent users from running a certain file. A file can be renamed or moved to another folder and still produce the same hash, so the rule still applies. However, any change to the file's contents changes its hash value, so the modified file no longer matches the rule and bypasses the restriction.
  • Certificate Rule: A certificate rule identifies software by its signing certificate. For example, you can use certificate rules to automatically trust software from a trusted source in a domain without prompting the user.
  • Internet Zone Rule: Internet zone rules apply only to Windows Installer packages. A zone rule can identify software from a zone that is specified through Internet Explorer. These zones are Internet, Local Intranet, Restricted Sites, Trusted Sites, and Local Computer.
  • Path Rule: A path rule identifies software by its file path. For example, on a computer whose default policy is Disallowed, you can still grant unrestricted access to a specific folder for each user. Some common paths for this type of rule are %Userprofile%, %Windir%, %Appdata%, %ProgramFiles%, and %Temp%. Because these rules are specified by path, if a program is moved, the path rule no longer applies to it.

You can apply several rules to the same application. When more than one rule matches, the rules are applied in the following order of precedence, from highest to lowest: Hash, Certificate, Path, and Internet Zone.

The decision to use the different rules depends mainly on two factors:

  1. If the program changes regularly, a hash rule will not work, because every modification to the file changes its hash (the hash is generated from the contents of the file).
  2. Although certificate rules are a secure method, they require a working CA in the domain.

To configure a software restriction policy, open the Group Policy Object Editor for the local computer, domain, OU, or site, and then:

  1. Under the Computer Configuration node, expand Windows Settings, then Security Settings, then Software Restriction Policies.
  2. Right-click Additional Rules to create a new rule, and select the type of rule, e.g. New Path Rule…
  3. Specify the full path of the folder containing the applications. In this example the path is “c:\myviruses”, so all applications within that folder will be prevented from running.
  4. Click OK. The new rule has now been created.
  5. Refresh the policy on the relevant machines before it can take effect.

N.B. Software restriction policies will not work on Windows 2000.
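The following added example (not code from the lesson or from Windows itself) is a small Python model of how the rule types above combine: a default level, hash rules that follow the file's contents rather than its name or location, and path rules that lose their grip once a file is moved, with hash taking precedence over path as the lesson states. The policy, the sample file contents and the paths are constructed for illustration; certificate and zone rules are left out.

```python
import hashlib

DISALLOWED, UNRESTRICTED = "Disallowed", "Unrestricted"


def _norm(path):
    # Windows paths are case-insensitive; compare lower-case with forward slashes
    return path.lower().replace("\\", "/")


class SrpPolicy:
    """Toy model of a software restriction policy: a default level plus hash and path rules."""

    def __init__(self, default_level):
        self.default_level = default_level
        self.hash_rules = {}  # SHA-1 digest of file contents -> security level
        self.path_rules = {}  # normalised folder prefix -> security level

    def add_hash_rule(self, content, level):
        # A hash rule identifies the file by its contents, not by its name or folder
        self.hash_rules[hashlib.sha1(content).hexdigest()] = level

    def add_path_rule(self, folder, level):
        # Trailing slash so "c:/windows/" does not also match "c:/windows2/..."
        self.path_rules[_norm(folder).rstrip("/") + "/"] = level

    def evaluate(self, path, content):
        """Return (level, rule type) for a file that is about to run."""
        # Precedence from the lesson: a matching hash rule beats any path rule
        level = self.hash_rules.get(hashlib.sha1(content).hexdigest())
        if level is not None:
            return level, "hash"
        p = _norm(path)
        hits = [(len(f), lvl) for f, lvl in self.path_rules.items() if p.startswith(f)]
        if hits:
            return max(hits)[1], "path"  # the most specific (longest) matching folder wins
        return self.default_level, "default"


def demo():
    # Constructed sample "programs": the bytes stand in for executable file contents
    tool = b"MZ approved-tool v1"
    policy = SrpPolicy(default_level=DISALLOWED)  # lock-down posture from the path-rule bullet
    policy.add_path_rule(r"C:\Windows", UNRESTRICTED)
    policy.add_path_rule(r"C:\Windows\Temp", DISALLOWED)  # a more specific path overrides its parent
    policy.add_hash_rule(tool, UNRESTRICTED)
    return {
        "system": policy.evaluate(r"C:\Windows\notepad.exe", b"MZ notepad"),
        "temp": policy.evaluate(r"C:\Windows\Temp\dropper.exe", b"MZ dropper"),
        "tool_moved": policy.evaluate(r"D:\anywhere\renamed.exe", tool),  # same bytes, new name and folder
        "tool_patched": policy.evaluate(r"D:\anywhere\renamed.exe", tool + b"!"),  # one byte changed
        "unknown": policy.evaluate(r"C:\Users\alice\app.exe", b"MZ app"),
    }
```

Running `demo()` shows the moved tool still matching its hash rule while the patched copy falls back to the Disallowed default, which is the trade-off the lesson describes for programs that change regularly.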