Creating a deny-by-default SRP
Software Restriction Policies (SRP) are a Group Policy mechanism for limiting what a user can execute; for more background see the SRP page on TechNet. In their simplest use they stop users running things they shouldn't (no games etc). Configured deny-by-default, as below, SRP becomes an allowlist: nothing runs unless a rule explicitly permits it. To create a basic deny-by-default policy, follow the steps below.
1: Create the policy
Firstly you need to create a default policy from which you can build, to do this follow the below steps:
- Create or open your Group Policy Object as normal
- In the policy editor (gpedit.msc for the local policy, or the Group Policy Management Editor for a domain GPO) navigate to Computer Configuration -> Windows Settings -> Security Settings (SRP also exists under User Configuration; this guide uses the computer policy)
- Right-click “Software Restriction Policies” and choose “New Software Restriction Policies”
At this point you have the standard starting policy: the default security level is Unrestricted, and “Additional Rules” already contains two default registry path rules, for %SystemRoot% and %ProgramFiles%, both set to Unrestricted.
2: Set policy enforcement
Now that you have the policy, you need to set what the policy will apply to.
- Click “Software Restriction Policies” if not already selected
- Double-click “Enforcement”
- Choose “All software files” and “All users except local administrators”. “All software files” extends checking to DLLs, so a disallowed library cannot be loaded by an allowed program; it costs some performance and can break software that loads libraries from unusual locations, which is why the default “except libraries” option skips DLLs. “All users except local administrators” leaves administrators unrestricted, so daily work must not be done from an admin account.
3: Remove links from protection
Removing LNK from the designated file types means shortcut files themselves are not evaluated, so Start menu entries, desktop shortcuts etc open normally even though they live outside the default Unrestricted paths. The program a shortcut points to is still checked, so a shortcut to a blocked program stays blocked; what a shortcut can do is launch a permitted program with arbitrary arguments (for example powershell.exe, which lives under %SystemRoot% and is therefore allowed by the default rules). If you leave LNK out, make sure users cannot create or edit shortcuts.
- Double click “Designated File Types”
- Remove “LNK Shortcut” from the list and click OK
4: Enable policy
Now we need to enable the policy, or rather change the default security level from Unrestricted to Disallowed.
- Expand “Security Levels”
- Right-click “Disallowed” and choose “Set as Default”
- Click “Yes” to confirm; the default action is now Disallowed, so anything not matched by an Unrestricted rule is blocked
- Run gpupdate /force on a test machine, log on as a standard user, and confirm that an executable copied into the user's profile (the Desktop, say) refuses to run while programs under %SystemRoot% and %ProgramFiles% still work. Blocked launches are logged in the Application event log with source SoftwareRestrictionPolicies (event ID 865 for the default level, 866 for a path rule), which is also what you watch in production
Exceptions to allow execution of programs etc are added under “Additional Rules”. A rule can match by certificate, hash, network zone or path; hash rules take precedence over certificate rules, which beat path rules, which beat zone rules, and among path rules the more specific path wins. Be aware that the two default Unrestricted path rules cover all of %SystemRoot%, which contains directories standard users can write to (C:\Windows\Temp and C:\Windows\Tasks are the usual examples), so a deny-by-default policy that keeps those rules can be bypassed by copying a binary there. Add Disallowed path rules for such directories (the more specific path overrides the broader Unrestricted rule) and, for anything that must stay allowed, prefer hash or certificate rules over path rules.
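To check that the four steps above actually took effect on a client, here is an added PowerShell script; it is not part of the original guide. It reads the SRP settings from HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers (where both local and domain policy store them), prints the default level, scope, enforcement mode and whether LNK is still a designated type, lists every path rule at each level, and then walks the directories under each Unrestricted path rule to flag any that standard users can write to. The function names, the $Depth setting and the ACL heuristic are my own; the script assumes the policy has already applied (gpupdate /force) and that it runs in an elevated shell on PowerShell 5 or later.

```powershell
# Added example, not part of the original guide: audit what the four steps
# above left in the registry and flag Unrestricted path rules that resolve to
# directories a standard user can write to (the classic SRP bypass).
# Assumes the policy has already applied (gpupdate /force) and the shell is
# elevated so every ACL can be read. Function names and $Depth are my own.

$Base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
if (-not (Test-Path -Path $Base)) { throw "No SRP policy found at $Base" }
$ci = Get-ItemProperty -Path $Base

$LevelNames = @{ 0 = 'Disallowed'; 131072 = 'Basic User'; 262144 = 'Unrestricted' }
$ScopeNames = @{ 0 = 'All users'; 1 = 'All users except local administrators' }
$EnfNames   = @{ 0 = 'Not set'; 1 = 'All software files except libraries (DLLs)'; 2 = 'All software files' }

# A value that is absent behaves like the UI default for a freshly created policy.
$defaultLevel = if ($null -ne $ci.DefaultLevel)       { [int]$ci.DefaultLevel }       else { 262144 }
$scope        = if ($null -ne $ci.PolicyScope)        { [int]$ci.PolicyScope }        else { 0 }
$enforcement  = if ($null -ne $ci.TransparentEnabled) { [int]$ci.TransparentEnabled } else { 0 }
$types        = @($ci.ExecutableTypes)

"Default security level  : $($LevelNames[$defaultLevel])"
"Applies to              : $($ScopeNames[$scope])"
"Enforcement             : $($EnfNames[$enforcement])"
"LNK in designated types : $($types -contains 'LNK')"
if ($defaultLevel -ne 0) { Write-Warning 'Default level is not Disallowed; this is not deny-by-default.' }

function Resolve-SrpPath([string]$Item) {
    # SRP registry path rules look like %HKEY_LOCAL_MACHINE\Key\ValueName%\suffix;
    # the two default rules (SystemRoot, ProgramFilesDir) use this form.
    if ($Item -match '^%(HKEY_LOCAL_MACHINE|HKEY_CURRENT_USER)\\(.+)\\([^\\%]+)%(.*)$') {
        $hive = if ($Matches[1] -eq 'HKEY_LOCAL_MACHINE') { 'HKLM:' } else { 'HKCU:' }
        $keyPath, $valueName, $suffix = $Matches[2], $Matches[3], $Matches[4]
        $key = Get-ItemProperty -Path "$hive\$keyPath" -ErrorAction SilentlyContinue
        if ($key -and $key.$valueName) { $Item = "$($key.$valueName)$suffix" }
    }
    return [Environment]::ExpandEnvironmentVariables($Item)
}

# Everyone, Authenticated Users, BUILTIN\Users
$BroadSids = 'S-1-1-0', 'S-1-5-11', 'S-1-5-32-545'
$WriteBits = [int][System.Security.AccessControl.FileSystemRights]'CreateFiles, CreateDirectories'

function Test-UserWritable([string]$Dir) {
    # Heuristic: an Allow ACE on this folder that lets a broad principal create
    # files or subfolders. Deny ACEs and group nesting are not evaluated.
    $acl = Get-Acl -LiteralPath $Dir -ErrorAction SilentlyContinue
    if (-not $acl) { return $false }
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($ace.PropagationFlags -band [System.Security.AccessControl.PropagationFlags]::InheritOnly) { continue }
        $sid = try { $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value } catch { $null }
        if ($BroadSids -notcontains $sid) { continue }
        if (([int]$ace.FileSystemRights -band $WriteBits) -ne 0) { return $true }
    }
    return $false
}

# Path rules live under <level>\Paths\{GUID}, one subkey per rule.
$rules = foreach ($level in 0, 131072, 262144) {
    $pathsKey = Join-Path -Path $Base -ChildPath "$level\Paths"
    if (-not (Test-Path -Path $pathsKey)) { continue }
    foreach ($k in Get-ChildItem -Path $pathsKey) {
        $r = Get-ItemProperty -Path $k.PSPath
        [pscustomobject]@{
            Level       = $LevelNames[$level]
            Rule        = $r.ItemData
            Resolved    = Resolve-SrpPath $r.ItemData
            Description = $r.Description
        }
    }
}
$rules | Format-Table -AutoSize | Out-String -Width 200

# Walk a few directory levels under every Unrestricted path rule; a standard
# user who can drop an executable into any of them defeats the deny-by-default
# setting, because the rule allows everything beneath it.
$Depth = 2
$unrestricted = $rules | Where-Object { $_.Level -eq 'Unrestricted' -and $_.Resolved -notmatch '[*?]' }
foreach ($rule in $unrestricted) {
    if (-not (Test-Path -LiteralPath $rule.Resolved -PathType Container)) { continue }
    $dirs = @(Get-Item -LiteralPath $rule.Resolved) +
            @(Get-ChildItem -LiteralPath $rule.Resolved -Directory -Recurse -Depth $Depth -ErrorAction SilentlyContinue)
    foreach ($d in $dirs) {
        if (Test-UserWritable -Dir $d.FullName) {
            "WRITABLE by standard users under Unrestricted rule '$($rule.Rule)': $($d.FullName)"
        }
    }
}
```

After the steps above you expect Disallowed, "All users except local administrators", "All software files" and LNK reported as False. Every directory the last section prints is a candidate for a Disallowed path rule in “Additional Rules”; raise $Depth if you want to go deeper than two levels under %SystemRoot% and %ProgramFiles%, at the cost of a slower ACL walk.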