GPO: Software Restriction Policy

1 minute read

Description:

This was somewhat covered in CryptoPrevention but here is a more generic post on SRP’s

To Resolve:

  1. Create a GPO and go to: Computer Configuration\Policies\WindowsSettings\SecuritySettings\SoftwareRestrictionPolicies

    • Right click => create a new default
    • Enforcement => all users
    • Designated file types => remove url/lnk
    • Next Security Levels => Disallowed => Set as default => click okay on warning
    • Right click on additional rules => add path rule
    • Now just add paths like c:\windows, c:\program files, c:\program files (x86), and so on. These require admin rights for executable files to run so they should be safe.
    • Make sure to add any shares to file servers if users run portable programs from them.
    • As per my post linked, you would also want to blacklist certain paths:
      • %AppData%\*.exe => Disallowed => Prevent programs from running in AppData.
      • %AppData%\*\*.exe => Disallowed => Prevent virus payloads from executing in subfolders of AppData
      • %LocalAppData%\Temp\Rar\*\\*.exe => Disallowed => Prevent un-WinRARed executables in email attachments from running in the user space
      • %LocalAppData%\Temp\7z\*\\*.exe => Disallowed => Prevent un-7Ziped executables in email attachments from running in the user space
      • %LocalAppData%\Temp\wz\*\\*.exe => Disallowed => Prevent un-WinZIPed executables in email attachments from running in the user space
      • %LocalAppData%\Temp\*.zip\*.exe => Disallowed => Prevent unarchived executables in email attachments from running in the user space
  2. Whitelist any applications going forward. Check event ID 875 for blocked software (windows logs => application)

-----------------------------------------------------------
Spotted a mistake in this article? Why not suggest an edit!
Did you like the article? Donations are always welcome!
-----------------------------------------------------------

Comments