Software restriction policies



Knox
07-09-2005, 11:53 PM
Hi,
I'm trying to understand and implement software restriction policies. One
thing I don't understand is why by default a file type of LNK is considered
executable, or more accurately, a Designated File Type in the Software
restriction policy. That means if I configured a path rule so that only the
Windows directory and the Program Files directory can execute, then all the
shortcuts on the desktop would break, perhaps even the ones in the start
menu.

I'm considering either removing the LNK from the Designated File list or
making a path rule that would allow LNK's in certain paths. What is the
best practice for LNK's with software restrictions?

On a related note, is this list of designated file types the same list that
Outlook Express and other programs use to determine if it is a high risk
file to prevent downloading? If so, I wouldn't want to remove LNK from the
list, because I don't want to open LNK's to come from outside our network.

Thanks,


Knox

Steven L Umbach
07-09-2005, 11:53 PM
The more secure option would be to use path or hash rules to include the
desktop shortcuts as permitted content, particularly if you are going to use
default unrestricted security level. If you have not seen the link below on
SRP it is a good read. --- Steve

http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/rstrplcy.mspx


Knox
07-09-2005, 11:53 PM
Thank you very much. I had seen that article several months ago, but when I
searched recently I only came across inferior information. I plan to
configure the default as disallowed.


Knox



Steven L Umbach
07-09-2005, 11:53 PM
If the default security level will be disallowed then you may simply want to
exempt lnk files if it proves to be problematic configuring the SRP as most
likely any shortcut that does not point to an allowed program will be denied
anyhow. --- Steve



Knox
07-09-2005, 11:53 PM
I think that's what I will do, since links are spread all over the place,
start menu, desktop, toolbars, all-user desktop, etc.

Thanks for your feedback, Steve


Knox



lecter
07-09-2005, 11:53 PM
How about allowing the "documents and settings" directory to be executed?

__
Lecter
- "Trust No One!"

Steven L Umbach
07-09-2005, 11:53 PM
That is generally not a good idea because that is the one place where by
default users have full control permissions and will try to install
applications or copy executables. A path rule to specific folders in their
profile or all users profile folder for *.lnk files may be workable and
maybe that is what you meant. --- Steve


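
A read-only audit of the settings discussed in the replies above: whether LNK is still a designated file type, what the default level is, and whether any Unrestricted path rule opens a user-writable profile folder. This is an added example, not part of the original thread; it assumes machine-level policy under the standard SRP registry key, and the list of user-writable path fragments is an assumption to adjust.

```powershell
# Added example: read-only audit of the machine-level SRP configuration.
# The $userWritable fragments below are illustrative assumptions.
$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
if (-not (Test-Path $base)) {
    Write-Output 'No machine-level SRP policy is configured.'
    return
}

$policy = Get-ItemProperty -Path $base
$levels = @{ 0 = 'Disallowed'; 262144 = 'Unrestricted' }

# Default security level: 0 = Disallowed, 262144 (0x40000) = Unrestricted.
$defaultLevel = if ($null -eq $policy.DefaultLevel) { '(not set)' }
                else { $levels[[int]$policy.DefaultLevel] }
Write-Output "Default security level  : $defaultLevel"

# Designated File Types are stored as a multi-string of bare extensions.
$lnkDesignated = @($policy.ExecutableTypes) -contains 'LNK'
Write-Output "LNK is a designated type: $lnkDesignated"

# Path rules live under <level>\Paths\{GUID}; ItemData holds the rule path.
# Read it unexpanded so %VARIABLE% rules are reported as written.
$rules = foreach ($level in $levels.Keys) {
    $pathsKey = Join-Path $base "$level\Paths"
    if (Test-Path $pathsKey) {
        Get-ChildItem $pathsKey | ForEach-Object {
            [pscustomobject]@{
                Level = $levels[$level]
                Path  = $_.GetValue('ItemData', $null, 'DoNotExpandEnvironmentNames')
            }
        }
    }
}
$rules | Sort-Object Level, Path | Format-Table -AutoSize

# Flag Unrestricted rules that open a whole user-writable profile tree
# instead of only shortcuts (*.lnk) in specific folders.
$userWritable = 'Documents and Settings', '%USERPROFILE%', '%APPDATA%', '\Users\'
$rules | Where-Object { $_.Level -eq 'Unrestricted' -and $_.Path -notlike '*.lnk' } |
    Where-Object { $p = $_.Path; $userWritable | Where-Object { $p -like "*$_*" } } |
    ForEach-Object { Write-Warning "Broad rule in user-writable location: $($_.Path)" }
```

The script only reads the registry; per-user policy under HKCU is not covered.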

lecter
07-09-2005, 11:53 PM
I have read the link below:
http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/rstrplcy.mspx
and started to script my own policies.
Now what I want to do is forbid all exe files from running under
drive F:
My script is
F:\*.exe Disallowed
but it failed to work!
And the following line works
F:\Folder\*.exe Disallowed
We can't disallow the root directory?

__
Lecter
- "Trust No One!"

