Server Admin I Unit 8.9 App Restriction Policies Flashcards
Software Restriction Policies
Policies that allow an organization to control the applications that run on the computers in their environment.
Default Software Restriction Policies
There are no default policies. .exe files run based on NTFS file permissions.
Three Software Restriction “Security Levels”
- Unrestricted
- Disallowed
- Basic User
Unrestricted “Security Level”
All applications are allowed to run, except those specifically excluded.
Disallowed “Security Level”
All applications are prohibited, except those specifically excluded.
Basic User
All applications that standard users can run are allowed. All apps that require admin privilege are not allowed.
Four Software Restriction Rules
- Hash
- Certificate
- Network Zone
- Path
Hash Software Restriction Rule (2)
- Uses a digital fingerprint (file hash) to identify and restrict software usage.
- Very narrow in scope; can be defeated by using a different software version.
Certificate Software Restriction Rule (3)
- Uses the digital signature (certificate) of the software's publisher.
- Applies to all applications from specific publisher.
- Considered too broad in scope at times.
Network Zone Software Restriction Rule
Condition specifies where the application originated. Includes: Internet Zone, Intranet Zone, Restricted Sites, Trusted Sites, and Local Computer Zone.
Path Software Restriction Rule (4)
- Condition specifies a folder, file or a wildcard of files to restrict or allow execution.
- Path conditions are the least secure of all software restriction conditions.
- When using Path, use NTFS permissions to prevent users from copying .exe files to locations outside the scope of the path condition.
- If a folder is specified, the restriction applies to all programs within the folder.
AppLocker
Application Control Policies introduced with Windows 7 and Windows Server 2008 R2.
Benefits of AppLocker over Software Restrictions (5)
- Wizard can recommend rules based on folder contents.
- Policies can be applied to specific users or groups
- Policies can be applied to all versions of an app.
- Exceptions can be included in policies.
- Allows flexibility in identifying software to block.
AppLocker Rule Types (4)
- Executable
- Windows Installer
- Script
- Packaged App
Executable AppLocker Rule (2)
- Applies to files with .exe and .com extensions.
- Initial scope of the rule is Everyone.