How Software Restriction Policies Work

By Author: Mike Jones
Total Articles: 256
Comment this article

When a user encounters an application to be run, software restriction Project+ policies must first identify the software. Software can be identified by its
Hash, a series of bytes with a fixed length that uniquely identify a program or file
Certificate, a digital document used for authentication and secure exchange of information on open networks, such as the Internet, extranets, and intranets
Path, a sequence of folder names that specifies the location of the software within the directory tree
Internet zone, a subtree specified through Microsoft Internet Explorer: Internet,
Intranet, Restricted Sites, Trusted Sites, or My Computer

Software restriction policies identify and control the running of software by using rules. There are four types of rules, which correspond to the four ways of identifying software: a hash rule, a certificate rule, a path rule, and an Internet zone Rile. These rules override the default security level. After software is identified by using a rule, you can decide whether or not to allow it to run by setting a security level ...
... (Disallowed or Unre?stricted) for the program associated with the rule.
Hash Rule A hash is a series of bytes with a fixed length that uniquely identify a comptia certification training program or file. The hash is computed by a hash algorithm. Software restriction policies can identify files by their hash, using both the SHA-1 (Secure Hash Algorithm) and the MD5 hash algorithm. For example, you can create a hash rule and set the security level to Disallowed to prevent users from running a certain file. A file can be renamed or moved to another folder and still result in the same hash. However, any change to the file changes its hash value and allows it to bypass restrictions. Software restriction pol?icies recognize only hashes that have been calculated by using such policies.
Certificate Rule A certificate rule identifies software by its signing certificate. For example, you can use certificate rules to automatically trust software from a trusted source in a domain without prompting the user. You can also use certificate rules to run files in disallowed areas of your operating system.
Path Rule A path rule identifies software by its file path. For example, if you have a computer that has a disallowed default policy, you can still grant unrestricted access to a specific folder for each user. Simply create a path rule using the file path and set the security level of the path rule to Unrestricted. Some common paths for this type of rule are %Userprofile%, %Windir%, %Appdata%, %Programfiles%, and %Temp%. Because these rules are specified by path, if a program is moved, the path rule no longer applies. You can also create registry path rules that use the registry key of the software as the path.
Internet Zone Rule Internet zone rules apply only to Linux+ Installer packages. A zone rule can identify software from a zone that is specified through Internet Explorer. These zones are Internet, Intranet, Restricted Sites, Trusted Sites, and My Computer.