Path rules match based on the file name and path. If multiple matches are found, then the most specific matching rule is applied. There are four types of rules, each of which uses different criteria for defining a matching file: path, hash, certificate and Internet zone. That would not stop the Python interpreter though, so you'd probably want to create a rule, under Additional Rules, to do that. For example, if you wanted to prohibit Python scripts from executing, you could add *.py as an executable type. To review or modify which files are considered executable, you can edit the Designated File Types policy. Software restriction policies only apply to executable files. Because Windows 7 and Server 2008 are not yet widely deployed in most organizations, we will not discuss AppLocker in this tip.Īs with other GPO items, you can access SRP by launching the Group Policy Editor, gpedit.msc SRP is located under Computer Configuration > Windows Settings > Security Settings. This revised control scheme is more flexible than SRP, but only applies to Windows 7 and Server 2008. Since SRPs are Group Policy Object-based, you can apply policies selectively across your network without having to deploy and maintain additional software.Īs of Windows 7 and Server 2008 R2, SRP has been replaced with AppLocker. Use AppLocker to block the execution of unwanted applications on endpoints.Īdditionally, using software restriction policies will be helpful for preventing the spread of virus and worm outbreaks (as long as the virus or worm does not use random naming to mask itself). Microsoft Windows 7 AppLocker enables administrators to automate rules generation, but proceed slowly to get a feel for its whitelisting capabilities. In environments where cataloging every allowed application is not feasible, you can still use SRP to deny specific software you want to prevent - known malware, P2P file sharing applications and remote control desktop applications such as VNC, for example. In an operating environment with minimal variation, you can configure SRP to only allow the execution of specific software, and every other application will be denied (default deny), even to system administrators.
0 Comments
Leave a Reply. |