Of the features in Windows Group Policy, most people probably use the "Administrative Templates" most heavily; the "Software Restriction Policies" node, I believe, sees far less use.
A well-built software restriction policy can stand comparison with some HIPS products. Combined with NTFS permissions and registry permissions, it lets you lock down the whole system. Because it is a built-in function of the operating system, it integrates seamlessly, adds essentially no CPU or memory overhead, and has no compatibility problems; and because it sits at the bottom of the system, its interception capability is unmatched by third-party software. The downside is that its settings are neither flexible nor intelligent: it never prompts the user, it simply allows or blocks. Let's take a comprehensive look at software restriction policies.
This series of articles will focus on the following aspects:
·Overview
·Additional rules and security levels
·Software restriction policy priority
·Rule assignment and inheritance
·How to write rules
·Example rules
This first part covers an overview of software restriction policies in Windows Group Policy, the additional rules, and the security levels.
1. Overview
Software restriction policies protect the computer environment from untrusted code by identifying which applications may run and which may not. Programs are identified in the policy by hash rules, certificate rules, path rules, and Internet zone rules. By default two security levels are available: "Unrestricted" and "Disallowed". This series mainly uses path rules and hash rules; path rules are the most flexible of the four, so unless stated otherwise, "rule" in the text below means a path rule.
2. Additional Rules and Security Levels
Additional Rules
When using software restriction policies, the following rule types are used to identify software:
· Certificate Rules
Software restriction policies can identify a file by the certificate it is signed with. Certificate rules cannot be applied to files with an .exe or .dll extension; they can be applied to scripts and Windows Installer packages. You create a certificate rule that identifies the software, and the rule's security level then decides whether that software is allowed to run.
·Path Rules
Path rules identify a program by its file path. Because the rule is tied to the path, it no longer applies once the program is moved. Environment variables such as %ProgramFiles% or %SystemRoot% can be used in path rules, and the wildcards * and ? are supported. A path rule is only as strong as the NTFS permissions on that path: if users can write to a folder covered by an "Unrestricted" rule, they can place their own programs there and run them, so allowed paths must be ones that ordinary users cannot write to.
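The following PowerShell is an added example, not code from the original article. It models how a path rule matches (environment variables expanded, a rule naming a folder covering everything below it, * and ? behaving like PowerShell's -like operator; these matching semantics are a simplified assumption), and then performs the check a practitioner wants before trusting an "Unrestricted" path rule: does any low-privilege principal hold write rights on that folder? The list of low-privilege principals is the example's own choice.

```powershell
# Added example (not from the original article). Simplified model of SRP path-rule
# matching plus an ACL audit of the folders that allow rules point at.
# Assumptions: matching is case-insensitive, a folder rule covers its subtree, and
# wildcards behave like -like. The principal list below is this example's choice.

function Test-SrpPathRuleMatch {
    param([Parameter(Mandatory)][string]$Rule, [Parameter(Mandatory)][string]$FilePath)
    # Environment variables such as %ProgramFiles% are expanded as in a real path rule.
    $expanded = [Environment]::ExpandEnvironmentVariables($Rule).TrimEnd('\')
    if ($expanded -match '[*?]') {
        # Wildcard rule: match the whole path, or anything below a matching folder.
        return ($FilePath -like $expanded) -or ($FilePath -like "$expanded\*")
    }
    # Plain rule: the exact file, or a file that lives below the rule's folder.
    return ($FilePath -ieq $expanded) -or
           $FilePath.StartsWith("$expanded\", [StringComparison]::OrdinalIgnoreCase)
}

$LowPrivPrincipals = 'BUILTIN\Users', 'Everyone', 'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE'
$WriteRights = [Security.AccessControl.FileSystemRights]'CreateFiles, AppendData, WriteData, Modify, FullControl'

function Get-SrpWritableAllowedPaths {
    # For each allow (Unrestricted) path rule, reports the folder when a low-privilege
    # principal has an Allow ACE granting any write right. Such a folder lets a user
    # drop their own program into an allowed location and run it despite a
    # "Disallowed" default level.
    param([Parameter(Mandatory)][string[]]$AllowedRules)
    foreach ($rule in $AllowedRules) {
        # Strip everything from the first wildcard on, leaving the folder to inspect.
        $folder = ([Environment]::ExpandEnvironmentVariables($rule) -replace '[*?].*$', '').TrimEnd('\')
        if (-not (Test-Path -LiteralPath $folder)) { continue }
        $acl = Get-Acl -LiteralPath $folder
        foreach ($ace in $acl.Access) {
            $grantsWrite = ([int]$ace.FileSystemRights -band [int]$WriteRights) -ne 0
            if ($ace.AccessControlType -eq 'Allow' -and $grantsWrite -and
                $LowPrivPrincipals -contains $ace.IdentityReference.Value) {
                [pscustomobject]@{
                    Rule      = $rule
                    Folder    = $folder
                    Principal = $ace.IdentityReference.Value
                    Rights    = $ace.FileSystemRights
                }
            }
        }
    }
}

# Matching model on constructed paths (the files need not exist).
Test-SrpPathRuleMatch -Rule '%ProgramFiles%'          -FilePath "$env:ProgramFiles\Vendor\app.exe"
Test-SrpPathRuleMatch -Rule '%SystemRoot%\Temp\*.exe' -FilePath "$env:SystemRoot\Temp\dropped.exe"
Test-SrpPathRuleMatch -Rule '%ProgramFiles%'          -FilePath "$env:USERPROFILE\Downloads\app.exe"

# The audit: typical allow rules, checked for user-writable folders. %SystemRoot%\Temp
# is included precisely because users can usually create files there.
Get-SrpWritableAllowedPaths -AllowedRules '%SystemRoot%', '%ProgramFiles%', '%SystemRoot%\Temp' |
    Format-Table -AutoSize
```

Any row the audit returns is a folder where a path-based allow rule and the NTFS permissions disagree; either tighten the ACL or replace the broad path rule with narrower path rules or hash rules for that location.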
·Hash Rules
A hash is a fixed-length sequence of bytes that uniquely identifies a program or file; it is computed by a hash algorithm. Software restriction policies can identify a file by its SHA-1 (Secure Hash Algorithm) or MD5 hash. Because the hash depends only on the file's contents, a renamed file, or one moved to another folder, has the same hash.
For example, you can create a hash rule with the security level "Disallowed" to prevent users from running a specific file; renaming or moving the file does not help them, since the hash is unchanged. The weakness is the converse: any change to the file's contents, even a single byte, changes its hash, so the modified file no longer matches the rule and the restriction is bypassed. Hash rules therefore work well as an allow-list of known-good files and poorly as a block-list. Note also that MD5 and SHA-1 are both broken against collision attacks, which matters when hash rules serve as an allow-list. The software restriction policy matches only hashes that were computed by the software restriction policy itself when the rule was created.
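The following PowerShell is an added example, not code from the original article. It demonstrates the two properties just described on a constructed sample file: the MD5 or SHA-1 hash a rule would store survives a rename and a move, and a one-byte change to the contents defeats a "Disallowed" hash rule. It assumes a writable %TEMP% and PowerShell 4.0 or later (for Get-FileHash).

```powershell
# Added example (not from the original article). Shows why a hash rule survives a
# rename or move but not a change to the file's contents.
# Assumptions: a writable %TEMP%; Get-FileHash is available (PowerShell 4.0+).
$work = Join-Path $env:TEMP ("srp-hash-demo-" + [guid]::NewGuid())
New-Item -ItemType Directory -Path $work | Out-Null
New-Item -ItemType Directory -Path (Join-Path $work 'moved') | Out-Null

# Constructed sample "program": the content is all that matters for the hash.
$original = Join-Path $work 'tool.exe'
[IO.File]::WriteAllBytes($original, [Text.Encoding]::ASCII.GetBytes('MZ constructed sample payload'))

function Get-SrpStyleHash {
    # Hash rules (per the article) match on the MD5 or SHA-1 of the file contents;
    # the file name and its location play no part.
    param([Parameter(Mandatory)][string]$Path,
          [ValidateSet('MD5', 'SHA1')][string]$Algorithm = 'SHA1')
    (Get-FileHash -Path $Path -Algorithm $Algorithm).Hash
}

# What the snap-in would store when the Disallowed hash rule is created.
$ruleHash = Get-SrpStyleHash -Path $original

# 1. Rename: same hash, so the Disallowed rule still applies.
$renamed = Join-Path $work 'harmless.scr'
Rename-Item -Path $original -NewName 'harmless.scr'
"Renamed  still matches rule: $((Get-SrpStyleHash -Path $renamed) -eq $ruleHash)"

# 2. Move: still the same hash.
$moved = Join-Path $work 'moved\harmless.scr'
Move-Item -Path $renamed -Destination $moved
"Moved    still matches rule: $((Get-SrpStyleHash -Path $moved) -eq $ruleHash)"

# 3. Tamper: appending one byte changes the hash, so the Disallowed hash rule
#    no longer matches. This is the bypass the article warns about.
$tampered = Join-Path $work 'moved\harmless-2.scr'
Copy-Item -Path $moved -Destination $tampered
[byte[]]$bytes = [IO.File]::ReadAllBytes($tampered) + [byte]0x00
[IO.File]::WriteAllBytes($tampered, $bytes)
"Tampered still matches rule: $((Get-SrpStyleHash -Path $tampered) -eq $ruleHash)"

Remove-Item -Recurse -Force $work
```

The first two lines of output report True and the third False, which is the whole argument for using hash rules to allow a fixed set of known binaries rather than to forbid a known-bad one.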
·Internet Zone Rules
Zone rules apply only to Windows Installer packages. A zone rule identifies software by the Internet Explorer zone it came from: Internet, Local computer, Local intranet, Restricted sites, and Trusted sites.
The rules above affect only the file types listed under "Designated File Types". The system keeps one list of designated file types, shared by all rules.
Default list
By default the list contains: ADE ADP BAS BAT CHM CMD COM CPL CRT EXE HLP HTA INF INS ISP LNK MDB MDE MSC MSI MSP MST OCX PCD PIF REG SCR SHS URL VB WSC. Ordinary non-executable files such as TXT, JPG or GIF are therefore unaffected. If you consider another extension a threat, you can add it here; if you consider a listed extension harmless, you can remove it.
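The following PowerShell is an added example, not code from the original article. It shows which files in a folder are even subject to software restriction policy rules, using the designated file types. It assumes that, once a policy has been defined, the effective list is stored as the REG_MULTI_SZ value "ExecutableTypes" under HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers, and falls back to the default list from the article when that value is absent. Note from the constructed sample that .ps1 is not on the default list, and that the check is by extension only.

```powershell
# Added example (not from the original article). Reports which files SRP rules would
# be consulted for, based on the Designated File Types list.
# Assumption: the effective list lives in the REG_MULTI_SZ value "ExecutableTypes"
# under the policy key below; if it is missing, the article's default list is used.

$SrpKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$DefaultDesignatedTypes = 'ADE','ADP','BAS','BAT','CHM','CMD','COM','CPL','CRT','EXE','HLP',
                          'HTA','INF','INS','ISP','LNK','MDB','MDE','MSC','MSI','MSP','MST',
                          'OCX','PCD','PIF','REG','SCR','SHS','URL','VB','WSC'

function Get-SrpDesignatedTypes {
    # Returns the extensions (upper-case, no dot) that SRP rules are applied to.
    $fromPolicy = $null
    if (Test-Path $SrpKey) {
        $fromPolicy = (Get-ItemProperty -Path $SrpKey -Name ExecutableTypes -ErrorAction SilentlyContinue).ExecutableTypes
    }
    if ($fromPolicy) { $fromPolicy | ForEach-Object { $_.ToUpperInvariant() } }
    else             { $DefaultDesignatedTypes }
}

function Test-SrpDesignatedType {
    # True when the file's extension is on the list, i.e. path/hash rules can affect it.
    # SRP looks at the extension only, not at the file's real format.
    param([Parameter(Mandatory)][string]$Path,
          [string[]]$Types = (Get-SrpDesignatedTypes))
    $ext = [IO.Path]::GetExtension($Path).TrimStart('.').ToUpperInvariant()
    ($ext -ne '') -and ($Types -contains $ext)
}

function Get-SrpCoverageReport {
    # Lists every file below $Folder and whether SRP rules would be consulted for it.
    param([Parameter(Mandatory)][string]$Folder)
    $types = Get-SrpDesignatedTypes
    Get-ChildItem -Path $Folder -File -Recurse | ForEach-Object {
        [pscustomobject]@{
            File     = $_.FullName
            Governed = Test-SrpDesignatedType -Path $_.FullName -Types $types
        }
    }
}

# Constructed demonstration folder: a mix of designated and non-designated extensions.
$demo = Join-Path $env:TEMP ("srp-types-demo-" + [guid]::NewGuid())
New-Item -ItemType Directory -Path $demo | Out-Null
foreach ($name in 'setup.exe', 'macro.vb', 'run.cmd', 'link.lnk', 'notes.txt', 'photo.jpg', 'script.ps1') {
    Set-Content -Path (Join-Path $demo $name) -Value 'constructed sample'
}
Get-SrpCoverageReport -Folder $demo | Format-Table -AutoSize
Remove-Item -Recurse -Force $demo
```

Run the report against a real folder to see what a policy silently ignores; any extension you find there that can carry executable content is a candidate for adding to the designated file types list.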