Austin Janey

@ajaney

Software Restriction Group Policy

Software Restriction Baseline
A guide for setting up Software Restrictions in Group Policy.

Under Enforcement Properties set "All software files except libraries (such as DLLs)" and "All users except local administrators" (which allows members of the local Administrators group to bypass the policy completely), and ignore certificate rules unless you plan to whitelist software via certificates. Certificate rules can be handy for allowing users to install some programs into AppData, such as Slack or certain video conferencing software.
Under Designated File Types remove .lnk files. Leaving this entry in the list can cause Start menu items to stop working, as well as all shortcuts to .exe files, which are now pervasive throughout the Windows operating system. The NSA document mentions this but addresses it by creating a rule to allow .lnk files; other sources recommend removing .lnk from the Designated File Types list instead, which seems to be the correct way to handle it.
Under Security Levels set the default level to Disallowed; this prevents software from running regardless of the access rights of the user.
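To confirm that the three settings above actually reached a workstation, the script below (an added example, not from the original post) reads the effective SRP settings from the local policy registry key and flags anything that differs from this baseline. It assumes the GPO has applied (run gpupdate /force first) and relies on the SRP registry layout under HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers: DefaultLevel for the security level, TransparentEnabled and PolicyScope for the two enforcement options, AuthenticodeEnabled for certificate rules, and ExecutableTypes for the Designated File Types list.

```powershell
# Added example: audit the local SRP settings against the baseline in this post.
function Get-SrpBaselineReport {
    [CmdletBinding()]
    param(
        # Local policy key that the SRP GPO writes to after gpupdate.
        [string]$Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
    )

    if (-not (Test-Path $Key)) {
        throw "No SRP policy found at $Key. Has the GPO applied? Try 'gpupdate /force'."
    }
    $p = Get-ItemProperty -Path $Key

    # Security Levels: 0 = Disallowed, 0x20000 = Basic User, 0x40000 = Unrestricted
    $levelNames   = @{ 0 = 'Disallowed'; 131072 = 'Basic User'; 262144 = 'Unrestricted' }
    # Enforcement, "apply to": 1 = all software files except libraries (DLLs), 2 = all software files
    $enforceNames = @{ 1 = 'All software files except libraries (such as DLLs)'; 2 = 'All software files' }
    # Enforcement, "apply to users": 0 = all users, 1 = all users except local administrators
    $scopeNames   = @{ 0 = 'All users'; 1 = 'All users except local administrators' }

    # Returns a readable name, or 'not set' when the value is absent (so a missing
    # DefaultLevel is not mistaken for 0 = Disallowed).
    function Describe([hashtable]$Names, $Value) {
        if ($null -eq $Value) { return 'not set' }
        $n = $Names[[int]$Value]
        if ($n) { $n } else { "unknown ($Value)" }
    }

    # ExecutableTypes is REG_MULTI_SZ; entries are stored as bare extensions (e.g. LNK).
    $types = @($p.ExecutableTypes) | ForEach-Object { "$_".TrimStart('.') }
    $lnkListed = [bool]($types -contains 'LNK')   # -contains is case-insensitive

    [pscustomobject]@{ Setting = 'Security Level (DefaultLevel)'
                       Value = Describe $levelNames $p.DefaultLevel
                       MatchesBaseline = ($null -ne $p.DefaultLevel -and [int]$p.DefaultLevel -eq 0) }
    [pscustomobject]@{ Setting = 'Enforcement: apply to (TransparentEnabled)'
                       Value = Describe $enforceNames $p.TransparentEnabled
                       MatchesBaseline = ($null -ne $p.TransparentEnabled -and [int]$p.TransparentEnabled -eq 1) }
    [pscustomobject]@{ Setting = 'Enforcement: users (PolicyScope)'
                       Value = Describe $scopeNames $p.PolicyScope
                       MatchesBaseline = ($null -ne $p.PolicyScope -and [int]$p.PolicyScope -eq 1) }
    # Baseline ignores certificate rules; flip the expected value to 1 if you whitelist by certificate.
    [pscustomobject]@{ Setting = 'Certificate rules (AuthenticodeEnabled)'
                       Value = $p.AuthenticodeEnabled
                       MatchesBaseline = ($null -ne $p.AuthenticodeEnabled -and [int]$p.AuthenticodeEnabled -eq 0) }
    [pscustomobject]@{ Setting = 'Designated File Types still lists LNK'
                       Value = $lnkListed
                       MatchesBaseline = (-not $lnkListed) }
}

Get-SrpBaselineReport | Format-Table -AutoSize
```

Run it in an elevated PowerShell on a machine in the target OU; any row with MatchesBaseline = False points at a setting that was either not configured in the GPO or is being overridden by another policy with a higher link order.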


Paths the NSA recommends restricting
These have been taken from the NSA document: https://apps.nsa.gov/iaarchive/library/reports/application-whitelisting-using-srp.cfm

%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%\Debug
%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%\PCHEALTH\ERRORREP
%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%\Registration
%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%\System32\catroot2
%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%\System32\com\dmp
%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%\System32\FxsTmp
%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%\System32\spool\drivers\color
%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%\System32\spool\PRINTERS
%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%\System32\spool\SERVERS
%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%\System32\Tasks
%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%\SysWOW64\com\dmp
%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%\SysWOW64\FxsTmp
%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%\SysWOW64\Tasks
%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%\Tasks
%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%\Temp
%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%\tracing


Paths the NSA recommends allowing
In the original document there is an invisible space right before "Windows"; be cautious of this. The line below has been corrected.

%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir (x86)%

Also allow SYSVOL so that any logon scripts you have will still run; without this rule, logon scripts will break.

\\%USERDNSDOMAIN%\Sysvol\

An alternate value for the x86 directory might be needed in certain versions of Windows; it is not needed for Windows 10. If the x86 exception listed by the NSA is causing difficulties, adding the line below might resolve them. This should not be necessary in most cases.

%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramW6432Dir%


Blocking the Windows Store and Xbox apps in Windows 10
Windows Store: blocking this prevents users from launching the Windows Store and thus from installing apps from it.

%programfiles%\WindowsApps\Microsoft.WindowsStore*

Xbox apps: Windows 10 ships with a couple of different Xbox applications. Removing them is problematic, but blocking them from running is not. This prevents users from downloading PC games or connecting to and streaming from Xbox systems on the network or outside it. (Microsoft is adding the ability to connect to a home Xbox in a future Xbox release.)

%programfiles%\WindowsApps\Microsoft.Xbox*
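The path lists above (the NSA restricted paths, the ProgramFilesDir (x86) and SYSVOL exceptions, and the Windows Store and Xbox entries) are easy to mistype when entering them one by one in the GPO editor, so the following added example (not part of the original post) compares the path rules a machine actually received with the rule set described here. It assumes the GPO has applied and uses the SRP registry layout where each path rule lives under CodeIdentifiers\<level>\Paths\{GUID} with its pattern in the ItemData value (level 0 = Disallowed, 262144 = Unrestricted). It also reads event ID 866 from the Application log, which SRP writes when it blocks an execution, so you can confirm the Disallowed rules are live.

```powershell
# Added example: verify the SRP path rules on this machine and show recent blocks.
$srpKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$sysRoot = '%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%'

# Expected Disallowed rules, copied from the lists in this post.
$expectedDisallowed = @(
    @('Debug', 'PCHEALTH\ERRORREP', 'Registration', 'System32\catroot2', 'System32\com\dmp',
      'System32\FxsTmp', 'System32\spool\drivers\color', 'System32\spool\PRINTERS',
      'System32\spool\SERVERS', 'System32\Tasks', 'SysWOW64\com\dmp', 'SysWOW64\FxsTmp',
      'SysWOW64\Tasks', 'Tasks', 'Temp', 'tracing') | ForEach-Object { "$sysRoot\$_" }
) + @(
    '%programfiles%\WindowsApps\Microsoft.WindowsStore*',
    '%programfiles%\WindowsApps\Microsoft.Xbox*'
)
# Expected Unrestricted rules (the ProgramW6432Dir variant is optional per the post, so it is not required here).
$expectedUnrestricted = @(
    '%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir (x86)%',
    '\\%USERDNSDOMAIN%\Sysvol\'
)

# Enumerates every path rule on the machine, one object per rule.
function Get-SrpPathRules {
    param([string]$Key = $srpKey)
    $levelNames = @{ 0 = 'Disallowed'; 131072 = 'Basic User'; 262144 = 'Unrestricted' }
    foreach ($level in 0, 131072, 262144) {
        $pathsKey = Join-Path $Key "$level\Paths"
        if (-not (Test-Path $pathsKey)) { continue }
        foreach ($rule in Get-ChildItem -Path $pathsKey) {
            $v = Get-ItemProperty -Path $rule.PSPath
            [pscustomobject]@{ Level = $levelNames[$level]; Path = [string]$v.ItemData; RuleId = $rule.PSChildName }
        }
    }
}

# Reports each expected rule as present or missing, plus any rule on the machine
# that is not in the expected set (the two Windows default Unrestricted rules will show here).
function Compare-SrpPathRules {
    param([string]$Key = $srpKey)
    $actual = @(Get-SrpPathRules -Key $Key)
    $expected = @()
    foreach ($p in $expectedDisallowed)   { $expected += [pscustomobject]@{ Level = 'Disallowed';   Path = $p } }
    foreach ($p in $expectedUnrestricted) { $expected += [pscustomobject]@{ Level = 'Unrestricted'; Path = $p } }

    # Match case-insensitively and ignore a trailing backslash, which the GPO editor may add or drop.
    $same = { param($a, $b) $a.TrimEnd('\') -ieq $b.TrimEnd('\') }

    foreach ($e in $expected) {
        $hit = $actual | Where-Object { $_.Level -eq $e.Level -and (& $same $_.Path $e.Path) }
        [pscustomobject]@{ Level = $e.Level; Path = $e.Path; Status = $(if ($hit) { 'present' } else { 'MISSING' }) }
    }
    foreach ($a in $actual) {
        $known = $expected | Where-Object { $_.Level -eq $a.Level -and (& $same $_.Path $a.Path) }
        if (-not $known) { [pscustomobject]@{ Level = $a.Level; Path = $a.Path; Status = 'not in baseline' } }
    }
}

# Recent SRP block events (ID 866, source SoftwareRestrictionPolicies, Application log).
function Get-SrpBlockEvents {
    param([int]$Newest = 20)
    Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'SoftwareRestrictionPolicies'; Id = 866 } `
        -MaxEvents $Newest -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Message
}

Compare-SrpPathRules | Sort-Object Level, Status | Format-Table -AutoSize
Get-SrpBlockEvents | Format-List
```

A MISSING row for a Disallowed path usually means a typo in the rule (the invisible-space problem noted above is one example), while a MISSING SYSVOL row explains broken logon scripts. Rows marked "not in baseline" are not necessarily wrong; the default Unrestricted rules for SystemRoot and ProgramFilesDir that Windows creates will always appear there.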


Other Considerations

