As the use of the Internet, the Internet, and e-mail in business computing is increasing, users find that they often encounter new software. Users must constantly make decisions about whether to run unknown software. Viruses and Trojan horses often deliberately pretend to deceive users' operations. To make users safer choice to determine the program should be run is very difficult, at this time you need to use software restriction policies in Windows today to explain the magical effect of it for everyone.
1, Overview
use software restriction policies, by identifying which applications are allowed to run and specify, you can protect your computer environment from untrusted intrusion code. Through hash rules, certificate rules, path rules, and Internet zone rules, programs can be identified in policies. By default, the software can run on two levels: "unrestricted" and "not allowed". In this paper, we mainly use path rules and hash rules, while path rules are the most flexible in these rules, so if there is no special description in the following text, all rules refer to path rules.
2, additional rules and security levels
additional rules
when using the software restriction policy, use the following rules to identify software:
certificate rules
software restriction policies can be identified by its file-signed certificate. Certificate rules cannot be applied to files with an .exe or .dll extension. They can be applied to scripts and Windows installation packages. You can create a certificate that identifies the software and then decide whether to allow the software to run based on the security level settings.
path rule
path rule is identified by its file path to the program. Since this rule is specified by path, the path rule will be invalid after the program moves. Environment variables such as %programfiles% or %systemroot% can be used in path rules. Wildcards are also supported by path rules, and the supported wildcards are * and ?.
hash hash rule is a series of fixed-length byte that uniquely identifies a program or file. The hash is calculated by the hash algorithm. Software restriction policies can be identified by SHA-1 (Secure Hash Algorithm) and MD5 Hash Algorithm based on the hash of the file. Renamed files or files moved to other folders will produce the same hash.
example, you can create a hash rule and set the security level of certain documents "not allowed" to prevent users from running. Files can be renamed or moved to other locations and still produce the same hash. However, any tampering with the file will change its hash value and allow it to bypass the limit. The software restriction policy will only identify those hashes that have been calculated using the software restriction policy.
Internet zone rule
zone rule applies only to Windows Installer packages. Regional rules can identify software from the designated area of Internet Explorer. These areas are the Internet, local computers, local intranets, restricted sites, and trusted sites. File type affected
above rules only those types of "Designated file types" listed. The system has a list of specified file types that are shared by all rules. By default, the file types in the list include: ADADEDPBASBATCHMCMDCOMCPLCRTEXEHLPHTAINFINSISPLNKMDBMDEMSCMSIMSPMSTOCXPCDPIFREGSCRSHSURLVBWSC, so for normal non-executable files, such as TXTJPGGIF these are not affected, if you think there are any extended files that are threatening, you can also add them here. , or which extensions you think are non-threatening, you can also remove them.
security level for software restriction policies, by default, the system provides us with two levels of security: "unlimited" and "impermissible"
Note:
"allowed" does not contain any level of file protection operations. You can read, copy, paste, modify, delete, etc. a file that is set to "not allowed". Group Policy will not be blocked. Of course, your user level has the right to modify the file. The level does not mean that it is completely unrestricted, but is not subject to the additional restrictions of the software restriction policy. In fact, when the "unrestricted" program starts, the system will give the program's parent process permission. The access token obtained by the program is determined by its parent process, so the permissions of any program will not exceed its The parent process.
But in fact, there are three levels in default is hidden away, we can be manually turned on by modifying the registry of the other three levels, open the Registry Editor, expand to:
< BR> HKEY_LOCAL_MacHINESOFTWAREPolicIEsMicrosoftWindows
SaferCodeIdentifIErs
a new DOWRD, named Levels, the value 0x4131000 (sixteen ten made 4.131 million) to re-open gpedit.msc been created after
We will see that the other three levels are now open.
highest authority
not limited, but it is not entirely unrestricted, but "software access is determined by the user's access rights" that inherited the parent process Permissions.
basic user
basic user privileges enjoyed only "Bypass traverse checking" and denied access to administrator privileges.
limited
more restrictive than the basic user, but also privileged "Bypass traverse checking" in.
distrust
allowed on system resources, user access to resources, a direct result of the program will not run.
unconditionally allowed to perform or stop the program file is opened
can be sorted according to size permission: Unrestricted & gt; Basic User & gt; limited >Untrusted> Not allowed