23 Replies. Latest reply on Oct 21, 2014 9:06 AM by Don Kim

    Win2003 Software Restriction policy

    Manas P



      I am looking for a compliance check of the software restriction policy on a Win2k3 server. This is available under Local Security Settings/Security Settings. When we do a live browse of any server, only Local Policies and Account Policies are available.




      Can anyone guide me on how to build compliance for software restriction policies? Even the standard compliance templates do not have any such thing.


      I think the only way we can achieve this is by using the extended object approach, or is there any other best way to do this?


      If we use the extended object approach, then how can we capture details for software restriction policies?

      Has anyone done this kind of use case before?

      Any suggestion would be greatly appreciated.




        • 1. Re: Win2003 Software Restriction policy
          Manas P

          I have tried using secpol.msc in EO but no luck.


          Bill Robinson, pls suggest...

          • 2. Re: Win2003 Software Restriction policy
            Joe Piotrowski

            I have noticed in the past that we do not capture all Security Settings as server properties in BSA. And "Software Restriction Policies" doesn't ring a bell with me. If you can use a Windows command from a cmd shell and output the information you're looking for as text to the screen, we can create an Extended Object or Configuration File for you to use for this purpose.


            secpol.msc won't help you here as an EXO.


            List a specific setting, and what you want to check against it, and we can help guide you on how to do this in BSA.

            • 3. Re: Win2003 Software Restriction policy
              Manas P

              Hi Joe,


              We are looking to build a compliance check around Software Restriction Policies (all settings like Enforcement, trusted publishers, designated file types, security levels, additional rules). As you rightly mentioned, we need to have a Windows command to fetch the required property values here, but I have failed to find any such command available.


              One of the requirements is that the Enforcement setting needs to be as below for any server to be compliant; otherwise it is non-compliant.



              In the same way we need to build compliance check for all other settings as well.

              • 4. Re: Win2003 Software Restriction policy
                Joe Piotrowski

                In my experience, this typically requires some research. I usually search for a security setting and "registry" or "command line" to determine if it's stored in the registry (almost always) and if there is a command line to spit out the value.


                For example, http://support.microsoft.com/kb/324036 references registry key:


                and whether it's set to 0 or 1 to see if certificate rules are turned on (1) or off (0).

                How Software Restriction Policies Work: Group Policy references keys:



                for software restriction policies.


                I will use a test server and turn the policies on and off, and go refresh the registry to see if I have the correct key, and how the values are changing. From there I can easily create compliance rules and remediation (optional).


                If you find a way to run a command and spit out the settings and their values, we can create an EXO to check those values as well.

                • 5. Re: Win2003 Software Restriction policy
                  Manas P

                  Can you pls help me write a single rule for Software Restriction Policies/Enforcement with the settings as shown in the last post? I am quite new to compliance, and handling the registry in a compliance rule looks even more complicated.

                  • 6. Re: Win2003 Software Restriction policy
                    Monoj Padhy

                    I am also looking for similar compliance rules to be built for 2k3 servers.


                    My requirement is to check if Unrestricted is selected for Software Restriction Policies\Security Levels, and if not, set it as part of remediation. Still in search of a solution to it.



                    Can you point to the exact registry settings here? There is nothing documented on Microsoft sites about which registry setting is to be used.




                    • 7. Re: Win2003 Software Restriction policy
                      Joe Piotrowski

                      Unfortunately I don't have a Windows Server 2003 in my local environment to test this out. Also, I think these are settings that get set by policy only, and I don't have an AD setup in my local environment either. I'll see if my customer has something I can look at when I have the time.

                      • 8. Re: Win2003 Software Restriction policy
                        Joe Piotrowski

                        This is the research you guys need to do.


                        First, do an internet search for what you're looking for. I did a search for:

                        "security settings software restriction policies enforcement all software files except libraries registry" and found:

                        How Software Restriction Policies Work: Group Policy


                        A couple of pages down it tells you where the registry keys are stored:



                        Now compare the settings in the GUI to the registry settings.



                        Now change a setting, refresh the Registry Editor, and see the changes.



                        And the next one.



                        And the last one.



                        From there, it's easy to create a Compliance Template, add those Registry Keys as Parts, and check the value of those parts to what matches above. Then verify this logic against some test servers set to different settings.

                        • 9. Re: Win2003 Software Restriction policy
                          Monoj Padhy

                          Bravo... Thanks Joe.

                          • 10. Re: Win2003 Software Restriction policy
                            Monoj Padhy

                            Here is another registry setting for Software Restriction Policy/Security Level:


                            Now change the value to Disallowed; the DefaultLevel value will be changed to 0.


                            Similarly, you can also try for other settings. I will do my research and try to find the reg settings for the others. Good luck and give it a try. If you are lucky, someone else may reply for the trusted publisher and additional rules settings.

                            • 11. Re: Win2003 Software Restriction policy
                              Manas P

                              Thanks, guys, for your assistance. Will try to find the registry settings for the others as you did.

                              • 12. Re: Win2003 Software Restriction policy
                                Manas P

                                The compliance rule shows non-compliant even if the correct value is set for the setting. The security setting is set to Unrestricted (meaning 40000), but it is showing that the current value is set to Disallowed (0). Am I doing anything wrong in writing the rule?




                                • 13. Re: Win2003 Software Restriction policy
                                  Monoj Padhy

                                  You need to modify the rule as follows:

                                  262144 is the integer equivalent of 40000 as a hex value.

                                  • 14. Re: Win2003 Software Restriction policy
                                    Monoj Padhy

                                    Trusted publishers


                                    You can change the value as per your requirement. Try changing the settings in the GUI and refresh the registry for the value and set accordingly.

                                    You will get 769 when you have the settings below.


                                    The default Additional Rules (Unrestricted) are as follows; similarly, you can add as many rules as you wish:


                                    •  %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%

                                    •  %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%\*.exe

                                    •  %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%\System32\*.exe

                                    •  %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir%

                                    Compliance rule:

                                    "Registry Value:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\windows\safer\codeidentifiers\262144\Paths\{d2c34ab2-529a-46b2-b293-fc853fce72ea}\ItemData"."String Value (Windows)"=%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir%
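As an added illustration of the checks worked out in replies 8, 13 and 14 (not code from any poster or from BSA): the script below parses the text that `reg query <key> /s` prints for the `safer\codeidentifiers` key, reads `DefaultLevel` as an integer so that the hex display `0x40000` correctly compares equal to the decimal 262144 from reply 13 rather than to 40000, and collects the `ItemData` of every path rule stored under `262144\Paths`. The `reg query` output is constructed for the example; the key path, the `DefaultLevel` values and the `ItemData` rule are taken from the thread.

```python
import re

# Constructed sample of `reg query <key> /s` output; it is not captured from a real server.
# Key path, DefaultLevel and the 262144\Paths\...\ItemData rule come from the thread above.
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\windows\safer\codeidentifiers
    DefaultLevel    REG_DWORD    0x40000

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\windows\safer\codeidentifiers\262144\Paths\{d2c34ab2-529a-46b2-b293-fc853fce72ea}
    ItemData    REG_EXPAND_SZ    %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir%
"""

SAFER_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\windows\safer\codeidentifiers"
UNRESTRICTED = 0x40000   # 262144 decimal: the GUI's "Unrestricted" security level
DISALLOWED = 0           # the GUI's "Disallowed" security level

VALUE_LINE = re.compile(r"^\s+(\S+)\s+(REG_\w+)\s+(.*)$")

def parse_reg_query(text):
    """Map each key path (lower-cased) to {value name: (type, data)}; REG_DWORD data becomes an int."""
    keys, current = {}, None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            current = line.strip().lower()
            keys[current] = {}
        elif current is not None:
            m = VALUE_LINE.match(line)
            if m:
                name, vtype, data = m.groups()
                # reg query prints DWORDs in hex (0x40000); compare as integers, not as text
                data = int(data, 16) if vtype == "REG_DWORD" else data.strip()
                keys[current][name] = (vtype, data)
    return keys

def default_level(keys):
    """Return DefaultLevel as an integer, or None if the value is absent."""
    entry = keys.get(SAFER_KEY.lower(), {}).get("DefaultLevel")
    return entry[1] if entry else None

def is_unrestricted(keys):
    # Comparing against decimal 40000 reports non-compliant on a correctly set server,
    # which is the mistake in reply 12; 0x40000 is 262144 decimal.
    return default_level(keys) == UNRESTRICTED

def path_rules(keys, level=UNRESTRICTED):
    """Collect the ItemData of every path rule defined at the given security level."""
    prefix = (SAFER_KEY + "\\%d\\paths\\" % level).lower()
    return {vals["ItemData"][1] for k, vals in keys.items()
            if k.startswith(prefix) and "ItemData" in vals}

if __name__ == "__main__":
    parsed = parse_reg_query(SAMPLE_REG_QUERY)
    print("DefaultLevel:", default_level(parsed), "unrestricted:", is_unrestricted(parsed))
    print("Path rules at Unrestricted:", path_rules(parsed))
```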



