Software Restriction Policies
A Software Restriction Policy can help to control users’ running of untrusted applications and code. It is clear that most viruses are introduced into the computing environment when users run unauthorized applications and open email attachments. With software restrictions, these undesired applications and code can be eliminated. The following is a listing of some of the controls these policies provide:
Untrusted code is prevented from sending email, accessing files, or performing other normal computing functions until verified as safe.
Protection is provided against infected email attachments. This includes file attachments that are saved to a temporary folder as well as embedded objects and scripts.
ActiveX controls downloaded from the Web are monitored, and neutralized if necessary.
Software restriction policies can be used on a standalone computer by configuring the Local Security Policy.
Two Types of Software Restriction Policies
Software restriction policies can be applied at two security levels:
Unrestricted—Let only trusted code run. If all trusted code can be identified, the administrator can effectively lock down the system. The following are examples of where to apply a "let only trusted code run" policy:
Disallowed—Prevent unwanted code from running. In some cases, an administrator cannot predict the entire list of software that users will need to run. In these cases, the administrator can only react and identify undesirable code as it is encountered. Companies with loosely managed clients fall into this model. The following scenarios are examples of this case:
Lightly managed personal computers
Moderately managed personal computers
Software Identification Rules
An administrator identifies software through one of the following rules:
Hash rule—A Software Restriction Policy’s MMC snap-in allows an administrator to browse to a file and identify that program by calculating its hash. A hash is a digital fingerprint that uniquely identifies a program or file. A file can be renamed or moved to another folder or computer and it will still have the same hash.
Path rule—A path rule can identify software by a full pathname, such as C:\Program Files\Microsoft Office\Office\excel.exe or by the pathname leading to the containing folder, such as C:\Windows\System32. (This would refer to all programs in that directory and its subdirectories.) Path rules can also use environment variables, such as %userprofile%\Local Settings\Temp.
Certificate rule—A certificate rule identifies software by the publisher certificate used to digitally sign the software. For example, an administrator can configure a certificate rule that allows only software signed by Microsoft or its IT organization to be installed.
Zone rule—A zone rule identifies software that comes from the Internet, local intranet, trusted sites, or restricted sites zones.
Integration with Microsoft Passport via the Internet
A .NET Passport (also referred to as a Microsoft Passport) provides you with personalized access to Passport-enabled services and websites by using your email address. Passport implements a single sign-in service that enables you to create a single username and password. You can obtain a .NET Passport through the .NET Passport Wizard in User Accounts, shown in Figure 3.7. The .NET Passport Wizard helps you to obtain a .NET Passport or sign in with a Passport you already have. You will be required to configure a .NET Passport when you attempt to use the Windows Messenger application.
Figure 3.7 Microsoft .NET Passport Wizard.