Microsoft Windows Server 2003 Software Restriction Policies (824526)



The information in this article applies to:

  • Microsoft Windows Server 2003, 64-Bit Enterprise Edition
  • Microsoft Windows Server 2003, 64-Bit Datacenter Edition
  • Microsoft Windows Server 2003, Enterprise Edition
  • Microsoft Windows Server 2003, Datacenter Edition
  • Microsoft Windows Server 2003, Standard Edition
  • Microsoft Windows Server 2003, Web Edition

INTRODUCTION

Software Restriction Policies (also known as SAFER) was introduced in Microsoft Windows XP and is now available with Windows Server 2003. By using SAFER, you can prevent the execution or installation of unauthorized programs on Microsoft Windows Server 2003. You can also control which programs are installed on the servers and workstations in your environment, which helps create a more supportable infrastructure. This article describes how software restriction policies are implemented internally, the structures and application programming interfaces (APIs) that are used, and the components that implement these interfaces.

MORE INFORMATION

By using SAFER, administrators can define which programs are permitted to run on a target system and which are disallowed. The configuration is deployed through Group Policy objects and stored in the registry (HKLM for computer policy and HKCU for user policy).

Administrators start by deciding on a default rule: Unrestricted or Disallowed. They then create exceptions (SAFER Rules) to this default. For example, if the default rule is set to Disallowed and the administrator wants to allow Notepad to run, the administrator creates a SAFER Rule that allows it by using one of the four rules for identifying software.

These rules include Hash, Certificate, Path, and Zone. When you start a program, the default rule is examined together with the identification rules to find any exception to the default rule. If an exception is found, the program is either permitted to run or not permitted to run, depending on the rules that are defined.
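The following simplified model of that evaluation is an added example, not Microsoft's code, and covers only Hash and Path rules. The precedence it applies (a hash rule is checked before path rules, and the most specific path rule wins) is documented SAFER behavior that this article does not spell out. SHA-256 stands in for the stored hash, and the policy, paths and file contents are constructed.

```python
import hashlib
import ntpath

DISALLOWED, UNRESTRICTED = "Disallowed", "Unrestricted"

# Constructed file contents and policy; none of these values come from a real system.
NOTEPAD = b"constructed notepad image"
TAMPERED = b"constructed tampered image"
POLICY = {
    "default": DISALLOWED,  # the default security level
    "hash_rules": {hashlib.sha256(TAMPERED).hexdigest(): DISALLOWED},
    "path_rules": [
        (r"C:\WINDOWS\system32\notepad.exe", UNRESTRICTED),
        (r"C:\Program Files", UNRESTRICTED),
        (r"C:\Program Files\Legacy", DISALLOWED),
    ],
}


def path_rule_matches(rule_path, file_path):
    """True if the rule names the file itself or a folder above it (case-insensitive)."""
    rule = ntpath.normcase(ntpath.normpath(rule_path))
    target = ntpath.normcase(ntpath.normpath(file_path))
    return target == rule or target.startswith(rule.rstrip("\\") + "\\")


def evaluate(policy, file_path, file_bytes):
    """Return (security level, reason) for one program launch."""
    # 1. A hash rule identifies the file by content, wherever it is stored.
    digest = hashlib.sha256(file_bytes).hexdigest()
    if digest in policy["hash_rules"]:
        return policy["hash_rules"][digest], "hash rule"
    # 2. Path rules: the longest (most specific) match wins; a tie goes to Disallowed.
    matches = [(r, lvl) for r, lvl in policy["path_rules"] if path_rule_matches(r, file_path)]
    if matches:
        rule, level = max(
            matches, key=lambda m: (len(ntpath.normpath(m[0])), m[1] == DISALLOWED)
        )
        return level, "path rule " + rule
    # 3. No exception matched, so the default security level applies.
    return policy["default"], "default level"


if __name__ == "__main__":
    for path, data in [(r"C:\WINDOWS\system32\notepad.exe", NOTEPAD),
                       (r"C:\WINDOWS\system32\notepad.exe", TAMPERED),
                       (r"C:\Program Files\Legacy\app.exe", NOTEPAD),
                       (r"C:\Tools\other.exe", NOTEPAD)]:
        print(path, *evaluate(POLICY, path, data))
```
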

A software restriction policy includes the following set of objects:
  • A pre-defined set of security levels
  • A default security level
  • A set of additional rules. Additional rules are exceptions to the default security rule. Each rule defines a program or a set of programs and associates it with a security level.
  • Policy options

For additional information about deploying Software Restriction Policies in Windows Server 2003, click the following article number to view the article in the Microsoft Knowledge Base:

324036 How to use software restriction policies in Windows Server 2003


Modification Type: Major
Last Reviewed: 5/12/2004