3.1 Creating Software Restriction Policies Including Architecture, Hash Rules, etc.
Hi there, I am [brief intro] and in this tutorial video I am going to talk about Software Restriction Policies through GPM. Before we proceed with the tutorial, let’s first discuss what it is. A Software Restriction Policy limits the access of a client or user to specific software. You can even prevent users from opening .exe files, for example, by applying this policy to a specific group of users or OU. You can also use this policy to prevent users from accessing certain software on the system, such as playing games, using social media or anything else that is non-productive during working hours. Now there are two more terms you should be familiar with before we can proceed with the tutorial. A hash rule is a rule created to analyze a piece of software: it uses, you could say, the footprint of the software to recognize it. For instance, you can use it to tell whether a certain piece of software was used or modified by a certain user. Note that renaming a program doesn’t change its footprint, and hence the rule is still able to detect it. We will be using a hash rule in our software restriction policy to ensure we can track whether a user tries to access one of the restricted programs. A policy architecture is a compilation of policy documents that are applicable to a group of users, so we will be using a policy architecture to implement software restriction policies. Now let’s begin with the process.
Now first of all, open the Server Manager. In the top right corner, go to the Tools menu and select Group Policy Management. If you don’t find it there, you need to install it on your system, for which you can check out the first video of the series. When the GPMC opens, in the left pane under the domain, which for me is tetranoodle.com, expand it and you will find a container called Group Policy Objects; click on that. In order to assign policies we need a GPO, so let’s create one by right-clicking on it and selecting New. Since we are creating software restriction policies, let’s simply name it Software_Restriction. Now let’s edit this GPO: right-click on it and click Edit to open the GPM Editor. In the left pane of the editor, expand Policies under Computer Configuration, then Windows Settings, then Security Settings. Under here you will find Software Restriction Policies; click on it. Currently there are no software restriction policies defined here for us to enable, so let us first create one. Right-click on Software Restriction Policies and select New Software Restriction Policy. Once you do this, you will see that it automatically creates sub-nodes, Security Levels and Additional Rules, along with some other entries. Since we plan to first add a rule, right-click on Additional Rules and select New Hash Rule.
Now a dialogue box appears; click on Browse. Here we select the software or application we wish to analyze. For demo purposes, let’s choose Registry Editor, which you can find in the Windows folder of the C drive. Search for regedit, and here it is; select it and click OK. Now set the security level to Disallowed, click Apply and then OK. As you can see over here, we have created a new rule and its security level is set to Disallowed. Now let’s close the editor. Next we link this GPO, Software_Restriction, to an OU, preferably Systems, which contains all the client computers. But before we do so, let us check whether we are able to access this application, regedit, before the policy is implemented. Switching to the client computer, let’s log in now. First let’s check whether this system is joined to the domain: right-click on My Computer and select Properties. As you can see here it is domain-joined, that is, linked to tetranoodle.com. Now let’s check out the application. Go to My Computer, then Local Disk C, then the Windows folder, scroll down a bit and here it is. Open it. Yes, we can open the file successfully over here. Now switching back to the Server Manager, let’s link the GPO to the domain. Linking it here, it gets inherited by all OUs, including the Systems OU. Right-click on the domain, select Link an Existing GPO, then select Software_Restriction from the list and click OK. Now let’s manually apply it from the command line: type cmd in the Run dialog and click OK. Enter the command gpupdate /force and hit Enter. Now let’s do the same thing on the client’s machine as well. Type cmd in the Run dialog and click OK, enter the command gpupdate /force and hit Enter again. Now let’s run regedit to see if our policy works.
Okay, so there seems to be some sort of configuration gap here. Let’s go back and see what we missed. In the GPMC, open the editor for the Software_Restriction GPO; in the left pane of the editor, expand Policies under Computer Configuration, then Windows Settings, then Security Settings and then Software Restriction Policies. This time let’s try creating a path rule by specifying the path of the application: right-click and select New Path Rule. Click Browse and locate the regedit file. Click OK, then Apply and then OK. Now let us manually update the GPO here on the administrator machine as well as on the client’s machine. Enter the command gpupdate /force and hit Enter, and one more time for the client. Now let’s restart the system to make sure the policy is in effect. Okay, restarting. Enter the credentials. Now let’s go to the application, through drive C and then Windows, and locate the regedit file; yes, here it is. Double-click to open it. Okay, so now our policy works. As you can see, instead of opening the Registry Editor it displays the error message: this program is blocked by group policy, for more information, contact your system administrator. So yes, we have successfully blocked this application for the client. Now, just to make sure, let’s check whether other applications are accessible or not. Let’s try notepad.exe; okay, yes, it works. So it turns out our policy works: every application is accessible for the users except the Registry Editor, regedit.
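The same steps (create the GPO, define a Disallowed path rule for regedit, link the GPO at the domain root and refresh policy) can be scripted from a domain controller with the GroupPolicy module. The script below is an added example and is not from the video; it assumes the documented SRP registry layout under Safer\CodeIdentifiers (value names and the level code 0 for Disallowed are stated as assumptions), the domain tetranoodle.com from the video, and an elevated PowerShell session with RSAT installed. It also shows, with Get-FileHash, the point made earlier that renaming a file does not change the hash a hash rule keys on.

```powershell
# Added example (not the video's own steps): build the Software_Restriction GPO
# from PowerShell instead of clicking through GPMC. Assumptions: GroupPolicy
# module (RSAT) available, elevated session on the DC, domain tetranoodle.com,
# and the SRP registry layout under Safer\CodeIdentifiers as documented.
Import-Module GroupPolicy

$gpoName    = 'Software_Restriction'
$domainDN   = 'DC=tetranoodle,DC=com'                 # domain from the video, as a DN
$target     = "$env:SystemRoot\regedit.exe"           # application being blocked
$saferRoot  = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$disallowed = "$saferRoot\0"                          # level 0 = Disallowed (assumption)

# Demonstrate what a hash rule keys on: the file hash, which survives a rename.
$copy = Join-Path $env:TEMP 'renamed-regedit.bin'
Copy-Item $target $copy -Force
$original = (Get-FileHash $target -Algorithm SHA256).Hash
$renamed  = (Get-FileHash $copy   -Algorithm SHA256).Hash
Remove-Item $copy
"Hash unchanged after rename: $($original -eq $renamed)"   # expected: True

# 1. Create the GPO (same as right-click > New in GPMC), reusing it if present.
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $gpoName }

# 2. Enable SRP in this GPO: default level Unrestricted (0x40000), applied to all users.
Set-GPRegistryValue -Name $gpoName -Key $saferRoot -ValueName 'DefaultLevel'        -Type DWord -Value 0x40000 | Out-Null
Set-GPRegistryValue -Name $gpoName -Key $saferRoot -ValueName 'TransparentEnabled'  -Type DWord -Value 1       | Out-Null
Set-GPRegistryValue -Name $gpoName -Key $saferRoot -ValueName 'PolicyScope'         -Type DWord -Value 0       | Out-Null
Set-GPRegistryValue -Name $gpoName -Key $saferRoot -ValueName 'AuthenticodeEnabled' -Type DWord -Value 0       | Out-Null

# 3. Path rule for regedit at the Disallowed level: one GUID-named subkey under Paths.
$pathKey = "$disallowed\Paths\{$([guid]::NewGuid())}"
$now     = [DateTime]::UtcNow.ToFileTime()
Set-GPRegistryValue -Name $gpoName -Key $pathKey -ValueName 'ItemData'     -Type ExpandString -Value $target | Out-Null
Set-GPRegistryValue -Name $gpoName -Key $pathKey -ValueName 'SaferFlags'   -Type DWord        -Value 0       | Out-Null
Set-GPRegistryValue -Name $gpoName -Key $pathKey -ValueName 'LastModified' -Type QWord        -Value $now    | Out-Null
Set-GPRegistryValue -Name $gpoName -Key $pathKey -ValueName 'Description'  -Type String       -Value 'Block Registry Editor' | Out-Null

# 4. Link the GPO at the domain root so the Systems OU inherits it (as in the video).
$linked = (Get-GPInheritance -Target $domainDN).GpoLinks.DisplayName -contains $gpoName
if (-not $linked) { New-GPLink -Name $gpoName -Target $domainDN -LinkEnabled Yes | Out-Null }

# 5. Refresh policy here; the client must run the same command and then reboot,
#    which is what made the rule take effect in the video.
gpupdate /force
```

Step 2 mirrors what the GPM Editor writes when you choose New Software Restriction Policy; without those root values the rule subkey alone is ignored by the client. Because Computer Configuration settings are applied at machine startup, a reboot of the client after gpupdate is the reliable way to see the path rule bite.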
Now, just for a better understanding, let’s verify for other users in the system whether the policy applies to them. Go to Server Manager, then Tools, then Active Directory Sites and Services (ADSS). Oh sorry, Active Directory Users and Computers, that is, ADUC. Okay, close ADSS. Go to the domain, then the Tetra OU. So we have Tetra1 and Tetra2. We checked for the user test; now let’s try other users as well. Let’s try with the Tetra1 credentials. Okay, let’s also try with Administrator on the client’s computer. Let’s try to access regedit with it, and, as you can see, we can’t even access it with the Administrator account on the client’s computer. Let’s check another file; okay, notepad.exe works just fine.
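Rather than logging in as each user and double-clicking regedit, an administrator can confirm from the client itself which GPOs reached the machine, what SRP rules the client actually received, and which executions SRP has blocked. The script below is an added example, not part of the video; it assumes an elevated PowerShell session on the domain-joined client, the level codes 0 (Disallowed), 0x20000 (Basic User) and 0x40000 (Unrestricted), and that SRP records blocks as events 865 to 868 from the SoftwareRestrictionPolicies source in the Application log (all stated as assumptions).

```powershell
# Added example (not the video's own steps): verify on a domain-joined client that
# the Software_Restriction GPO applied and review the block events SRP records.
# Assumptions: elevated session; SRP level codes and event IDs as commented below.

# 1. Did the GPO reach Computer Configuration on this machine?
$rsop = gpresult /scope computer /r
if ($rsop -match 'Software_Restriction') {
    'Software_Restriction GPO applied to this computer'
} else {
    'Software_Restriction GPO NOT applied: run gpupdate /force and reboot, then re-check'
}

# 2. What rules did the client actually receive? Enumerate path rules per level.
$saferRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$levelName = @{ 0 = 'Disallowed'; 0x20000 = 'Basic User'; 0x40000 = 'Unrestricted' }  # assumption
$rules = Get-ChildItem $saferRoot -ErrorAction SilentlyContinue | ForEach-Object {
    $level = [int]$_.PSChildName
    Get-ChildItem "$($_.PSPath)\Paths" -ErrorAction SilentlyContinue | ForEach-Object {
        $p = Get-ItemProperty $_.PSPath
        [pscustomobject]@{
            Level       = if ($levelName.ContainsKey($level)) { $levelName[$level] } else { "0x{0:X}" -f $level }
            Path        = $p.ItemData
            Description = $p.Description
        }
    }
}
if ($rules) { $rules | Format-Table -AutoSize } else { 'No SRP path rules present on this client' }

# 3. Which executions has SRP blocked? Event IDs: 865 default level, 866 path rule,
#    867 certificate rule, 868 hash rule (assumption about the source and IDs).
$blocked = Get-WinEvent -FilterHashtable @{
    LogName = 'Application'; ProviderName = 'SoftwareRestrictionPolicies'; Id = 865, 866, 867, 868
} -MaxEvents 20 -ErrorAction SilentlyContinue
if ($blocked) {
    $blocked | Select-Object TimeCreated, Id,
        @{ n = 'Rule'; e = { switch ($_.Id) { 865 { 'default level' } 866 { 'path rule' } 867 { 'certificate rule' } 868 { 'hash rule' } } } },
        Message | Format-Table -Wrap
} else {
    'No SRP block events recorded yet (try launching regedit as a test user first)'
}
```

The event list is what tells you the block seen in the video ("this program is blocked by group policy") was SRP and which rule type fired, which matters when a hash rule and a path rule both cover the same file. Because the rules live under HKLM and the policy scope is all users, the table in step 2 also explains why the local Administrator account on the client is blocked just like test and Tetra1.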
So this is how we implement software restriction policies using GPM. For more videos in the series, stay tuned!