Limit Computer Malware - Use Software Restriction Policies

By TOM BOWSER

Software Restriction Policies (SRP) let you block every program from running on a Microsoft Windows computer except those you specifically allow. Allowing only a named set of programs to run is often called "whitelisting" (or allow-listing); everything not on the list is refused by default.

Why is this useful? Malware usually arrives somewhere a user can write to (Downloads, %TEMP%, %APPDATA%, a removable drive) and has to start from there. With a default-deny software restriction policy in place, executable files in those locations are refused, which stops a large class of malware before it ever runs.

This tutorial was written for Windows 8 and above; the same steps work on earlier versions once you have the Local Security Policy editor open. That editor (secpol.msc) ships only with the Professional and Enterprise editions, so the procedure below does not work on the "Home" editions of Windows. Note also that Microsoft listed Software Restriction Policies among the features it is no longer developing as of Windows 10 version 1803 and recommends AppLocker or Windows Defender Application Control instead, so treat SRP as a legacy mechanism and prefer those tools for anything you roll out widely.

Let us begin:

  • Right click on the Windows Start button.
  • Left click on "Control Panel" from the list. (Newer Windows 10 builds no longer list Control Panel on that menu; in that case press Win+R, type secpol.msc, press Enter, and continue from the steps after the image below.)
  • Double left click on "Administrative Tools".
  • Double left click on "Local Security Policy". The Local Security Policy Editor window should open (see image below).

Picture of the Microsoft Windows Local Security Policy Editor Window

  • Left click on "Software Restriction Policies" in the left hand pane of the Local Security Policy Editor window.
  • If a software restriction policy has never been created on the computer you will see the message "No Software Restriction Policies Defined" in the right hand pane.
  • Right click on "Software Restriction Policies" in the left hand pane.
  • Left click on "New Software Restriction Policies" on the menu that appears. A new Software Restriction Policy will be created. It will be visible in the right hand pane. (see image below)

The Microsoft Windows Local Security Policy Editor Window showing Software Restriction Policies

  • Double left click on "Designated File Types" in the right hand pane to open Designated File Type Properties. The extensions listed under "Designated file types" are the file types the policy treats as executable code; once the default level is set to Disallowed (next steps), any file with one of these extensions that sits outside an allowed path is refused. You need to remove the LNK extension from this list. If you do not, shortcuts stored in user-writable places such as the desktop and the Start Menu stop working, because those locations are not on the allowed list. Removing LNK is safe in the sense that the program a shortcut points to is still checked against the rules when it launches.
  • Left click on the LNK extension listed in the designated file types list. The list is alphabetical.
  • Left click on the "Remove" button.
  • Left click on the "Yes" button when asked "Are you sure you want to delete this file type?".
  • Left click on the "Apply" then "OK" buttons to save your changes.
  • Double left click on "Security Levels" in the left hand pane of the Local Security Policy Editor window. (see image below)
  • Double left click on "Disallowed" in the right hand pane.
  • Left click on the "Set as Default" button.
  • Left click on the "Yes" button to continue.
  • Left click on the "Apply" then the "OK" buttons to save your changes.
Windows Local Security Policy Editor showing Security Levels

Software Restriction Policies are now enabled. The default level is Disallowed, and the only rules that allow anything are the two default path rules the editor created under "Additional Rules": %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot% (normally C:\Windows) and %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir% (normally C:\Program Files). Any file with a designated extension outside those two trees, which includes the user profile, Downloads, %TEMP% and removable drives, is refused when a user tries to run it. Two limits are worth knowing. First, the rules are evaluated by path, so a standard user who can write into a subfolder of C:\Windows (C:\Windows\Temp and C:\Windows\Tasks are the usual examples) can still run code from there unless you add a more specific Disallowed path rule for that folder; a more specific path rule takes precedence over a broader Unrestricted one. Second, the default Enforcement setting checks "all software files except libraries (such as DLLs)", so only the files launched as programs are examined.
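The following PowerShell is an added example and not part of the original tutorial. It reads back the policy you just set from the registry key the Local Security Policy editor writes to, then proves the policy is actually enforced for the current user by copying a trusted Windows binary into %TEMP% (outside every allowed path) and attempting to run it, and finally pulls the matching SRP events from the Application log. It assumes the policy has been applied and that you have logged off and on again (or run gpupdate /force); if you changed Enforcement to "All users except local administrators", run it from a non-elevated standard-user session, otherwise the probe will run and the script will say so.

```powershell
# Added example (not from the original tutorial): verify that the local
# Software Restriction Policy is configured and actually blocks execution
# from a user-writable directory.

$srp    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$levels = @{ 0 = 'Disallowed'; 131072 = 'Basic User'; 262144 = 'Unrestricted' }

if (-not (Test-Path $srp)) {
    Write-Warning "No Software Restriction Policy is defined at $srp"
    return
}

# 1. What is configured: DefaultLevel 0 means "Disallowed" is the default.
$cfg = Get-ItemProperty -Path $srp
"Default security level : $($levels[[int]$cfg.DefaultLevel])"
"Designated file types  : $($cfg.ExecutableTypes -join ', ')"
"LNK still designated   : $(@($cfg.ExecutableTypes) -contains 'LNK')"

# 2. Every path rule and the level it grants. The editor stores one subkey
#    per rule under CodeIdentifiers\<level>\Paths\{GUID}.
foreach ($lvl in $levels.Keys) {
    $paths = Join-Path $srp "$lvl\Paths"
    if (Test-Path $paths) {
        Get-ChildItem $paths | ForEach-Object {
            $rule = Get-ItemProperty $_.PSPath
            '{0,-12} {1}' -f $levels[$lvl], $rule.ItemData
        }
    }
}

# 3. Copy a trusted binary somewhere the default rules do not cover (%TEMP%
#    is under the user profile) and try to launch it. With the policy in
#    effect, Start-Process fails with "This program is blocked by group policy".
$probe = Join-Path $env:TEMP 'srp-probe.exe'
Copy-Item "$env:SystemRoot\System32\whoami.exe" $probe -Force
try {
    Start-Process -FilePath $probe -Wait -NoNewWindow
    Write-Warning "NOT BLOCKED: $probe ran. The policy is not in effect for this user."
} catch {
    "Blocked as expected: $($_.Exception.Message)"
}
Remove-Item $probe -ErrorAction SilentlyContinue

# 4. Each refusal is logged by source SoftwareRestrictionPolicies in the
#    Application log: 865 = blocked by the default level, 866 = by a path rule.
Get-WinEvent -FilterHashtable @{ LogName = 'Application'
                                 ProviderName = 'SoftwareRestrictionPolicies'
                                 Id = 865, 866 } -MaxEvents 5 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message
```

Those event IDs are also what you would forward to a SIEM to see which files the policy is turning away across a fleet; a burst of 865 events from one user's Downloads folder is a useful early warning.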

If you have a 64-bit version of Windows, 32-bit applications are installed under C:\Program Files (x86). Check the "Additional Rules" pane and, if no rule covering that directory is listed, perform the following steps so that those applications can run.

  • Right click on "Additional Rules" in the left hand pane of the Local Security Policy Editor window.
  • Left click on "New Path Rule…" in the menu that appears. The "New Path Rule" window will appear.
  • Type C:\Program Files (x86) into the "Path:" box. You can also left click on the "Browse…" button to go to that directory.
  • Ensure that "Unrestricted" is chosen as the "Security Level".
  • Click on the "Apply" then "OK" buttons to save the new path rule you've just created. This rule will "whitelist" applications located within the C:\Program Files (x86) directory allowing them to execute and run.

If you need to remove the software restriction policy you created:

  1. Open the Local Security Policy as described earlier in this tutorial.
  2. Right click on "Software Restriction Policies" in the left pane.
  3. Left click on "Delete Software Restriction Policies".

NOTE: I suggest you consider adding further file extensions to the Designated File Types Properties. Review a comprehensive list of over 25 extensions that are NOT included in the default list of the Designated File Types Properties; script types such as VBS, JS, WSF and PS1 are the usual additions, because the policy ignores any file whose extension is not designated. Before adding these file extensions:

  1. Examine the list to ensure you do not restrict extensions that enable features or functionality required by the users of applications installed on the computer.
