Using Software Restriction Policies to Block Spyware-Adware


By: Rod Trent
Posted On: 1/23/2004

Mark Kent recently went through the process of finding a solution for blocking Spyware and Adware in his company.

NOTE: This solution requires a Windows XP workstation on the client end. On the server end you need a Windows 2003 AD domain, or a Win2000 AD domain with the upgraded Group Policy ADM files. Originally, to gain access (at the domain level) to the additional group policies that Windows XP ships with, we added the XP .ADM files to our domain controllers per this good article:

If you are running an Active Directory environment and using Group Policies, you can take advantage of Software Restriction Policies to block spyware and adware executables from loading. You can also use this to block some unwanted programs from being used, such as file sharing programs. While this is a central way to block these applications, there are some caveats to be aware of. The first is that this is a manual process. You must enter the program path and/or file executable to block, and gathering these requires manual retrieval from either a user's PC or a test PC (explained below). The second is that, depending upon when the file is loaded at system startup, the user may get a message stating that a “software restriction policy” is blocking the file from loading. It’s therefore best to add these restriction policies slowly, to avoid getting inundated with the help desk calls that will no doubt result when you start to apply them. The final caveat is that if you plan on removing the spyware from an affected PC, you must move the computer account to another Organizational Unit that is blocked from receiving the group policy in question. If you do not, the uninstaller will bomb out stating that it cannot access the directory or executable for removal.

Step 1 – Obtain executables and/or program paths

To obtain the executables and/or program paths to block, you must either retrieve them from a known infected user's PC, or set up a test PC and infect it yourself. The paths you can simply write down. The executables (and these don’t just have to be .EXE files; they can be any file that triggers the program launch, including .DLLs), on the other hand, you will have to move to a storage location for your retrieval later. File paths can be obtained from the shortcut of a program, or from the Run paths in the registry. For the best protection, write down the path name and grab the executable as well. This way, if a user attempts to install the program to another location to bypass the path restriction, they will still be left out in the cold when they try to run the executable.
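The gathering step above can be scripted on the infected or test PC. The following PowerShell function is an added example, not part of the original article: it walks the per-machine and per-user Run/RunOnce keys, resolves each command line to the file it launches (handling quoted paths, environment variables and unquoted paths with spaces), and records the path, size, file description and SHA-256 hash so that both a path rule and a hash rule can be documented. The optional `-CopyTo` parameter copies each launched file to a storage folder, as the article recommends. It assumes PowerShell 4.0 or later (for `Get-FileHash`); the Run key locations are the standard ones and the output column names are my own.

```powershell
# Added example (not from the original article): inventory programs
# started from the registry Run keys so their paths and hashes can be
# turned into Software Restriction Policy path and hash rules.
# Requires PowerShell 4.0+ for Get-FileHash.

function ConvertTo-ExecutablePath {
    # Reduce a Run-key command line to the file it launches.
    param([Parameter(Mandatory)][string]$CommandLine)

    $cmd = [Environment]::ExpandEnvironmentVariables($CommandLine.Trim())

    # Quoted form: "C:\Program Files\Vendor\app.exe" /silent
    if ($cmd.StartsWith('"')) {
        $end = $cmd.IndexOf('"', 1)
        if ($end -gt 1) { return $cmd.Substring(1, $end - 1) }
        return $cmd.Trim('"')
    }

    # Unquoted form: take the longest leading prefix that names an existing
    # file, so paths containing spaces are still resolved correctly.
    $parts = $cmd -split ' '
    for ($i = $parts.Count; $i -ge 1; $i--) {
        $candidate = $parts[0..($i - 1)] -join ' '
        if (Test-Path -LiteralPath $candidate -PathType Leaf) { return $candidate }
    }
    return $parts[0]
}

function Get-RunKeyTarget {
    # Emit one object per Run-key value; -CopyTo also copies the file
    # to a storage folder for later use in a hash rule.
    [CmdletBinding()]
    param([string]$CopyTo)

    $runKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    # Properties that Get-ItemProperty adds itself and that are not registry values.
    $providerProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

    if ($CopyTo -and -not (Test-Path -LiteralPath $CopyTo)) {
        New-Item -ItemType Directory -Path $CopyTo | Out-Null
    }

    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($prop in $props.PSObject.Properties) {
            if ($prop.Name -in $providerProps) { continue }
            $command = [string]$prop.Value
            $target  = ConvertTo-ExecutablePath $command
            $exists  = Test-Path -LiteralPath $target -PathType Leaf
            $file    = if ($exists) { Get-Item -LiteralPath $target } else { $null }

            if ($exists -and $CopyTo) {
                Copy-Item -LiteralPath $target -Destination $CopyTo -Force
            }

            [pscustomobject]@{
                Key         = $key
                ValueName   = $prop.Name
                CommandLine = $command
                Target      = $target            # candidate for a path rule
                Exists      = $exists
                SizeBytes   = if ($file) { $file.Length } else { $null }
                Description = if ($file) { $file.VersionInfo.FileDescription } else { $null }
                SHA256      = if ($file) { (Get-FileHash -LiteralPath $target -Algorithm SHA256).Hash } else { $null }
            }
        }
    }
}

# Usage: list auto-start targets, and keep a copy of each binary for the hash rule.
Get-RunKeyTarget -CopyTo 'C:\SRP-Samples' |
    Format-Table ValueName, Target, Exists, SHA256 -AutoSize
```

Pipe the output to `Export-Csv` to keep a record of what each rule was created from; the `Description` column is the same file description that the Group Policy editor shows in the File Information box, so it helps later when a hash rule's description is vague.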

Step 2 – Restrict the software

  1. Start up your Group Policy editor. Navigate to Computer Configuration | Windows Settings | Security Settings | Software Restriction Policies.

  2. Right-click on Software Restriction Policies and choose New Software Restriction Policies. This will create two folders, Security Levels and Additional Rules.

  3. Right-click on Additional Rules and choose New Path Rule. Type the path in the Path: box and for Security Level choose Disallowed. Click OK.

  4. Right-click on Additional Rules and choose New Hash Rule. In the File Hash: box, browse to the location of an executable that you want to block (which you obtained in Step 1). Select it and click OK. This will then fill in the File Information: box (if the file has any information). For Security Level: choose Disallowed. Fill in a description (recommended) in the Description box to help you identify what this file is later on, as some files have vague descriptions.

That’s the basic process. You can add more restrictions as you see fit. Please remember that these are machine policies, which require a group policy refresh (normally 90 minutes) to get them to the PC and a system reboot to take effect.
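Because the rules only arrive after the refresh interval and a reboot, it is useful to confirm on a client which Software Restriction Policy rules it has actually received before raising a help desk ticket or moving a computer account to the exempt OU. The following PowerShell function is an added example, not part of the original article: it reads the machine SRP policy key, prints the default security level, and lists every path and hash rule with its level, friendly name and description. The key layout (`Safer\CodeIdentifiers\<level>\Paths|Hashes\<GUID>` with `ItemData`, `FriendlyName` and `Description` values) and the level numbers (0 = Disallowed, 4096 = Basic User, 262144 = Unrestricted) are stated from my own experience rather than from the article, so verify them against a machine that has a known rule applied.

```powershell
# Added example (not from the original article): list the Software
# Restriction Policy rules a client has received from Group Policy.
# Registry layout and level values are assumptions; check them locally.

function Get-AppliedSrpRule {
    [CmdletBinding()]
    param()

    $base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
    if (-not (Test-Path $base)) {
        Write-Warning "No machine SRP policy found at $base; run 'gpupdate /force' and reboot, then retry."
        return
    }

    # SRP security levels (assumed): 0 = Disallowed, 4096 = Basic User, 262144 = Unrestricted
    $levels = @{ 0 = 'Disallowed'; 4096 = 'Basic User'; 262144 = 'Unrestricted' }
    $defaultLevel = [int](Get-ItemProperty -Path $base).DefaultLevel
    Write-Verbose ("Default security level: {0}" -f $levels[$defaultLevel])

    # One subkey per security level; under each, Paths and Hashes hold the rules.
    foreach ($levelKey in Get-ChildItem -Path $base) {
        $level = 0
        if (-not [int]::TryParse($levelKey.PSChildName, [ref]$level)) { continue }

        foreach ($ruleType in 'Paths', 'Hashes') {
            $typePath = Join-Path $levelKey.PSPath $ruleType
            if (-not (Test-Path $typePath)) { continue }

            foreach ($rule in Get-ChildItem -Path $typePath) {
                $p = Get-ItemProperty -Path $rule.PSPath
                # Path rules store the path as a string; hash rules store the hash as bytes.
                $data = if ($ruleType -eq 'Paths') {
                    [string]$p.ItemData
                } else {
                    ([byte[]]$p.ItemData | ForEach-Object { $_.ToString('x2') }) -join ''
                }
                [pscustomobject]@{
                    Level        = if ($levels.ContainsKey($level)) { $levels[$level] } else { $level }
                    Type         = $ruleType.TrimEnd('s')
                    Rule         = $data
                    FriendlyName = $p.FriendlyName
                    Description  = $p.Description
                    RuleId       = $rule.PSChildName
                }
            }
        }
    }
}

# Usage: show what is currently enforced on this client.
Get-AppliedSrpRule -Verbose | Sort-Object Level, Type | Format-Table -AutoSize
```

A client that still shows the Disallowed rules after its computer account has been moved to the exempt OU has not yet refreshed policy, which explains the uninstaller failure the article warns about; rerun the function after `gpupdate /force` and a reboot before attempting the removal.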