Microsoft KB Archive/824526

= Microsoft Windows Server 2003 Software Restriction Policies =

Article ID: 824526

Article Last Modified on 1/31/2007

-

APPLIES TO


 * Microsoft Windows Server 2003, Enterprise x64 Edition
 * Microsoft Windows Server 2003, 64-Bit Datacenter Edition
 * Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
 * Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)
 * Microsoft Windows Server 2003, Standard Edition (32-bit x86)
 * Microsoft Windows Server 2003, Web Edition

-



INTRODUCTION
Software Restriction Policies (also known as SAFER) was introduced in Microsoft Windows XP and is now available with Windows Server 2003. By using SAFER, you can prevent the execution or installation of unauthorized programs on the Microsoft Windows Server 2003. By using SAFER, you can control what programs are installed on the servers and workstations in your environment and help create a more supportable infrastructure to manage. This article describes how software restriction policies are implemented internally, the structures and application programming interfaces (APIs) that are used, and the components that implement these interfaces.



MORE INFORMATION
By using SAFER, administrators can define what programs are permitted or disallowed to run on a target system. The configuration is deployed through Group Policy objects and stored in the registry (HKLM for computer policy and HKCU for user policy).

Administrators start by deciding on a default rule: Unrestricted or Disallowed. They then create exceptions (SAFER Rules) to these defaults. For example, if the default rule was set to Disallowed, and the administrator wanted to allow Notepad to run, the administrator would create a SAFER Rule to allow this by using one of the four rules for identifying software.

These rules include Hash, Certificate, Path, and Zone. When you start a program, the default rule is examined, together with the identification rules, for exceptions to the default rule. If an exception is found, the program is either not permitted to run or it is permitted to run, depending on the rules that are defined.

A software restriction policy includes the following set of objects:
 * A pre-defined set of security levels
 * A default security level
 * A set of additional rules. Additional rules are exceptions to the default security rule. Each rule defines a program or a set of programs and associates it with a security level
 * Policy options

For additional information about deploying Software Restriction Policies in Windows Server 2003, click the following article number to view the article in the Microsoft Knowledge Base:

324036 How to use software restriction policies in Windows Server 2003

Keywords: kbgrppolicyinfo kbinfo KB824526

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.