Threats and Countermeasures

Chapter 8: Software Restriction Policies

Updated: December 27, 2005

Software restriction policies are a new feature in Microsoft® Windows® XP and Microsoft Windows Server™ 2003. They provide a policy-driven system to specify which programs are allowed to execute and which are not.


The Threat of Malicious Software

The increased use of networks and the Internet in daily business computing means that it is more likely than ever that an organization's users will encounter malware (malicious software). Software restriction policies can help organizations protect themselves because they provide another layer of defense against viruses, Trojans, and other types of malicious code.

Vulnerability

People use computer networks to collaborate in increasingly sophisticated ways; they use e-mail, instant messaging, and peer-to-peer applications. As these collaboration opportunities increase, so does the risk from viruses, worms, and other forms of malware. It is important to remember that e-mail and instant messaging can transport unsolicited hostile code, and that hostile code can take many forms—from native Windows executable (.exe) files, to macros in word processing (.doc) documents, to script (.vbs) files.

Viruses and worms are often transmitted in e-mail messages, and they frequently include social engineering techniques that trick users and cause them to perform an action that activates the malicious code. The sheer number and variety of forms that code can take makes it difficult for users to know what is safe to run and what is not. When activated, malicious code can damage content on a hard disk, flood a network with requests to cause a DoS attack, send confidential information to the Internet, or compromise the security of a computer.

Countermeasure

Create a sound design for software restriction policies on end-user computers in your organization, and then thoroughly test the policies in a lab before you deploy them into a production environment.

Potential Impact

A flawed software restriction policy implementation can disable necessary applications or allow hostile applications to execute. Therefore, it is important that organizations dedicate sufficient resources to manage and troubleshoot the implementation of such policies.

Note: Although software restriction policies are an important tool that can enhance the security of computers, they are not a replacement for other security measures such as antivirus programs, firewalls, and restrictive access control lists (ACLs).

More Information

The following links provide additional information about designing and using software restriction policies:

The article "Microsoft Windows XP: Using Software Restriction Policies to Protect Against Unauthorized Software" at www.microsoft.com/technet/prodtechnol/winxppro/maintain/rstrplcy.mspx describes how to implement software restriction policies on Windows XP computers.

Chapter 6 of the Windows XP Security Guide at www.microsoft.com/technet/security/prodtech/windowsxp/secwinxp/xpsgch06.mspx describes the details of how to design and deploy software restriction policies for Windows XP client computers.

The Microsoft Knowledge Base article "How To Use Software Restriction Policies in Windows Server 2003" at http://support.microsoft.com/default.aspx?kbid=324036 describes the details of how to deploy software restriction policies on Windows Server 2003 systems and in Active Directory® directory service domains.

