Software Restriction Policy on Windows 8 screws everything up - Any advice?

Discussion in 'Windows 8' started by dummekuehe, Feb 21, 2013.

  1. dummekuehe

    dummekuehe MDL Senior Member

    Jan 11, 2009
    So with Windows 7 i usually created Software Restriction Rules like that:
    -New Software Restrictions
    -add the Additional Rule for x86 Program Files Folder
    -Remove LNK from Designated File Formats
    -Enforce it on All Software, All Users except Admins
    -Set Security Level - Disallowed to default

    This adds a security layer that makes it almost impossible for a virus to infect a PC because there is no Folder that a Standard User can write to and execute from.

    I tried to do the same in Windows 8 but end up with a nonfunctional desktop. Probably blocking some metro crap.
    Any advice? Couldnt find any Windows 8 specific tutorials.

    Thanks in advance
  2. KNARZ

    KNARZ MDL Addicted

    Oct 9, 2012
    Is this about applocker? can't proof myself as I don't have any enterprise near.
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
  3. hbhb

    hbhb MDL Expert

    Dec 15, 2010
    appreciate you bringing this up, as I would like to explore this feature when i boot my enterprise later:D
    one thing I started using is encryption built in win8, creating virtual hard drive and encrypting them. That I like better than using third party software. Now,I am looking forward to checking this app locker joint, and see if i can implement it in my systems somehow if I see a need. :aerobueke:
  4. dummekuehe

    dummekuehe MDL Senior Member

    Jan 11, 2009
    oh i thought i had answered yesterday but must've forgotten to submit
    so does anybody know a tutorial to achieve the same i did with srp now with applocker
    already looked at ms page but it is just pages and pages of yadayada and right now I just don't have the time to learn how this stuff works
    also there are a few things that don't seem to work with applocker
    and they say you can use both, whatever
    i'd be happy if i could just do what i did before: Have no folder that a standard user can write to and execute from
  5. dummekuehe

    dummekuehe MDL Senior Member

    Jan 11, 2009
    Thanks for your links.
    So, I'm running W8 Enterprise and I created the default rules for executables under Applocker and changed the dropdown for for executable rules enforcement to "enforce rules".
    The default rules it creates are pretty much the same as in SRP. It allows everyone to execute from windows and program files folders and another rule to allow administrators to run every executable.
    Not sure where the 'deny everything thats not allowed' part is specified or if thats even necessary. So afterwards I switched to a standard user account and tried to run teamviewer_qs.exe from desktop to test the enforcement. Of course I could still run it. Couldn't just work like that. It's MS not Apple. (kidding, i hate apple just as much)
    So I changed the Application Identity service from "manually" to "automatic" and started it. Still no difference. Can run every exe no matter where it sits.
    So what did I miss?

    Thanks in advance
  6. dummekuehe

    dummekuehe MDL Senior Member

    Jan 11, 2009
    #6 dummekuehe, Feb 27, 2013
    Last edited: Feb 27, 2013
    thanks for deleting all of vymrdals post
    i know he was known to be a bit impolite at times
    but what did he do to deserve to be banned?

    My question still stands btw.
  7. dummekuehe

    dummekuehe MDL Senior Member

    Jan 11, 2009
    So nobody here that can help with this problem?
    Please vymrdal come back. I'm desperate.
  8. nuhuh

    nuhuh MDL Novice

    Oct 10, 2013
    #8 nuhuh, Jan 23, 2015
    Last edited: Jan 24, 2015
    So, did you manage to make this work?
    I can't make SRP rules apply to the admin account.
    EDIT: Never mind, it suddenly started to work. (after waking from hibernation)

    (And AppLocker is also kinda useless for the local admin account in Windows 8.)