Ruin a malware author's whole day with a Software Restriction Policy! : )
If you're using a Limited account on Windows XP Professional Edition, or a Standard user account on Windows Vista Business/Ultimate/Enterprise Editions, consider further enhancing your security by adding a Software Restriction Policy. Setting up a Software Restriction Policy takes just a few minutes, and it can be reversed if necessary. It's a proactive defense that won't need updates or signatures to provide protection, has no noticeable performance impact, and protects your other layers of defense from sabotage.
Notes:
You can't use Software Restriction Policy if you have Windows XP Home, Windows Vista Home Basic, or Windows Vista Home Premium (those editions don't ship the Local Security Policy console), but Limited or Standard accounts are still strongly suggested. Try them out; you can always go back if they don't work well for your needs.
I've added a couple of refinements in Step 5. One refinement is for Windows Vista. The other refinement is for 64-bit versions of Windows, which includes the 64-bit versions of Windows Vista, and also the rarely-used Windows XP Professional x64 Edition.
If you're an Information Technology professional, read Microsoft's information on Software Restriction Policy for comprehensive information. The use of Software Restriction Policy that I'm showing on this page is just one possible implementation of it, most similar to what Microsoft calls a Line-of-Business PC setup.
Here's the core idea, in visual form (in this picture, "user" is the name of my Limited account).

A Limited or Standard user account is good basic protection against attacks that depend upon Administrator-level privileges to succeed. A Limited or Standard account also helps protect security software and critical system files & settings from tampering.
With the Software Restriction Policy, you take the fight to the next level. The goal of combining a non-Administrator account with Software Restriction Policy is to prevent execution of unwanted files that might do a "hit-&-run" attack designed to function even within a Limited account. To list some possibilities, an attacker might...
Software Restriction Policy can also be used to prevent uncooperative computer users from running programs from USB drives, CDs, DVDs or from within their user profile directory. Additionally, it protects the system from malware that auto-plays from infected CDs or USB drives, a tactic that appears to be spreading (example: the Fujacks family of malware). UPDATE: I now have a page showing how to disable or restrict AutoPlay, adding another proactive layer of defense against AutoPlay attacks.
But dude, I already have antivirus and a firewall. Does a Software Restriction Policy really have anything to offer me? Heck yeah. New malware is being released every hour of the day, and it takes time for your antivirus software to get updates that detect the new malware, leaving a window of vulnerability. Malware will often try to disarm security software as its opening move in the game, too. Your firewall can be fooled... malware may try to borrow an "approved" program (such as your web browser) to get through your firewall protection without triggering an alert. There are other crafty ways to get malware through the firewall, too. When you combine Software Restriction Policy and non-Administrator user accounts, you add an entirely different, proactive layer of defense to your security strategy.
Step 1: Create a Software Restriction Policy
Click Start > Run, type secpol.msc in the Run box, and click OK. This opens Local Security Settings (called Local Security Policy on Vista). In the left panel, click the Software Restriction Policies folder. There's no policy yet, so right-click that folder (or use the Action menu) and choose the item that creates new policies (New Software Restriction Policies). The items used in the following steps, the Security Levels and Additional Rules folders plus Enforcement and Designated File Types, now appear in the right panel.
Step 2: Apply the Software Restriction Policy to all software, and to all users except Administrators
Double-click Enforcement and set it to apply to "All software files" (not "All software files except libraries," so that DLLs get checked too) and to "All users except local administrators." You could apply the Software Restriction Policy to all users including Administrators, but then you'd run into occasional hangups when installing/removing software, because installers unpack and run their own helper programs from temporary folders that the policy disallows.
Step 3: Remove the LNK filetype
In the right panel, double-click Designated File Types. A panel opens. Go down the list to LNK and click it, then click the Delete button. This adjustment allows you to use your desktop shortcuts and Quick Launch icons, which are mostly the LNK filetype. Note that removing LNK only stops the policy from checking the shortcut file itself; the program the shortcut points at is still checked, so a shortcut to an .exe in a disallowed location still won't run.
Step 4: Switch on the protection!
Right-click on Disallowed in the Security Levels folder, and choose Set as default. From now on, anything not covered by an Unrestricted rule is blocked; the two default path rules that were created in Step 1 keep the Windows directory and the Program Files directory Unrestricted, which is why ordinary installed software keeps working.
You'll see a prompt like this. Choose "Yes."
If you want to turn the Software Restriction Policy off again, just set Unrestricted as the default, and that's the same as not having a Software Restriction Policy at all.
Step 5: For Vista, and/or 64-bit versions of Windows, add some rules
Adjustment for 64-bit Windows
64-bit versions of Windows (both Vista and XP Pro x64 Edition) have an extra Program Files directory named C:\Program Files (x86), where 32-bit software installs. The default Unrestricted path rule only covers the 64-bit C:\Program Files directory (it's written in terms of the ProgramFilesDir registry value, which points there), so 32-bit programs would be blocked. Click on Additional Rules and make a new Path Rule that makes C:\Program Files (x86) Unrestricted, so software that's installed there is allowed to run. Scroll down for an example of how to make a Path Rule.
Adjustment for Vista
In Step 2, you made your Administrator account exempt from the Software Restriction Policy, so you can use your Administrator account to install/remove software. But with Windows Vista, User Account Control means that even if you're logged on as an Administrator, programs (including software installers) are launched with a filtered, non-Administrator token unless you elevate them. The Software Restriction Policy sees a non-Administrator and stops them.
Easy solution: If you want to run a file that your Software Restriction Policy is preventing, simply right-click the file and choose Run as Administrator. That was easy. : ) Remember that you will need to do this to run setup programs when installing stuff from a CD or DVD, too.
Remind me again, why is this beneficial? As the first picture on this page illustrates, combining a Software Restriction Policy with a Limited or Standard account puts the bad guys in an impasse. If they're exploiting your Limited user account, then they won't be able to save a payload file (say, an infectious .exe file) to anywhere that Windows will let them actually execute it: the places a Limited user can write to (the user profile, Temp, removable drives) are Disallowed, and the places that are Unrestricted (Windows, Program Files) are ones a Limited user can't write to. That pairing is the whole trick, which is why the policy is only as good as the file permissions on your Unrestricted locations. This makes entire classes of exploits worthless to the bad guys, even when the system's technically vulnerable. For a concrete example, see my firsthand WMF Exploit testing. The Software Restriction Policy also prevents malware from attacking via an infected USB drive or an infected CD.
OK, but what if I have software that isn't in an "SRP-approved" location? As you saw above in Step 5, you can create a new Path rule or a new Hash rule if you need to run executable files that aren't in the usual locations. Obviously, you will save yourself some trouble if you simply make sure software installs to someplace in the C:\Program Files directory, rather than into oddball locations.
For example, I have UT2004 Demo installed. It installed to a weird place, C:\UT2004Demo. Obviously, the smart thing to do would be to uninstall it, then reinstall it and modify the installation folder to be C:\Program Files\UT2004Demo, which is a location that the SRP has set to Unrestricted. But for the sake of example:
The actual UT2004.exe file is in C:\UT2004Demo\System, and since there's a bunch of supporting files in that same folder too, I decided to do a Path rule for the whole folder. Easily done, I just right-click in the Additional Rules panel and choose New Path Rule:
Now the files in that folder will be exempt from the Software Restriction Policy. Because a Path rule trusts everything under that folder, check its permissions before doing this: if your Limited account can write to C:\UT2004Demo\System, then so can anything running as that account, and you've just handed malware a folder it's allowed to run from. A folder created by an installer run as Administrator is normally fine; a folder you created yourself as a Limited user is not.
I need to troubleshoot my Software Restriction Policy, because it's having unexpected side effects! Click on Start > Run, type compmgmt.msc in the Run box, and click OK to open Computer Management, then look in Event Viewer's Application log for events from the source SoftwareRestrictionPolicies (Event IDs 865 through 868, depending on whether the default level, a path rule, a certificate rule or a hash rule did the blocking). Each event names the file that was prevented from running. Then you can make exceptions in the Additional Rules area as needed.
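If you'd rather read the policy back than click through the console, here is a PowerShell script I've added for this page (it is not part of the original walkthrough). It reads the registry key that the Local Security Policy console writes (HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers), reports the settings from Steps 2 through 4, lists every path rule including the ones you added in Step 5, warns about any Unrestricted folder that ordinary users can write to (the caveat from the UT2004 example), and pulls the most recent block events from the Application log. The value names and numeric codes are the ones Windows stores; run it from an elevated ("Run as Administrator") PowerShell prompt, since the key isn't readable by a Limited account.

```powershell
# Added example, not from the original page: read back the Software Restriction Policy
# that Steps 2-5 configured through the GUI, and show what it has blocked.
# Run from an elevated ("Run as Administrator") PowerShell prompt.

$safer = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
if (-not (Test-Path $safer)) { throw 'No Software Restriction Policy is defined on this machine.' }
$cfg = Get-ItemProperty -Path $safer

# Security levels are stored as numbers: 0 = Disallowed, 0x20000 = Basic User, 0x40000 = Unrestricted.
$levelName = @{ 0 = 'Disallowed'; 131072 = 'Basic User'; 262144 = 'Unrestricted' }

'Default level  : ' + $levelName[[int]$cfg.DefaultLevel]
# PolicyScope 1 = "All users except local administrators" (Step 2); 0 = everyone, admins included.
'Applies to     : ' + $(if ($cfg.PolicyScope -eq 1) { 'All users except local administrators' } else { 'All users' })
# TransparentEnabled 2 = "All software files" (DLLs checked too); 1 = executables only.
'Enforcement    : ' + $(if ($cfg.TransparentEnabled -eq 2) { 'All software files' } else { 'All software files except libraries' })
# Step 3 removed LNK from the designated file types; confirm it is really gone.
'LNK designated : ' + [bool]($cfg.ExecutableTypes -contains 'LNK')

function Expand-SaferPath([string]$rulePath) {
    # The default rules are written in registry-path form, e.g.
    # %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir%
    # Resolve that to a real folder; plain rules may still contain %SystemRoot%-style variables.
    if ($rulePath -match '^%(HKEY_LOCAL_MACHINE|HKEY_CURRENT_USER)\\(.+)\\([^\\%]+)%(.*)$') {
        $hive  = if ($matches[1] -eq 'HKEY_LOCAL_MACHINE') { 'HKLM:' } else { 'HKCU:' }
        $value = (Get-ItemProperty -Path "$hive\$($matches[2])").($matches[3])
        return [Environment]::ExpandEnvironmentVariables("$value$($matches[4])")
    }
    return [Environment]::ExpandEnvironmentVariables($rulePath)
}

# Accounts whose write access would let a Limited user drop a file into an Unrestricted folder.
$broadWriters = 'BUILTIN\\Users|Everyone|Authenticated Users|INTERACTIVE'

''
'Path rules:'
foreach ($level in 0, 262144) {
    $pathsKey = "$safer\$level\Paths"
    if (-not (Test-Path $pathsKey)) { continue }
    foreach ($ruleKey in Get-ChildItem -Path $pathsKey) {
        $rule   = Get-ItemProperty -Path $ruleKey.PSPath
        $target = Expand-SaferPath $rule.ItemData
        $line   = '  {0,-12} {1}' -f $levelName[$level], $rule.ItemData
        # An Unrestricted rule is only as strong as the folder's ACL: if ordinary users can
        # write there, anything they (or malware running as them) drop into it will run.
        if ($level -eq 262144 -and (Test-Path -Path $target -PathType Container)) {
            $weak = (Get-Acl -Path $target).Access | Where-Object {
                $_.AccessControlType -eq 'Allow' -and
                $_.IdentityReference.Value -match $broadWriters -and
                $_.FileSystemRights.ToString() -match 'Write|Modify|FullControl|CreateFiles'
            }
            if ($weak) {
                $line += '   <-- WARNING: writable by ' + (($weak | ForEach-Object { $_.IdentityReference.Value }) -join ', ')
            }
        }
        $line
    }
}

# Block events go to the Application log under the source SoftwareRestrictionPolicies
# (Event IDs 865-868, depending on which kind of rule did the blocking).
''
'Most recent SRP block events:'
Get-EventLog -LogName Application -Newest 500 |
    Where-Object { $_.Source -eq 'SoftwareRestrictionPolicies' } |
    Select-Object -First 10 TimeGenerated, EventID, Message |
    Format-Table -AutoSize -Wrap

# Optional: for a line-by-line log of every SRP decision (allowed and blocked), create a
# REG_SZ value named LogFileName under the same key, then log off and back on. Uncomment:
# Set-ItemProperty -Path $safer -Name LogFileName -Value 'C:\srp.log'
```

The writable-folder check is a heuristic: it flags Allow entries for the broad built-in groups, so inspect anything it warns about with the folder's Security tab rather than trusting the script's verdict either way. If you turn on LogFileName, remember the Limited account needs write access to that file or nothing gets logged, and remove the value again when you're done, since it logs every executable launch.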
Got any other security suggestions? Here are some:
Right-click My Computer, choose Properties, and turn on your Data Execution Prevention all the way: on the Advanced tab, under Performance > Settings > Data Execution Prevention, choose "Turn on DEP for all programs and services except those I select," as shown in this picture. While you're in there, hit the Automatic Updates tab and ensure that your Automatic Updates feature is on fully-automatic.
If you have any Microsoft Office products installed, such as Word, Works Suite, Excel, PowerPoint, Outlook, Publisher, Visio, or Access, visit the Office Update site monthly for security updates.
Give your system's other software a checkup with Secunia's nifty Personal Software Inspector.
Avoid warez, cracks and keygens. This stuff is a prime vehicle for malware, especially since you'll need to elevate to Admin level to run it, handing over the keys to your system in the process. Just DON'T, ok?
Before downloading & running any seemingly-harmless goodies, drop them into VirusTotal and Jotti for an analysis. Even if it comes up "clean," think REALLY HARD about whether you REALLY need whatever it claims to be, because it could be a new, undetected Trojan Horse. We're not living in the 1990s any more, people... avoid taking risks.
Uninstall software that you have no actual need for. The bad guys can't try to exploit stuff that isn't there. Based on past & current trends, I advise removing all versions of Sun Java if you do not actually need it, as well as QuickTime if you don't actually use it.
Do not assume your antivirus software is going to detect malware. See my recent "reality check" thread. Ready to use a non-Admin account now? ;)
Use a router to shield your computer from direct attack. If you have a wireless router, disable the wireless feature if you don't actually need it. If you do use wireless, secure it using the highest level of encryption your wireless gear supports (WPA2 is the best, followed by WPA, then WEP; WEP is broken and only a speed bump, so replace gear that can't do better), and enter the MAC addresses of your computers into the router so they're the ONLY computers that the router will talk to. MAC filtering is easily spoofed by anyone who can sniff your traffic, so treat it as a nuisance for casual freeloaders, not as a substitute for the encryption.
mech, aren't you going to bash Internet Explorer and recommend something else? Nope, that's noOb thinking. DO update to Internet Explorer 7 if you haven't done so already, even if it's not the browser you routinely use yourself; it's wired into Windows and other programs will use its components whether you browse with it or not. Sure, use some other browser if you want, but keep it updated and properly caged inside a Limited account too. Anything else is just playing Russian Roulette with a different brand of pistol, instead of using unloaded pistols. My opinion is that Internet Explorer is actually a pretty good browser nowadays. It also offers enterprise manageability that goes unappreciated by home users who don't have eleventy billion computers to keep configured and updated, even if the computer users don't want to cooperate. ; )
On Windows Vista, Internet Explorer's new Protected Mode (enabled by default) forms yet another layer of proactive defense, right where people need it badly. Protected Mode puts Internet Explorer 7 into a super-low-rights mode that's even lower than your non-Administrator account is: it runs at Low integrity level, so even if something gets control of the browser process, it can't write to your user profile or modify your user settings. If you'd like to know more about Protected Mode, here's an overview at Wikipedia which will give you the basic idea. For a detailed technical explanation, see this technical overview at MSDN. As of this writing, no other web browser has a comparable capability.
~ hope that helps! : )