Simple Software-Restriction Policy
A security enhancement for Windows XP/Vista/7 (Home or Pro)

Software restriction policies provide a useful protection against
malware. They do this by preventing executables from being launched
from places where malware would typically arrive on the computer, such
as download folders within the user-profile, temporary-file folders and
USB memory. An additional benefit is the ability to block the
installation of unwanted software from auto-running product CDs etc.
Whilst you can achieve the same result with Group Policy on Pro versions, doing so is
by no means easy, as the default settings don't suit this purpose. This
script provides an automated config which should suit most standard
Windows setups. It also works on Home versions of Windows, where Group Policies are not available.
As far as security enhancements go, some comparisons could be drawn
between Software Policies and running as a Limited (non-Admin) User. In
fact the two precautions are mutually beneficial, and for best security both should be
implemented.
- Limited-user working acts to prevent unauthorized alteration of files in system-folders.
- Software Policies aim to prevent software from being run from unauthorized places such as download-folders or USB memory.
Thus, the use of both together will provide excellent security.
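The default-deny path rule described above, sketched as an added example (not the script's own code or configuration): executable file types may launch only from an assumed allow-list of system folders, and paths are canonicalised first so that `..` segments and look-alike folder names do not slip through. The allow-list, extension set and sample paths are assumptions constructed for illustration.

```python
import ntpath

# Assumed allow-list: folders a limited user cannot normally write to.
ALLOWED_ROOTS = [r"C:\Windows", r"C:\Program Files", r"C:\Program Files (x86)"]
# Illustrative subset of file types treated as executable.
EXECUTABLE_EXTS = {".exe", ".com", ".bat", ".cmd", ".scr", ".msi", ".pif"}


def _canon(path):
    """Collapse '..' segments and fold case and slashes, Windows-style."""
    return ntpath.normcase(ntpath.normpath(path))


def is_under(path, root):
    """True if path is root itself or lies below it (whole-component match)."""
    p, r = _canon(path), _canon(root).rstrip("\\")
    return p == r or p.startswith(r + "\\")


def decide(path, locked=True):
    """Return 'allow' or 'block' for a launch attempt from `path`."""
    if not locked:
        return "allow"              # policy unlocked to install software
    ext = ntpath.splitext(_canon(path))[1]
    if ext not in EXECUTABLE_EXTS:
        return "allow"              # documents and data files are not restricted
    if any(is_under(path, root) for root in ALLOWED_ROOTS):
        return "allow"
    return "block"                  # default-deny everywhere else


# Constructed launch attempts, not taken from any real log.
SAMPLES = [
    r"C:\Windows\System32\notepad.exe",
    r"C:\Program Files\Mozilla Firefox\firefox.exe",
    r"C:\Users\alice\Downloads\invoice.pdf.exe",
    r"C:\Users\alice\AppData\Local\Temp\setup.exe",
    r"E:\autorun.exe",
    r"C:\Windows\..\Users\alice\Downloads\tool.exe",
    r"C:\WindowsUpdate\svchost.exe",
    r"C:\Users\alice\Documents\report.docx",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{decide(s):5}  {s}")
```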
That said, if you've already tried and given-up on limited-user working
(or Vista's horrendous UAC) having found it insufferable, give Software
Policies a try. They are far less invasive than account restrictions, and
can be turned-off any time you need to. I'm writing this webpage on a
computer with a software policy, and basically I mostly forget it's there.
Only on rare occasions do I need to turn it off, and if I do, then that is
accomplished in the space of a few clicks.
A few areas in which a software policy causes far less aggro than UAC are:
- No dimming of the screen or repeated nags, just a message that potentially-unwanted software has been foiled.
- No loss of remote-desktop or VNC link when changing mode.
- No loss of software-settings when switching from unrestricted to restricted mode.
- No loss-of-access of network shares when changing mode.
- Less likely the user will be 'duped' into OK'ing an undesirable install (and if that is likely to happen, you can require the Admin password).
The latest version also provides integrated support for
Kåre Smith's StripMyRights.exe, thus allowing attack-prone apps such as
browsers to be given additional protection, without the need to restrict
the account itself.
A system-tray icon provides controls to install/uninstall the
policy, and to turn the policy off whilst installing legitimate software.
In fact, the softwarepolicy.exe program itself need not be run
continuously, other than to produce this icon for convenience.
The policy, once set, will survive reboots and remain in-force until cancelled.
The tray icon also provides a handy list of the most frequently-used administrative utilities. This list can be edited as required.
Notes: This script and the Group Policy software restrictions should not
be used simultaneously. (You can use other policies, just not software
restrictions.) Not suitable for Windows 2000 or earlier.
Usage:
Run the installer, and then check that the settings in
softwarepolicy.ini are suitable for your computer. Activate the policy
and reboot.
To control the policy, use Lock/Unlock on the system-tray icon to
turn the additional security on and off as required. (This takes
immediate effect.)
Removal:
From Control Panel in the usual way. Or, if using a zipped
copy, do 'softwarepolicy /u' before deleting the files.
Note that the policy may remain in-force until a reboot.
Downloads:
Latest Version with Inno installer, updated Nov 2010. Now includes support for 64-bit platforms. Sourcecode can be had from the sf.net project page.
New features:
- StripMyRights integration, for limiting the rights of Web-browsers, etc.
- Passwords. (stop unauthorized persons from suspending the protection)
- 64-bit compatible.
- Silent install for LAN rollouts.
- Unlock Timeout (you have 30min of admin-time to install software, without further nags)
- System-tray apps menu
- Option to allow run from temp folder (preferably don't do this, but some apps require it)
- Now accepts driveletters as mappings, as well as UNC paths.
Legal:
This software has now been in daily use on several of our own Windows XP and Windows 2003
computers for a number of months, and has proved very stable.
It has also been downloaded a substantial number of times without any reports of any serious trouble having been made.
As ever, you use this system-level utility entirely at your own risk.
Various forms of disaster are not excluded from the list of possible
outcomes of its incorrect use. Or, even of its correct use.
This software may be duplicated any number of times, and used in
private or commercial IT operations. The software may not be sold for
profit in any shape or form. Third-party websites and P2P hosts may
offer copies for download so long as these conditions are met.
The sourcecode and executables of this software are released under the
GNU Public Licence, version 3. Icons and other graphics remain the
intellectual property of IWR Consultancy, and may not be used in
derivative works without permission.
It is not necessary to supply sourcecode with every downloaded copy, so
long as a link to the publisher's website is included in some form or
other at the download location.