So if you know anything about managing Windows systems then you know about GPOs. In my honest opinion, GPOs are one of the greatest tools available in Windows. GPOs let you administratively manage all aspects of your computers. You can literally set about 99.9999% of any settings you ever wanted to configure on a computer.
One of the things that make GPOs so great is that it is expandable in that you can add new administrative templates as you add new software to your workstations in your domain. So not only can you manage just about any Microsoft or Windows setting, but you can also add in templates for third-party software from most of the big software venders and enterprise applications, as well as add new templates when new Microsoft releases new OSes and software.
The biggest downside of GPOs is that they can feel like a daunting wall when you first get started implementing them simply because there are sooo many settings that you can potentially configure – where to begin!?! And how do you figure out where to set some of those really odd settings. Well don’t worry, I don’t know anyone that remembers exactly where each setting is. For me, there are two resources that I regularly use to help me find the settings that I want to configure.
This is an official Microsoft tool that lets you search all of the various settings that are available to you in all Microsoft products. It’s a great resource to find where things are set just by using a keyword. Think of it as “Bing” (or “Google”) for GPOs. Out of these two links, this site is the easiest to navigate when looking specifically for Microsoft and Windows settings.
This site includes all of the Microsoft settings, but where it really shines is all of the third-party software settings it has indexed for you. If need to figure out where to set something in Chrome or Adobe or any other software, this site has you covered.
So this last site is just a bonus as it is not exactly a GPO site, but it comes in handy. It’s a way to convert registry settings into powershell commands that you can run. Paste your reg key into it and it will spit out the corresponding PS command for it.
Using GPOs is a great way to allow or block programs from running on your corporate network. Just be careful and limit yourself to only blocking the applications which you actually have a need to block. Don’t go too crazy locking down programs
Microsoft first made the introduction of “Software Restriction Policies” in Windows Server 2008 and they’ve continued to evolve. Today I will show you four ways which Microsoft allows us to restrict programs from running.
File Path / File Name Rule
Network Zone Rule
Hash Rule
Certificate Rule
To begin, fire up the Group Policy Management Editor. Click on the start menu and type “gpmc.msc”. If you are on a Domain Controller it should work. If you’re on a workstation you’ll likely have to run Server Manager as a Domain Admin (or other user with the correct administrative privileges), choose “Group Policy Management” from the ‘Tools’ dropdown.
Once it’s open, scroll down to the folder “Group Policy Objects” and right-click on it to create a “New ” policy object. Give it an appropriate name, something like “Software Restrictions – Test”. Now find and right-click on your new policy and select “Edit…”.
The software restriction policy exists under both “Computer Configuration” and “User Configuration”. So depending on your needs, you can lock down either the user or the computer.
Drill down into the policy… “Policies” -> “Windows Settings” -> “Security Settings” -> “Software Restriction Policies”.
Right-click on “Software Restriction Policies” and click “New Software Restriction Policies”
Select and open the “Additional Rules” folder.
Right-click under the two pre-existing default entries, and then from that drop-down menu select the type of rule you want to create. I’ll expand on the four methods below…
There are three security levels used in all of these rules:
DISALLOWED: Software will not run, regardless of the access rights of the user.
BASIC USER: Allows programs to run only as standard user. Removes the ability to “Run as Administrator”.
UNRESTRICTED: No changes made by this policy – Software access rights are determined by the file access rights of the user.
My examples below all show how to block software with ‘dissallowed’ rules. But just remember that you can just as easily allow for software by using ‘basic user’ and ‘unrestricted’ rules. Use them wisely!
1. Block by File Path / File Name Rule
In this example I will show you how to lock down the computer from running WordPad.
Select “New Path Rule”.
Type, or use the “Browse…” button, to enter the file path or file name you wish to block. Make sure that the ‘Security level’ is set to “Dissallow”. Then click ‘OK’.
Note: System variables will all function in the rule, variables such as %windir%, %ProgramFiles(x86)%, %AppData%, %userprofile%, and others.
It is important to note that many applications launch in more than just one way. So you may have to block multiple executables to fully block the application, just fyi.
You also need to take note of where/how software get launched from, as some applications have multiple ways they can be launched. Just FYI, in case you start banging your head as to why some block rule doesn’t seem to be working.
Also be careful using just the file name itself to try to block a program from running. If you were to block just the file name ‘update.exe’ for example, hundreds of applications all ship with an ‘update’ executable and they would all be hindered and unable run.
My rule of thumb is to always use the full path unless it’s truly a unique file name, and even then I still prefer to use the full path.
2. Block by Network Zone Rule
Select “New Network Rule”.
Select the Network zone you want to block. Make sure that the ‘Security level’ is set to “Dissallow”. Then click ‘OK’.
These rules allow you to block programs if they come from sites you’ve designated into a zone, like your Restricted sites. Or in the case that you were to be creating an allow rule, your local Intranet. While this option exists, it seems unlikely to me that most SMBs ever use it.
3. Block by Hash Rule
In this example I will show you how to lock down the computer from running WordPad.
Select “New Hash Rule”.
Use the “Browse…” button to navigate to the file which you are wanting to block. Select the file and click ‘Open’. It will automatically pull the needed file information and the “hash” it needs from the file you selected. Make sure that the ‘Security level’ is set to “Dissallow”. Then click ‘OK’.
The only problem this method has is that file hashes change any time there is ANY change to file. It doesn’t matter how small of a change is made, it will always create a new hash. That means that hash rules are best applied to older software that you are trying to kill, and not for programs that get updated often.
4. Block by Certificate Rule
In this example we will be blocking applications signed by Adobe Inc.
Select “New Certificate Rule”.
Use the “Browse…” button to navigate to the certificate file which you are wanting to use to block signed software. Select the file and click ‘Open’. Make sure that the ‘Security level’ is set to “Dissallow”. Then click ‘OK’.
Certificate rules are by far one of the most secure rules as they rely on certificates from trusted publishers. Because of this but they require more work on the PC’s part as it goes out and tries to verify the validity of the certificate, so they may significantly effect performance. I can’t tell you how much of an impact they’ll create, but it’s enough that MS warns us. Also, if the certificate ever expires, you’ll need create a new rule.
So when using RDS in Windows Server 2016 there is a funny issue that arises… Users can actually reboot your Remote Desktop Session Host (RDSH). Yes, you read that right! Your users have the rights/permissions to reboot your host. If your like the dozens of forum posts i discovered, they will probably/definitely do it during production hours.
I know what you’re probably thinking… I had set up my GPOs and it was working before when we were on Windows Server 2012 or 2012 R2.
Well folks, 2012 R2 is where the support for that GPO ended. It is not supported on 2016 or higher. Stupid, right?!? Why would they take away that setting? Or better yet, why would users need to restart a server, that’s an administrator’s role? To be honest I don’t know.
The setting you used to use was “Allow non-administrators to receive update notifications”. It is found under “Computer Configuration\Administrative Templates\Windows Components\Windows Update\”. (Full description here – https://gpsearch.azurewebsites.net/#2794)
It seems like the only viable, and IMHO equally dumb option, to prevent users from applying updates and restarting your server is to completely disable windows updates.
That setting, if you choose to go that route, is “Turn off access to all Windows Update features”. It is found under “Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings\”. (Full description here – https://gpsearch.azurewebsites.net/#4728)
Hopefully Microsoft fixes this and administrators are again able to take control back and stop our users applying windows updates and rebooting our machines.
There is a GPO setting for, literally, almost everything in Windows!
Software companies provide all of these settings to administrators by means of Group Policy Administrative Templates, better known as ADMX templates or ADMX files. The domain admin imports these ADMX files, into their Active Directory schema, and can then manage an array of settings for the software related to the imported ADMX template.
You can usually find these files on your software vendor’s website, or try doing a search for your software along with the term ” ADMX”. The files or templates consist of two parts; (1) ADMX file – this half are the settings that it allows you to set, and (2) ADML file – the is the language localization file and will have the same name as the ADMX file it is associated with.
While these ADMX templetes allow for an amazing level of control and standardization within a domain or corporate environment, it can be pretty intimidating trying to comb through all of the available settings to find the one thing you want to tweak. It’s akin to trying to find a needle in a hay stack.
Luckily we live in the age of the Internet. There are a couple of websites that I like to use, that have made the task of finding particular GPO settings incredibly simple. Since I’m starting off with Microsoft – Think of it as “Bing’ but just for GPOs & ADMXs. As i mentioned, the first one is “powered” by Microsoft themselves. I feel that it does a great job of simplifying the task of searching for the right GPO setting you want.
The other site that I like to use is not Microsoft specific, but compiles and lists the configurable settings available from many software vendors (I stopped counting after I got to 50 different venders).
If the software you use has an available ADMX template, there is pretty darn good chance that it’s settings will be listed on the site below.
