Phenquestions
Simple Software-restriction Policy allows you to harden Windows machines by adding Linux-like execute permissions to them.
Windows by default does not prevent software from being run from any location on the computer which malware and unwanted software exploit.
For instance, programs may be run directly from USB Flash Drives, download folders or system temp directories.
Simple Software-restriction Policy changes that by locking down that functionality on the system. It ships with a default rules file which is a good start but may need tweaking.
After installation, you will notice that you cannot execute files anymore from download folders or most folders on the system for that matter.
It is still possible to run software from select locations, the program files folder for instance but executions from most locations are blocked.
The program's functionality is defined in the softwarepolicy.ini file. Open it in any plain text editor to fine-tune its behavior. This is not as intimidating as it sounds as the syntax is simple and instructions are provided for each entry.
Here is a short list of important sections in the ini file that you may find useful:
- LimitedApps - This is only useful if the user is a local admin. If that is the case, it ensures that the programs listed in this section are run with limited privileges. Web browsers such as Firefox, Opera or Chrome are listed in this section by default. In addition, you may define when these restrictions apply (when the app is locked down, always, never).
- CustomPolicies - Use this section to define locations on the computer or network where software exeuctions are not blocked in.
- AdminMenuPasswordLevel - Enable this to password protect the unlocking functionality of the application and the software#s configuration.
- SoftwarePolicy - Defines extensions that are limited by the program. Includes many executable file types and important file types such as exe, bat or reg by default.
- AddRootDirs - Block or allow programs to run from root directories, e.g. c: or d:
- AddTempDir - Block or allow programs from running from temporary directories
- IncludeDlls - Whether to prevent the launching of dynamic link libraries as well.
- AlwaysAllowSystemFolders - Determines whether system programs can be launched at all times.
- Disallowed - Add paths or executable files that should never be run on the system.
The two main features of the program are to lock-down the execution of programs on the system to safe areas and to run specified programs automatically with limited privileges.
The program ships with an unlock option with disables its protection which may be useful when certain applications or updates won't run properly when the application is enabled. A folder full of portable applications for instance may be a good target for an exemption as you won't be allowed to run the programs on the Windows machine otherwise.
Depending on how you are using your system currently, you may need to change certain behaviors after enabling Simple Software-restriction Policy's protection. It is for instance no longer possible to run downloaded executable files directly from the download directory unless you make modifications to the default configuration.
Verdict
Simple Software-restriction Policy hardens Windows systems by limiting the locations that applications can be run from. In addition, it is allowing you to run certain programs with limited rights.
It is a useful program not only for your own systems but maybe also for systems of relatives or friends who are not computer-savvy.
