CIS 170F: Windows 7 Administration

Week 10

Application Support
Application Control Policies
Software Restriction Policies

  • Software Restriction Policies are implemented as part of a management strategy for Windows XP workstations that are domain-joined to a Windows Server 2003 domain.
  • Software Restriction Policies are typically defined in a Group Policy Object (GPO), which is created with an MMC Group Policy snap-in on an Active Directory domain server.

  • A single mistake in a policy can have serious consequences for the ability of workstations to operate. By default, all applications are allowed to run.

  • Additional rule types that can be created as exceptions include:
    • Hash Rule: It defines a hash identifier that uniquely identifies a file and assigns it a software restriction behavior.
    • Path Rule: It defines exceptions that allow or disallow a file or folder location specified with a path value.
    • Internet Zone Rule: It works with the Windows Installer.
    • Certificate Rule: It defines exceptions based on the digital certificate used to sign an application or script.
    • Registry Key Rule: It defines exceptions based on a path stored in a registry value.

  • Software restriction policies recognize most executable file types by their file extension. Restriction policies are delivered by Group Policy.
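
To check what a delivered policy actually contains on a workstation, the following added example (not part of the course material) lists the default level, the recognized executable extensions, and the path and hash rule exceptions. It assumes the computer-scope policy is stored under the `Safer\CodeIdentifiers` policy key in the registry; the function names are hypothetical, and certificate and Internet zone rules are not covered.

```powershell
# Added example. Reads the computer-scope SRP settings that Group Policy
# writes to the registry (assumed location, see the note above).
$root   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$levels = @{ 0 = 'Disallowed'; 131072 = 'Basic User'; 262144 = 'Unrestricted' }

function Get-SrpSummary {
    # Default security level and the file extensions SRP treats as executable.
    if (-not (Test-Path $root)) { return 'No computer-scope SRP is configured.' }
    $cfg = Get-ItemProperty -Path $root
    $default = 'not set'
    if ($null -ne $cfg.DefaultLevel) { $default = $levels[[int]$cfg.DefaultLevel] }
    New-Object PSObject -Property @{
        DefaultLevel    = $default
        ExecutableTypes = ($cfg.ExecutableTypes -join ',')
    }
}

function Get-SrpRule {
    # One object per path rule (file, folder or registry path) and hash rule.
    if (-not (Test-Path $root)) { return }
    foreach ($levelKey in Get-ChildItem -Path $root) {
        # Rule exceptions are grouped under a subkey named for their level.
        if ($levelKey.PSChildName -notmatch '^\d+$') { continue }
        $level = $levels[[int]$levelKey.PSChildName]
        foreach ($type in 'Paths', 'Hashes') {
            $typePath = "$root\$($levelKey.PSChildName)\$type"
            if (-not (Test-Path $typePath)) { continue }
            foreach ($ruleKey in Get-ChildItem -Path $typePath) {
                $r    = Get-ItemProperty -Path $ruleKey.PSPath
                $data = $r.ItemData
                if ($data -is [byte[]]) {
                    # Hash rules store the file hash as binary; show it as hex.
                    $data = ($data | ForEach-Object { $_.ToString('x2') }) -join ''
                }
                New-Object PSObject -Property @{
                    Level = $level; RuleType = $type
                    Value = $data;  Description = $r.Description
                }
            }
        }
    }
}

Get-SrpSummary
Get-SrpRule | Sort-Object Level, RuleType | Format-Table -AutoSize -Wrap
```

An "Unrestricted" default level with no rules listed means the policy is not restricting anything, which matches the allow-all default described above.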