Limiting applications on Win 2003 server
At a recent seminar, I was told by Microsoft staff that we can limit the applications that we want to run on a Win 2003 server and a virus cannot run if I set this feature. Please advise how to do this.
I cannot speak for Microsoft, but I believe the reference is to Software Restriction Policies. You can set them at the domain level in a GPO and therefore manage the software that can run on all XP Professional computers in a domain or OU. You can also use this on a single XP Professional computer. In short, you create a policy that prevents any software from running, and then you must create rules that allow the software that you have authorized to run. If a user attempts to run software for which there is no rule, it will not run. This can be a virus, Trojan, worm or a legitimate application. You must remember to specify all of the applications that you want to run. That's the key. But any new software that is purposely or accidentally added to the computer cannot run. I recommend that you experiment on a single Windows XP Professional computer until you get the rules correctly written. Then write a policy at the OU level. A good place to start researching Software Restriction Policies is with the help files on Windows XP Professional or Windows Server 2003.
Learn more about desktop security in Roberta Bragg's webcasts, Managing your road warriors and Secrets of desktop security.
This was first published in October 2003
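The default-deny approach described in the answer above can be rehearsed on paper before a policy is written. The following is an added example, not part of the original answer and not Windows' own implementation: a simplified Python model that checks a list of authorized applications against a draft rule set and reports which ones would be blocked. The rule format, the use of SHA-256, and all paths and file contents are assumptions constructed for illustration.

```python
import hashlib
from dataclasses import dataclass

DISALLOWED, UNRESTRICTED = "Disallowed", "Unrestricted"

@dataclass(frozen=True)
class Rule:
    kind: str                  # "hash" or "path"
    value: str                 # hex digest, or a file/folder path
    level: str = UNRESTRICTED

def digest(content: bytes) -> str:
    # Assumption: SHA-256 stands in for whatever hash the policy stores.
    return hashlib.sha256(content).hexdigest()

def norm(path: str) -> str:
    return path.replace("/", "\\").rstrip("\\").lower()

def evaluate(path, content, rules, default=DISALLOWED):
    """Return (level, matching rule); the default level applies when no rule matches."""
    for r in rules:            # a hash rule outranks any path rule
        if r.kind == "hash" and r.value == digest(content):
            return r.level, r
    p, best = norm(path), None
    for r in rules:            # the most specific (longest) matching path rule wins
        v = norm(r.value)
        if r.kind == "path" and (p == v or p.startswith(v + "\\")):
            if best is None or len(v) > len(norm(best.value)):
                best = r
    return (best.level, best) if best else (default, None)

def blocked(inventory, rules):
    """Paths from the authorized inventory that the rule set would stop."""
    return [p for p, c in inventory if evaluate(p, c, rules)[0] == DISALLOWED]

# Constructed sample data: paths and file contents are illustrative only.
BACKUP = b"constructed backup agent bytes"
RULES = [
    Rule("path", r"C:\Windows"),
    Rule("path", r"C:\Program Files"),
    Rule("path", r"C:\Program Files\OldTool", DISALLOWED),
    Rule("hash", digest(BACKUP)),
]
AUTHORIZED = [
    (r"C:\Windows\System32\notepad.exe", b"notepad"),
    (r"D:\Agents\backup.exe", BACKUP),
    (r"D:\LOB\payroll.exe", b"payroll"),
]

if __name__ == "__main__":
    print("authorized but blocked:", blocked(AUTHORIZED, RULES))
    print(evaluate(r"C:\Temp\new.exe", b"unknown", RULES))
```

Any path that `blocked` returns is an authorized application still missing a rule, which is the gap to close on the test computer before the policy is applied at the OU level.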