Focus on Microsoft
RE: services running in windows domain (winXP clients) - Dec 28 2004 06:04PM - Starks, Brad (booteyebirdhand co marin ca us) (1 replies)
Re: services running in windows domain (winXP clients) - Dec 31 2004 05:05PM - Nicolas RUFF (listes) (ruff lists edelweb fr) (1 replies)
> > The way I understand it, software restriction policies only work for
> > applications that are called by the Windows explorer process. If they
> > are called by any other process, then the restriction policy does not
> > work.
> [...]
> You can check by yourself that SRPs apply to all processes:
> - Create a 'deny' rule on NOTEPAD.EXE
> - Launch GPUPDATE to update your policy
> - Try to launch NOTEPAD from inside CMD.EXE: it won't run
>
> Then I tried on the IIS system service (INETINFO.EXE) : the service DID
> start despite the 'deny' rule ... Too bad. I think I will investigate
> this further, but indeed SRP won't solve your particular problem.
Launching apps from cmd.exe is comparable to launching them from IE or
Explorer -- in each case the program is started by the user.
System services, however, are not. These are started by the SYSTEM.
Perhaps a service might honor the policy if it is started under a user
account (other than SYSTEM), but my past experience has been that it
ignores the policy.
In short: Apps started from the GUI (Explorer, cmd.exe window, etc.) will
check the policy setting first. Apps started by the system as services,
the scheduler, I believe, and other already started applications
(spawning sub commands/scripts/batch files/etc.) do not. I think the
screen saver is also not checking the policy, if I remember right.
Would make for an interesting project -- to create a matrix of different
launch methods and policy compliance results.
Regards,
Frank
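The "matrix of launch methods and policy compliance" Frank suggests, as an added example that is not part of the original thread: a PowerShell audit script that assumes the 'deny' rule on notepad.exe from Nicolas's steps is already in place and GPUPDATE has run, that it runs as the restricted (non-admin) user, and that the task name SrpAudit is a constructed placeholder.

```powershell
# Added example (not from the thread): exercise several launch paths against an
# existing SRP 'deny' rule on notepad.exe and record which ones the policy stops.
# Assumes: rule in place, GPUPDATE done, running as the restricted user.
# 'SrpAudit' is a constructed task name; delete it afterwards (done below).
$Target = 'notepad.exe'

function Get-NotepadPids {
    @(Get-Process -Name notepad -ErrorAction SilentlyContinue | ForEach-Object { $_.Id })
}

function Test-Launch {
    param([string]$Method, [scriptblock]$Launch, [int]$WaitSeconds = 3)
    $before = Get-NotepadPids
    try { & $Launch } catch { }   # a blocked launch usually throws; that is the expected outcome
    Start-Sleep -Seconds $WaitSeconds
    # Any notepad PID that did not exist before the launch means the policy was not honoured.
    $new = @(Get-NotepadPids | Where-Object { $before -notcontains $_ })
    if ($new.Count -gt 0) {
        $new | ForEach-Object { Stop-Process -Id $_ -Force -ErrorAction SilentlyContinue }
        $result = 'RAN (policy not applied)'
    } else {
        $result = 'BLOCKED'
    }
    [pscustomobject]@{ Method = $Method; Result = $result }
}

$matrix = @(
    # User-context launch, equivalent to Explorer / a cmd.exe window
    Test-Launch 'Direct (Start-Process)'       { Start-Process $Target }
    Test-Launch 'Via cmd.exe start'            { cmd.exe /c start $Target }
    # Process created on the user's behalf by the WMI provider host
    Test-Launch 'Via WMI Win32_Process.Create' {
        Invoke-WmiMethod -Class Win32_Process -Name Create -ArgumentList $Target | Out-Null
    }
    # Process created by the Task Scheduler service (current user, one-shot task)
    Test-Launch 'Via Task Scheduler'           {
        schtasks /Create /TN SrpAudit /TR $Target /SC ONCE /ST 00:00 /F | Out-Null
        schtasks /Run /TN SrpAudit | Out-Null
    } 6
)
schtasks /Delete /TN SrpAudit /F 2>$null | Out-Null

$matrix | Format-Table -AutoSize
```

Blocked launches also appear in the Application event log under the Software Restriction Policies source (event IDs 865 to 868), which is the record to correlate the table against; a launch path that shows RAN with no such event is the gap to report.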