At Browserling I just solved an interesting Windows sysadmin problem of how to allow Windows users to run just a few programs and nothing else. Since anyone can use Browserling for free, I had to find a way to restrict them from downloading and running viruses and trojans. So I took time to investigate and found a very elegant solution. No one had really documented this so this blog post will be very handy for people who can't figure it out themselves.

The solution is to configure the Software Restriction Policy (SRP) in the user's Group Policy Object (GPO) and disallow the user to run everything except the programs that are necessary to login and the programs you want the user to use.

The hardest part was figuring out all the programs that the user absolutely must be allowed to run for him/her to login the system:

  • C:\Windows\explorer.exe
  • C:\Windows\System32\csrss.exe
  • C:\Windows\System32\dwm.exe
  • C:\Windows\System32\rdclip.exe
  • C:\Windows\System32\taskhost.exe
  • C:\Windows\System32\TSTheme.exe
  • C:\Windows\System32\userinit.exe

If you don't have these in the SRP, then the user will never be able to login. So make sure they are in the SRP's "Additional Rules" and their security level is "Unrestricted."

After you add these, the user will be able to login but he wont be able to run anything! He'll just see desktop and that's it. If you want to allow the user to run, let's say, Paint, then add C:\Windows\System32\paint.exe the Unrestricted Access list.

Here is a precise list of steps to take to disallow running programs. Run them from Administrator account:

1. Open up the Microsoft Management Console (Start -> Run -> mmc):

2. Select File -> Add/Remove Snap-in.

3. Select Group Policy Object.

4. Click Add.

5. Click Browse, select the user you want to configure the GPO for.

6. Click Finish, and OK. Now you'll see the tree view with "<username> Policy."

7. Navigate to User Configuration -> Windows Settings -> Security Settings -> Software Restriction Policies.

8. Right click on Software Restriction Policies and click New Software Restriction Policies.

9. Two new items will appear the tree. Click the Security Levels.

10. Double click the Disallowed security level and click "Set as Default."

11. Go to the other item, the Additional Rules.

12. Delete the crap that Windows adds there by default (%HKEY_LOCAL_MACHINE\... something).

13. Add the rules that I documented in the beginning of the article. They are absolutely necessary for the user to login into the machine (either via desktop or remote desktop).

14. Add full paths to programs that you wish to allow the user to run (such as C:\windows\system32\paint.exe, ... etc.). Make sure the users can't overwrite the programs with their own, otherwise they might be able to execute their own programs.

15. Save the GPO.

16. Done!

Thanks to lewellyn for helping out with all this!

Ps. As I like to joke, the new title of this blog soon will be "Peteris Krumins's blog on Windows Administration" as I have spent so much time during past month messing with Windows. ;)


December 12, 2010, 06:17

Weird that there isn't a default rule for this thing, handy to have a list somewhere to look at!

December 12, 2010, 18:33

You sneaky cat.

December 12, 2010, 08:45

Hello, in some dark past I was a Windows 2000/2003 administrator. I remember playing with these security restrictions... and breaking them.

At that time you had several options on how to 'restrict' usage of programs with that GPO setting. The 'path rule' (which is easily cracked by copying exe's to an allowed path), the 'internet rule' (which didn't work), the 'hash rule'(doable) or the 'certificate rule' (which required playing with 'authenticode' command line tools, and was pretty cumbersome to maintain).
Which rule did you use ? Or does it work different now (I have not seen the GPO interface in years.)

December 12, 2010, 18:32

I am using the 'path rule' but it's not crackable in my case. Public users on my system are not allowed to overwrite the installed software.

David W Permalink
December 12, 2010, 14:01

Hi there,

This does very little for you, e.g. an attacker can still download a copy of command prompt, rename it "iexplore.exe", and find a way to run it.

Windows offers a more robust facility, which is whitelisting executables by MD5sum, but setting that up is a painstaking process.

December 12, 2010, 18:33

Not really, I have full paths to executables, such as 'C:\Program Files\Internet Explorer\iexplore.exe', and the public users are not allowed to overwrite these programs.

Shashi Kant Sharma Permalink
December 12, 2010, 16:55

You need

Some programmer Permalink
January 05, 2011, 21:38

I don't understand why he would need solidcore ? what is that commercial enterprise bs ?

December 13, 2010, 14:27

Three quick notes:

1. rdclip.exe and TSTheme.exe are probably only required since you're using Terminal Services. Admins running domains which do not make use of TS may be able to leave these two disabled.

2. An alternative to using GPOs is Trust-No-Exe.

3. See also Protecting Windows RemoteApp Servers

December 13, 2010, 17:54

Actually, there's a far more thorough yet evil solution, but since your scenario is so specific, I think it will be more secure:

Yes, you can write a DLL that gets loaded into *every process on startup*. Normally this "feature" of Windows is disabled and insane, but you could use it to TerminateProcess anything that isn't in the whitelist of allowed processes.

December 13, 2010, 22:55

Great post! Not much of a Windows Sys Admin but when I do I'll be sure to add this to my toolbox!

December 17, 2010, 10:49

I screwed up my only admin account on win 7 after adding and removing Snap-in when I restarted my laptop. I cant access any other program now. How can I recover? please help

July 26, 2012, 08:11

I've faced this problem too,

carl Permalink
December 23, 2010, 17:36

i think there was a post from mark russinovich about some defects of gpo

carl Permalink
January 10, 2011, 16:59

Does this still work?

Rana Permalink
March 13, 2011, 12:11

Great Really graet.
I made it like this
1- default unresticted
2-in the additional Rule I add path for specific .exe prog and make it disallow.
Note: I use 2008 R2 and not join it to domain it's work:)

xrhino Permalink
June 18, 2011, 14:57

Hello. I have windows 7 running. Anyone know how I can configure the GPO so that only certain files show up on the "All Programs list"..meaning only the programs that I allow for the users to use show up on the all programs list on the start menu..

Vishal Sane Permalink
September 11, 2013, 06:51

want a guide line for applying group policies ...
anyone can help me ?

Najam Permalink
December 19, 2013, 10:03

I know its very late but this is a great post. If i want some specific programs to run automatically upon log in (for monitoring purposes) this configuration does not runs those programs until i add them to unrestricted list. If i do so, it will allow the users to turn them off or exit those apps which i don't want. What to do in this case?

John Permalink
March 05, 2014, 16:54

You can also just add path wildcards. To get it working for me, I had to do: C:\Windows\system32\*

Luca Uburti Permalink
November 16, 2015, 11:05

when you say: C:\Windows\System32\rdclip.exe
I think this should be: C:\Windows\System32\rdpclip.exe

Thanks for the useful post

Syed Permalink
March 24, 2017, 13:46

OK, after 2 days of neck breaking research, this seems to have done it! Thank you.

I have a very precise question, how to allow only nps (network policy server) in windows 2012 to run?

So, following everything above, I added c:\windows\system32\nps.msc to the allowed list with unrestricted access but it still doesn't work. I am assuming it's calling a DLL named npsui.dll, which I added to allow list, but still I get an error as if nps is restricted. Any hint?

Leave a new comment

(why do I need your e-mail?)

(Your twitter name, if you have one. (I'm @pkrumins, btw.))

Type the word "disk_248": (just to make sure you're a human)

Please preview the comment before submitting to make sure it's OK.