Block A Program Using Hash

Here is a little tutorial on how to block a program using Group Policy and the program’s hash.



Start by either editing an existing GPO in AD or creating a new GPO. You can also do this standalone using gpedit.msc on any Windows XP machine.

Drill down to Software Restriction Policies. Which configuration you put this under depends on where you create the GPO. If the GPO resides in a user OU, then it needs to go under “User Configuration”. Likewise, if it is in a computer OU, then you need to go to “Computer Configuration”.



After you determine which configuration is best for you, right click “Software Restriction Policies” and click “Create New Policies”. For you standalone, non-AD guys, if you want to block a certain user from accessing a program, you can log in as them and put these settings under “User Configuration”.



You should now have some new folders under “Software Restriction Policies” called “Security Levels” and “Additional Rules”. Under “Security Levels” are the default restrictions. If you want total control over what programs are run, then you can make “Disallowed” the default level — but that’s another post.

For now we will focus on “Additional Rules”. Right click in the “Additional Rules” folder and click “New Hash Rule”.



This will bring up the “New Hash Rule” box, where you just need to browse for the program in question. I chose Internet Explorer — since I hardly ever use it anyway. It should automatically fill in the hash value for the software, and also the file information. Then you can choose the security level, which in this case would be “Disallowed”. You may also put in a description if you wish.


After you click “OK”, any attempt to run Internet Explorer, or whichever program you chose, is blocked by the policy.
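The “New Hash Rule” dialog above fills in the hash for you. As an added example (not part of the original post), this PowerShell script models the three pieces of data a hash rule stores (hash value, file length, hash algorithm ID) and shows which files still match a rule. It assumes an unsigned file, for which the rule uses the MD5 of the whole file, and PowerShell 4.0 or later; the function names and sample files are hypothetical and constructed for the demonstration.

```powershell
# Added example: models the hash / length / algorithm ID triple of an SRP hash rule.
# Assumption: the file is unsigned, so the rule is the MD5 of the whole file.
$CALG_MD5 = 32771   # Windows CryptoAPI algorithm ID for MD5 (0x8003)

function Get-SrpHashRule {
    # Hypothetical helper: returns "md5:length:algid" for one file.
    param([Parameter(Mandatory)][string]$Path)
    $file = Get-Item -LiteralPath $Path
    $md5  = (Get-FileHash -LiteralPath $file.FullName -Algorithm MD5).Hash.ToLower()
    '{0}:{1}:{2}' -f $md5, $file.Length, $CALG_MD5
}

function Test-SrpHashRule {
    # Hypothetical helper: true when the file on disk still matches the rule.
    param([Parameter(Mandatory)][string]$Path,
          [Parameter(Mandatory)][string]$Rule)
    (Get-SrpHashRule -Path $Path) -eq $Rule
}

# Constructed sample files in a scratch directory (not real programs).
$dir = Join-Path ([System.IO.Path]::GetTempPath()) ('srp-demo-' + [guid]::NewGuid())
New-Item -ItemType Directory -Path $dir | Out-Null
try {
    $v1      = Join-Path $dir 'tool.exe'
    $renamed = Join-Path $dir 'renamed.exe'
    $v2      = Join-Path $dir 'tool-updated.exe'

    [System.IO.File]::WriteAllBytes($v1, [byte[]](1..64))
    Copy-Item -LiteralPath $v1 -Destination $renamed
    # Different content stands in for a newer build shipped by a vendor update.
    [System.IO.File]::WriteAllBytes($v2, [byte[]](1..65))

    $rule = Get-SrpHashRule -Path $v1
    "Rule for tool.exe:     $rule"
    # Same bytes under a different name: the rule follows content, not path.
    "Renamed copy matches:  $(Test-SrpHashRule -Path $renamed -Rule $rule)"
    # Different bytes: the existing rule no longer covers this build.
    "Updated build matches: $(Test-SrpHashRule -Path $v2 -Rule $rule)"
}
finally {
    Remove-Item -LiteralPath $dir -Recurse -Force
}
```

For a digitally signed file such as Internet Explorer, the rule uses the hash contained in the signature instead, so this whole-file MD5 will not reproduce it. Because an updated build no longer matches, a hash rule has to be re-created whenever the blocked program is updated.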
