SRPs have been legacy for a while now, I guess, Microsoft has been encouraging people to switch to AppLocker. To migrate I think you would need to switch some AppLocker policies in audit mode, capture the required settings, and then disable the SRPs.
I used to be a big fan of SRPs, they always felt simpler to set up than AppLocker, but I guess Microsoft may deprecate them eventually. This is *assuming* that you don't get any odd behaviour in AppLocker :-) Cheers, JR On 4 March 2015 at 16:31, Klaus Hartnegg <[email protected]> wrote: > Software Restriction Policy (SRP) in Win7-64 behaves different than in > Win7-32 or WinXP-32 (I'm using SRP in whitelisting mode, default level is > restricted). > > SRP allows to choose whether it should affect everybody, or everybody > except admins. In 32bit this does have the expected effect. But in 64bit > administrator always are allowed to run executables everywhere, regardless > of SRP settings. Is SRP broken in 64bit Windows? > > Also there is an option whether SRP should affect all except DLLs, or > really all software. In Win7-64 with DLLs specifically excluded from SRP, > every user gets on the first login the error message that MSOE.DLL cannot > be loaded. Why? SRP is told to not not restrict DLLs, and that DLL is in a > directory that is specifically allowed. > > I did find a solution to the second problem: remove these registry keys: > HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{44BBA840-CC51- > 11CF-AAFA-00AA00B6015C} > HKLM\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed > Components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C} > > But the first issue makes me wonder whether SRP can be trusted any more, > or maybe we must switch to AppLocker? > > Klaus > > > > -- *James Rankin* --------------------- RCL - Senior Technical Consultant (ACA, CCA, MCTS) | The Virtualization Practice Analyst - Desktop Virtualization http://appsensebigot.blogspot.co.uk

