Lock down any PC with Simple Software Restriction Policy
Simple Software Restriction Policy (SSRP) is a free tool which gives complete control over the folders where software can be executed.
Program Files, System and other folders are allowed by default. But commonly-exploited locations like your desktop and temporary folders are blocked, instantly protecting you from a host of potential threats.
Windows has been able to do this for years, at least in theory, but with some problems. The standard policy editors aren’t available in the Home or most basic Windows versions, and even if you’ve got them, are awkward and inconvenient to use.
Simple Software Restriction Policy runs on any edition of Windows from XP up, and can simplify the setup process by entering your policies directly in the Registry.
The program takes effect as soon as it’s installed, no further configuration required. Applications installed in your Program Files or Windows system folders should launch as normal, but run an EXE somewhere non-standard and you’ll get a "your system administrator has blocked this program" error message.
It won’t be long before this becomes, well, inconvenient, perhaps if you’ve downloaded some interesting portable program to E:\UsefulStuff and want to run it right away.
One instant fix for this is to right-click the Simple Software Restriction Policy icon and select "Unlock". All protection is disabled, and you can run whatever you like, whatever you like, just as before.
A better long-term option is to configure SSRP with trusted folders which you never want to be blocked. If you regularly download programs to D:\Portable, for instance, adding that to the list will reduce the chance of conflicts.
Simple Software Restriction Policy is configured by editing an INI file, but this is more straightforward than you’d expect. The program opens the softwarepolicy.ini file on demand, so you’re not left to find it yourself, and it’s absolutely packed with comments and explanations.
Here are a few lines taken from the real file.
[CustomPolicies]
; Software in standard locations such as Program Files can always run.
; Add any extra locations from which software can be run here.
; (LAN users note – drive mappings are accepted, but may need a manual policy update if they are changed.)
; Format is disk_location=1 Examples:
; C:\Sage=1
; \\server=1
; \\server2\share=1
; J:\=1
It’s all very clear and straightforward, so within moments you’ll be adding something like D:\Portable\=1 to the file, and just after that you’ll find your portable toolkit is working again.
If you’re already using Software Restriction Policy via group policies or some other route, SSRP doesn’t offer any benefit. In fact, the developer warns that "software policies may only be set by this applet, or by the group policy editor. Using both to set software policies would cause a conflict of interests".
Simple Software Restriction Policy isn’t for the novice user, either. There will be occasional hassles when you try to install or run a program, it doesn’t work as expected and you have to tweak SSRP accordingly. And configuration requires some care, because accidentally disabling a setting like "AlwaysAllowSystemFolders" could cause major problems.
But if you’re an experienced user, Simple Software Restriction Policy offers real benefits, keeping you safe from many future exploits and vulnerabilities, and running alongside other antivirus and security suites without conflicts. Give it a try.
Simple Software Restriction Policy is a free application for Windows XP and later.