While searching for some useful GPOs I encountered very nice thread with clear and thorough explanation about how to restrict/whitelist locations and file types that can be executed in Windows OS using Group Policy Object.

Commenter state that using this method he basically got rid of all threads in his environment and analysing his approach I can say it makes sense.

No point of rewriting whole post, so I’m attaching most important parts below. Full story can be found here, credit goes to original authors

Computer Configuration > Policies > Windows Settings > Security Settings > Software Restriction Policies

Set the security level to Disallowed, Allow these in “Additional Rules” (see attached), and you’re 90% done. You’ll just add any application paths outside of Program Files that you might need (network locations, etc.).

I also disallow regedit.exe and runas.exe.


If you just want to blacklist you’ll set your default level to Unrestricted, then disallow %USERPROFILE%\Appdata

It’s not going to be very effective, though.  Also, make sure to whitelist *.lnk or users will find that start menu shortcuts don’t work.

and next answer:

Security is often a trade off with convenience, it sounds like your counter argument for properly securing your workstations is “it’s hard.”  It wouldn’t be if you had started from a default position of security, and it will only be difficult in the short term while adjustments are made.

Users shouldn’t be running code willy nilly from any location they see fit.  It’s IT’s job to create and maintain safe locations and documented exceptions. You could, for instance, dedicate a network location and a specific local directory for this and thereby minimize your footprint.

Whitelisting with SRP is system hardening 101.  You should be doing everything you can do to minimize the attack surface on your network.

It’s really a lot less work than you think, I have less than 20 additional unrestricted locations in my whitelist.

Here’s the other benefit:  With close to 1000 end points spread geographically over the entire continental united states, the Pacific Islands, and Carribean, running a whole lot of custom software, and supporting a development team. I have very few problems, and our helpdesk doesn’t ever remove infections because they don’t happen. We support this with a team of 2 help desk technicians working a straight 40 hour week.  This single decision probably saves us 6 digits a year that we can use to serve our clients better, and to upgrade our network.  It costs next to nothing and creates minimal inconvenience for the users.

It’s really a no-brainer. I understand that sometimes hands can be tied, and that this isn’t necessarily your decision entirely, but you should be able to make a strong case.

I also want to add a little information for anyone who wants to do this, I forgot it in my earlier post.  The exceptions for file types and admins are found under “Software Restriction Policies” in the “Enforcement” and “Designated File Types” (see attached)  Make sure to configure the enforcement policies as shown or you won’t be able to install software as an admin.  Also, remove “LNK” from the Designated File Types if it’s in there so that shortcuts will work.

I encourage you to read the full story as commenters contributed much to the thread.