Chapter 6. Running Secure Code

Malicious and poorly written software costs businesses millions of dollars every year. Whether the software is a virus deliberately written to wreak havoc or simply a poorly written game that causes computers to crash, unauthorized or insecure software is a clear and present security threat. Each version of the Windows operating system has added features to help protect against unsecured code. Over the years, technologies such as code signing and signed driver verification have been added. Windows Server 2003 takes the biggest leap yet, allowing you to completely control the ability of your users to run unsecured software on your company's computers.

This chapter describes two of the newest features in this area: software restriction policies and unsigned driver behavior. Software restriction policies (SRP) is a powerful configuration option that can allow or deny software to run based on a number of different rules. These rules are set up by an administrator and reflect the desired level of security established by policy or driven by known threats. Unsigned driver behavior is similar in that it uses an administrator-defined setting whenever an unsigned or untrusted hardware driver is installed. The administrator can define whether to allow these potentially dangerous drivers to operate. Together, these two features dramatically increase the ability of Windows to reject untrusted code.