The Hardened strategy is similar to the 5.2.x Strict Prevention policy. The Hardened strategy provides protection for the operating system and a set of common applications. This strategy confines the remaining applications (both service and interactive programs) within the Hardened sandbox. The Hardened sandbox is set up to confine the programs running within it so that they cannot modify operating system or other application resources.
The following Protection Categories are enabled by default in the Hardened sandbox:
- Obey All Other Application Data Restrictions
- Obey Global Resource List Restrictions
- Software Installation Restrictions
  - Block modifications to executable files
  - Block modifications to startup folders
  - Block registration of COM and ActiveX controls
- Basic Operating System Restrictions
  - Protect auto start locations
  - Protect operating system resources
  - Protect the raw local disk device
The Hardened strategy also configures and enforces the network perimeter to include Local IPs and Local Subnet addresses. No programs can connect to systems outside the perimeter or receive connections from systems outside the perimeter. The configuration is done through the global inbound and outbound host lists, and the global default network rules. The network perimeter is enforced by the fact that all sandboxes in the policy reference these global network host lists and global default network rules. However, there are sandboxes that allow networking outside of the defined network perimeter.
The sandboxes that allow networking outside of the defined network perimeter are as follows:
- Host Security Programs
- Microsoft Exchange Server
- Microsoft Outlook & Outlook Express
- Default Windows Programs and Services
- Distributed File System
- Windows Netsvcs Services
- Fully Open with Self Protection Enabled
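As an added illustration (not Symantec's policy format or code), the following Python model shows how the perimeter decision described above composes: the global inbound and outbound host lists hold the Local IPs and Local Subnet, the global default rule denies any connection whose remote side is outside those lists, and only the sandboxes listed above are exempt. The addresses and the `hardened_policy` helper are constructed assumptions for the example.

```python
"""Illustrative model of the Hardened strategy's network perimeter (not SCSP's own format)."""
import ipaddress
from dataclasses import dataclass

# Sandboxes the policy allows to network outside the perimeter (as listed on the page).
PERIMETER_EXEMPT_SANDBOXES = frozenset({
    "Host Security Programs",
    "Microsoft Exchange Server",
    "Microsoft Outlook & Outlook Express",
    "Default Windows Programs and Services",
    "Distributed File System",
    "Windows Netsvcs Services",
    "Fully Open with Self Protection Enabled",
})


def _in_host_list(remote_ip: str, hosts: tuple) -> bool:
    """True if remote_ip matches any entry (single IP or subnet) in a global host list."""
    addr = ipaddress.ip_address(remote_ip)
    # A bare IP becomes a /32 (or /128) network; version mismatches simply do not match.
    return any(addr in ipaddress.ip_network(h, strict=False) for h in hosts)


@dataclass(frozen=True)
class HardenedPolicyModel:
    inbound_hosts: tuple   # global inbound host list: where connections may come from
    outbound_hosts: tuple  # global outbound host list: where connections may go to

    def connection_allowed(self, sandbox: str, direction: str, remote_ip: str) -> bool:
        """Apply the global default network rule: deny anything crossing the perimeter,
        unless the program runs in one of the exempt sandboxes."""
        if direction not in ("inbound", "outbound"):
            raise ValueError("direction must be 'inbound' or 'outbound'")
        if sandbox in PERIMETER_EXEMPT_SANDBOXES:
            return True  # these sandboxes do not inherit the perimeter restriction
        hosts = self.inbound_hosts if direction == "inbound" else self.outbound_hosts
        return _in_host_list(remote_ip, hosts)


def hardened_policy(local_ips, local_subnets) -> HardenedPolicyModel:
    """Build the perimeter the way the Hardened strategy does: both global host lists
    contain exactly the Local IPs and the Local Subnet (assumed helper, constructed input)."""
    hosts = tuple(local_ips) + tuple(local_subnets)
    return HardenedPolicyModel(inbound_hosts=hosts, outbound_hosts=hosts)


if __name__ == "__main__":
    policy = hardened_policy(["192.0.2.10"], ["192.0.2.0/24"])  # constructed sample values
    print(policy.connection_allowed("Hardened", "outbound", "198.51.100.7"))        # False
    print(policy.connection_allowed("Microsoft Exchange Server", "outbound", "198.51.100.7"))  # True
```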
Imported Document ID: HOWTO95351