Setup A Cyber Essentials Software Restriction Policy

Passing Cyber Essentials and CE Plus is fairly easy, but only if you know how to implement each of the technical controls. One of the more difficult aspects of passing a Cyber Essentials Plus audit is being able to block the malware and malicious test files.

During a Cyber Essentials Plus audit the auditor will attempt to run a variety of script, compressed and executable files to see if the system is susceptible to malicious code being run. To pass, you need to block several common file types from running within the user's profile space.

One easy method of achieving this is to use the Software Restriction Policy built into Windows (sorry Mac users, you're on your own!).

What I demonstrate here is the manual configuration method. You may want to investigate implementing these policy settings using domain-based Group Policy or via a PowerShell script.

Click on the start menu and type gpedit then click on ‘Edit group policy’.

Expand Computer Configuration -> Windows settings -> Security Settings -> Software Restriction Policies.

Right click ‘Software Restriction Policies’ and click ‘New Software Restriction Policies’.

First let's edit the ‘Designated File Types’. These are file types that are considered executable code, and here we need to add a few items to the list.

Here is a good sample list to add: .7z .gz .rar .zip .ps1 .pif .py .sh

Next, locate Lnk and remove it. We still want users to be able to run programs from shortcuts on their desktops.

Next click on ‘Additional Rules’, right click in the white space and select ‘New Path Rule’.

Here we are going to add multiple paths within %userprofile%, which covers the user's Desktop, Downloads and Documents folders on the computer.

Add the following paths:





The temp path will block zipped and other compressed file contents from running. If you experience issues installing applications you may need to temporarily remove this restriction.

If you are using OneDrive’s backup feature to sync the user's Desktop and Documents folders to the cloud to protect against hardware failure, then add the following:


Set the Security Level to Disallowed, which blocks any of the file types specified earlier from running from these paths.

Next, it's a good idea to add any other locations a user may commonly try to run files from, including any USB drives that get attached. On this system, if I insert a USB drive it shows up as E:\, so I added it to the list.

Reboot the PC and next we will see what happens.
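The same configuration as a PowerShell script, added here as an example; it is not the author's script (the one mentioned in the comments was never published). It writes the Software Restriction Policy straight into the Safer registry key that the local Group Policy editor applies to, so it assumes an elevated prompt. The blocked paths are an assumption reconstructed from the article's description (Desktop, Downloads, Documents, the temp path, the OneDrive-synced copies and the E:\ drive letter), and the default designated-types list is only used when no SRP exists on the machine yet.

```powershell
#Requires -RunAsAdministrator
# SRP settings live under this key; writing them directly mirrors what the local GPO editor applies.
$Base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$Disallowed = 0; $Unrestricted = 262144      # SRP security-level values (0x0 and 0x40000)

# Designated file types: the article's additions, and LNK removed so desktop shortcuts keep working
$Add    = 'ZIP','7Z','GZ','RAR','PS1','PIF','PY','SH'
$Remove = 'LNK'
# Windows' default designated types, used only when no SRP exists yet on this machine
$DefaultTypes = 'ADE','ADP','BAS','BAT','CHM','CMD','COM','CPL','CRT','EXE','HLP','HTA','INF','INS',
  'ISP','LNK','MDB','MDE','MSC','MSI','MSP','MST','OCX','PCD','PIF','REG','SCR','SHS','URL','VB','WSC'

# Assumed paths, reconstructed from the article's description (adjust OneDrive names and drive letter)
$BlockedPaths = @(
  '%userprofile%\Desktop', '%userprofile%\Downloads', '%userprofile%\Documents',
  '%temp%',                                                    # where archive contents get extracted
  '%userprofile%\OneDrive\Desktop', '%userprofile%\OneDrive\Documents',
  'E:\'                                                        # the USB drive letter seen on the author's PC
)

if (-not (Test-Path $Base)) { New-Item -Path $Base -Force | Out-Null }
# Default level stays Unrestricted; the path rules below carve out the Disallowed locations
Set-ItemProperty -Path $Base -Name DefaultLevel        -Value $Unrestricted -Type DWord
Set-ItemProperty -Path $Base -Name PolicyScope         -Value 0 -Type DWord   # 0 = all users, incl. admins
Set-ItemProperty -Path $Base -Name TransparentEnabled  -Value 1 -Type DWord   # enforce SRP
Set-ItemProperty -Path $Base -Name AuthenticodeEnabled -Value 0 -Type DWord

# Merge the additions into whatever list already exists, drop LNK, de-duplicate
$Existing = (Get-ItemProperty -Path $Base -Name ExecutableTypes -ErrorAction SilentlyContinue).ExecutableTypes
if (-not $Existing) { $Existing = $DefaultTypes }
$Types = @(@($Existing) + $Add | ForEach-Object { $_.ToUpper() } | Where-Object { $_ -notin $Remove } | Sort-Object -Unique)
Set-ItemProperty -Path $Base -Name ExecutableTypes -Value ([string[]]$Types) -Type MultiString

# One Disallowed path rule per location, stored as <level>\Paths\{GUID}; skip paths that already have a rule
$RuleRoot = "$Base\$Disallowed\Paths"
$Already  = @(Get-ChildItem -Path $RuleRoot -ErrorAction SilentlyContinue |
              ForEach-Object { (Get-ItemProperty -Path $_.PSPath).ItemData })
foreach ($p in $BlockedPaths) {
  if ($p -in $Already) { continue }
  $rule = "$RuleRoot\{$([guid]::NewGuid())}"
  New-Item -Path $rule -Force | Out-Null
  Set-ItemProperty -Path $rule -Name ItemData     -Value $p -Type ExpandString
  Set-ItemProperty -Path $rule -Name SaferFlags   -Value 0  -Type DWord
  Set-ItemProperty -Path $rule -Name Description  -Value "CE Plus: block execution from $p" -Type String
  Set-ItemProperty -Path $rule -Name LastModified -Value ([DateTime]::UtcNow.ToFileTimeUtc()) -Type QWord
}
Write-Host "SRP written with $($BlockedPaths.Count) Disallowed paths; reboot, then test with a harmless .bat file."
```

Because the script bypasses the editor's registry.pol, the rules may not show up in gpedit; verify the result the same way as the manual method, by attempting to run a harmless file from one of the blocked folders after the reboot.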

Here is a selection of Cyber Essentials Plus test files. Our aim is to block the user from running any of them within three mouse clicks.

Success! Clicking on any of these files results in the following message.


This is a very easy and free way to pass the malicious files test within the Cyber Essentials Plus audit. You will still have to verify that these file types can't be opened from within the user's email client. Some email clients may save attachments outside of the user's profile space before opening them. In practice it's also a good idea to block all of these file types at the email server and stop them reaching the user's mailbox.

*Disclaimer: I don’t guarantee you will pass with this. The tests and requirements will change over time. Use this as a guide, and even pass this guide along to your auditor ahead of their visit for advice.*

Author: Ian@SlashAdmin


    • Great article! CEPlus is the bane of my life as we use Azure AD so cannot use traditional GPOs and being a charity do not have the budget to install a local domain controller or pay the ridiculous fees incurred when using a VM DC. Yet, to keep our health board contracts we need CEPlus! (which may I add they do not have and still use Windows XP!!!)
      I managed to pass this year by using our firewall to block the downloads however this has proven temperamental and causes many errors with other systems. This method is exactly what I needed 🙂
      Ian, you mentioned in your comment that you are working on a powershell script that would do this, have you managed to get it to work?

      • Glad you found it useful! 😀

        Yes I have a working script to do this, just need to test it a bit more but will post a link here when I get a chance to test it a bit more. Hopefully will be done by this weekend.

        • Hi Ian,

          Did you ever get a working PS Script to do this?
          About to undergo our CE Plus renewal.

          • Unfortunately not, but it's something I'm getting back to asap.

            If you need any help with your CE plus renewal drop me an email because I’m a CE plus auditor so we might be able to help with the remediation work and renewal.
