The SAFER ruleset implements, for Windows’ NTFS file system, the equivalent of DEP alias W^X for virtual memory: execution is denied in every directory where unprivileged users are allowed to write (i.e. create, modify or replace) files, and allowed only in directories where unprivileged users are denied write access.
More precisely: for users without administrative privileges, execution is allowed only in the directory “%SystemRoot%\” (typically “C:\Windows\”) and its subdirectories, in the directory “%ProgramFiles%\” (typically “C:\Program Files\”) and its subdirectories, and, on systems with the AMD64 alias x64 processor architecture, also in the directory “%ProgramFiles(x86)%\” (typically “C:\Program Files (x86)\”) and its subdirectories; execution in all other directories and their subdirectories is denied.
Users who are subject to Software Restriction Policies
- are still able to download arbitrary (executable) files from arbitrary web sites, to receive arbitrary (executable) files as mail attachments, etc., and to store them anywhere they are allowed to write files, but they can’t execute these files any more;
- can still open all files with any application installed on their machines, i.e. they can still work with all their documents and all their applications without any restriction;
- can execute all Win32 applications that meet the minimum requirements of the now 20-year-old Designed for Windows specification, i.e. that are installed beneath the directories “%ProgramFiles%\” or “%SystemRoot%\”.
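As an added example (not the SAFER ruleset’s own file, and not code from this page), the following PowerShell writes exactly the allow-list described above into the local Software Restriction Policy. It assumes an elevated session on a standalone machine (a domain GPO would override these keys), uses registry path rules rather than the `%SystemRoot%`/`%ProgramFiles%` environment variables because unprivileged users control their own environment, and generates the rule GUIDs fresh on every run.

```powershell
#Requires -RunAsAdministrator
# Added example: W^X-style Software Restriction Policy for unprivileged users.
# Assumptions: standalone machine, elevated session; GUIDs are generated per run.

$base         = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$disallowed   = 0x00000   # SRP security level "Disallowed"
$unrestricted = 0x40000   # SRP security level "Unrestricted" (262144)

# Default level: anything not matched by an Unrestricted rule is denied.
New-Item -Path $base -Force | Out-Null
New-ItemProperty -Path $base -Name DefaultLevel        -PropertyType DWord -Value $disallowed -Force | Out-Null
New-ItemProperty -Path $base -Name TransparentEnabled  -PropertyType DWord -Value 2 -Force | Out-Null  # 2 = check all software files, DLLs included
New-ItemProperty -Path $base -Name PolicyScope         -PropertyType DWord -Value 1 -Force | Out-Null  # 1 = all users except local administrators
New-ItemProperty -Path $base -Name AuthenticodeEnabled -PropertyType DWord -Value 0 -Force | Out-Null

function Add-SaferPathRule {
    param([int]$Level, [string]$Path, [string]$Description)
    # Each path rule lives in <level>\Paths\{GUID}; ItemData holds the (expandable) path.
    $key = Join-Path $base ('{0}\Paths\{1}' -f $Level, [guid]::NewGuid().ToString('B'))
    New-Item -Path $key -Force | Out-Null
    New-ItemProperty -Path $key -Name ItemData     -PropertyType ExpandString -Value $Path -Force | Out-Null
    New-ItemProperty -Path $key -Name SaferFlags   -PropertyType DWord  -Value 0 -Force | Out-Null
    New-ItemProperty -Path $key -Name Description  -PropertyType String -Value $Description -Force | Out-Null
    New-ItemProperty -Path $key -Name LastModified -PropertyType QWord  -Value (Get-Date).ToFileTime() -Force | Out-Null
}

# Allow-list: the directories unprivileged users cannot write to. Registry path
# rules (%HKEY_LOCAL_MACHINE\...\Value%) are resolved from HKLM, which users cannot
# modify, unlike %SystemRoot% or %ProgramFiles% in their own environment block.
$cv = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion'
Add-SaferPathRule $unrestricted "%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%" 'Windows directory and subdirectories'
Add-SaferPathRule $unrestricted "%$cv\ProgramFilesDir%" 'Program Files and subdirectories'
if ([Environment]::Is64BitOperatingSystem) {
    Add-SaferPathRule $unrestricted "%$cv\ProgramFilesDir (x86)%" 'Program Files (x86) and subdirectories'
}

# Verify what was written before signing out: the rules take effect for new logons.
Get-ChildItem -Path (Join-Path $base "$unrestricted\Paths") |
    ForEach-Object { Get-ItemProperty -Path $_.PSPath | Select-Object Description, ItemData }
```

Before deploying, audit %SystemRoot% for subdirectories that grant unprivileged users write access (for example with `icacls`) and add matching rules at level `$disallowed` for them, since the allow-list alone treats the whole tree as trusted.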