  1. #1
    ChrisH

    Help write a guide for Software restriction policies for USB

    This topic is everywhere, but there are lots of posts with a lot of padding.
    You can get the basics, but there is no definitive source of information in one place, and trust me, I have read through every post!!!

    There is certain information I am missing regarding paths and such. Including how to ban all and allow a few. Is it a case of disallow *.* then allow *.doc?
    Things I can start with are the use of USBDLM to fix your USB drive letters.

    I am looking for specific information on the paths used and how multiple levels of paths are dealt with. I have seen this example:

    *.swf
    *\*.swf
    *\*\*.swf etc

    Is this how other people are doing it?

    Please provide all the information you can regarding this subject then it is all in one place and I will put it on the wiki.

    Cheers

    ChrisH

  2. #2
    Geoff

    Re: Help write a guide for Software restriction policies for USB

    I believe in the long run, the 'whitelist' mentality is the more robust solution. So basically you have a policy that denies everything, then you allow specific files, applications and folders until your system does everything you need it to.

    To address your specific question. Imagine you had implemented your above rules on students folders via a mapped drive. The above rules would stop

    H:\mygame.swf
    H:\games\mygame.swf
    H:\.superhiddenfolder\games\mygame.swf

    However it would not stop:

    H:\work\other\games\mygame.swf

    because your file restriction policy only blocks to a depth of two folders. Therefore we need to know, what's the folder depth limit on an NTFS partition? Unhelpfully, the answer is that there isn't one. However there is a limitation in the Windows shell of 255 characters.

    So what kind of depth does that work out to be? Well, let's see. If we're accessing the path via a mapped drive, we must account for the drive letter in this path, 3 characters. We must also append the minimum file name length, which is a single character name plus a 3 character extension. Therefore, the maximum folder depth using 8.3 format file names is (255 - 3 - 4)/2 = 124. If we omit the drive mapping (for example, when using folder redirection) this limit will actually decrease, depending on the naming convention of your DFS shares or server names.

    Clearly, to implement this is insane. So I'd like to refer you back to my original point.

  3. #3
    ChrisH

    Re: Help write a guide for Software restriction policies for USB

    Ok, that's good. But basically you are saying that for a blanket ban to start with, you're going to have to start with

    h:\ or will you have to resort to
    H:\*\*
    H:\*\*\* etc for a good few levels?

    Also, the other question that has arisen is the designated file type properties. If I want to be banning mp3 and swf etc., do these need to be added into this dialogue or is it unrelated?

    Keep it coming!

  4. #4
    Geoff

    Re: Help write a guide for Software restriction policies for USB

    Ban everything (by setting the default security level to disallowed), then open up files and folders as required. Stick to using hash rules rather than path rules as much as possible. Also, you absolutely must have a test environment set up to check things before implementation. Over-restrictive policies can render machines unusable.

    Yes, every file type you want to control must be added to the dialogue, otherwise the policies will have no effect.

  5. #5
    ChrisH

    Re: Help write a guide for Software restriction policies for USB

    I am under a test OU, so nobody else is being affected. Luckily the default rules on the policy stop you getting into too much trouble unless you start changing them.

  6. #6
    ChrisH

    Re: Help write a guide for Software restriction policies for USB

    Ok, new problems now. I have it defaulting to disallowed. This seems to be working well for scripts and exe files, but it's not working for MP3 etc., which I would like to add.
    I have added MP3 to the designated file types, but they are still allowed to play. Is this some kind of limitation? I thought it might be because the file is played with something else, but then I found my logon script wasn't running, which runs under script, so that must be the case, as after I added a rule for netlogon the scripts ran fine. Can anyone shed any light on this?
    Nearly there now, it seems; guide coming soon once everything is ironed out.

  7. #7
    ChrisH

    Re: Help write a guide for Software restriction policies for USB

    Any takers? Come on, don't be shy!

  8. #8
    cookie_monster

    I'm just wondering if this ever made it onto a wiki or sticky somewhere.

    We have recently implemented a software restriction white list to stop apps, e.g. portable TOR and portable games on USB drives. This has been extremely effective and has saved us having to 'manage' drive letters, as the policy is system wide. Below are the basic settings that we started with before starting to allow exes to be run from certain drives, mainly ones that students can't write to.

    Code:
    %logonserver%\Netlogon\  Path Unrestricted
    \\domain.sch.uk\ Path Unrestricted
    %AllUsersProfile%\Desktop\ Path Unrestricted
    %AllUsersProfile%\Start Menu\ Path Unrestricted
    %AppData% Path Unrestricted
    %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot% Path Unrestricted
    %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir% Path Unrestricted
    %SystemRoot%\System32\runas.exe Path Disallowed
    %UserProfile%\Desktop\ Path Unrestricted
    %UserProfile%\Local Settings\Temp\ Path Disallowed
    %UserProfile%\Start Menu\ Path Unrestricted
    *.mdb Path Unrestricted

    We also started with just these extensions; you can add later.

    .bat
    .cmd
    .com
    .exe
    .zip

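To see how Geoff's default-deny advice in #4 and the rule set above interact, here is a small Python model (added here; it is not cookie_monster's configuration nor any Microsoft code) that expands the %...% entries, applies the path-rule precedence Microsoft documents (exact file, then folder\*.ext, then bare *.ext, then folders, most specific first) and reports the level a launched file would get; it also shows that a type missing from the designated list is never evaluated at all. The environment values, the sample paths and the simplification that a folder rule covers its whole subtree are assumptions.

```python
import fnmatch, ntpath

# Constructed lab values for the %...% entries (an assumption, not from the post).
ENV = {"logonserver": "\\\\DC01", "SystemRoot": "C:\\WINDOWS",
       "AllUsersProfile": "C:\\Documents and Settings\\All Users",
       "UserProfile": "C:\\Documents and Settings\\student",
       "AppData": "C:\\Documents and Settings\\student\\Application Data",
       "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SystemRoot": "C:\\WINDOWS",
       "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\ProgramFilesDir": "C:\\Program Files"}
# Path rules and designated file types as listed in the post; the default level is Disallowed.
RULES = [("%logonserver%\\Netlogon\\", "Unrestricted"),
         ("\\\\domain.sch.uk\\", "Unrestricted"),
         ("%AllUsersProfile%\\Desktop\\", "Unrestricted"),
         ("%AllUsersProfile%\\Start Menu\\", "Unrestricted"),
         ("%AppData%", "Unrestricted"),
         ("%HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SystemRoot%", "Unrestricted"),
         ("%HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\ProgramFilesDir%", "Unrestricted"),
         ("%SystemRoot%\\System32\\runas.exe", "Disallowed"),
         ("%UserProfile%\\Desktop\\", "Unrestricted"),
         ("%UserProfile%\\Local Settings\\Temp\\", "Disallowed"),
         ("%UserProfile%\\Start Menu\\", "Unrestricted"), ("*.mdb", "Unrestricted")]
DESIGNATED = {".bat", ".cmd", ".com", ".exe", ".zip"}
DEFAULT_LEVEL = "Disallowed"

def expand(rule):
    # Substitute the %...% entries; SRP path matching is case-insensitive, so compare lower-case.
    for name, value in ENV.items():
        rule = rule.replace("%" + name + "%", value)
    return rule.lower()

def specificity(rule):
    # Documented precedence: exact file > folder\*.ext > bare *.ext > folder; length breaks ties.
    wild = any(c in rule for c in "*?")
    rank = (2 if "\\" in rule else 1) if wild else (3 if ntpath.splitext(rule)[1] else 0)
    return (rank, len(rule))

def matches(rule, path):
    if any(c in rule for c in "*?"):  # a bare *.ext rule matches the file name at any depth
        target = path if "\\" in rule else path.rsplit("\\", 1)[-1]
        return fnmatch.fnmatchcase(target, rule)
    return path == rule or path.startswith(rule.rstrip("\\") + "\\")  # folder rules cover subtrees

EXPANDED = [(expand(r), level) for r, level in RULES]

def effective_level(path):
    path = path.lower()
    if ntpath.splitext(path)[1] not in DESIGNATED:
        return "Not enforced"  # SRP only evaluates designated file types (the .mp3 question above)
    hits = [(specificity(r), level) for r, level in EXPANDED if matches(r, path)]
    return max(hits)[1] if hits else DEFAULT_LEVEL
```

Calling effective_level on the runas.exe path shows the exact-file Disallowed rule winning over the SystemRoot folder rule, while an .exe on a USB drive falls through to the Disallowed default.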