How do you do....it?
| | #1 |
Join Date: Jun 2005 Location: East Lancs
Posts: 3,847
Thanks: 2
Thanked 32 Times in 26 Posts
Rep Power: 19 | You can get the basics but there is no definitive source of information in one place, and trust me, I have read through every post!!! There is certain information I am missing regarding paths and such, including how to ban all and allow a few. Is it a case of disallow *.* then allow *.doc?

Things I can start with are the use of USBDLM to fix your USB drive letters.

I am looking for specific information on the paths used and how multiple levels of paths are dealt with. I have seen this example:

*.swf
*\*.swf
*\*\*.swf
etc

Is this how other people are doing it? Please provide all the information you can regarding this subject, then it is all in one place and I will put it on the wiki.

Cheers
ChrisH |
| |
| | #2 |
Join Date: Jun 2005 Location: Fylde, Lancs, UK.
Posts: 9,841
Thanks: 41
Thanked 217 Times in 198 Posts
Blog Entries: 1 Rep Power: 64 | I believe in the long run, the 'whitelist' mentality is the more robust solution. So basically you have a policy that denies everything, then you allow specific files, applications and folders until your system does everything you need it to.

To address your specific question: imagine you had implemented your above rules on students' folders via a mapped drive. The above rules would stop

H:\mygame.swf
H:\games\mygame.swf
H:\.superhiddenfolder\games\mygame.swf

However, it would not stop:

H:\work\other\games\mygame.swf

because your file restriction policy only blocks to a depth of two folders. Therefore we need to know, what's the folder depth limit on an NTFS partition? Unhelpfully, the answer is that there isn't one. However, there is a limitation in the Windows shell of 255 characters.

So what kind of depth does that work out to be? Well, let's see. If we're accessing the path via a mapped drive, we must account for the drive letter in this path, 3 characters. We must also append the minimum file name length, which is a single character name plus a 3 character extension. Therefore, the maximum folder depth using 8.3 format file names is (255 - 3 - 4)/2 = 124.

If we omit the drive mapping (for example, when using folder redirection) this limit will actually decrease, depending on the naming convention of your DFS shares or server names.

Clearly, to implement this is insane. So I'd like to refer you back to my original point. |
| |
| | #3 |
Join Date: Jun 2005 Location: East Lancs
Posts: 3,847
Thanks: 2
Thanked 32 Times in 26 Posts
Rep Power: 19 | OK, that's good. But basically you are saying for a blanket ban to start with you're going to have to start with h:\ or will you have to resort to

H:\*\*
H:\*\*\*
etc

for a good few levels?

Also, the other question that has arisen is the designated file type properties. If I want to be banning mp3 and swf etc., do these need to be added into this dialogue or is it unrelated?

Keep it coming! |
| |
| | #4 |
Join Date: Jun 2005 Location: Fylde, Lancs, UK.
Posts: 9,841
Thanks: 41
Thanked 217 Times in 198 Posts
Blog Entries: 1 Rep Power: 64 | Ban everything (by setting the default security level to disallowed), then open up files and folders as required. Stick to using hash rules rather than path rules as much as possible.

Also, you absolutely must have a test environment set up to check things before implementation. Over-restrictive policies can render machines unusable.

Yes, every file type you want to control must be added to the dialogue, otherwise the policies will have no effect. |
| |
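Added example, not part of the original thread or any poster's own code: a read-only PowerShell check of the three settings post #4 names (default security level, designated file types, path versus hash rules). It assumes machine-scope policy stored under the registry key shown, and `$wanted` is a constructed list to replace with your own.

```powershell
# Added example: read-only audit of machine-scope Software Restriction Policies.
$base   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$wanted = 'MP3', 'SWF'   # constructed list: extensions you expect to be controlled
$levels = @{ '0' = 'Disallowed'; '262144' = 'Unrestricted' }

if (-not (Test-Path $base)) {
    Write-Output 'No machine-scope SRP policy found on this computer.'
    return
}
$policy = Get-ItemProperty -Path $base

# 1. Default security level: 0 = Disallowed, 262144 (0x40000) = Unrestricted.
$default = [string]$policy.DefaultLevel
if ($default -eq '0') {
    Write-Output 'Default level: Disallowed (default-deny is in force).'
} else {
    Write-Warning "Default level is $default, not Disallowed; anything without a rule may run."
}

# 2. Designated file types: report wanted extensions missing from the list.
$types   = @($policy.ExecutableTypes)
$missing = @($wanted | Where-Object { $types -notcontains $_ })
if ($missing.Count) {
    Write-Warning "Not in designated file types: $($missing -join ', ')"
}

# 3. Rules per level, split into path rules and hash rules.
foreach ($level in $levels.Keys) {
    foreach ($kind in 'Paths', 'Hashes') {
        $key   = Join-Path $base "$level\$kind"
        $rules = @(if (Test-Path $key) { Get-ChildItem $key })
        Write-Output ("{0,-12} {1,-6} rules: {2}" -f $levels[$level], $kind, $rules.Count)
        if ($kind -eq 'Paths') {
            # ItemData holds the path or wildcard pattern of each path rule.
            $rules | ForEach-Object { Write-Output ("    " + $_.GetValue('ItemData')) }
        }
    }
}
```

Run it on a machine in the test OU after a `gpupdate` to confirm the policy that actually landed matches what was configured in the editor.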
| | #5 |
Join Date: Jun 2005 Location: East Lancs
Posts: 3,847
Thanks: 2
Thanked 32 Times in 26 Posts
Rep Power: 19 | I am under a test OU so nobody else is being affected. Luckily the default rules on the policy stop you getting into too much trouble unless you start changing them. |
| |
| | #6 |
Join Date: Jun 2005 Location: East Lancs
Posts: 3,847
Thanks: 2
Thanked 32 Times in 26 Posts
Rep Power: 19 | OK, new problems now. I have it defaulting to disallowed. This seems to be working well for scripts and exe files but it's not working for MP3 etc., which I would like to add. I have added MP3 to the designated file types but they are still allowed to play. Is this some kind of limitation?

I thought it might be because the file is played with something else, but then I found my logon script wasn't running, which runs under script, so that must be the case, as after I added a rule for netlogon the scripts ran fine.

Can anyone shed any light on this? Nearly there now, it seems. |
| |
| | #7 |
Join Date: Jun 2005 Location: East Lancs
Posts: 3,847
Thanks: 2
Thanked 32 Times in 26 Posts
Rep Power: 19 | Any takers? Come on, don't be shy! |
| |