25-09-2007, 10:57 AM   #1
ChrisH
Help write a guide for Software restriction policies for USB

This topic is everywhere but there are lots of posts with a lot of padding.
You can get the basics but there is no definitive source of information in one place and trust me I have read through every post!!!

There is certain information I am missing regarding paths and such. Including how to ban all and allow a few. Is it a case of disallow *.* then allow *.doc?
Things I can start with are the use of USBDLM to fix your USB drive letters.

I am looking for specific information on the paths used and how multiple levels of paths are dealt with. I have seen this example:

*.swf
*\*.swf
*\*\*.swf etc

Is this how other people are doing it?

Please provide all the information you can regarding this subject then it is all in one place and I will put it on the wiki.

Cheers

ChrisH

25-09-2007, 11:27 AM   #2
Geoff

I believe in the long run, the 'whitelist' mentality is the more robust solution. So basically you have a policy that denies everything, then you allow specific files, applications and folders until your system does everything you need it to.

To address your specific question. Imagine you had implemented your above rules on students' folders via a mapped drive. The above rules would stop:

H:\mygame.swf
H:\games\mygame.swf
H:\.superhiddenfolder\games\mygame.swf

However it would not stop:

H:\work\other\games\mygame.swf

because your file restriction policy only blocks to a depth of two folders. Therefore we need to know, what's the folder depth limit on an NTFS partition? Unhelpfully, the answer is that there isn't one. However there is a limitation in the Windows shell of 255 characters.

So what kind of depth does that work out to be? Well, let's see. If we're accessing the path via a mapped drive, we must account for the drive letter in this path, 3 characters. We must also append the minimum file name length, which is a single character name plus a 3 character extension. Therefore, the maximum folder depth using 8.3 format file names is (255 - 3 - 4)/2 = 124. If we omit the drive mapping (for example, when using folder redirection) this limit will actually decrease, depending on the naming convention of your DFS shares or server names.

Clearly, to implement this is insane. So I'd like to refer you back to my original point.
  Reply With Quote
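The depth gap described in the post above, as an added example that is not part of the original thread. It assumes the matching behaviour the post describes, where each `*` covers exactly one folder level below the drive root; it is a model of that description, not of the Windows policy engine, and the function names are hypothetical.

```python
import re

def rule_to_regex(rule):
    """Compile a wildcard rule in which '*' never crosses a backslash."""
    parts = [re.escape(p).replace(r"\*", r"[^\\]*") for p in rule.split("\\")]
    return re.compile(r"\\".join(parts), re.IGNORECASE)

def relative(path):
    """Drop the drive root ('H:\\') so rules are compared with the remainder."""
    return path.split(":\\", 1)[1] if ":\\" in path else path

def depth_rules(ext, max_folders):
    """One rule per folder level: *.ext, *\\*.ext, *\\*\\*.ext, ..."""
    return ["*\\" * n + f"*.{ext}" for n in range(max_folders + 1)]

def blocked(path, rules):
    """True if any rule matches the whole path below the drive root."""
    rel = relative(path)
    return any(rule_to_regex(r).fullmatch(rel) for r in rules)

def rules_needed(paths, ext):
    """Rules required to reach the deepest file of this type in `paths`."""
    hits = [p for p in paths if p.lower().endswith("." + ext)]
    return max(relative(p).count("\\") for p in hits) + 1

# Paths quoted in the thread.
SAMPLE_PATHS = [
    r"H:\mygame.swf",
    r"H:\games\mygame.swf",
    r"H:\.superhiddenfolder\games\mygame.swf",
    r"H:\work\other\games\mygame.swf",
]
THREAD_RULES = depth_rules("swf", 2)   # the three rules from the first post

def coverage(paths=SAMPLE_PATHS, rules=THREAD_RULES):
    """Map each path to whether the rule set blocks it."""
    return {p: blocked(p, rules) for p in paths}

if __name__ == "__main__":
    for path, hit in coverage().items():
        print(("BLOCKED " if hit else "MISSED  ") + path)
    print("rules needed for these paths:", rules_needed(SAMPLE_PATHS, "swf"))
```

Every extra folder level a user can create needs one more rule per file type, which is why the post steers back to a default-deny policy.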

25-09-2007, 12:06 PM   #3
ChrisH

OK, that's good. But basically you are saying for a blanket ban to start with you're going to have to start with

h:\ or will you have to resort to
H:\*\*
H:\*\*\* etc for a good few levels?

Also the other question that has arisen is the designated file type properties. If I want to be banning mp3 and swf etc do these need to be added into this dialogue or is it unrelated?

Keep it coming!

25-09-2007, 12:31 PM   #4
Geoff

Ban everything (by setting the default security level to disallowed), then open up files and folders as required. Stick to using hash rules rather than path rules as much as possible. Also, you absolutely must have a test environment set up to check things before implementation. Over-restrictive policies can render machines unusable.

Yes, every file type you want to control must be added to the dialogue, otherwise the policies will have no effect.
  Reply With Quote
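A simplified model of the advice in the post above (default level disallowed, hash rules preferred over path rules, file types listed before they are controlled), as an added example that is not from the thread. The class, the SHA-256 choice, the paths and the file contents are all constructed for illustration, and rule precedence in the real policy engine is not modelled.

```python
import hashlib
from pathlib import PureWindowsPath

def sha256(data):
    return hashlib.sha256(data).hexdigest()

class Policy:
    """Default-deny policy with hash and folder allow rules (toy model)."""

    def __init__(self, designated, allowed_hashes=(), allowed_folders=()):
        self.designated = {e.lower() for e in designated}
        self.allowed_hashes = set(allowed_hashes)
        self.allowed_folders = [PureWindowsPath(f) for f in allowed_folders]

    def decide(self, path, content):
        p = PureWindowsPath(path)
        if p.suffix.lstrip(".").lower() not in self.designated:
            return "not evaluated"            # type not listed: no effect
        if sha256(content) in self.allowed_hashes:
            return "allowed (hash rule)"      # follows the file, not its name
        if any(folder in p.parents for folder in self.allowed_folders):
            return "allowed (path rule)"      # trusts whatever sits in the folder
        return "disallowed (default)"

# Constructed sample data.
APPROVED = b"approved-tool-v1"
UNKNOWN = b"something-else"

def demo():
    policy = Policy(designated={"exe", "bat"},
                    allowed_hashes={sha256(APPROVED)},
                    allowed_folders=[r"C:\Apps"])
    results = {
        "renamed approved tool on H:": policy.decide(r"H:\renamed.exe", APPROVED),
        "unknown file in allowed folder": policy.decide(r"C:\apps\tool.exe", UNKNOWN),
        "unknown file on H:": policy.decide(r"H:\game.exe", UNKNOWN),
        "script type not listed": policy.decide(r"H:\logon.vbs", UNKNOWN),
    }
    policy.designated.add("vbs")              # now list the type
    results["script type listed"] = policy.decide(r"H:\logon.vbs", UNKNOWN)
    return results

if __name__ == "__main__":
    for case, decision in demo().items():
        print(f"{case:32} -> {decision}")
```

The second case is the reason to keep path rules few and to point them only at folders that ordinary users cannot write to.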

25-09-2007, 12:38 PM   #5
ChrisH

I am under a test OU so nobody else is being affected. Luckily the default rules on the policy stop you getting into too much trouble unless you start changing them.

25-09-2007, 03:14 PM   #6
ChrisH

OK, new problems now. I have it defaulting to disallowed. This seems to be working well for scripts and exe files but it's not working for MP3 etc which I would like to add.
I have added MP3 to the designated file types but they are still allowed to play. Is this some kind of limitation? I thought it might be because the file is played with something else, but then I found my logon script wasn't running which runs under script so that must be the case as after I added a rule for netlogon the scripts ran fine. Can anyone shed any light on this?
Nearly there now it seems, guide coming soon once everything is ironed out.

25-09-2007, 08:51 PM   #7
ChrisH

Any takers? Come on, don't be shy?