+ Post New Thread
Results 1 to 2 of 2
How do you do....it? Thread, Confused about software restriction policies in Technical; Trying to stop our enterprising darlings from running .exes from areas and pen drives on a 2003 server. I think ...
  1. #1

    Join Date
    Feb 2008
    Location
    Belfast
    Posts
    12
    Thank Post
    0
    Thanked 0 Times in 0 Posts
    Rep Power
    0

    Confused about software restriction policies

    Trying to stop our enterprising darlings from running .exes from areas and pen drives on a 2003 server. I think I have the concept of software restriction policies in my head but can someone post a specific example of a path rule ?

    Our users map to \\servername\yeargroup\username as U: in profile and my documents is redirected to their area.

    What is best practice to add it to computer or user in the group policy?

    Thanks

  2. #2

    powdarrmonkey's Avatar
    Join Date
    Feb 2008
    Location
    Alcester, Warwickshire
    Posts
    4,867
    Thank Post
    412
    Thanked 778 Times in 651 Posts
    Rep Power
    182
    Software restriction policies are applied to users and come in three parts: a list of unacceptable suffixes, a default rule, and then one or more specific rules.

    A list of suffixes is already provided, so that's one thing you don't have to do to get started. Set the default rule to either of allow or deny (I suggest allow to start with).

    The specific rules are available for paths and hashes (fingerprints). A path applies to all files within that path, and a hash uniquely identifies a file - sometimes useful, but when the file changes the hash does too, so if you apply a software update you may find that hash rules you've previously set have to be updated. Path rules are much more useful.

    Again, there are default path rules set up to allow, for example, core Windows programs to run like explorer.exe. The biggest problem you'll have is determining where users can run files from; a homedrive is always the same letter (U: in your case), but a removable drive can be assigned various letters. I use USBDLM to limit the letters they can be assigned to a couple (A: and B: in my case), and then apply path rules to those letters. That way, I can predict in advance which letter a drive will be assigned.

    Hope that helps.



SHARE:
+ Post New Thread

Similar Threads

  1. Replies: 172
    Last Post: 13th June 2013, 02:02 PM
  2. Help write a guide for Software restriction policies for USB
    By ChrisH in forum How do you do....it?
    Replies: 7
    Last Post: 28th January 2010, 10:40 AM
  3. Replies: 11
    Last Post: 20th April 2007, 07:38 PM
  4. Software Restriction Policies
    By wesleyw in forum Windows
    Replies: 14
    Last Post: 12th December 2006, 12:35 PM

Thread Information

Users Browsing this Thread

There are currently 1 users browsing this thread. (0 members and 1 guests)

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •