Trying to stop our enterprising darlings from running .exes from their areas and pen drives on a 2003 server. I think I have the concept of software restriction policies in my head, but can someone post a specific example of a path rule?
Our users map to \\servername\yeargroup\username as U: in profile and my documents is redirected to their area.
What is best practice: add it to the computer or to the user in Group Policy?
Software restriction policies are applied to users and come in three parts: a list of unacceptable suffixes, a default rule, and then one or more specific rules.
A list of suffixes is already provided, so that's one thing you don't have to do to get started. Set the default rule to either allow or deny (I suggest allow to start with).
The specific rules are available for paths and hashes (fingerprints). A path applies to all files within that path, and a hash uniquely identifies a file - sometimes useful, but when the file changes the hash does too, so if you apply a software update you may find that hash rules you've previously set have to be updated. Path rules are much more useful.
Again, there are default path rules set up to allow, for example, core Windows programs like explorer.exe to run. The biggest problem you'll have is determining where users can run files from: a home drive is always the same letter (U: in your case), but a removable drive can be assigned various letters. I use USBDLM to limit the letters they can be assigned to a couple (A: and B: in my case), and then apply path rules to those letters. That way, I can predict in advance which letter a drive will be assigned.
Hope that helps.
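A concrete form of the path rules described above, as an added example rather than code from anyone in this thread: it writes Disallowed rules for U:\ and for the two USBDLM-fixed removable letters A:\ and B:\ into the standard SRP registry location (the same structure Group Policy writes), with the default level left at Unrestricted. It assumes you run it as an administrator on a single test machine with PowerShell installed, to check behaviour before putting the same rules into your GPO.

```powershell
# Added example: local SRP path rules for a home drive and two removable-drive letters.
# Assumption: run elevated on one test machine; registry layout is the standard SRP one.
$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$Disallowed   = 0          # SRP security level "Disallowed"
$Unrestricted = 0x40000    # SRP security level "Unrestricted" (262144)

New-Item -Path $base -Force | Out-Null
# Default rule stays Unrestricted (allow), as suggested for a first rollout;
# only the specific path rules added below are Disallowed.
Set-ItemProperty -Path $base -Name DefaultLevel       -Value $Unrestricted -Type DWord
Set-ItemProperty -Path $base -Name TransparentEnabled -Value 1 -Type DWord  # 1 = all software files except libraries
Set-ItemProperty -Path $base -Name PolicyScope        -Value 0 -Type DWord  # 0 = all users, including local administrators

function Add-SrpPathRule {
    param([string]$Path, [int]$Level, [string]$Description)
    # Each rule is a GUID-named subkey under <level>\Paths; ItemData holds the path.
    $key = Join-Path $base ('{0}\Paths\{{{1}}}' -f $Level, [guid]::NewGuid())
    New-Item -Path $key -Force | Out-Null
    Set-ItemProperty -Path $key -Name ItemData    -Value $Path        -Type ExpandString
    Set-ItemProperty -Path $key -Name SaferFlags  -Value 0            -Type DWord
    Set-ItemProperty -Path $key -Name Description -Value $Description -Type String
}

# Home drive: the thread's U: mapping to \\servername\yeargroup\username
Add-SrpPathRule -Path 'U:\' -Level $Disallowed -Description 'User home drive (U:)'
# Removable drives, pinned to A: and B: by USBDLM so the letters are predictable
Add-SrpPathRule -Path 'A:\' -Level $Disallowed -Description 'Removable drive letter A:'
Add-SrpPathRule -Path 'B:\' -Level $Disallowed -Description 'Removable drive letter B:'

# List what is now configured at the Disallowed level for review
Get-ChildItem "$base\$Disallowed\Paths" | ForEach-Object {
    $rule = Get-ItemProperty $_.PSPath
    '{0,-6} {1}' -f $rule.ItemData, $rule.Description
}
```

Path rules match the path as the file is launched, so if users can also reach their area by its UNC name, add a matching rule for that share path alongside the U:\ rule. Changes take effect at the next logon (or after gpupdate) once the same rules are in the GPO.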