How do you do....it? Thread, Confused about software restriction policies in Technical; Trying to stop our enterprising darlings from running .exes from areas and pen drives on a 2003 server. I think ...
27th February 2008, 08:59 PM #1
27th February 2008, 09:23 PM #2
Software restriction policies are applied to users and come in three parts: a list of unacceptable suffixes, a default rule, and then one or more specific rules.
A list of suffixes is already provided, so that's one thing you don't have to do to get started. Set the default rule to either allow or deny (I suggest allow to start with).
The specific rules are available for paths and hashes (fingerprints). A path applies to all files within that path, and a hash uniquely identifies a file - sometimes useful, but when the file changes the hash does too, so if you apply a software update you may find that hash rules you've previously set have to be updated. Path rules are much more useful.
Again, there are default path rules set up to allow, for example, core Windows programs to run like explorer.exe. The biggest problem you'll have is determining where users can run files from; a homedrive is always the same letter (U: in your case), but a removable drive can be assigned various letters. I use USBDLM to limit the letters they can be assigned to a couple (A: and B: in my case), and then apply path rules to those letters. That way, I can predict in advance which letter a drive will be assigned.
Hope that helps.
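An added example, not part of the post above and not Windows code: a small Python model of how the suffix list, default rule, path rules and hash rules combine into one allow/deny decision, including the case where an updated file no longer matches its hash rule. Assumptions: hash rules are checked before path rules and the most specific path rule wins (Microsoft's documented precedence), SHA-256 stands in for the hash SRP computes, and the suffix subset, file names and file contents are constructed.

```python
import hashlib
from pathlib import PureWindowsPath

# Constructed subset of the suffix list that ships with the policy.
DESIGNATED_TYPES = {".exe", ".bat", ".cmd", ".com", ".msi", ".vbs"}

class Policy:
    def __init__(self, default, path_rules, hash_rules):
        self.default = default          # "allow" or "deny"
        self.path_rules = path_rules    # {path prefix: level}
        self.hash_rules = hash_rules    # {hex digest: level}

    def evaluate(self, file_path, content):
        p = PureWindowsPath(file_path)  # compares case-insensitively
        if p.suffix.lower() not in DESIGNATED_TYPES:
            return "allow", "suffix not on the list"
        digest = hashlib.sha256(content).hexdigest()
        if digest in self.hash_rules:   # hash rule beats any path rule
            return self.hash_rules[digest], "hash rule"
        best = None                     # longest matching path rule wins
        for prefix, level in self.path_rules.items():
            rp = PureWindowsPath(prefix)
            if rp in p.parents and (best is None
                                    or len(rp.parts) > len(best[0].parts)):
                best = (rp, level)
        if best:
            return best[1], f"path rule {best[0]}"
        return self.default, "default rule"

def demo():
    tool_v1 = b"constructed tool build 1"
    tool_v2 = b"constructed tool build 2"  # same program after an update
    policy = Policy(
        default="allow",
        # U: is the home drive; A: and B: are the letters left to USB drives.
        path_rules={"U:\\": "deny", "A:\\": "deny", "B:\\": "deny"},
        hash_rules={hashlib.sha256(tool_v1).hexdigest(): "allow"},
    )
    cases = [
        ("C:\\Windows\\explorer.exe", b"x"),   # no rule matches: default
        ("a:\\Stuff\\GAME.EXE", b"y"),         # pen drive, any case
        ("U:\\notes.txt", b"z"),               # suffix not restricted
        ("U:\\tools\\tool.exe", tool_v1),      # approved build
        ("U:\\tools\\tool.exe", tool_v2),      # updated build, stale hash
    ]
    return [policy.evaluate(path, data) for path, data in cases]

if __name__ == "__main__":
    for result in demo():
        print(result)
```

The last two cases show the maintenance cost of hash rules: the same path is allowed for the approved build and denied once the file changes, until the hash rule is refreshed.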