How do you do....it? Thread, Hiding executables in documents! in Technical; Ok, so we can prevent students running applications (you define what is considered an application) from their user areas/home drives/pen ...
Ok, so we can prevent students running applications (you define what is considered an application) from their user areas/home drives/pen drives etc using a combination of Fileserver resource manager (2003 R2) and software restriction policies.
But how do you guys stop students executing applications they've embedded in word (and potentially any office application or any other OLE capable app) documents?
I figured the best way to do that was to identify where it launches from, and I find it points to docs & settings\username\local settings\temporary internet files\blah blah. So I figure I can use software restriction policies to restrict C:\Documents and Settings\.
This works.... however... applications with shortcuts in docs and settings\all users\start menu or even desktop for that matter won't launch now... Alrighty, so now we'll create another software restriction policy, this time 'unrestricted' for docs and settings\all users - well, that's great... right?
I admit I haven't tested many applications, however I do know of one application called InPage Urdu (some crazy app to type backards/in urdu) when launched appears to create/launch something in the users temp folder.
So, what I'm interested in is have any of you guys got any suggestions/tips for how you stop students accessing executables?
I think you're going to find it very hard to do this :-(
The other approach is to basically whitelist apps which you do want to run - you can create a hash rule for each app you want to allow; this basically checks any file being run and makes sure that it matches the files you want to allow.
Downside of this is that it's hard work to set up - you have to create a hash for every executable (and I'm guessing that every time something get's patched that the rules need upating)
Thanks but I think I have it working now, it was easier than I expected.
I'm sure I will find out in the next few days if I've broken any other software with these policies. I have attached a screenie;
A diffrent approuch would be to target the people you know who are doing this and make an example out of them.
I think this is always the best policy - you can spend your life trying to find technical solutions to what are actually people problems!
One I can see with this is that if the kids work out what's going on, they'll just plug in a USB Hub with 4 USB memory sticks so that they get a "drive G:" etc. Not sure if this would be allowed (it's not explicitly blocked) but I *think* it is ...
One of my clever techs has written a nice little vb that loads automatically and scans through all the worksheets and deletes any flash games it finds - its not perfect, but its enough to stop most things.