Ok, so we can prevent students running applications (you define what is considered an application) from their user areas/home drives/pen drives etc using a combination of Fileserver resource manager (2003 R2) and software restriction policies.
But how do you guys stop students executing applications they've embedded in word (and potentially any office application or any other OLE capable app) documents?
I figured the best way to do that was to identify where it launches from, and I find it points to docs & settings\username\local settings\temporary internet files\blah blah. So I figure I can use software restriction policies to restrict C:\Documents and Settings\.
This works.... however... applications with shortcuts in docs and settings\all users\start menu or even desktop for that matter won't launch now... Alrighty, so now we'll create another software restriction policy, this time 'unrestricted' for docs and settings\all users - well, that's great... right?
I admit I haven't tested many applications, however I do know of one application called InPage Urdu (some crazy app to type backards/in urdu) when launched appears to create/launch something in the users temp folder.
So, what I'm interested in is have any of you guys got any suggestions/tips for how you stop students accessing executables?
I think you're going to find it very hard to do this :-(
The other approach is to basically whitelist apps which you do want to run - you can create a hash rule for each app you want to allow; this basically checks any file being run and makes sure that it matches the files you want to allow.
Downside of this is that it's hard work to set up - you have to create a hash for every executable (and I'm guessing that every time something get's patched that the rules need upating)
Thanks but I think I have it working now, it was easier than I expected.
I'm sure I will find out in the next few days if I've broken any other software with these policies. I have attached a screenie;
Can you just use GP to turn macro security up?
Wouldnt that prevent it?
I'm supprised A-Virus desent pick the documents up as a potential virus.
A diffrent approuch would be to target the people you know who are doing this and make an example out of them.
I think this is always the best policy - you can spend your life trying to find technical solutions to what are actually people problems!Originally Posted by PEO
One I can see with this is that if the kids work out what's going on, they'll just plug in a USB Hub with 4 USB memory sticks so that they get a "drive G:" etc. Not sure if this would be allowed (it's not explicitly blocked) but I *think* it is ...
I think you'll find banning the embedded flash very hard it's been discussed in a few threads and the only way that really works is turning off vb support which also stops macros running.
http://www.edugeek.net/forums/ffs/12...-file-ffs.html
I'm not too worried about embedded flash, they are taught to use flash unfortunately. Executables were all I was really worried about, it's something that's always bugged me tbh.
Currently students cannot access any pen drives, but I'm trying to do all I can to protect things in preperation for enabling pen drives again.
One of my clever techs has written a nice little vb that loads automatically and scans through all the worksheets and deletes any flash games it finds - its not perfect, but its enough to stop most things.
Ahem care to share it
There are currently 1 users browsing this thread. (0 members and 1 guests)
Posting Permissions
LinkBack URL
About LinkBacks
Reply With Quote