Software Restriction Policy (w2k3) - path question

[indiegirl]

Hello all,

I'm setting out SRP up to stop the little darlings from running exes etc from their home drives. I have searched for an answer to the query I'm about to pose but didn't find an answer.

So, my question is:

If I implement a 'path' restriction, eg:

\\fileserver\%username% - will that restrict everything in that path that's in the 'file types' properties (I assume it does)

Can I - for peace of mind - also restrict just one type, and if so, would this work:

\\fileserver\<share>\*.exe ??

Can I use this to restrict just .exe's and zip's from that share? Or is that overkill given the file types cover .exe and more?

Sorry - probably a v silly question, but one I need reassurance on!

[NetworkGeezer]

It appears that you are attemptign a blocking list. A better approach would be to specifcify approved locations such as

Code:

"C:\Program Files", "C:\Windows" \\<domain_name>\SYSVOL

This way you don't have to be so explicit in what you are trying to block because executables outside the approved areas won't be run.

[tarquel]

Nice one there

I cant wait til i can get around to this R2 update

Finding BitComet [P2P proggy] in a pupils user who just laughed at me when i had him was not enjoyable....

touche [when i get R2 sorted hehe]

Nath.

[mark]

If you could set that restriction on one PC OU you could pick off the executable from the list of exclusions.

This is how I found it works, by picking up the dissalowed list from the PC setting

[djm968]

SRP is sometimes a bit like black magic. I have had no luck with wild cards although many say you can use them.

I have also seen issues with SRP resolving the %username% variable.

If you want to include a path restriction you may need to set it at a higher level eg: \\server\homefoldershare$\

You may also want to add a SRP path rule for other dives like E: F: G: to prevent them running exe's from usb drives

[NetworkGeezer]

Just white list the approved locations then you won't have to worry about variable substition for home share UNCs. Same thing for removeable drives. IF they're not on the allowed list then the executables won't run from them.