How do you do....it? Thread, Restrict Kids from Installing ANYTHING in Technical; @Geoff - Would I be right in assuming that the ADM template shown below will only disable the USB storage ...
  1. #31
    ajbritton's Avatar

    Re: Restrict Kids from Installing ANYTHING

    @Geoff - Would I be right in assuming that the ADM template shown below will only disable the USB storage if it is already running? I looked on a PC that has never seen a USB stick and the registry keys are not there. In this instance the policy will have no effect. A user could install a USB key and use it until the PC was rebooted. I think you need to modify the permissions on USBSTOR.INF and USBSTOR.PNF to prevent installation in the first place.

    Quote Originally Posted by Geoff
    How about a GPO ADM template? Per Machine but meh..

    1.) Take the following text, copy it, and paste it into a text document. Then, save it as USBSTOR.ADM.

    Code:
    CLASS MACHINE
    CATEGORY "Custom Policies"
    KEYNAME "SYSTEM\CurrentControlSet\Services\UsbStor"
      POLICY "USB Mass Storage Installation"
       EXPLAIN "When this policy is enabled, USB mass storage device permissions can be changed by using the drop down box.
     
    Selecting 'Grant Permission' will allow USB mass storage devices to be installed.  Selecting 'Deny Permission' will prohibit
    the installation of USB mass storage devices.
     
    IF REMOVING THIS POLICY: Reset to original setting and let policy propagate before deleting policy."
         PART "Change Settings:" DROPDOWNLIST REQUIRED
           VALUENAME "Start"
           ITEMLIST
            NAME "Grant Permission" VALUE NUMERIC 3 DEFAULT
            NAME "Deny Permission" VALUE NUMERIC 4
           END ITEMLIST
         END PART
       END POLICY
    END CATEGORY
    2.) Open a group policy management console, and right click on "administrative templates" under "Computer Configuration". Select "Add/Remove Templates".

    3.) Browse to the text document you just saved and click OK. You'll now see "Custom Policies" under "Administrative Templates". Right click on it, select "View", then select "Filtering". Uncheck the bottom box, labeled "Only show policy settings that can be fully managed".

    4.) Click ok. Now you'll see the USB policy available for use under the custom policy heading. From there, you can enable or disable it just like any other policy.

  2. #32

    Geoff's Avatar

    Re: Restrict Kids from Installing ANYTHING

    Well no. Normal users can install drivers. At least here they can't.

  3. #33
    mark's Avatar

    Re: Restrict Kids from Installing ANYTHING

    Quote Originally Posted by RoyG
    It means that we don't have to have any restrictions on the workstations whatsoever.
    You still need all protection from the no. 1 threat, that is access to sensitive data. This is the main reason for policy lock down. Destruction of the local PC is a concern, but I can't say I've ever really had a problem with that. My machines just get rebuilt as software sets change.

  4. #34
    sahmeepee's Avatar

    Re: Restrict Kids from Installing ANYTHING

    Quote Originally Posted by russdev
    We do, by the fact that we run RM here...

    What they have done is allow programs to run from Program Files without a problem, but students can't access the Program Files dir etc...

    Then also, if you want to run an exe outside of that, add 'em to the list of allowed files and paths..

    russ
    This seems like the sanest approach. Let any program run on C:\ (say), but everything else is restricted. Then deny them access to browse the C:\ drive using group policy. (You could go tighter and allow only "c:\program files", but there's bound to be some piece of educational software written circa 1992 that you have to put in c:\ because it hates spaces in paths.)

    Obviously if you need to run apps from windows shares etc., you can just add them to the path rule in software restrictions, but just make sure they can't write to anywhere they can execute from.

  5. #35
    ajbritton's Avatar

    Re: Restrict Kids from Installing ANYTHING

    Hmmm ... Isn't it a bit risky allowing execute from C:\?
    All the users' temporary internet files are likely to be on C:\.
    The %temp% folder will be on C:\.

    Even denying access to browsing C:\ does not prevent a clever user who has found a way of getting a file into his/her temp folder from executing it.

  6. #36


    Re: Restrict Kids from Installing ANYTHING

    Quote Originally Posted by ajbritton
    Hmmm ... Isn't it a bit risky allowing execute from C:\?
    All the users' temporary internet files are likely to be on C:\.
    The %temp% folder will be on C:\.

    Even denying access to browsing C:\ does not prevent a clever user who has found a way of getting a file into his/her temp folder from executing it.
    I don't see the problem: if all EXEs are restricted to running from Program Files and Windows, with perhaps exceptions for other paths (as for the pre-1992 apps), then %temp% isn't an issue.

    Is there some way of using temp to graft an arbitrary folder so that it appears to be part of the permitted paths?

  7. #37
    ajbritton's Avatar

    Re: Restrict Kids from Installing ANYTHING

    @NetworkGeezer: I was really referring to sahmeepee's suggestion that any program be allowed to run from C:\ (and therefore anywhere on C: drive unless specifically exempt)

  8. #38
    sahmeepee's Avatar

    Re: Restrict Kids from Installing ANYTHING

    Quote Originally Posted by ajbritton
    @NetworkGeezer: I was really referring to sahmeepee's suggestion that any program be allowed to run from C:\ (and therefore anywhere on C: drive unless specifically exempt)
    Yeah, sorry if my post was a bit offhand. You'd obviously have to look very carefully at this. You could specifically disallow temp and your browser's cache folder or block everything on C:\ then open it back up folder-by-folder.

    It definitely takes planning and testing, e.g. you may have problems with blocking shortcuts in the users' docs&settings (e.g. their own start menu) from running if you get it wrong.

  9. #39
    ajbritton's Avatar

    Re: Restrict Kids from Installing ANYTHING

    Well, I'm new to software restriction policies, but I reckon it's better to start with a bucket with no holes and drill 'em where you need 'em rather than a leaky bucket which you hope you've fully patched.

    I've blocked everything and excepted the following list (I'll have to update this later when I get to work).

    (REMOVED LIST FOR SECURITY REASONS) - If you want to see my list, PM me and I will send it...

    So far I've not had any major problems. (Actually that's a lie, I forgot to include the path to the server share where all managed software is installed from, and that caused the occasional error.)
    If I get any apps which insist on running outside of Program Files, then it's a 2 minute job to add an extra path rule.

    Maybe a wiki on use of Software Restriction Policies is in order, covering the set up and potential pitfalls.

  10. #40
    sahmeepee's Avatar

    Re: Restrict Kids from Installing ANYTHING

    Looks good.

    In that scenario, can the user (a normal user) drag an exe file into their start menu and then run it?

  11. #41

    Geoff's Avatar

    Re: Restrict Kids from Installing ANYTHING

    Users don't have write access to their Start menus here.

  12. #42
    ajbritton's Avatar

    Re: Restrict Kids from Installing ANYTHING

    I need to do more testing. I've been re-reading the SRP reference on TechNet and noticed the following things:

    1 - Avoid environment variables as they can be redefined to point to a different location

    2 - If .LNK files can be excluded from the list of extensions which are checked, then the executable will still be subject to the SRP. This would mean that the user profile would not need to be exempt from the restriction.

  13. #43
    ajbritton's Avatar

    Re: Restrict Kids from Installing ANYTHING

    OK, testing with SRP complete.

    I tried removing LNK from the list of extensions in the SRP for students, but shortcuts still failed. It turns out there was a machine-based SRP in effect. Now I did not set this up so I assume it is there as a local machine policy in XP. The machine-based SRP extension list was taking priority, which meant that LNK files were still being blocked. I created my own machine-based SRP and applied it to an OU which covers all PCs that students will use, and removed LNK files. Bingo.

    In summary then here's my setup...

    1 - Machine-based SRP with LNK removed from extension list (otherwise no changes to defaults)

    2 - User-based SRP as follows...
    • Disallow all software by default
    • Remove LNK files from extension list
    • Default exemptions are sufficient to allow software installed under C:\Program Files to execute (limited users cannot write here)
    • Add exemptions for logon scripts \\(fqdn)\sysvol
    • Add exemptions for managed software installs \\(servername)\install
    • Add exemptions for network apps M:\
    • Add exemptions for any local apps not running from C:\Program Files (NB - Be as precise as possible!)


    The only thing I have not done is a comprehensive analysis of the permissions on C:\WINDOWS to find any locations that limited users might have write access to e.g. C:\WINDOWS\TEMP. If these exist, then they would need locking down with additional exemptions.
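
The permissions analysis described above as still outstanding, as an added example that is not part of the original post: a PowerShell sketch that walks the roots the SRP allows execution from and lists folders whose ACL lets broad groups create files. The root list, SID list and the function name `Get-BroadWriteAce` are assumptions made for illustration; adjust the roots to match your own path rules.

```powershell
# Added example (not from the thread): list folders under SRP-allowed roots
# where broad groups may create files, i.e. places that are both writable
# and executable for a limited user.

# Assumption: these are the roots your SRP path rules allow; edit to match.
$AllowedRoots = @('C:\WINDOWS', 'C:\Program Files')

# Well-known SIDs (language-independent): Everyone, Authenticated Users,
# INTERACTIVE, BUILTIN\Users.
$BroadSids = @('S-1-1-0', 'S-1-5-11', 'S-1-5-4', 'S-1-5-32-545')

# Rights that let a user drop a new file or subfolder into a directory.
$WriteMask   = [System.Security.AccessControl.FileSystemRights]'CreateFiles, AppendData'
$InheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly
$SidType     = [System.Security.Principal.SecurityIdentifier]

function Get-BroadWriteAce {
    param([Parameter(Mandatory)][string]$Path)
    $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop
    # Explicit and inherited rules, with identities returned as SIDs.
    foreach ($ace in $acl.GetAccessRules($true, $true, $SidType)) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($BroadSids -notcontains $ace.IdentityReference.Value) { continue }
        # Inherit-only ACEs apply to children, not to this folder itself.
        if ($ace.PropagationFlags -band $InheritOnly) { continue }
        if ($ace.FileSystemRights -band $WriteMask) { $ace }
    }
}

$findings = foreach ($root in $AllowedRoots) {
    $dirs = @(Get-Item -LiteralPath $root) +
            @(Get-ChildItem -LiteralPath $root -Directory -Recurse -Force -ErrorAction SilentlyContinue)
    foreach ($dir in $dirs) {
        try {
            foreach ($ace in Get-BroadWriteAce -Path $dir.FullName) {
                [pscustomobject]@{
                    Path   = $dir.FullName
                    Sid    = $ace.IdentityReference.Value
                    Rights = $ace.FileSystemRights
                }
            }
        } catch {
            Write-Warning "Could not read ACL for $($dir.FullName): $_"
        }
    }
}
$findings | Sort-Object Path, Sid | Format-Table -AutoSize
```

Run it elevated so every ACL can be read. It inspects allow ACEs for specific rights only and ignores deny ACEs and generic-rights entries, so treat each hit as a candidate to confirm with a test logon as a limited user before adding a disallow rule or tightening the ACL.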

  14. #44


    Re: Restrict Kids from Installing ANYTHING

    Good work AJ.

    I assume for login script exemptions there is an entry for each DC hosting Active Directory.

  15. #45
    ChrisH's Avatar

    Re: Restrict Kids from Installing ANYTHING

    This should cover that:

    Add exemptions for logon scripts \\(fqdn)\sysvol
