Thread: Prevent Files With These Extensions Running From These Locations... (forum: Technical)
#1  DaveP

    Prevent Files With These Extensions Running From These Locations...

    I know this has been asked before. However I think I have followed the advice in the other posts and it is still not working for me so what am I doing wrong?

    Taking one file type as an example [solving the problem gives me the answer to other file types also]

    Let us say that I want to prevent students running CMD from their home folders and from memory stick locations. And let us say that home folders are mapped to U:\ and memory sticks are created as E:\ and F:\

    At the server in Group Policy [GPO created to control student user behaviour] In User Configuration I have created a Designated File Type in:

    Policies\Windows Settings\Security Settings\Software Restriction Policies

    File Type: CMD

    In the same GPO I have placed a Path Rule under User Configuration:

    Policies\Windows Settings\Security Settings\Software Restriction Policies\Additional Rules

    Path Rule: U:\*.CMD: Disallowed

    However I find that students can still run a test CMD file.

    What am I missing?

    Server: Windows Server 2008: Standard Edition: 64 Bit: Service Pack 2

    Client: Windows XP Pro: SP3

    Thanks.

#2  p858snake
    Have you told the machine and server to gpupdate (forcefully)?

#3  DaveP
    Quote Originally Posted by p858snake:
        Have you told the machine and server to gpupdate (forcefully)?
    Yes. I have also restarted the station and waited an absolute age.
    Last edited by DaveP; 11th July 2010 at 08:56 AM. Reason: Correct spelling mistake.

#4  SYNACK
    Have you looked at it with the RSoP snap-in to see what policies have applied and what errors, if any, are generated?

#5  Arthur
    Quote Originally Posted by DaveP:
        What am I missing?
    I may be wrong, but shouldn't you be disallowing cmd.exe and command.com (both located in %SystemRoot%\System32) because you would usually block VBS files by disallowing cscript.exe and wscript.exe?

    It's also worth mentioning that even after you have done the above, it is still very easy to bypass these restrictions via process injection. I reckon a student could easily do this if they spent a few minutes on Google.

#6  DaveP
    Quote Originally Posted by Arthur:
        I may be wrong, but shouldn't you be disallowing cmd.exe and command.com (both located in %SystemRoot%\System32) because you would usually block VBS files by disallowing cscript.exe and wscript.exe?

        It's also worth mentioning that even after you have done the above, it is still very easy to bypass these restrictions via process injection. I reckon a student could easily do this if they spent a few minutes on Google.
    What I am actually trying to do is develop a GPO which can eventually be expanded to include all file types and all locations where I do not want students running files they control.

    They might bring in a memory stick that has a batch file they have written at home, it may have a shortcut to a program that I do not want the students to run directly or it may have a portable executable. So as a start I am trying to prevent students from running:

    *.EXE, *.BAT, *.ZIP, *.COM, *.CMD, *.LNK from U:\, E:\ and F:\ [these are areas connected to the school network they have read/write control over]

    Or is this not the right approach?
    Last edited by DaveP; 11th July 2010 at 11:55 AM. Reason: Add to post content.

#7  Arthur
    Quote Originally Posted by DaveP:
        What I am actually trying to do is develop a GPO which can eventually be expanded to include all file types and all locations where I do not want students running files they control.
    Actually I was wrong. I was thinking of something else.

    An easy way to prevent all executables and scripts from being run from USB flash drives would be to create a couple of path rules like: "E:\*" and "F:\*". This should work no matter how many sub-folders they use. I assume you're still using USBDLM so that removable drives do not get assigned other drive letters?

    N.B. I've not tried it myself yet, but apparently restricted users can use %SystemRoot%\System32\runas.exe to bypass SRPs so you may want to block that too. e.g.

    Code:
    runas /trustlevel:"Unrestricted" e:\schoolwork\game.exe

    For files in user areas, you could use "File Server Resource Manager" on your server to block each extension you don't want to have in there.

    Yet another approach might be to do the exact opposite and disallow everything by default because there will almost always be something you have missed (like WSH and HTA files). All you have to do then is explicitly allow just the programs and/or locations via hash or path rules. Details on how to do this can be found here and here (from step 3).

#8  DaveP
    Yes I am using USBDLM but I can't experiment with that today because I am not on site. I can experiment with student home folders [U:\]

    I have created path rules for U:\ [U:\*.CMD and U:\*.BAT] but I find that my students can still run these file types from this location.

    Do I have the 'wrong end of the stick' on this setting?

#9  Arthur
    Does U:\* work?

#10  DaveP
    Quote Originally Posted by Arthur:
        Does U:\* work?
    That looks like it will deny access to everything in U:\. I can give it a go and let you know...

#11  Arthur
    Not everything. By default it should be just the following designated file-types.

    Code:
    Extension   Description
    .ADE        Microsoft Access Project Extension
    .ADP        Microsoft Access Project
    .BAS        Visual Basic Class Module
    .BAT        Batch File
    .CHM        Compiled HTML Help File
    .CMD        Microsoft Windows NT Command Script
    .COM        Microsoft MS-DOS Application
    .CPL        Control Panel Extension
    .CRT        Security Certificate
    .EXE        Application
    .HLP        Windows Help File
    .HTA        HTML Application
    .INF        Setup Information File
    .INS        Internet Communication Settings
    .ISP        Internet Communication Settings
    .JS         Microsoft JScript File
    .JSE        JScript Encoded Script File
    .LNK        Shortcut
    .MDB        Microsoft Access Application
    .MDE        Microsoft Access MDE Database
    .MSC        Microsoft Common Console Document
    .MSI        Windows Installer Package
    .MSP        Windows Installer Patch
    .MST        Visual Test Source File
    .PCD        Photo CD Image
    .PIF        Shortcut to MS-DOS Program
    .REG        Registration Entries
    .SCR        Screen Saver
    .SCT        Windows Script Component
    .SHS        Shell Scrap Object
    .URL        Internet Shortcut (Uniform Resource Locator)
    .VB         VBScript File
    .VBE        VBScript Encoded Script File
    .VBS        VBScript Script File
    .WSC        Windows Script Component
    .WSF        Windows Script File
    .WSH        Windows Scripting Host Settings File

#12  DaveP
    This is what I have in that GPO:


    Code:
    %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot% 
    Security Level Unrestricted 
    Description  
    Date last modified 11/07/2010 10:56:35 
     
    %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir% 
    Security Level Unrestricted 
    Description  
    Date last modified 11/07/2010 10:56:35 
     
    U:\* 
    Security Level Disallowed 
    Description  
    Date last modified 11/07/2010 13:50:23 
     
    U:\*.BAT 
    Security Level Disallowed 
    Description  
    Date last modified 11/07/2010 11:07:09 
     
    U:\*.CMD 
    Security Level Disallowed 
    Description  
    Date last modified 11/07/2010 11:06:37
    I have run gpupdate /force

    I have restarted the station

    I have waited for some time [more than an hour] before logging on as a typical student and I find that this user can still run CMD and BAT files from U:\

    Using Group Policy Modelling Wizard at the Domain Controller to check if the policy is applied to this test student I find that the policy does indeed apply to this individual.

    I must still be missing something but what?
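Added example, not from any post in this thread: when the modelling wizard says a policy applies but the client does not enforce it, the next check a practitioner makes is on the client itself, reading the Software Restriction Policy state that Group Policy actually wrote to the registry. The script below assumes the standard key layout under HKLM and HKCU, SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers, with one numeric subkey per security level holding Paths\{guid} rules, and PowerShell 3.0 or later. The log path in Enable-SaferLog is a made-up default.

```powershell
# Added example (editor's, not from the thread): dump the SRP settings and path rules a
# client has actually received, and switch on SRP's own decision log.
# Run elevated for HKLM; run the HKCU half inside the student's own session, because
# a User Configuration GPO lands in that user's HKCU, not the administrator's.

$SaferLevels = @{
    0      = 'Disallowed'
    4096   = 'Untrusted'      # 0x1000
    65536  = 'Constrained'    # 0x10000
    131072 = 'Basic User'     # 0x20000
    262144 = 'Unrestricted'   # 0x40000
}

function Get-SaferSettings {
    # Policy-wide switches that decide whether any rule can fire for this user at all.
    param([ValidateSet('HKLM','HKCU')][string]$Hive)
    $base = "${Hive}:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers"
    if (-not (Test-Path $base)) {
        Write-Warning "$base is absent: no SRP reached this hive on this client"
        return
    }
    $ci = Get-ItemProperty -Path $base
    [pscustomobject]@{
        Hive               = $Hive
        DefaultLevel       = $SaferLevels[[int]$ci.DefaultLevel]
        TransparentEnabled = $ci.TransparentEnabled   # 1 = all software files except libraries, 2 = all software files
        PolicyScope        = $ci.PolicyScope          # 0 = all users, 1 = all users except local administrators
        ExecutableTypes    = ($ci.ExecutableTypes -join ' ')   # the designated file types
    }
}

function Get-SaferPathRules {
    # Every path rule under every level subkey, exactly as the client sees it.
    param([ValidateSet('HKLM','HKCU')][string]$Hive)
    $base = "${Hive}:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers"
    if (-not (Test-Path $base)) { return }
    foreach ($levelKey in Get-ChildItem -Path $base) {
        if ($levelKey.PSChildName -notmatch '^\d+$') { continue }   # only the numeric level keys
        $pathsKey = Join-Path $levelKey.PSPath 'Paths'
        if (-not (Test-Path $pathsKey)) { continue }
        foreach ($rule in Get-ChildItem -Path $pathsKey) {
            $p = Get-ItemProperty -Path $rule.PSPath
            [pscustomobject]@{
                Hive        = $Hive
                Level       = $SaferLevels[[int]$levelKey.PSChildName]
                Path        = $p.ItemData          # REG_EXPAND_SZ, shown unexpanded
                Description = $p.Description
            }
        }
    }
}

function Enable-SaferLog {
    # SRP writes one line per evaluated file (and the rule that matched) to the file named
    # in the LogFileName string value. The default path below is an assumption.
    param([string]$LogPath = 'C:\SaferLog.txt')
    $base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
    New-ItemProperty -Path $base -Name 'LogFileName' -Value $LogPath -PropertyType String -Force | Out-Null
}

foreach ($hive in 'HKLM','HKCU') {
    Get-SaferSettings -Hive $hive | Format-List
    Get-SaferPathRules -Hive $hive | Format-Table -AutoSize
}
```

Things to look for in the output: the U:\* rule missing from both hives means the policy never reached the client, whatever the modelling wizard says; PolicyScope of 1 exempts any test account that happens to be a local administrator; TransparentEnabled and ExecutableTypes show whether the designated file types include CMD and BAT. After Enable-SaferLog, run the test file again and read the log to see which rule, if any, SRP applied; re-check the LogFileName value after the next policy refresh in case the refresh rewrote the key.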

#13  Arthur
    I think you may need to make a few changes. What happens if you use these instead?

    Code:
    %SystemRoot%
    Security Level: Unrestricted
    
    %ProgramFiles% 
    Security Level: Unrestricted
    
    U:\*
    Security Level: Disallowed
    
    %SystemRoot%\System32\cmd.exe
    Security Level: Disallowed
    
    %SystemRoot%\System32\command.com
    Security Level: Disallowed

    If that works you will probably want to add the following to your list too.

    Code:
    E:\*
    Security Level: Disallowed
    
    F:\*
    Security Level: Disallowed
    
    %SystemRoot%\System32\cscript.exe
    Security Level: Disallowed
    
    %SystemRoot%\System32\wscript.exe
    Security Level: Disallowed
    
    %SystemRoot%\System32\mstsc.exe
    Security Level: Disallowed
    
    %SystemRoot%\System32\mmc.exe
    Security Level: Disallowed
    
    %SystemRoot%\System32\msiexec.exe
    Security Level: Disallowed
    
    %SystemRoot%\System32\rundll32.exe
    Security Level: Disallowed
    
    %SystemRoot%\System32\task*.exe
    Security Level: Disallowed
    
    %SystemRoot%\System32\telnet.exe
    Security Level: Disallowed
    
    %SystemRoot%\regedit.exe
    Security Level: Disallowed

    As you can see, using a white-list might be a better approach because there are far too many EXEs to block with a black-list.
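Added example, not from any post in this thread, illustrating the path-rule behaviour behind the suggestions in #7 and #13: a simplified model of how SRP picks a security level for a file from its path rules. It keeps the two behaviours that matter here: when several path rules match, the most specific one wins, and a rule written with a drive letter only matches paths that use that drive letter. Specificity is approximated by the length of the expanded rule path (an assumption; real SRP also has hash, certificate and zone rules, which rank above path rules and are left out). The rule set is the one from #13; the UNC server and user names are constructed. It expects to run on Windows so that %SystemRoot% and %ProgramFiles% expand.

```powershell
# Added example (editor's, not from the thread): simplified SRP path-rule evaluation.

function Get-SrpLevel {
    param(
        [string]$FilePath,
        [hashtable[]]$Rules,                 # each @{ Path = 'U:\*'; Level = 'Disallowed' }
        [string]$DefaultLevel = 'Unrestricted'
    )
    $bestPattern = $null
    $bestLevel   = $DefaultLevel
    foreach ($rule in $Rules) {
        $pattern = [Environment]::ExpandEnvironmentVariables($rule.Path)
        if ($pattern.Contains('*')) {
            # explicit wildcard, e.g. U:\* or %SystemRoot%\System32\task*.exe
            $matched = $FilePath -like $pattern
        } else {
            # a bare file or folder rule covers that item and everything beneath it
            $matched = ($FilePath -like $pattern) -or ($FilePath -like ($pattern.TrimEnd('\') + '\*'))
        }
        # longest matching rule path wins: the model's stand-in for "most specific rule"
        if ($matched -and ($null -eq $bestPattern -or $pattern.Length -gt $bestPattern.Length)) {
            $bestPattern = $pattern
            $bestLevel   = $rule.Level
        }
    }
    [pscustomobject]@{ File = $FilePath; MatchedRule = $bestPattern; Level = $bestLevel }
}

# Rule set from post #13, used first as a black-list on top of an Unrestricted default.
$rules = @(
    @{ Path = '%SystemRoot%';                  Level = 'Unrestricted' }
    @{ Path = '%ProgramFiles%';                Level = 'Unrestricted' }
    @{ Path = 'U:\*';                          Level = 'Disallowed'   }
    @{ Path = 'E:\*';                          Level = 'Disallowed'   }
    @{ Path = '%SystemRoot%\System32\cmd.exe'; Level = 'Disallowed'   }
)

# Constructed sample paths: the mapped home drive as the student types it, the same
# file reached through its UNC path, and two files under %SystemRoot%.
$samples = @(
    'U:\test.cmd',
    '\\fileserver\home\student1\test.cmd',
    'C:\Windows\System32\cmd.exe',
    'C:\Windows\notepad.exe'
)

'--- black-list: rules above, default Unrestricted ---'
$samples | ForEach-Object { Get-SrpLevel -FilePath $_ -Rules $rules } | Format-Table -AutoSize

'--- white-list: same rules, default Disallowed ---'
$samples | ForEach-Object { Get-SrpLevel -FilePath $_ -Rules $rules -DefaultLevel 'Disallowed' } | Format-Table -AutoSize
```

With the Unrestricted default, U:\test.cmd is caught by U:\*, but the same file opened as \\fileserver\home\student1\test.cmd matches no rule and falls through to the default, which is why a drive-letter black-list on a network share needs a matching UNC rule as well. cmd.exe is Disallowed even though it sits under the Unrestricted %SystemRoot% rule, because the file-specific rule is the more specific match, while notepad.exe stays Unrestricted. Flipping the default to Disallowed closes the UNC gap without adding a rule, which is the white-list point made in #7 and #13.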

#14  Arthur
    How did you get on, Dave? Any luck?

#15  DaveP
    Hi. I took the settings suggested in your previous post.

    Still not working I am afraid.

    Could be a job for the Summer Holiday?
