How do you do....it? Thread: Software Restriction Policies, in Technical
  1. #1
    eric.777

    Software Restriction Policies

    Hi All,

    Want to stop bat files and other exe files from student home drives.
    Anyone know the network path and commands for this?
    Student home drives are mapped to \\server2\users$ on H.
    So I put in H:\*.bat or \\server2\users$\*.bat.
    Would like to do screening but server 2 is an old Win2000 server.
    So trying hash rules.

    Still no joy...

    Any help please.

  2. #2

    Have you tried path rules:

    GPO:
    User Configuration > Windows Settings > Security Settings > Software Restriction Policies > Additional Rules

    Add a new path rule
    \\server2\users$
    Disallowed

    We also add the profile path
    \\server2\profiles$
    Disallowed.

    We also restrict removable media by drive letter, so we would also have a path rule for F:\, D:\ and any other drives that you feel necessary.

  3. #3
    steve
    If you are running 2003R2 or above you could also do this with File Services Resource Management (FSRM). Install the role on the server with the share and create a file screen for the types of file you want to block.

  4. #4
    eric.777
    Hi,

    GPO:
    User Configuration > Windows Settings > Security Settings > Software Restriction Policies > Additional Rules

    Add a new path rule
    \\server2\users$
    Disallowed

    We also add the profile path
    \\server2\profiles$
    Disallowed.

    Just looked at the GPO results for the student's PC and it says

    Policy Setting
    Interactive logon: Number of previous logons to cache (in case domain controller is not available) 0 logons

    Software Restriction Policies
    Enforcement
    Policy Setting
    Apply software restriction policies to All software files except libraries (such as DLLs)
    Apply software restriction policies to the following users All users

    Designated File Types
    File Extension File Type
    ADE Microsoft Office Access Project Extension
    ADP Microsoft Office Access Project
    BAS BAS File
    BAT MS-DOS Batch File
    CHM Compiled HTML Help file
    CMD Windows NT Command Script
    COM MS-DOS Application
    CPL Control Panel extension
    CRT Security Certificate
    EXE Application
    HLP Help File
    HTA HTML Application
    INF Setup Information
    INS Internet Communication Settings
    ISP Internet Communication Settings
    LNK Shortcut
    MDB Microsoft Office Access Application
    MDE Microsoft Office Access MDE Database
    MSC Microsoft Common Console Document
    MSI Windows Installer Package
    MSP Windows Installer Patch
    MST MST File
    OCX ActiveX Control
    PCD PCD File
    PIF Shortcut to MS-DOS Program
    REG Registration Entries
    SCR SCR File
    SHS Scrap object
    URL Internet Shortcut
    VB VB File
    WSC Windows Script Component

    Trusted Publishers
    Allow the following users to select trusted publishers End users
    Before trusting a publisher, check the following to determine if the certificate is revoked None


    Software Restriction Policies/Security Levels
    Policy Setting
    Default Security Level Unrestricted

    Software Restriction Policies/Additional Rules
    Hash Rules
    LOGON.BAT; 5 KB; 27/05/2009 12:56:15
    File hash 2FE2D2B3483A7C121F8A824CC9824F3C:4417:32771
    Security level Unrestricted
    Description
    Date last modified 16/02/2011 11:10:24


    Path Rules
    %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%
    Security Level Unrestricted
    Description
    Date last modified 15/02/2011 16:23:27

    %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%*.exe
    Security Level Unrestricted
    Description
    Date last modified 15/02/2011 16:23:27

    %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%System32\*.exe
    Security Level Unrestricted
    Description
    Date last modified 15/02/2011 16:23:27

    %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir%
    Security Level Unrestricted
    Description
    Date last modified 15/02/2011 16:23:27

    H:\ bat
    Security Level Disallowed
    Description
    Date last modified 17/02/2011 12:45:46

    H:\ exe
    Security Level Disallowed
    Description
    Date last modified 17/02/2011 12:45:52

    H:\*.exe
    Security Level Disallowed
    Description
    Date last modified 15/02/2011 16:58:10

    H:\*.exe
    Security Level Disallowed
    Description
    Date last modified 16/02/2011 13:09:21

    H:\*bat
    Security Level Disallowed
    Description
    Date last modified 16/02/2011 11:07:06

    H:\cmd
    Security Level Disallowed
    Description
    Date last modified 17/02/2011 12:46:28

    logon.bat
    Security Level Unrestricted
    Description
    Date last modified 16/02/2011 10:52:11

    But the students just rename the bat file and run it.
    An example is: open Word, then put a script command in it, then save it as plain text.
    Word will then let you save it as hack.BAT in the home drive.
    Then run it.

    How can we stop them when we use Logon.bat to map printers and map drives?

    Any help please....
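
Added example (not part of any post in this thread): a PowerShell check, run in the student's session on a client PC, that lists the Software Restriction Policies path rules actually written to the registry and reports duplicates, for comparison with a GPO results listing like the one above. It assumes the standard policy location Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers, where the level subkeys 0 and 262144 hold Disallowed and Unrestricted rules and each rule key stores its path in ItemData.

```powershell
# Added example: enumerate SRP path rules from the policy registry keys.
# Level subkeys: 0 = Disallowed, 262144 (0x40000) = Unrestricted.
$levels = @{ '0' = 'Disallowed'; '262144' = 'Unrestricted' }

# User Configuration rules land under HKCU, Computer Configuration under HKLM.
$roots = @(
    'HKCU:\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers',
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
)

$rules = foreach ($root in $roots) {
    foreach ($level in $levels.Keys) {
        $pathsKey = Join-Path $root "$level\Paths"
        if (-not (Test-Path $pathsKey)) { continue }

        # Each path rule is a {GUID} subkey; ItemData holds the rule's path.
        foreach ($ruleKey in Get-ChildItem -Path $pathsKey) {
            $props = Get-ItemProperty -Path $ruleKey.PSPath
            [pscustomobject]@{
                Scope = $root.Substring(0, 4)      # HKCU or HKLM
                Level = $levels[$level]
                Path  = $props.ItemData
                Guid  = $ruleKey.PSChildName
            }
        }
    }
}

# Full list, sorted so overlapping rules for the same drive sit together.
$rules | Sort-Object Scope, Path, Level | Format-Table -AutoSize

# The same path entered more than once at the same level.
$rules | Group-Object Scope, Level, Path |
    Where-Object { $_.Count -gt 1 } |
    Select-Object Count, Name

# The same path present at both Disallowed and Unrestricted.
$rules | Group-Object Scope, Path |
    Where-Object { ($_.Group.Level | Sort-Object -Unique).Count -gt 1 } |
    Select-Object Name
```

An empty result for the HKCU root means the User Configuration rules did not reach that session at all, which is a different problem from a rule that is present but does not match.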

  5. #5

    Could you look at changing logon.bat to be a vbs script instead, and just ban batch files across the board?

  6. #6
    eric.777
    Hi,

    Thanks for the response, but we should be able to stop *.BAT, *.EXE, *.CMD from a network drive with GPO?

    Just to let you know, if I use *.bat with no H:\ (H:\*.bat) it works, but no mapping drives or printers.
