+ Post New Thread
Results 1 to 12 of 12
Network and Classroom Management Thread, Blocking .EXE and COM etc on a new Windows 2003 Domain Help! in Technical; Hi all. We have just migrated away from RM CC3 to a Windows 2003 network. Does anybody know of a ...
  1. #1

    Join Date
    Aug 2007
    Location
    Loughborough
    Posts
    15
    Thank Post
    1
    Thanked 0 Times in 0 Posts
    Rep Power
    0

    Blocking .EXE and COM etc on a new Windows 2003 Domain Help!

    Hi all.

    We have just migrated away from RM CC3 to a Windows 2003 network.

    Does anybody know of a easy way of blocking .BAT, COM, EXE and SWF being run by a student user?

    I know of software restrictions policies in group policy but I have never used them myself.

    We use Impero to block and watch what students do so I can block things they do in that but I feel that it's only a matter of time before somebody tries to run regedit.exe from a memory stick....

    Thanks in advance,


    Ben

  2. #2
    mrforgetful's Avatar
    Join Date
    May 2006
    Posts
    1,639
    Thank Post
    7
    Thanked 15 Times in 15 Posts
    Rep Power
    23

    Re: Blocking .EXE and COM etc on a new Windows 2003 Domain Help!

    If you want to stop them running anything you'll have to use a Software Restriction Policy, or I think there is a Group Policy where you can enter a list of allowed programs and no others will run.

    If you wish to stop them saving files of certain types in their User Areas you can use a File Resource Manager File Screen to do that.

  3. #3

    SpuffMonkey's Avatar
    Join Date
    Jul 2005
    Posts
    2,268
    Thank Post
    55
    Thanked 285 Times in 191 Posts
    Rep Power
    136

    Re: Blocking .EXE and COM etc on a new Windows 2003 Domain Help!

    We've just started to use Disknet Pro to stop all this malarky - stops the U3 memory sticks too.

  4. #4
    ICTNUT's Avatar
    Join Date
    Jul 2005
    Location
    Hereford
    Posts
    1,419
    Thank Post
    196
    Thanked 249 Times in 122 Posts
    Rep Power
    63

    Re: Blocking .EXE and COM etc on a new Windows 2003 Domain Help!

    This depends on if you want to do it the hard way (FREE) or the easy way (£££)

    If you want to do it for free the you will have to use Software Restirction Policies based on HASH rules and do regular sweeps of user directories to ensure viloations are removed (see link in my signature below).

    As far a BAT, CMD, and COM are concerned there are GPO setting which can be set to prevent these being run (a search of the forums should bring up alot as this has been covered many times), also if the users are just domain users then they should not be able to install much anyhow.

    There is a domain GPO policy that will stop windows installer from running so this would stop a large number of installers running and a GPO to stop access to tools like regedit and such

    If you are willing to spend money the I would recommend Space Guard from Tools4Ever -> http://www.tools4ever.com/products/spaceguard/ I have been using this for at least 2 years now and has proven to be very good. It will sort out your quota sizes for you but the main thing is it will stop files based on file extension and it works.

    The cost is around £300 ish (don't quote me) for a file server with unlimited quotas and rule sets.

  5. #5

    Join Date
    Aug 2007
    Location
    Loughborough
    Posts
    15
    Thank Post
    1
    Thanked 0 Times in 0 Posts
    Rep Power
    0

    Re: Blocking .EXE and COM etc on a new Windows 2003 Domain H

    Hi again, many thanks for your replies, SpaceGuard looks like just the product for me. I really have had enough of hash rules and software policies etc etc

    Thanks again for your help.

    Ben

  6. #6
    ICTNUT's Avatar
    Join Date
    Jul 2005
    Location
    Hereford
    Posts
    1,419
    Thank Post
    196
    Thanked 249 Times in 122 Posts
    Rep Power
    63

    Re: Blocking .EXE and COM etc on a new Windows 2003 Domain Help!

    HTH :-)

  7. #7
    altecsole's Avatar
    Join Date
    Jun 2005
    Location
    Whittington, Lancashire
    Posts
    286
    Thank Post
    40
    Thanked 37 Times in 27 Posts
    Rep Power
    26

    Re: Blocking .EXE and COM etc on a new Windows 2003 Domain Help!

    We use a software restriction policy based on a path - executables etc are blocked for all paths other than the C: drive.

    If you have 2003 R2 you can also use disk management to stop users saving certain files to their user area.

  8. #8

    Geoff's Avatar
    Join Date
    Jun 2005
    Location
    Fylde, Lancs, UK.
    Posts
    11,850
    Thank Post
    110
    Thanked 598 Times in 514 Posts
    Blog Entries
    1
    Rep Power
    227

    Re: Blocking .EXE and COM etc on a new Windows 2003 Domain Help!

    You can also do something similar if you have *nix Samba based file servers too.

  9. #9
    rrichmond's Avatar
    Join Date
    Jul 2007
    Location
    Brisbane
    Posts
    108
    Thank Post
    3
    Thanked 7 Times in 7 Posts
    Rep Power
    17

    Re: Blocking .EXE and COM etc on a new Windows 2003 Domain H

    I think you may find my post useful.

    Stopping .EXE, .CMD and .BAT files

    Plus its free and works well. We use it at our school.

  10. #10

    webman's Avatar
    Join Date
    Nov 2005
    Location
    North East England
    Posts
    8,422
    Thank Post
    645
    Thanked 967 Times in 667 Posts
    Blog Entries
    2
    Rep Power
    328

    Re: Blocking .EXE and COM etc on a new Windows 2003 Domain Help!

    Would have been easier if you hadn't migrated from CC3

    *runs*

  11. #11

    Join Date
    Aug 2007
    Location
    Loughborough
    Posts
    15
    Thank Post
    1
    Thanked 0 Times in 0 Posts
    Rep Power
    0

    Re: Blocking .EXE and COM etc on a new Windows 2003 Domain Help!

    Quote Originally Posted by webman
    Would have been easier if you hadn't migrated from CC3

    *runs*
    The network model we had was 6 years old and the cost to stay with RM was way to expensive compared to putting in a normal Windows 2003 network. Also, CC4 looked like it addressed a lot of issues we had with CC3 but trying to get a release date for it from RM was impossible. We had terrible issues with profiles, slow log on's, software installation problems, full domain controllers ( user areas ) troubleshooting pc's when they went wrong ( no local log on ) which we don't have now.

    At the moment, we have the kids on our side and we have a few of the really good hackers finding holes in my system and letting us know what they are but it's only a matter of time before one of them actually does something using the .COM . EXE exploit.

    When I first started the current job at LES I really didn't like RM, but over the 2 years I have used it it has really grown on me and I now see why schools have it as it does most things for you. As a Microsoft professional I believe you can do everything ( well most ) better without RM.

    Cheers,


    Ben

  12. #12

    Join Date
    Feb 2013
    Location
    edmonton
    Posts
    1
    Thank Post
    0
    Thanked 0 Times in 0 Posts
    Rep Power
    0
    The best way to block any file in a domain environement is to create a rule in your current default domain group policy :

    1. Edit yours.
    2. Go in User configuration -> Policies -> Windows Settings -> Security Settings -> Software Restriction Policies -> Additional Rules
    3. Create a new Hash Rule.

    Reference from :
    Deny Specific Application in Active Directory GPO - TechSultan



SHARE:
+ Post New Thread

Similar Threads

  1. Dansguardian on windows 2003 domain
    By netadmin in forum *nix
    Replies: 68
    Last Post: 12th July 2007, 09:18 AM
  2. Replies: 10
    Last Post: 31st March 2007, 06:40 PM
  3. Replies: 3
    Last Post: 2nd February 2007, 11:09 AM
  4. Replies: 11
    Last Post: 10th November 2006, 07:42 PM
  5. Blocking Batch Files using Group Policy in Server 2003
    By markwilliamson2001 in forum Windows
    Replies: 13
    Last Post: 4th October 2005, 06:28 PM

Thread Information

Users Browsing this Thread

There are currently 1 users browsing this thread. (0 members and 1 guests)

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •