Networks Thread, Software Restriction Policies - Allow ONLY certain software in Technical
-
29th November 2009, 02:01 PM #16
You can kill off the network drives issue by using file restriction policies on the fileserver (2003R2+).
We prevent the saving of executable content to student homedirs.
Regarding Tor - stick them in detention/get the parents in. The parents agreed to an AUP that their kids would be held to, I assume?
-
-
29th November 2009, 06:59 PM #17 
Originally Posted by pete
You can kill off the network drives issue by using file restriction policies on the fileserver (2003R2+).
We prevent the saving of executable content to student homedirs.
Regarding Tor - stick them in detention/get the parents in. The parents agreed to an AUP that their kids would be held to, I assume?
We do already use FSRM to ban the saving of exe's, but I wasn't trying to ban them from being run from network drives; I needed to allow it.
As for TOR, it no longer matters, as I've whitelisted all exe's that I want them to run, so now they can't run any exe's from pen drives or anywhere else. That goes for games as well.
-
-
1st December 2009, 08:13 PM #18
@ DMcCoy
Now that you have exe's locked down and you ban any high risk exe's like cmd.exe, MMC and regedit, do you allow students access to the C: drive? As an ordinary user still, of course.
-
-
2nd December 2009, 02:22 PM #19
C: is still hidden with group policy, although you can still see it with various non logo compliant applications anyway. Users have standard rights so they can't do much even with access.
-
-
2nd December 2009, 04:22 PM #20 
Originally Posted by DMcCoy
C: Is still hidden with group policy, although you can still see it with various non logo compliant applications anyway. Users have standard rights so they can't do much even with access.
Yes, GIMP drives me around the bend with that, and Kompozer: the old version didn't obey the ban, then the new one did, now the beta doesn't.
-
-
3rd February 2010, 04:31 PM #21

Originally Posted by link470
What's been everyone's experience with allowing only a certain set of software? I'd like to make it so that only school applications can be run. No matter how much I try to restrict IE, students are always going to bring in more applications. They'll keep downloading their exe's and their iso's and their vb scripts and running them, but what I'd like to do is make it so only select software applications can be run.
I tried to block other web browsers etc. and make every user not a local administrator so they didn't have access to installing software, but then they go ahead and either install it to their network drive, or install it to the desktop, and it works perfectly.
Is there a way to use software restriction policies to only allow a certain set of applications to be run? For example only the preinstalled applications that I install with each image? My only concern is how well software restriction policies work. If they're as good as Apple's parental controls where you click the app you don't want them to run and you're good to go, or if you have to hash every single DLL and system file required by each program. For a program like Adobe Premiere or Microsoft Office, that's a few hundred separate hashes for each program that have to be fed through software restriction. Is it smart enough to just pick up the exe that's allowed, like WinWord.exe for Microsoft Word, realize Word is allowed, and use all features of Word? Or is there a better way that my mind is too busy to think of?
Thanks!
I use the policy element in the USER system part of AD, "run only allowed windows applications". You then enter the names of executables allowed to run on your network by the students. Works great here.
-
-
14th April 2010, 11:08 AM #22
Hi guys,
Just thought I'd join up so that I could post my thanks for this thread.
I'm a techy geek in Suffolk, who's been having trouble with students using Firefox, when I want them to use IE! This is all due to a proxy server being installed. Once I got the GPO for that sorted, I became aware that they could use Portable from USB.
Having spent hours looking through threads for pushing through a drive letter, and closing that off, I came across this, and the solution was excellent for what we wanted.
I take my hat off to you guys... Thanks so much, and I'll be back!!
-
-
5th July 2010, 02:13 PM #23
Don't mean to bump such an old thread...
Basically the kids have got hold of stress_relief.exe and stress_relief.zip. I want to block/disable all zip files and just the stress_relief.exe. They store it in their H: (Home) drive, and try to hide it in different folders so we can't see it...
Can anyone help a simpleton out? I know you have to create a rule but that is whizzing over my head.
Thanks guys and gals.
-
-
9th July 2010, 09:51 AM #24
Can anyone help on this? Please? Pretty please with cherries on top?
-
-
9th July 2010, 10:35 AM #25
File restriction by hash rule in GPO should sort this, as the app will always have the same hash.
User Configuration/Windows Settings/Security Settings/Software Restriction Policies/Additional Rules, right click - New hash rule, then browse to a copy of the file.
Ban!
-
-
9th July 2010, 11:16 AM #26
But is that file/path name user specific or does it just ban that whole exe on the network?
-
-
9th July 2010, 11:45 AM #27 
Originally Posted by sippo
But is that file/path name user specific or does it just ban that whole exe on the network?
The path rule disallows it running from that path for any user to whom that gpo applies.
The hash rule will prevent that executable (renamed or not) from running anywhere for any user to whom that gpo applies.
Hash rule can be subverted by new versions / recompiling the app to change the hash only.
There's also (on 2003R2+) filtering options on the fileserver - we block executables in student user areas, for example.
-
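An added example, not written by any poster in this thread: it audits a home-directory tree by content, matching a banned executable by hash whatever it has been renamed to (the property of the hash rule described in post #27) and classifying executables and zip archives by their leading bytes rather than by file name. The function names, the constructed sample tree and the use of SHA-256 are assumptions of this example.

```python
import hashlib
import tempfile
from pathlib import Path

PE_MAGIC = b"MZ"             # DOS/PE executable header
ZIP_MAGIC = b"PK\x03\x04"    # zip local-file header

def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(1 << 20), b""):
            h.update(block)
    return h.hexdigest()

def sniff(path):
    """Classify by leading bytes (a heuristic), ignoring the file name."""
    with open(path, "rb") as f:
        head = f.read(4)
    if head.startswith(PE_MAGIC):
        return "exe"
    return "zip" if head == ZIP_MAGIC else None

def audit(root, banned_hashes):
    """Return sorted (relative path, kind, matches_banned_hash) for each hit."""
    hits = []
    for path in Path(root).rglob("*"):
        try:
            kind = sniff(path) if path.is_file() else None
            banned = kind is not None and sha256_of(path) in banned_hashes
        except OSError:              # locked or unreadable file: skip it
            continue
        if kind:
            hits.append((path.relative_to(root).as_posix(), kind, banned))
    return sorted(hits)

def demo():  # runs the audit over a constructed tree standing in for one homedir
    original = b"MZ" + b"\x90" * 64 + b"constructed stand-in for the banned exe"
    samples = {
        "coursework/art/notes.dat": original,        # renamed copy in a subfolder
        "coursework/rebuilt.bin": original + b"!",   # different build, different hash
        "archive.zip": ZIP_MAGIC + b"\x00" * 26,
        "essay.txt": b"plain text",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, data in samples.items():
            target = Path(root, rel)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(data)
        return audit(root, {hashlib.sha256(original).hexdigest()})
```

The zip signature also matches Office Open XML documents and .jar files, so "zip" hits are candidates for review, not confirmed archives.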
-
9th July 2010, 12:04 PM #28
Thanks Pete. Where can I find the filtering options in 2003r2?
-
-
9th July 2010, 04:29 PM #29
Administrative Tools > File Server Resource Manager > File Screening Management.
Look at the default templates, create a test folder tree and have a play. I'd advise against applying them at the root of the homedir folder tree, since you may wish to differentiate between groups of users. Ours has driveletter:\users\usergroup01 and we apply the template at the usergroup01 (or 02, 03) level.
-