cookie_monster (27th November 2009)
What's been everyone's experience with allowing only a certain set of software? I'd like to make it so that only school applications can be run. No matter how much I try to restrict IE, students are always going to bring in more applications. They'll keep downloading their exes and their isos and their VB scripts and running them, but what I'd like to do is make it so only select software applications can be run.
I tried to block other web browsers etc. and make every user not a local administrator so they didn't have access to installing software, but then they go ahead and either install it to their network drive, or install it to the desktop, and it works perfectly.
Is there a way to use software restriction policies to only allow a certain set of applications to be run? For example, only the preinstalled applications that I install with each image? My only concern is how well software restriction policies work. Are they as good as Apple's parental controls, where you click the app you don't want them to run and you're good to go, or do you have to hash every single DLL and system file required by each program? For a program like Adobe Premiere or Microsoft Office, that's a few hundred separate hashes for each program that have to be fed through software restriction. Is it smart enough to just pick up the exe that's allowed, like WinWord.exe for Microsoft Word, realize Word is allowed, and use all features of Word? Or is there a better way that my mind is too busy to think of?
Thanks!
I used to use software restriction policies. It is a major headache to set up; you need to allow all exes for each app. It does work well though. The only reason I don't use it now is because I recreated the pupil policy from scratch and never got around to putting the very lengthy list of apps back on.

Software restriction policies in Group Policy will do this, but as mentioned it is tricky to set up.
We allow all EXEs in the c:\program files and c:\windows directories, as well as a few others that were installed elsewhere. We disallowed everywhere else. It took a while to get the correct list of allowed applications and directories, but once it was set up, it worked a treat.
Mike.
I know this is an old thread, but I'm just in the 'thinking' stage about switching from banning certain exes to a blanket ban and then whitelisting what I want to run.
Am I right that if I set up a policy and then remove all extensions from the 'Default Designated File Types' policy except .exe, then that's all that will be banned, and I can add more in as necessary?
Cheers.

It's far easier to work on a deny policy rather than an allow policy. Think about it, as the probability is you'll need to deny a few applications only.
As for alternative browsers, it would be more appropriate to block www.mozilla.org for example using your filtering software.
Unfortunately deny doesn't work on USB drives if the exe is more than three or four folders deep. The students are bringing in TOR programs on USB drives and it's getting around all filters. Currently our students are going through our Smoothwall and the ISP's Netsweeper software, and they can still get on anything with the TOR program.
If I blanket allow the C:\Program Files path, the Windows path and the Netlogon folders, that should be all of the places students need to run exes from.
Actually it's the opposite. It's much easier to allow applications; as long as users aren't administrators, applications will be installed in the normal locations. There are default rules in the allow list that cover the Windows folders and Program Files. We have a handful of additions to the list.
%AllUsersProfile%\Desktop\ Path Unrestricted
%AllUsersProfile%\Start Menu\ Path Unrestricted
%AppData% Path Unrestricted
%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot% Path Unrestricted
%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir% Path Unrestricted
%SystemRoot%\System32\nvcplui.exe Path Disallowed
%SystemRoot%\System32\runas.exe Path Disallowed
%UserProfile%\Desktop\ Path Unrestricted
%UserProfile%\Local Settings\Temp\ Path Disallowed
%UserProfile%\Start Menu\ Path Unrestricted
*.mdb Path Unrestricted
Apart from these we have a few additions for application shares etc. The desktop rule looks like it's allowing students to run exe files from there, but the desktop is redirected to their home folder on a server that blocks exe files.
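An added example (my own script, not something posted by the thread's members) for checking a rule list like the one above against what a station has actually received: it reads the SRP settings and path rules from the registry key that a computer GPO writes to. It assumes SRP is delivered by a computer policy (the HKLM key below); a user-scoped policy lives under HKCU instead. The `UserWritable` column is a heuristic I added to flag Unrestricted rules on locations students can write to, which is exactly the case the desktop-redirection comment above is about.

```powershell
# Added example, not from the thread: dump the SRP settings and path rules that
# Group Policy has written to the local station, so the allow list above can be
# checked against what is actually applied. Assumes SRP comes from a computer
# GPO (the HKLM policy key below); user-scoped SRP lives under HKCU instead.

$saferRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

# SRP stores rules under a subkey named after the security level number.
$levelNames = @{ 0 = 'Disallowed'; 131072 = 'Basic User'; 262144 = 'Unrestricted' }

function Get-SrpConfiguration {
    if (-not (Test-Path $saferRoot)) { throw "No SRP policy found at $saferRoot" }
    $root = Get-ItemProperty -Path $saferRoot
    [pscustomobject]@{
        DefaultLevel       = $levelNames[[int]$root.DefaultLevel]
        # 1 = all software except DLLs, 2 = DLLs too
        TransparentEnabled = $root.TransparentEnabled
        # 0 = all users, 1 = all users except local administrators
        PolicyScope        = $root.PolicyScope
        # the 'Designated File Types' list discussed earlier in the thread
        ExecutableTypes    = ($root.ExecutableTypes -join ', ')
    }
}

function Get-SrpPathRules {
    foreach ($level in $levelNames.Keys) {
        $pathKey = Join-Path $saferRoot "$level\Paths"
        if (-not (Test-Path $pathKey)) { continue }
        # one GUID-named subkey per rule; ItemData holds the path pattern
        foreach ($ruleKey in Get-ChildItem -Path $pathKey) {
            $rule = Get-ItemProperty -Path $ruleKey.PSPath
            [pscustomobject]@{
                Level        = $levelNames[$level]
                Path         = $rule.ItemData
                Description  = $rule.Description
                # heuristic flag (my assumption, not an SRP attribute): an
                # Unrestricted rule on a user-writable location is the kind
                # that lets students run what they bring in
                UserWritable = [bool]($rule.ItemData -match '%(UserProfile|AppData|AllUsersProfile|Temp)%')
            }
        }
    }
}

Get-SrpConfiguration | Format-List
Get-SrpPathRules | Sort-Object Level, Path | Format-Table -AutoSize
```

Run it on a station after `gpupdate /force`; the `ExecutableTypes` line shows what the 'Designated File Types' edit earlier in the thread actually left in place, and any rule flagged `UserWritable` with level Unrestricted deserves the same kind of server-side backstop the desktop redirection above provides.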

Although I would agree with your theory, in practice I've never found it to be the case. Schools always insist on using older applications which do not always adhere to modern standards!
I notice that when an exe is restricted, it is logged in the local station's event log. Do you have any way of collecting these events or logging them in the server event log, or will I have to look into a WMI script?
Do you also need to allow Netlogon shares for logon scripts?
Last edited by cookie_monster; 27th November 2009 at 01:47 PM.
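On collecting those station events: here is an added example (mine, not from anyone in the thread) that pulls the SRP entries from a list of stations into one CSV, instead of visiting each event viewer. SRP logs to the Application log under the source `SoftwareRestrictionPolicies` with event IDs 865 to 868. The station names are placeholders, and it assumes the account running it can read event logs remotely on those stations.

```powershell
# Added example, not from the thread: gather SRP enforcement events from a set
# of stations into a CSV. Station names are placeholders; assumes the account
# running this can read the remote Application log (classic event log RPC).

$stations = @('LAB01-PC01', 'LAB01-PC02')          # placeholder names
$since    = (Get-Date).AddDays(-1)
$outFile  = Join-Path $env:USERPROFILE 'srp-blocks.csv'

# SRP writes to the Application log with source SoftwareRestrictionPolicies.
# 865 = blocked by the default level, 866 = by a path rule,
# 867 = by a certificate rule, 868 = by a zone rule.
$srpEventIds = 865, 866, 867, 868

$results = foreach ($station in $stations) {
    try {
        Get-EventLog -ComputerName $station -LogName Application `
                     -Source 'SoftwareRestrictionPolicies' -After $since -ErrorAction Stop |
            Where-Object { $srpEventIds -contains $_.EventID } |
            ForEach-Object {
                [pscustomobject]@{
                    Station = $station
                    Time    = $_.TimeGenerated
                    User    = $_.UserName
                    EventId = $_.EventID
                    # the first line of the message names the blocked file
                    Message = ($_.Message -split "`r?`n")[0]
                }
            }
    } catch {
        # an unreachable station should not stop the sweep
        Write-Warning "$station : $($_.Exception.Message)"
    }
}

$results | Export-Csv -Path $outFile -NoTypeInformation

# which blocked files come up most often: the candidates for a new allow rule,
# or for a word with the student concerned
$results | Group-Object Message | Sort-Object Count -Descending |
    Select-Object Count, Name -First 20
```

`Get-EventLog` is the Windows PowerShell cmdlet and works against older stations; on PowerShell 7 it is gone, and `Get-WinEvent -ComputerName <station> -FilterHashtable @{LogName='Application'; ProviderName='SoftwareRestrictionPolicies'}` is the equivalent. Scheduling this on the server gives you the central log you asked about without writing a WMI script.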
Should that be \\domain.name\*, or are any wildcards required?
Also I'm having trouble getting a path rule to work that will allow a drive letter. I'd like to allow exes on the S:\ drive in any folder; is that possible?
Thanks.
EDIT
I think I've sorted that now. It wouldn't let me ban a mapped network drive; I could allow a local drive letter like I:\ for a pen drive though. When I allow the UNC path rather than a mapped drive letter, it seems to be OK.
Last edited by cookie_monster; 27th November 2009 at 03:30 PM.
We deny here, only allowing apps to be run from our apps server and c:/program files
So a wildcard on a path rule is only used if you want to restrict certain files and folders within that path; if it is used without the wildcard, the whole path with everything in it will run OK.
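To make the folder-versus-wildcard behaviour concrete, here is an added example (my own, not code from anyone in the thread): a small evaluator that takes the rule list posted earlier, plus one placeholder UNC share, and reports which rule would decide each of a few constructed file paths. It follows Microsoft's documented precedence for path rules, where the most specific match wins in the order exact file, then `Folder\*.ext`, then `*.ext`, then deeper folders over shallower ones. The environment variable values are made up so it runs anywhere, and the tie-break toward the more restrictive level is my assumption. It models rule selection only; it is not the SRP engine and ignores hash, certificate and zone rules.

```powershell
# Added example, not from the thread: which SRP path rule decides a given file,
# under the documented precedence (exact file > Folder\*.ext > *.ext > deeper
# folder > shallower folder). Rules are the list posted earlier plus a
# placeholder UNC share; %...% values and sample files are constructed.

$defaultLevel = 'Disallowed'                                # whitelist mode
$levelRank    = @{ 'Disallowed' = 0; 'Basic User' = 1; 'Unrestricted' = 2 }

# Constructed values for the %...% tokens; a real station expands environment
# variables and registry paths itself.
$vars = @{
    'AllUsersProfile' = 'C:\Documents and Settings\All Users'
    'AppData'         = 'C:\Documents and Settings\jbloggs\Application Data'
    'SystemRoot'      = 'C:\WINDOWS'
    'UserProfile'     = 'C:\Documents and Settings\jbloggs'
    'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot'   = 'C:\WINDOWS'
    'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir' = 'C:\Program Files'
}

$rules = @(
    @{ Path = '%AllUsersProfile%\Desktop\';         Level = 'Unrestricted' }
    @{ Path = '%AllUsersProfile%\Start Menu\';      Level = 'Unrestricted' }
    @{ Path = '%AppData%';                          Level = 'Unrestricted' }
    @{ Path = '%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%';   Level = 'Unrestricted' }
    @{ Path = '%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir%'; Level = 'Unrestricted' }
    @{ Path = '%SystemRoot%\System32\nvcplui.exe';  Level = 'Disallowed' }
    @{ Path = '%SystemRoot%\System32\runas.exe';    Level = 'Disallowed' }
    @{ Path = '%UserProfile%\Desktop\';             Level = 'Unrestricted' }
    @{ Path = '%UserProfile%\Local Settings\Temp\'; Level = 'Disallowed' }
    @{ Path = '%UserProfile%\Start Menu\';          Level = 'Unrestricted' }
    @{ Path = '*.mdb';                              Level = 'Unrestricted' }
    @{ Path = '\\fileserver\apps\';                 Level = 'Unrestricted' }   # placeholder UNC share
)

function Expand-RulePath([string]$p) {
    foreach ($kv in $vars.GetEnumerator()) {
        $p = $p -replace [regex]::Escape("%$($kv.Key)%"), $kv.Value
    }
    $p
}

function Test-RuleMatch([string]$expanded, [string]$candidate) {
    if ($expanded -match '[*?]') {
        # wildcard rule: * spans folders, so *.mdb matches a .mdb anywhere
        $rx = '^' + [regex]::Escape($expanded).Replace('\*', '.*').Replace('\?', '.') + '$'
        return $candidate -match $rx
    }
    # plain rule: the path itself and everything beneath it
    $folder = $expanded.TrimEnd('\')
    return ($candidate -ieq $folder) -or $candidate.StartsWith($folder + '\', 'OrdinalIgnoreCase')
}

function Get-Specificity([string]$expanded, [string]$candidate) {
    if ($expanded -notmatch '[*?]') {
        if ($expanded.TrimEnd('\') -ieq $candidate) { return 500 }     # exact file
        return 100 + ($expanded.TrimEnd('\') -split '\\').Count       # deeper folder wins
    }
    if ($expanded -match '\\') { return 400 }                          # Folder\*.ext
    return 300                                                         # *.ext
}

function Resolve-SrpPath([string]$candidate) {
    $matched = foreach ($r in $rules) {
        $expanded = Expand-RulePath $r.Path
        if (Test-RuleMatch $expanded $candidate) {
            [pscustomobject]@{ Rule = $r.Path; Level = $r.Level
                               Specificity = Get-Specificity $expanded $candidate }
        }
    }
    if (-not $matched) {
        return [pscustomobject]@{ File = $candidate; Level = $defaultLevel; DecidedBy = '(default level)' }
    }
    # most specific wins; on a tie, assume the more restrictive level wins
    $winner = $matched | Sort-Object @{ Expression = 'Specificity'; Descending = $true },
                                     @{ Expression = { $levelRank[$_.Level] }; Descending = $false } |
              Select-Object -First 1
    [pscustomobject]@{ File = $candidate; Level = $winner.Level; DecidedBy = $winner.Rule }
}

$samples = @(
    'C:\Documents and Settings\jbloggs\Local Settings\Temp\setup.exe'
    'C:\Documents and Settings\jbloggs\Local Settings\Temp\notes.mdb'
    'C:\WINDOWS\System32\runas.exe'
    'C:\WINDOWS\System32\notepad.exe'
    '\\fileserver\apps\Office\WinWord.exe'
    'E:\portable\browser.exe'
)
$samples | ForEach-Object { Resolve-SrpPath $_ } | Format-Table -AutoSize
```

The output shows the two points made in the thread: the plain folder rules allow or deny everything beneath them (Temp is denied, the UNC share is allowed, the unlisted E:\ file falls to the Disallowed default), while the `*.mdb` wildcard rule outranks a folder rule, so a .mdb dropped in the denied Temp folder still comes out Unrestricted. That is worth knowing before adding a broad `*.ext` allow rule to a whitelist policy.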