  1. #1


    Software restriction policy problem

    Hi,

    I have some software restriction policies set up to prevent our students running executables from pen drives, their home areas etc, and it is working well so far. This policy is set as part of a GPO at the top of our Pupil OU; we have several OUs underneath for different students in year groups etc. I have done this by adding in %HOMESHARE% as a path rule on the software restriction policy for students. This policy is not enforced, and does not have "no override" in its config.

    As part of our Y13's ICT lessons, I have set up a sub-OU of the Y13 cohort OU, called VB Users.

    These users are using Visual Studio, and unfortunately they need to run exe files from the following directory:

    H:\Documents\Visual Studio 2010\Projects\....

    If I add in either

    %HOMESHARE%
    %HOMESHARE%\*.*
    %HOMESHARE%\*.exe
    %HOMESHARE%\Documents\Visual Studio 2010\Projects\
    %HOMESHARE%\Documents\Visual Studio 2010\Projects\*.exe
    %HOMESHARE%\Documents\Visual Studio 2010\Projects\*.*
    H:\Documents\Visual Studio 2010\Projects\
    H:\Documents\Visual Studio 2010\Projects\*.*
    H:\Documents\Visual Studio 2010\Projects\*.exe

    to a GPO in the sub-OU, all as unrestricted, the programs are still blocked in Visual Studio by the previous GPO, higher up the tree!

    Some help as to where I am going wrong would be good please!

    Thanks,
    _techie_

  2. #2

    ZeroHour
    Does a GPMC report give any errors/clues?
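
Added example, not part of the original thread: a PowerShell check that lists the SRP path rules present on the workstation after all GPOs have merged and shows which of them match a given file. The registry key is where SRP policy is delivered; the ordering used here (longest rule first, Disallowed ahead of Unrestricted on a tie), the wildcard matching and the sample path tail are simplifying assumptions.

```powershell
# Added example (not from the thread). Run as the affected user so that
# user variables such as %HOMESHARE% expand the way they do for that user.
$LevelName = @{ 0 = 'Disallowed'; 131072 = 'Basic User'; 262144 = 'Unrestricted' }
$SaferKey  = 'SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

function Get-SrpPathRule {
    # Path rules delivered by computer (HKLM) and user (HKCU) policy.
    foreach ($hive in 'HKLM', 'HKCU') {
        if (-not (Test-Path "${hive}:\$SaferKey")) { continue }
        foreach ($levelKey in Get-ChildItem "${hive}:\$SaferKey") {
            # Level subkeys are numeric: 0 = Disallowed, 262144 = Unrestricted.
            if ($levelKey.PSChildName -notmatch '^\d+$') { continue }
            $pathsKey = $levelKey.OpenSubKey('Paths')
            if ($null -eq $pathsKey) { continue }
            foreach ($guid in $pathsKey.GetSubKeyNames()) {
                # GetValue expands REG_EXPAND_SZ with this process's environment.
                $rule = [string]$pathsKey.OpenSubKey($guid).GetValue('ItemData')
                New-Object PSObject -Property @{
                    Scope = $hive
                    Level = [int]$levelKey.PSChildName
                    Rule  = $rule
                    Guid  = $guid
                }
            }
        }
    }
}

function Test-SrpPath {
    param([Parameter(Mandatory = $true)][string]$File)
    # String match only: a rule that expands to a UNC path will not match an
    # H:\ form of the same file here. Assumption: -like lets * cross folder
    # boundaries, which may differ from SRP's own matcher.
    $hits = Get-SrpPathRule | Where-Object {
        $r = $_.Rule.TrimEnd('\')
        $r -and ($File -like $r -or $File -like "$r\*")
    }
    # Simplified precedence: longest rule first, most restrictive on a tie.
    $hits | Sort-Object @{ Expression = { $_.Rule.Length }; Descending = $true },
                        @{ Expression = 'Level'; Descending = $false } |
        Select-Object Scope, @{ Name = 'Level'; Expression = { $LevelName[$_.Level] } }, Rule, Guid
}

# Constructed sample path under the Projects folder named in the first post:
Test-SrpPath 'H:\Documents\Visual Studio 2010\Projects\Demo\bin\Debug\Demo.exe'
```

The first row returned is the rule this simplified model expects to decide the outcome; the Guid column identifies the rule's registry subkey so it can be traced back to the GPO that delivered it.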

  3. #3

    Well I just added in all those entries into the software restriction policy at the same time and now it works! Will refine it a bit more Monday lol!!

  4. #4

    Quote, originally posted by _techie_:
    Well I just added in all those entries into the software restriction policy at the same time and now it works! Will refine it a bit more Monday lol!!
    We use AppLocker here as we use Windows 7 workstations. We used to use SRP but found it very difficult to get exactly what you want. AppLocker takes some setting up but it's very powerful. Just create a security group, add the users and allow

    We also use FSRM on our file servers that blocks the files you don't want in user areas based on the extension. You also have it alert you when someone tries to put files like exe in their areas.

    For those users you wish to allow, and just create the exception

  5. #5

    Hi All

    I've been looking at our security recently and I'm also finding that SRP doesn't do what it's supposed to, particularly with Path Rules. According to Microsoft it's meant to apply the path rule to any files in the folder and all subfolders but it doesn't seem to apply to subfolders at all. So, for instance - if exe's are disallowed by the SRP as a path rule for %HOMESHARE% all they need to do is copy the exe to another folder and it runs! I got around this by creating a file screen rule using File Server Resource Manager and stopped them from being able to copy exe's (and all sorts of others) within their HOMESHARE folders. However, I can't stop them from doing this on their flash pens. I can't see a way of setting up a rule in FSRM to screen files on flash pens because it uses paths that are local to the server (possibly %REMOVABLE% will work??)

    I had a look at AppLocker but for some reason the rules are not applying correctly. Even when I create a specific hash rule to test it, it doesn't seem to apply. I look at the GP Results for this Policy and it is in the list of "Applied GPO's". I have a feeling that there may be a contradictory rule in place cancelling out this one.

    Can anyone help me on this please?

    Thanks in advance

    Aled

  6. #6
    ADMaster
    I set up SRP earlier in the year and set the default to disallow. Then set allow rules for key software locations such as:
    Windows
    windows system32
    Program files
    Program files x86
    I think HKLM software … run was in there too, I’d have to look at the policy to be sure.
    I had to add a few other exceptions for programs that didn’t install in the default location.
    Students should not be able to write to any of these locations so the only software that can run must be installed properly. This prevents them from running anything from removable drives, their desktops, portable apps, etc.

    Good luck.


