LinkBack URL
About LinkBacksNeed help with preventing students from running specific file extensions from either USB Drives or there own user area. Would ideally like to be able to achieve this through GPO if possible.
Can Anyone help?
Need help with preventing students from running specific file extensions from either USB Drives or there own user area. Would ideally like to be able to achieve this through GPO if possible.
Can Anyone help?
Me too
Richard
You want "Software Restriction Policy", do a search around edugeek.
Start here How To Use Software Restriction Policies in Windows Server 2003
then go here Using Software Restriction Policies to Protect Against Unauthorized Software for more info.
You can add/remove extra file extensions from the allowed list if necessary, although I'm not sure what this would do to an XLS/DOC file...
by default, it blocks anything you class as an application, BAT, COM, EXE, VBS, etc, etc, we're at the stage where we're going to stop SWF files too, but they still work when embedded into XLS etc.
what we are looking at doing is restricting specific files from a specific drive as we could quite easily block all exe though we would get ourselves into a lot of problems.Originally Posted by User3204
Right, i've managed to get a policy working to lock down the users my documents and prevent file access. Next is them blasted USB Sticks.
User Configuration > Windows Settings > Security Settings > Software Restriction Policies > Additional Rules
Create new path to: %HKEY_CURRENT_USER\Software\Microsoft\Windows\Curr entVersion\Explorer\Shell Folders\Personal%*
Set to disallowed.
Then anything in:
User Configuration > Windows Settings > Security Settings > Software Restriction Policies > Designated File Types
will be disabled.
For your USB problem, see the following thread for more information, found it useful when I was in the same boat as you.
We use USBDLM on all workstations here which forces all USB devices to use either drives X, Y or Z. We then have path rules assigned to each of these drives locking down access to innapropriate file types.
Beat me to it! I second that solution works great for me
Yeah USBDLM is the way to go!
Well i've just added all the drives which could possibly be usb devices to the disallowed list like: "J:\*"
Success!
Had a few youngsters come down to the office today...
Them: "Mr IT man... We got firefox portable on our USB sticks and its stopped working"
Me: "and?"
Them: "Can you allow us to use it as IE7 is horrible and we don't like microsoft"
Me: "Nothing wrong with IE7 and it even supports tabbed browsing so get used to it"
Them: "But you are using firefox"
Me: "I don't like IE7 its too slow"
Kids look confused and walk off in a huff and talk over ways to get around it. (which they wont do but ill let them try for the fun of it)
Thanks for all the help in getting this damn policy working
You could roll out Firefox for all your pupils and lock it down in group policy using the Firefox adm available from SourceForge
SRPs also stop these nice viruses that they seem to have on their USB drives. Sophos tends to delete their autorun.inf files as well which is good for a change.
did you push down the .msi? how did you edit the USBDLM.INI? did you unpack the msi first? I want to use the .msi because of the quantity of computers we have but not sure how 'assigning the drive letters' works this way.
If anyone has any input on this I'd appreciate it.
I don't remember how we went through, just follow the instructions, I tweaked it for something, but I don't remember what or why I did...
We just push it out using the exe as part of our default startup script
Assign the .MSI to computers, then a day or two later add a few lines to a startup batch script assigned to the computers to copy your edited .INI file into place on all workstations, from your NETLOGON share.
Take the example .INI file and tweak it to suit your needs - the app has a great deal of documentation to show you how to do this.
There are currently 1 users browsing this thread. (0 members and 1 guests)
Posting Permissions
