+ Post New Thread
Page 1 of 2 12 LastLast
Results 1 to 15 of 23
Windows Server 2000/2003 Thread, Preventing File Extensions through GPO in Technical; Need help with preventing students from running specific file extensions from either USB Drives or there own user area. Would ...
  1. #1

    Join Date
    Oct 2006
    Posts
    146
    Thank Post
    1
    Thanked 13 Times in 7 Posts
    Rep Power
    32

    Preventing File Extensions through GPO

    Need help with preventing students from running specific file extensions from either USB Drives or there own user area. Would ideally like to be able to achieve this through GPO if possible.

    Can Anyone help?

  2. #2
    ricki's Avatar
    Join Date
    Jul 2005
    Location
    uk
    Posts
    1,475
    Thank Post
    20
    Thanked 164 Times in 157 Posts
    Rep Power
    52
    Me too

    Richard

  3. #3
    User3204's Avatar
    Join Date
    Aug 2006
    Location
    Wirral
    Posts
    769
    Thank Post
    55
    Thanked 66 Times in 62 Posts
    Rep Power
    34
    You want "Software Restriction Policy", do a search around edugeek.

    Start here How To Use Software Restriction Policies in Windows Server 2003
    then go here Using Software Restriction Policies to Protect Against Unauthorized Software for more info.

    You can add/remove extra file extensions from the allowed list if necessary, although I'm not sure what this would do to an XLS/DOC file...
    by default, it blocks anything you class as an application, BAT, COM, EXE, VBS, etc, etc, we're at the stage where we're going to stop SWF files too, but they still work when embedded into XLS etc.

  4. #4

    Join Date
    Oct 2006
    Posts
    146
    Thank Post
    1
    Thanked 13 Times in 7 Posts
    Rep Power
    32
    Quote Originally Posted by User3204 View Post
    You want "Software Restriction Policy", do a search around edugeek.

    Start here How To Use Software Restriction Policies in Windows Server 2003
    then go here Using Software Restriction Policies to Protect Against Unauthorized Software for more info.

    You can add/remove extra file extensions from the allowed list if necessary, although I'm not sure what this would do to an XLS/DOC file...
    by default, it blocks anything you class as an application, BAT, COM, EXE, VBS, etc, etc, we're at the stage where we're going to stop SWF files too, but they still work when embedded into XLS etc.
    what we are looking at doing is restricting specific files from a specific drive as we could quite easily block all exe though we would get ourselves into a lot of problems.

  5. #5

    Join Date
    Oct 2006
    Posts
    146
    Thank Post
    1
    Thanked 13 Times in 7 Posts
    Rep Power
    32
    Right, i've managed to get a policy working to lock down the users my documents and prevent file access. Next is them blasted USB Sticks.

    User Configuration > Windows Settings > Security Settings > Software Restriction Policies > Additional Rules

    Create new path to: %HKEY_CURRENT_USER\Software\Microsoft\Windows\Curr entVersion\Explorer\Shell Folders\Personal%*

    Set to disallowed.

    Then anything in:

    User Configuration > Windows Settings > Security Settings > Software Restriction Policies > Designated File Types

    will be disabled.

  6. #6
    AngryITGuy's Avatar
    Join Date
    Oct 2007
    Location
    County Durham
    Posts
    311
    Thank Post
    54
    Thanked 73 Times in 44 Posts
    Rep Power
    30
    For your USB problem, see the following thread for more information, found it useful when I was in the same boat as you.

    We use USBDLM on all workstations here which forces all USB devices to use either drives X, Y or Z. We then have path rules assigned to each of these drives locking down access to innapropriate file types.

  7. #7
    buzzard's Avatar
    Join Date
    May 2006
    Location
    North West
    Posts
    299
    Thank Post
    103
    Thanked 27 Times in 23 Posts
    Rep Power
    24
    Quote Originally Posted by AngryITGuy View Post
    For your USB problem, see the following thread for more information, found it useful when I was in the same boat as you.

    We use USBDLM on all workstations here which forces all USB devices to use either drives X, Y or Z. We then have path rules assigned to each of these drives locking down access to innapropriate file types.
    Beat me to it! I second that solution works great for me

  8. #8
    clarky2k3's Avatar
    Join Date
    Nov 2007
    Location
    Northumberland
    Posts
    318
    Thank Post
    35
    Thanked 47 Times in 39 Posts
    Rep Power
    24
    Yeah USBDLM is the way to go!

  9. #9

    Join Date
    Oct 2006
    Posts
    146
    Thank Post
    1
    Thanked 13 Times in 7 Posts
    Rep Power
    32
    Well i've just added all the drives which could possibly be usb devices to the disallowed list like: "J:\*"

  10. #10

    Join Date
    Oct 2006
    Posts
    146
    Thank Post
    1
    Thanked 13 Times in 7 Posts
    Rep Power
    32
    Success!

    Had a few youngsters come down to the office today...

    Them: "Mr IT man... We got firefox portable on our USB sticks and its stopped working"
    Me: "and?"
    Them: "Can you allow us to use it as IE7 is horrible and we don't like microsoft"
    Me: "Nothing wrong with IE7 and it even supports tabbed browsing so get used to it"
    Them: "But you are using firefox"
    Me: "I don't like IE7 its too slow"

    Kids look confused and walk off in a huff and talk over ways to get around it. (which they wont do but ill let them try for the fun of it)


    Thanks for all the help in getting this damn policy working

  11. #11
    petectid's Avatar
    Join Date
    Jun 2005
    Posts
    298
    Thank Post
    2
    Thanked 15 Times in 13 Posts
    Rep Power
    20
    Quote Originally Posted by flexyjerkov View Post
    Success!

    Had a few youngsters come down to the office today...

    Them: "Mr IT man... We got firefox portable on our USB sticks and its stopped working"
    Me: "and?"
    Them: "Can you allow us to use it as IE7 is horrible and we don't like microsoft"
    Me: "Nothing wrong with IE7 and it even supports tabbed browsing so get used to it"
    Them: "But you are using firefox"
    Me: "I don't like IE7 its too slow"

    Kids look confused and walk off in a huff and talk over ways to get around it. (which they wont do but ill let them try for the fun of it)


    Thanks for all the help in getting this damn policy working
    You could roll out Firefox for all your pupils and lock it down in group policy using the Firefox adm available from SourceForge

  12. #12
    ChrisH's Avatar
    Join Date
    Jun 2005
    Location
    East Lancs
    Posts
    4,998
    Thank Post
    120
    Thanked 280 Times in 258 Posts
    Rep Power
    106
    SRPs also stop these nice viruses that they seem to have on their USB drives. Sophos tends to delete their autorun.inf files as well which is good for a change.

  13. #13
    techie211's Avatar
    Join Date
    Feb 2009
    Posts
    130
    Thank Post
    27
    Thanked 1 Time in 1 Post
    Rep Power
    0
    Quote Originally Posted by AngryITGuy View Post
    For your USB problem, see the following thread for more information, found it useful when I was in the same boat as you.

    We use USBDLM on all workstations here which forces all USB devices to use either drives X, Y or Z. We then have path rules assigned to each of these drives locking down access to innapropriate file types.
    did you push down the .msi? how did you edit the USBDLM.INI? did you unpack the msi first? I want to use the .msi because of the quantity of computers we have but not sure how 'assigning the drive letters' works this way.
    If anyone has any input on this I'd appreciate it.

  14. #14
    DrPerceptron's Avatar
    Join Date
    Dec 2008
    Location
    In a house
    Posts
    917
    Thank Post
    34
    Thanked 134 Times in 114 Posts
    Rep Power
    41
    I don't remember how we went through, just follow the instructions, I tweaked it for something, but I don't remember what or why I did...

    We just push it out using the exe as part of our default startup script

  15. #15

    Join Date
    Dec 2008
    Location
    Plymouth
    Posts
    63
    Thank Post
    6
    Thanked 10 Times in 7 Posts
    Rep Power
    14
    Assign the .MSI to computers, then a day or two later add a few lines to a startup batch script assigned to the computers to copy your edited .INI file into place on all workstations, from your NETLOGON share.

    Take the example .INI file and tweak it to suit your needs - the app has a great deal of documentation to show you how to do this.

SHARE:
+ Post New Thread
Page 1 of 2 12 LastLast

Similar Threads

  1. VBScript, wildcards or file extensions
    By Bobo in forum Windows
    Replies: 4
    Last Post: 25th August 2011, 04:58 PM
  2. extensions
    By tea_and_toast in forum EduGeek Joomla 1.0 Package
    Replies: 5
    Last Post: 8th November 2008, 09:24 PM
  3. Stop file downloads though GPO.
    By boomam in forum Windows
    Replies: 7
    Last Post: 26th February 2008, 05:24 PM
  4. File Extensions
    By Gatt in forum Windows
    Replies: 5
    Last Post: 31st January 2007, 01:29 PM
  5. Deploy the contents of a CAB file through GPO?
    By tosca925 in forum Windows
    Replies: 0
    Last Post: 16th October 2005, 12:46 PM

Thread Information

Users Browsing this Thread

There are currently 1 users browsing this thread. (0 members and 1 guests)

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •