Windows Server 2000/2003 Thread, Restricting executables on a mapped drive in Technical
3rd April 2009, 11:11 AM #1
Restricting executables on a mapped drive
I am aware of how to restrict specific executables from being run using group policy but is there a way to blanket block all executables from running on a certain drive?
For example I have users with mapped drive F:\. I don't want them to be able to run any executable files at all from this drive.
Any help would be appreciated,
3rd April 2009, 11:50 AM #2
Hi, it's been a while since I have done this, but I am sure you can specify a new path rule to disallow exe files via group policy. Also, be sure to include shortcuts; if you do not do this, the exe will still run regardless of what your policy says.
3rd April 2009, 12:32 PM #3
Well, the path rule thing was what I was talking about. I've tried using wildcards, for example F:\*.exe, and that doesn't work. Specifying full file names does work, but I want to stop any exe running on the F:\ drive; I don't want to have to keep adding new files as we find them.
1st June 2009, 07:54 AM #4
Hi, 2003 RC2 has file screens that do this, I think!
Originally Posted by speckled
1st June 2009, 08:01 AM #5
Yes, of course. You can do this via a particular GPO.
Say you had a student GPO, which has the logon script to pull down the mapped drives etc. In User Configuration -> Windows Settings -> Security Settings -> Software Restriction Policies. If you haven't already, create a policy (literally a couple of simple clicks, if I remember?). Then click Additional Rules.
Right Click -> New Path Rule. Then enter a path (say you wanted to block them on the H drive, try H:\*.exe), make sure the security level is "Disallowed", click OK and head out of the GPO editor window.
I hope that's right, lol!
2nd June 2009, 08:38 AM #6
You need to install File Server Resource Manager on your Windows 2003 R2 / Windows 2008 box. There you can configure file screening.
2nd June 2009, 09:53 AM #7
Originally Posted by richardharris
Can this be applied on any USB drive?
2nd June 2009, 10:03 AM #8
Yes, it sure can, if you use a program like USB Drive Letter Manager. This ensures that USB sticks always go on the same drive letter, and you can therefore specify them as disallow. Best way though is to use disallow overall, with specific allows. You need to do your homework on anything that requires write access first before changing this main setting. I sense a blog post coming up.....! It might be on the WIKI already though, so worth taking a look there.
2nd June 2009, 04:36 PM #9
I did this through the group policy software restrictions.
Basically set the Software Restriction Policies/Security Levels
Default Security Level Disallowed
so that all exes and things like VBS are disabled.
And then under
Software Restriction Policies/Additional Rules
set up rules that allow things through:
c:\Program files (x86)
Security Level Unrestricted
Also include all your logon server shares etc. (so that VBS and CMD scripts can run)
the windows directory!
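
To check what the policies discussed in this thread actually resolve to on a client, the following PowerShell report is an added example and not part of any post above. It only reads the registry, and it assumes the standard Software Restriction Policies location under `Safer\CodeIdentifiers` for both the computer and the current user; the function name is hypothetical.

```powershell
# Added example (not from the thread): read-only report of the Software
# Restriction Policies currently applied to this machine and this user.
# Assumption: standard SRP registry layout under ...\Safer\CodeIdentifiers,
# with path rules stored per level (0 = Disallowed, 262144 = Unrestricted).
$LevelNames = @{ 0 = 'Disallowed'; 262144 = 'Unrestricted' }
$PolicyRoots = @(
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers',
    'HKCU:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
)

# Hypothetical helper: turn a DefaultLevel DWORD into a readable name.
function Get-SrpLevelName([object]$Value) {
    if ($null -eq $Value) { return 'not set' }
    $n = [int]$Value
    if ($LevelNames.ContainsKey($n)) { $LevelNames[$n] } else { "other ($n)" }
}

foreach ($root in $PolicyRoots) {
    if (-not (Test-Path -Path $root)) {
        Write-Output ("{0}: no SRP policy applied" -f $root)
        continue
    }
    $cfg = Get-ItemProperty -Path $root
    Write-Output $root
    Write-Output ("  Default level : {0}" -f (Get-SrpLevelName $cfg.DefaultLevel))

    # SRP applies to shortcuts only while LNK is in the designated file types.
    $lnk = @($cfg.ExecutableTypes) -contains 'LNK'
    Write-Output ("  LNK designated: {0}" -f $lnk)

    foreach ($level in $LevelNames.Keys) {
        $pathsKey = "$root\$level\Paths"
        if (-not (Test-Path -Path $pathsKey)) { continue }
        foreach ($rule in Get-ChildItem -Path $pathsKey) {
            $target = $rule.GetValue('ItemData')
            Write-Output ("  {0,-12} {1}" -f $LevelNames[$level], $target)
            # Flag allow rules that cover a whole drive, for manual review.
            if ($level -ne 0 -and $target -match '^[A-Za-z]:\\?$') {
                Write-Output '    review: whole drive is Unrestricted'
            }
        }
    }
}
```

Run it in the affected user's session after `gpupdate` so the HKCU half reflects the user-side GPO described in post #5.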