Windows Server 2000/2003 Thread, Software Restriction Policies (SRS) in Technical
-
2nd February 2012, 02:39 PM #1
Software Restriction Policies (SRS)
I am having a problem with Software Restriction Policies not applying. I want to stop .exe, .zip running from students mapped home folder. (H
I have tried adding environment variables and drive letter into "Additional Rules" with no success. I have enabled SRS Logging on a client and whilst logged in as a student and I run an exe or zip from the home folder it just runs with no restriction and is not logged either!?
Anyone have any ideas. My settings are below...
User Configuration > Windows Settings > Security Settings > Software Restriction Policies > Additional Rules
%homepath%\*.exe
%homepath%\*.zip
H:\*.exe
H:\*.zip
%HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Personal%*
User Configuration > Windows Settings > Security Settings > Software Restriction Policies > Designated File Types
zip
exe
User Configuration > Windows Settings > Security Settings > Software Restriction Policies > Security Levels
Unrestricted - default
-
-
2nd February 2012, 02:49 PM #2
We have something similar set for our USB/external disks mapped to V:,W: or X: drive via USBDLM and it seems to work well. Could it be something with the homepath that it doesn't like.
Something that doesn't answer your query but could be another approach to dealing with this is applying file screening management on your file server where the homefolders are located. This is a file services role on Server 2008 (and I think 2003). You can use it to block certain file types e.g. EXE, VBS from being saved in their folder.
Hope this helps!
-
-
2nd February 2012, 03:00 PM #3
Hi Birchy
File screening management started in Server 2003 R2 so that's a no go.
I was just looking at USBDLM for the blocking exes etc on USB drives but I really want to stop them from running from home folders also.
Probably is something to do with the homepath but other than the drive mapping and that variable I can't think of anything else to use
-
-
2nd February 2012, 03:26 PM #4
Got it working for .exe using the below. Just can't get it working for zips, still able to open them even if they are defined. I want to stop students playing games from within zip files. Any ideas?
\\server\store\10Intake\%username%\home\*.exe
\\server\store\10Intake\%username%\home\*\*.exe
\\server\store\10Intake\%username%\home\*\*\*.exe
or

Originally Posted by rhyds:
I think you can use the %homeshare%%homepath% variables to specify mydocs, but I'm not sure of the syntax.
Last edited by purkle_turkle; 2nd February 2012 at 03:49 PM.
-
-
2nd February 2012, 04:57 PM #5
Have you tried putting .zip into the 'designated file types' list within the software restriction policy?
-
-
2nd February 2012, 05:10 PM #6

Originally Posted by Ricko:
Have you tried putting .zip into the 'designated file types' list within the software restriction policy?
Yes it's defined in 'designated file types' but the zip can still be opened in windows explorer?
-
-
2nd February 2012, 05:23 PM #7
Originally Posted by purkle_turkle:
Yes it's defined in 'designated file types' but the zip can still be opened in windows explorer?
Install 7-zip on a client. (7zip.org). Set it as the default handler for zip files.
Does the zip file get blocked then?
I suspect it's down to the way explorer is treating the zip file as a folder.
(we just block via server-side filters)
-
-
2nd February 2012, 05:59 PM #8

Originally Posted by pete:
Install 7-zip on a client. (7zip.org). Set it as the default handler for zip files.
Does the zip file get blocked then?
I suspect it's down to the way explorer is treating the zip file as a folder.
(we just block via server-side filters)
Brilliant, I have 7zip installed on the clients so I should just be able to change the association in the registry. I will try and let you know, thanks Pete
-
-
3rd February 2012, 11:17 AM #9
The reason you were unable to block executables from running within a zip file is because Windows extracts the executable to the user's temporary folder then executes it there. A path rule to disallow %Userprofiles%\Local Settings\temp should do it.
-
-
3rd February 2012, 02:40 PM #10
Hi Pete
Set 7Zip in file associations - still opens 7Zip FM. I don't understand why!? .zip is definitely defined in 'designated file types'
meastaugh1 - Hi thanks yes I saw this posted elsewhere and watched it happening from my client. I was a bit concerned it would break some programs from working?
-
-
3rd February 2012, 02:53 PM #11
Originally Posted by purkle_turkle:
Hi Pete
Set 7Zip in file associations - still opens 7Zip FM. I don't understand why!? .zip is definitely defined in 'designated file types'
Perhaps it's not being blocked because a zip file is opened rather than executed?
meastaugh1 - Hi thanks yes I saw this posted elsewhere and watched it happening from my client. I was a bit concerned it would break some programs from working?
In my experience, there may be one or two poorly thought out mini-applications that self-extract to the user's temp folder and then execute from there. You will be able to add explicit hash rules to allow these executables to run.
-
Thanks to meastaugh1 from:
purkle_turkle (3rd February 2012)
-
3rd February 2012, 03:11 PM #12
%USERPROFILE%\Local Settings\temp worked a treat thanks meastaugh1
-
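The concern raised in the thread, that a Disallowed path rule on the temp folder might stop legitimate programs, can be checked from the SRP log before the rule is enforced. The following is an added example, not part of any post: it assumes the line shape written by SRP advanced logging, uses constructed sample lines, and its function names are illustrative.

```python
import re
from collections import Counter

# Assumed line shape of the SRP advanced log (the file named by the LogFileName
# value under HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers).
LINE_RE = re.compile(
    r"^(?P<parent>.+?) \(PID = (?P<pid>\d+)\) identified (?P<path>.+?) "
    r"as (?P<level>\w+) using (?P<rule>.+? rule), "
    r"Guid = (?P<guid>\{[0-9a-fA-F-]+\})\s*$"
)

# XP/2003 temp folder in long form and in 8.3 short form (assumption: logs may
# record either spelling, so both are matched case-insensitively).
TEMP_MARKERS = ("\\local settings\\temp\\", "\\locals~1\\temp\\")

# Constructed sample lines, not taken from a real system.
SAMPLE_LOG = r"""explorer.exe (PID = 1204) identified C:\Documents and Settings\student1\Local Settings\Temp\Temporary Directory 1 for games.zip\game.exe as Unrestricted using default rule, Guid = {11111111-2222-3333-4444-555555555555}
explorer.exe (PID = 1204) identified \\server\store\10Intake\student1\home\game.exe as Disallowed using path rule, Guid = {aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee}
setup.exe (PID = 2210) identified C:\DOCUME~1\student1\LOCALS~1\Temp\is-A1B2C.tmp\helper.exe as Unrestricted using default rule, Guid = {11111111-2222-3333-4444-555555555555}
"""

def parse_line(line):
    """Split one log line into its fields, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def temp_executions(lines):
    """Entries whose target file was launched from a user's temp folder."""
    entries = filter(None, map(parse_line, lines))
    return [e for e in entries
            if any(mark in e["path"].lower() for mark in TEMP_MARKERS)]

def hash_rule_candidates(lines):
    """Files that ran Unrestricted from temp, most frequent first.

    Each one would be blocked by a Disallowed temp path rule, so it is either
    unwanted (a game run from a zip) or needs its own allow rule.
    """
    hits = [e["path"].lower() for e in temp_executions(lines)
            if e["level"] == "Unrestricted"]
    return Counter(hits).most_common()

if __name__ == "__main__":
    for path, count in hash_rule_candidates(SAMPLE_LOG.splitlines()):
        print(f"{count:3d}  {path}")
```

Run against a log collected while the temp rule is not yet enforced, the output lists what would stop working once it is, which is the set to review for explicit hash rules.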