Windows Server 2000/2003 Thread, Software Restriction Policies (SRS) in Technical
  1. #1

    Software Restriction Policies (SRS)

    I am having a problem with Software Restriction Policies not applying. I want to stop .exe, .zip running from students' mapped home folder. (H

    I have tried adding environment variables and the drive letter into "Additional Rules" with no success. I have enabled SRS logging on a client, and whilst logged in as a student, when I run an exe or zip from the home folder it just runs with no restriction and is not logged either!?

    Anyone have any ideas? My settings are below...

    User Configuration > Windows Settings > Security Settings > Software Restriction Policies > Additional Rules

    %homepath%\*.exe
    %homepath%\*.zip
    H:\*.exe
    H:\*.zip
    %HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Personal%*


    User Configuration > Windows Settings > Security Settings > Software Restriction Policies > Designated File Types
    zip
    exe

    User Configuration > Windows Settings > Security Settings > Software Restriction Policies > Security Levels
    Unrestricted - default

  2. #2

    We have something similar set for our USB/external disks mapped to V:, W: or X: drive via USBDLM and it seems to work well. Could it be something with the homepath that it doesn't like?

    Something that doesn't answer your query but could be another approach to dealing with this is applying file screening management on your file server where the homefolders are located. This is a file services role on Server 2008 (and I think 2003). You can use it to block certain file types e.g. EXE, VBS from being saved in their folder.

    Hope this helps!

  3. #3

    Hi Birchy

    File screening management started in Server 2003 R2 so that's a no go.

    I was just looking at USBDLM for blocking exes etc. on USB drives but I really want to stop them from running from home folders also.

    Probably is something to do with the homepath but other than the drive mapping and that variable I can't think of anything else to use.

  4. #4

    Got it working for .exe using the below. Just can't get it working for zips; still able to open them even if they are defined. I want to stop students playing games from within zip files. Any ideas?

    \\server\store\10Intake\%username%\home\*.exe
    \\server\store\10Intake\%username%\home\*\*.exe
    \\server\store\10Intake\%username%\home\*\*\*.exe

    or

    Quote Originally Posted by rhyds View Post
    I think you can use the %homeshare%%homepath% variables to specify mydocs, but I'm not sure of the syntax.
    Last edited by purkle_turkle; 2nd February 2012 at 02:49 PM.

  5. #5

    Have you tried putting .zip into the 'designated file types' list within the software restriction policy?

  6. #6

    Quote Originally Posted by Ricko View Post
    Have you tried putting .zip into the 'designated file types' list within the software restriction policy?
    Yes it's defined in 'designated file types' but the zip can still be opened in windows explorer?

  7. #7

    Quote Originally Posted by purkle_turkle View Post
    Yes it's defined in 'designated file types' but the zip can still be opened in windows explorer?
    Install 7-zip on a client. (7zip.org). Set it as the default handler for zip files.

    Does the zip file get blocked then?

    I suspect it's down to the way explorer is treating the zip file as a folder.

    (we just block via server-side filters)

  8. #8

    Quote Originally Posted by pete View Post
    Install 7-zip on a client. (7zip.org). Set it as the default handler for zip files.

    Does the zip file get blocked then?

    I suspect it's down to the way explorer is treating the zip file as a folder.

    (we just block via server-side filters)
    Brilliant, I have 7zip installed on the clients so I should just be able to change the association in the registry. I will try and let you know, thanks Pete

  9. #9
    meastaugh1
    The reason you were unable to block executables from running within a zip file is because Windows extracts the executable to the user's temporary folder then executes it there. A path rule to disallow %Userprofiles%\Local Settings\temp should do it.

  10. #10

    Hi Pete
    Set 7Zip in file associations - still opens 7Zip FM. I don't understand why!? .zip is definitely defined in 'designated file types'

    meastaugh1 - Hi thanks yes I saw this posted elsewhere and watched it happening from my client. I was a bit concerned it would break some programs from working?

  11. #11
    meastaugh1
    Quote Originally Posted by purkle_turkle View Post
    Hi Pete
    Set 7Zip in file associations - still opens 7Zip FM. I don't understand why!? .zip is definitely defined in 'designated file types'
    Perhaps it's not being blocked because a zip file is opened rather than executed?

    meastaugh1 - Hi thanks yes I saw this posted elsewhere and watched it happening from my client. I was a bit concerned it would break some programs from working?
    In my experience, there may be one or two poorly thought out mini-applications that self-extract to the user's temp folder and then execute from there. You will be able to add explicit hash rules to allow these executables to run.

  12. Thanks to meastaugh1 from:

    purkle_turkle (3rd February 2012)

  13. #12

    %USERPROFILE%\Local Settings\temp worked a treat thanks meastaugh1
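
Added example, not posted by anyone in the thread: PowerShell that lists the SRP path rules Group Policy has written to the registry and reports whether a Disallowed rule covers the current user's temp folder, the rule that resolved the zip case above. It assumes the standard Safer\CodeIdentifiers policy keys; the function name Get-SrpPathRule is hypothetical.

```powershell
# Added example: audit Software Restriction Policy path rules from the registry.
# Assumption: rules live under ...\Safer\CodeIdentifiers\<level>\Paths\{GUID},
# with User Configuration policy in HKCU and Computer Configuration in HKLM.
$Levels = @{ '0' = 'Disallowed'; '131072' = 'Basic User'; '262144' = 'Unrestricted' }
$Roots  = @(
    'HKCU:\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers',
    'HKLM:\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
)
$NoExpand = [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames

function Get-SrpPathRule {   # hypothetical helper name
    foreach ($root in $Roots) {
        if (-not (Test-Path $root)) { continue }
        foreach ($id in $Levels.Keys) {
            $pathsKey = Join-Path $root "$id\Paths"
            if (-not (Test-Path $pathsKey)) { continue }
            foreach ($rule in Get-ChildItem $pathsKey) {
                # Read the rule unexpanded so %USERPROFILE% etc. stay visible.
                $raw = [string]$rule.GetValue('ItemData', '', $NoExpand)
                New-Object PSObject -Property @{
                    Hive     = $root.Substring(0, 4)
                    Level    = $Levels[$id]
                    Rule     = $raw
                    Expanded = [Environment]::ExpandEnvironmentVariables($raw)
                }
            }
        }
    }
}

$rules = @(Get-SrpPathRule)
$rules | Sort-Object Hive, Level | Format-Table Hive, Level, Rule -AutoSize

# Policy-wide settings: default security level and the Designated File Types list.
foreach ($root in $Roots) {
    if (-not (Test-Path $root)) { continue }
    $p = Get-ItemProperty $root
    "{0} DefaultLevel={1} DesignatedTypes={2}" -f $root.Substring(0, 4),
        $p.DefaultLevel, ($p.ExecutableTypes -join ',')
}

# Does any Disallowed rule cover the temp folder that zip contents run from?
# This is a plain wildcard comparison of the expanded rule against $env:TEMP.
$covering = $rules | Where-Object {
    $_.Level -eq 'Disallowed' -and $_.Expanded -and
    $env:TEMP -like ($_.Expanded.TrimEnd('\') + '*')
}
if ($covering) { "Temp folder covered by: " + (($covering | ForEach-Object { $_.Rule }) -join '; ') }
else { "No Disallowed path rule covers $env:TEMP" }
```

Run it in the affected user's session, since User Configuration rules are only present in that user's HKCU hive.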
