  1. #1

    Blocking 2008 R2 .bat files .cmd

    Hi All,

    Just looking for a bit of advice please. I'm trying to set a group policy to stop students writing .bat files etc.

    When I add in c: to the additional rules it stops them launching .exe files?

    Any ideas, please?


    Thanks

  2. #2

    We block everything then add exceptions to the correct locations, such as program files etc.

  3. #3

    The problem I have is students create files on the desktop or wherever they can, then just rename to .bat.

    If I have added c: as an exception but then it blocks .exes from launching from the desktop or Quick Launch etc.

    Could you please provide me with some examples?

  4. #4
    Sheridan

    Software Restriction Policies - default block and then whitelist common paths (c:\program files etc) and make sure they can't browse the C:\ drive to add files into that area.

    We whitelisted local installed programs and also networked applications which run on a mapped drive (so you only need to whitelist H:\ or similar)

  5. #5

    Originally posted by Sheridan:
    Software Restriction Policies - default block and then whitelist common paths (c:\program files etc) and make sure they can't browse the C:\ drive to add files into that area.

    We whitelisted local installed programs and also networked applications which run on a mapped drive (so you only need to whitelist H:\ or similar)

    Thanks

    I thought this, but unless I add C: to the path then .bat files can still be run from the desktop?

    Which then stops .exes etc running?

  6. #6
    Sheridan

    If your default is to block then you only specify where files can be run from, so desktop etc will result in a block. We've found this useful in blocking viruses as well, as they tend to try and execute from the user's temp folder.

    Of course it takes a bit of work to take the whitelisting approach but we've found it very effective. You can also use group policy to make the desktop read only so nothing can be created there!

    It causes the occasional problem with applications that run executables all over the shop but you just have to find what's being run and add it to the SRP whitelist.

    You will need to work out what needs to be whitelisted (including login scripts!) and then users can literally only run pre-approved applications.
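
Added example, not part of the thread or any poster's code: a simplified Python model of SRP path-rule evaluation that compares a Disallowed rule on C:\ (assumed to be what the original poster configured, with the default level left Unrestricted) against the default-Disallowed allowlist described in the replies. The sample paths, the file-type subset and all names are constructed; hash, certificate and zone rules are left out.

```python
from ntpath import normcase, normpath, splitext

DISALLOWED, UNRESTRICTED = "Disallowed", "Unrestricted"

# Constructed subset of the designated file types; only these are evaluated.
DESIGNATED_TYPES = {".bat", ".cmd", ".exe", ".com", ".msi"}

def _norm(path):
    # Case-insensitive, separator-normalised form without a trailing backslash.
    return normcase(normpath(path)).rstrip("\\")

def evaluate(path, default_level, path_rules):
    """Level applied to `path`: the most specific matching path rule wins,
    otherwise the default level. Non-designated types are never checked."""
    if splitext(path)[1].lower() not in DESIGNATED_TYPES:
        return UNRESTRICTED
    target, best = _norm(path), None
    for directory, level in path_rules:
        d = _norm(directory)
        if target == d or target.startswith(d + "\\"):
            if best is None or len(d) > len(best[0]):
                best = (d, level)
    return best[1] if best else default_level

# Assumed setup from the question: default Unrestricted, C:\ set to Disallowed.
BLOCK_C = dict(default_level=UNRESTRICTED, path_rules=[("C:\\", DISALLOWED)])

# Approach from the replies: default Disallowed, allow known install paths.
ALLOWLIST = dict(default_level=DISALLOWED, path_rules=[
    ("C:\\Program Files", UNRESTRICTED),
    ("C:\\Windows", UNRESTRICTED),
    ("H:\\", UNRESTRICTED),
])

SAMPLES = [  # constructed paths
    r"C:\Users\student\Desktop\notes.txt",
    r"C:\Users\student\Desktop\notes.bat",   # the same file after a rename
    r"C:\Users\student\AppData\Local\Temp\setup.exe",
    r"C:\Program Files\Office\winword.exe",
    r"H:\Apps\maths\run.cmd",
]

def report(policy):
    return {p: evaluate(p, **policy) for p in SAMPLES}

if __name__ == "__main__":
    for name, policy in (("block C:", BLOCK_C), ("allowlist", ALLOWLIST)):
        print(name)
        for p, level in report(policy).items():
            print(f"  {level:12} {p}")
```

The allowlist only holds if students cannot write to any allowed directory, which is why the replies pair it with restricting access to the C:\ drive.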
