Blocking ALL Executables in Students Home Directory
Hi!
I am trying to block all EXE files in students' home directories, using Group Policy Software Restriction Policies, but am struggling at the moment!
It is not dependent on a specific application; I just want blanket coverage for all EXEs. It would be ideal to block EXEs from pen drives as well. I have looked at USBDLM, but have come up against the software restriction policy again!
Re: Blocking ALL Executables in Students Home Directory
You cannot do a blanket block of EXEs using GPO; you need to be specific.
If you are on Windows Server 2003 R2, it has file restrictions built in; if not, you will need to use free tools with which you can sweep the home dirs in a reactive manner, or buy some software to control the home dirs in a proactive manner.
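One way to do the reactive sweep of home directories mentioned in this reply, as an added example that is not part of the thread or of any tool named in it. It reports files by extension and also by PE header, so a program renamed to another extension is still found; the extension list, the function names and the sample tree are assumptions constructed for illustration.

```python
import os
import struct
import tempfile

BLOCKED_EXTENSIONS = {".exe", ".com", ".scr", ".bat", ".cmd", ".msi"}  # assumed policy list

def is_pe_file(path):
    """True if the file has an MZ header whose e_lfanew field points at 'PE\\0\\0'."""
    try:
        with open(path, "rb") as fh:
            header = fh.read(64)
            if len(header) < 64 or header[:2] != b"MZ":
                return False
            (pe_offset,) = struct.unpack_from("<I", header, 0x3C)
            fh.seek(pe_offset)
            return fh.read(4) == b"PE\x00\x00"
    except OSError:
        return False  # unreadable file: skip it rather than abort the sweep

def sweep_home_dirs(root):
    """Return sorted (relative path, reason) pairs for every finding under root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.splitext(name)[1].lower() in BLOCKED_EXTENSIONS:
                reason = "blocked extension"
            elif is_pe_file(full):
                reason = "PE header under another extension"
            else:
                continue
            findings.append((os.path.relpath(full, root).replace(os.sep, "/"), reason))
    return sorted(findings)

def demo():  # runs the sweep over a constructed tree of harmless placeholder files
    stub = b"MZ" + b"\x00" * 58 + struct.pack("<I", 64) + b"PE\x00\x00"
    samples = {
        "student1/essay.doc": b"plain coursework text",
        "student1/game.exe": stub,
        "student2/holiday.jpg": stub,  # program renamed to get past an extension filter
        "student2/notes.txt": b"MZ starts this text but no PE header follows",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, data in samples.items():
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(data)
        return sweep_home_dirs(root)
```

Point `sweep_home_dirs` at the share that holds the home folders and run it on a schedule; script files and old DOS programs have no PE header, so they are caught only through the extension list.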
Re: Blocking ALL Executables in Students Home Directory
I am using R2's file screening for home directories and software restriction policies for USB drives. I have found that you can only define scripts and programs using SRP, though, and not ban stuff like MP3s etc., which would have been nice.
Re: Blocking ALL Executables in Students Home Directory
If you've converted any of your fileservers over to *nix/samba you can use the 'veto files' and 'delete veto files' share level configuration options to block file types based on extension.
Re: Blocking ALL Executables in Students Home Directory
I understand the software restriction policies up to a point.
I have managed to block specific programs (such as Media Player and Windows games) using Path Rules. How, and what type of rule, have you used for your USB drives? I thought it would work the same for users' home directories, but so far no luck. All our students use H: for their home directories.
I tried H:\*.exe and H:\..\*.exe but to no avail!!!
Re: Blocking ALL Executables in Students Home Directory
You can switch the SRP security level to "disable everything, allow specified" rather than "allow everything, disable specified". It needs testing to catch and identify things that should be allowed, like login scripts etc.
Re: Blocking ALL Executables in Students Home Directory
markwilliamson2001
The settings I have displayed do 100% exactly that. It is what is set here in my college. USB drives and SD, XD etc. cards read; however, no one can execute anything from them.
Re: Blocking ALL Executables in Students Home Directory
Yes indeedy.
Software Restriction Policies block the execution of executables, not any sort of file access. We have this set up here, so students can open any of their work files from USB, iPod etc. but not run any Flash games and stuff like that.
If you need more help, it took me ages, so I can help with this more.
Re: Blocking ALL Executables in Students Home Directory
Sometimes the SRP takes more than one logoff / logon to apply. Try restarting the PC and logging on as a student. If not, log off, log on as admin, Start > Run, gpupdate /force, reboot, log on as student and test, or reboot again and test.
Group policies can take a while to make sure they are applied.
Also check the event logs often for errors reported, such as SRP could not apply etc.
fooby
P.S. Blocked EXEs are also recorded in the event log, so you can see if it works.