  1. #1


    GP to Prevent Running exe not installed

    Wondering if anyone has successfully created a group policy that would prevent students from running any kind of executable, other than those installed on the machine.

    Basically, we want to prevent students running .exe from a flash drive or if they are able to download it.

    Any thoughts about this?

  2. #2
    nickbro's Avatar
    Software restriction policies is what you want

    Using Software Restriction Policies to Protect Against Unauthorized Software

    You can basically set it to stop anyone but administrators running stuff that isn't on the c:\*, \\domain\netlogon\.*, \\domain\sysvol\.*

    You can also do hash rules, which in theory will allow unencryption software to run from an external drive but nothing else, never gotten it working properly.

    We use SRP to only allow c:\windows\*.*, c:\program files*.* and a few other exceptions (like 100)

  3. #3

    Can you give me an example of some of the other exceptions you have to put in? Also, how might this affect Apps in Windows 8, if at all?

  4. #4
    nickbro's Avatar
    Properties
    Policy: Setting
    Allow users to select new root certification authorities (CAs) to trust: Enabled
    Client computers can trust the following certificate stores: Third-Party Root Certification Authorities and Enterprise Root Certification Authorities
    To perform certificate-based authentication of users and computers, CAs must meet the following criteria: Registered in Active Directory only

    Software Restriction Policies

    Enforcement
    Policy: Setting
    Apply software restriction policies to the following: All software files except libraries (such as DLLs)
    Apply software restriction policies to the following users: All users except local administrators
    When applying software restriction policies: Ignore certificate rules

    Designated File Types
    File Extension: File Type
    BAS: BAS File
    BAT: Windows Batch File
    CHM: Compiled HTML Help file
    CMD: Windows Command Script
    COM: MS-DOS Application
    CPL: Control panel item
    CRT: Security Certificate
    EXE: Application
    HLP: Help file
    HTA: HTML Application
    INF: Setup Information
    INS: INS File
    ISP: ISP File
    JS: JScript Script File
    MSC: Microsoft Common Console Document
    MSI: Windows Installer Package
    MSP: Windows Installer Patch
    MST: MST File
    OCX: ActiveX control
    PCD: PCD File
    PIF: Shortcut to MS-DOS Program
    REG: Registration Entries
    SCR: Screen saver
    SHS: SHS File
    VB: VB File
    VBS: VBScript Script File
    WSC: Windows Script Component

    Trusted Publishers
    Trusted publisher management: Allow all administrators and users to manage user's own Trusted Publishers
    Certificate verification: None

    Software Restriction Policies/Security Levels

    Policy: Setting
    Default Security Level: Disallowed

  5. #5
    nickbro's Avatar
    Software Restriction Policies/Additional Rules
    (1.6.1.1);
    Security Level Unrestricted
    Description USB Key Unlock Software
    Date last modified 30/04/2012 14:09:55
    (2.5.0.32); Health & Social care; Health & Social care; Health & Social care; Health & Social care
    Security Level Unrestricted
    Description Health & Social care 5
    Date last modified 30/03/2012 10:43:07
    (2.5.0.32); Health & Social care; Health & Social care; Health & Social care; Health & Social care
    Security Level Unrestricted
    Description Health & Social care 3
    Date last modified 30/03/2012 10:42:26
    (2.5.0.32); Health & Social care; Health & Social care; Health & Social care; Health & Social care
    Security Level Unrestricted
    Description Health & Social Care 1
    Date last modified 30/03/2012 10:42:07
    (2.5.0.32); Health & Social care; Health & Social care; Health & Social care; Health & Social care
    Security Level Unrestricted
    Description Health & Social care 4
    Date last modified 30/03/2012 10:42:45
    (2.5.0.32); Health & Social care; Health & Social care; Health & Social care; Health & Social care
    Security Level Unrestricted
    Description Health & Social care 2
    Date last modified 30/03/2012 10:42:18
    AdaptiveReadingScales.exe (1.0.4105.36268); AdaptiveReadingScales.exe;
    Security Level Unrestricted
    Description Adaptive Reading Scales
    Date last modified 27/02/2012 10:13:53
    AdaptiveReadingScales.exe (1.0.4105.36268); AdaptiveReadingScales.exe;
    Security Level Unrestricted
    Description Adaptive Reading Scales
    Date last modified 30/03/2012 10:34:18
    Become a World Explorer 2.0.20
    Security Level Unrestricted
    Description Become a World Explorer 2.0.20
    Date last modified 14/01/2008 04:44:52
    CamMenuPlayer.exe (4.0.0.0); CamMenuPlayer; Camtasia MenuMaker Player; Camtasia Studio; TechSmith Corporation
    Security Level Unrestricted
    Description
    Date last modified 08/04/2014 16:15:23
    CHS.SIMS.TOOUTLOOK.exe (1.0.0.0); CHS.SIMS.TOOUTLOOK.exe; CHS.SIMS.TOOUTLOOK; CHS.SIMS.TOOUTLOOK; Crickhowell High School
    Security Level Unrestricted
    Description CHS SIMS to Outlook
    Date last modified 30/03/2012 10:44:01
    cleanup.exe (1.0.0.3); cleanup; U3 Cleanup Application; U3 Cleanup Application;
    Security Level Unrestricted
    Description U3 Cleanup
    Date last modified 02/05/2012 08:41:13
    Clicker 4
    Security Level Unrestricted
    Description Clicker 4
    Date last modified 14/01/2008 04:45:04
    Control Studio 2
    Security Level Unrestricted
    Description Control Studio 2
    Date last modified 14/01/2008 04:44:46
    CountDown.exe (3.1.0.4); CountDown; Numbers Game; CSFsoftware Build a Free Website with Web Hosting | Tripod
    Security Level Unrestricted
    Description
    Date last modified 24/06/2013 14:52:03
    I Love Science Sampler
    Security Level Unrestricted
    Description I Love Science Sampler
    Date last modified 14/01/2008 04:44:23
    Illustrator 10 web publishing
    Security Level Unrestricted
    Description Illustrator 10 web publishing
    Date last modified 14/01/2008 04:44:56
    Iscope 4
    Security Level Unrestricted
    Description Iscope 4
    Date last modified 14/01/2008 04:46:53
    Launcher program (Go.exe) for Oxford University Press 'Oxford Reading Tree Stage 2'. Allows the title to run from local CD as well as from VCD.
    Security Level Unrestricted
    Description Launcher program (Go.exe) for Oxford University Press 'Oxford Reading Tree Stage 2'. Allows the title to run from local CD as well as from VCD.
    Date last modified 14/01/2008 04:46:49
    Launcher program (Start.exe) for Sherston Software 'Decimal Games'. Allows the title to run from local CD as well as from VCD.
    Security Level Unrestricted
    Description Launcher program (Start.exe) for Sherston Software 'Decimal Games'. Allows the title to run from local CD as well as from VCD.
    Date last modified 14/01/2008 04:46:08
    Launcher program for the Essential Languages range. Allows the title to run from local CD, as well as from VCD.
    Security Level Unrestricted
    Description Launcher program for the Essential Languages range. Allows the title to run from local CD, as well as from VCD.
    Date last modified 14/01/2008 04:46:36
    Launcher program for the Essential Languages range. Allows the title to run from local CD, as well as from VCD.
    Security Level Unrestricted
    Description Launcher program for the Essential Languages range. Allows the title to run from local CD, as well as from VCD.
    Date last modified 14/01/2008 04:46:41
    Launcher program for the Essential Languages range. Allows the title to run from local CD, as well as from VCD.
    Security Level Unrestricted
    Description Launcher program for the Essential Languages range. Allows the title to run from local CD, as well as from VCD.
    Date last modified 14/01/2008 04:46:22
    Launchpad Removal.EXE (1.0.2.32); Launchpad Removal.EXE; Launchpad Removal Program; Launchpad Removal Program; SanDisk Corporation
    Security Level Unrestricted
    Description Launchpad Removal
    Date last modified 02/05/2012 08:41:25
    LaunchPad.exe (1.6.1.2); LaunchPad; LaunchPad Application; LaunchPad Application;
    Security Level Unrestricted
    Description LaunchPad
    Date last modified 02/05/2012 08:41:00
    LaunchU3.exe (1.6.1.1)
    Security Level Unrestricted
    Description Launch U3
    Date last modified 02/05/2012 08:17:09
    Livewire
    Security Level Unrestricted
    Description Livewire
    Date last modified 14/01/2008 04:44:37
    Math-A-Maze.exe (1.6.0.0); Math-A-Maze; Math-A-Maze; Reasonable Games
    Security Level Unrestricted
    Description
    Date last modified 24/06/2013 14:52:23
    Memory-Map-Europe-eng.msi; 19154 KB; 22/09/2009 10:27:44
    Security Level Unrestricted
    Description
    Date last modified 22/05/2014 10:32:36
    NTVDM.EXE (6.1.7600.16385); NTVDM.EXE; NTVDM.EXE; Microsoft® Windows® Operating System; Microsoft Corporation
    Security Level Unrestricted
    Description NTVDM.EXE (Oregen)
    Date last modified 21/05/2012 12:49:17
    Rawprints
    Security Level Unrestricted
    Description Pawprints
    Date last modified 14/01/2008 04:46:12
    PCB Wizard 3
    Security Level Unrestricted
    Description PCB Wizard 3
    Date last modified 14/01/2008 04:45:00
    PPC.exe (5.2.3790.3959); PPC.exe; PushPrinterConnection application; Microsoft® Windows® Operating System; Microsoft Corporation
    Security Level Unrestricted
    Description
    Date last modified 22/08/2012 17:03:10
    Projector.exe (8.0.0.178); Projector; Macromedia Projector; Director 8 Shockwave Studio; Macromedia, Inc.
    Security Level Unrestricted
    Description
    Date last modified 11/03/2014 08:21:42
    Projector.exe (8.0.0.178); Projector; Macromedia Projector; Director 8 Shockwave Studio; Macromedia, Inc.
    Security Level Unrestricted
    Description
    Date last modified 11/03/2014 08:21:54
    Projector.exe (9.0.0.383); Projector; Macromedia Projector; Director MX; Macromedia, Inc.
    Security Level Unrestricted
    Description
    Date last modified 10/03/2014 13:45:42
    ragent.msi; 6386 KB; 13/10/2008 09:14:03
    Security Level Unrestricted
    Description
    Date last modified 22/05/2014 10:41:51
    Read and Write 6.0
    Security Level Unrestricted
    Description Read and Write 6.0
    Date last modified 14/01/2008 04:45:51
    Read and Write 6.0 - Teacher
    Security Level Unrestricted
    Description Read and Write 6.0 - Teacher
    Date last modified 14/01/2008 04:44:33
    Read and Write 6.0 - Tour
    Security Level Unrestricted
    Description Read and Write 6.0 - Tour
    Date last modified 14/01/2008 04:44:28
    Robolab
    Security Level Unrestricted
    Description Robolab
    Date last modified 14/01/2008 04:45:56
    SAFlashPlayer.exe (6.0.21.0); Macromedia Flash Player 6.0; Macromedia Flash Player 6.0 r21; Shockwave Flash; Macromedia, Inc.
    Security Level Unrestricted
    Description
    Date last modified 24/06/2013 14:53:48
    SAFlashPlayer.exe (9.0.115.0); Adobe Flash Player 9.0; Adobe Flash Player 9.0 r115; Shockwave Flash; Adobe Systems, Inc.
    Security Level Unrestricted
    Description Think You Know
    Date last modified 30/03/2012 10:32:38
    SAFlashPlayer.exe (9.0.45.0); Adobe Flash Player 9.0; Adobe Flash Player 9.0 r45; Shockwave Flash; Adobe Systems, Inc.
    Security Level Unrestricted
    Description
    Date last modified 24/06/2013 14:51:22
    SwFlsh32.exe (5.0.30.0); Flash; Flash Player 5.0 r30; Flash 5.0; Macromedia, Inc.
    Security Level Unrestricted
    Description
    Date last modified 11/03/2014 08:21:33
    The Flight Experience
    Security Level Unrestricted
    Description The Flight Experience
    Date last modified 14/01/2008 04:46:17
    timer-stopwatch-cl (1.4.0.0); timer-stopwatch-cl; TimeMe's Timer Stopwatch CL; TimeMe's Timer Stopwatch CL; TimeMe
    Security Level Unrestricted
    Description
    Date last modified 24/06/2013 14:51:09
    U3AccessGrant.exe (1.6.1.1); U3AccessGrant; U3AccessGrant Application; U3AccessGrant Application;
    Security Level Unrestricted
    Description U3AccessGrant
    Date last modified 02/05/2012 08:41:47
    Wellington Square Level 1
    Security Level Unrestricted
    Description Wellington Square Level 1
    Date last modified 14/01/2008 04:45:13
    Wellington Square Level 2
    Security Level Unrestricted
    Description Wellington Square Level 2
    Date last modified 14/01/2008 04:45:27
    Wellington Square Level 3
    Security Level Unrestricted
    Description Wellington Square Level 3
    Date last modified 14/01/2008 04:45:18
    Wellington Square Level 4
    Security Level Unrestricted
    Description Wellington Square Level 4
    Date last modified 14/01/2008 04:45:09
    Wellington Square Level 5
    Security Level Unrestricted
    Description Wellington Square Level 5
    Date last modified 14/01/2008 04:45:22
    Wordbar 1.2.8
    Security Level Unrestricted
    Description Wordbar 1.2.8
    Date last modified 14/01/2008 04:44:41
    WordSrch.exe (2.0.0.2); WordSrch; Wordsearch Generator Software; Wordsearch Creator; CSFsoftware Solutions
    Security Level Unrestricted
    Description
    Date last modified 24/06/2013 14:51:34

  6. #6
    nickbro's Avatar
    Path Rules
    %LogonServer%\SysVol\*
    Security Level Unrestricted
    Description Allows logon scripts to run.
    Date last modified 21/01/2002 08:29:14
    %programfiles%\*
    Security Level Unrestricted
    Description Included in case the Program Files folder is not located on the System Drive.
    Date last modified 21/01/2002 08:29:29
    %programfiles%\Adobe\Illustrator 10\Plug-ins
    Security Level Disallowed
    Description Illustrator 10 Plug-ins
    Date last modified 14/05/2003 12:13:13
    %programfiles%\Common Files\Adobe\Web
    Security Level Disallowed
    Description Illustrator 10
    Date last modified 14/05/2003 12:10:37
    %programfiles(x86)%\*
    Security Level Unrestricted
    Description Included in case the Program Files folder is not located on the System Drive (64Bit)
    Date last modified 28/03/2011 10:49:58
    %programfiles(x86)%\Common Files\Adobe\Web
    Security Level Disallowed
    Description 64Bit security restriction
    Date last modified 28/03/2011 10:49:59
    %SafeLocation0%\*
    Security Level Unrestricted
    Description Used to by-pass Software Restrictions. WARNING: DO NOT DELETE.
    Date last modified 21/01/2002 08:23:22
    %SafeLocation1%\*
    Security Level Unrestricted
    Description Used to by-pass Software Restrictions. WARNING: DO NOT DELETE.
    Date last modified 02/04/2002 14:44:05
    %systemdrive%\$recycle.bin\*
    Security Level Disallowed
    Description Prevent software from running in recycle bin
    Date last modified 30/07/2007 14:18:07
    %SystemDrive%\*
    Security Level Unrestricted
    Description Allows programs to run if they are installed on the workstation's hard disk.
    Date last modified 21/01/2002 08:23:52
    %systemdrive%\documents and settings\*
    Security Level Disallowed
    Description Prevent software from running from User profile
    Date last modified 25/07/2007 15:01:25
    %systemdrive%\recycler
    Security Level Disallowed
    Description Terminal server security restrictions
    Date last modified 21/09/2007 10:35:37
    %SystemDrive%\temp\*
    Security Level Disallowed
    Description Disable access to temp directory on the system drive.
    Date last modified 07/06/2004 12:16:12
    %systemdrive%\users\*
    Security Level Disallowed
    Description Prevent software from executing from the users profile area
    Date last modified 24/01/2008 13:11:40
    %systemroot%\profiles\*
    Security Level Disallowed
    Description Part of Terminal server security restrictions
    Date last modified 21/09/2007 10:34:23
    %SystemRoot%\repair\*
    Security Level Disallowed
    Description System utilities are installed into this directory.
    Date last modified 21/01/2002 08:26:41
    %SystemRoot%\System32\dllcache\*
    Security Level Disallowed
    Description Executables located in the Windows directory are cached here in case they are deleted.
    Date last modified 21/01/2002 08:20:03
    %SystemRoot%\temp\*
    Security Level Disallowed
    Description Temporary directory used by Offline files.
    Date last modified 21/01/2002 08:19:04
    %SystemRoot%\Temp0
    Security Level Disallowed
    Description Lets Go
    Date last modified 14/05/2003 12:19:42
    %userprofile%\appdata\local\*
    Security Level Disallowed
    Description Prevents software from running from within zip archives on vista
    Date last modified 06/03/2009 09:39:35
    %userprofile%\appdata\local\temp\*
    Security Level Disallowed
    Description
    Date last modified 10/05/2012 15:09:44
    %userprofile%\local settings\*
    Security Level Disallowed
    Description Prevent running exe from local profile when logged off
    Date last modified 01/07/2004 11:11:39
    %userprofile%\Local Settings\Temporary Internet Files\*
    Security Level Disallowed
    Description Prevents executables embedded in documents from running
    Date last modified 23/01/2008 16:46:04
    %UserProfile\Local Settings\Temp\*.tmp
    Security Level Unrestricted
    Description Allow SIMS to use self-registration for DLLs during installation
    Date last modified 10/09/2004 10:13:40
    \\%userdnsdomain%\sysvol
    Security Level Unrestricted
    Description Allows logon scripts to run
    Date last modified 24/01/2008 09:08:14
    C:\WINDOWS\Smart Spender Preferences
    Security Level Disallowed
    Description Smart Spender 1.0
    Date last modified 14/05/2003 12:21:30
    D:\*.mp3
    Security Level Disallowed
    Description Block MP3s on USB Key
    Date last modified 30/03/2012 10:43:22
    E:\*.mp3
    Security Level Disallowed
    Description Block MP3 on E
    Date last modified 30/03/2012 10:43:35
    E:\LaunchU3.exe
    Security Level Unrestricted
    Description
    Date last modified 30/04/2012 14:10:14

  7. #7
    nickbro's Avatar
    Seems there might also be AppLocker as well

    AppLocker Documentation for Windows 7 and Windows Server 2008 R2

  8. Thanks to nickbro from:

    TheScarfedOne (10th August 2014)

  9. #8

    In Windows 7/8 you probably want to be using AppLocker.

    You can run it in audit mode and it'll just log to a custom event log.

    I've been trying to set up a ruleset at work (as we used to use SRP a lot with XP) and haven't really done much since moving to Windows 7.

    As nick says, you probably want to deny all by default, allow network shares that you put stuff on (i.e. sysvol), and allow c:\, then deny folders that end users can write to (and use the auditing mode to see if you've missed anything before you go live).

    AccessChk/AccessEnum from File and Disk Utilities: Sysinternals Center can be useful in finding places where students have write access.

  10. Thanks to minimoo from:

    TheScarfedOne (10th August 2014)
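
The default-deny layout discussed in this thread (designated file types from post #4, path rules from post #6, and the advice in post #8 to deny user-writable folders) can be checked offline with a small model. This is an added example, not code from any poster and not Microsoft's implementation: it assumes the most specific matching path rule wins with Disallowed winning a tie, uses constructed variable values (`C:`, `DC01`, a `student` profile), and does not model hash rules or wildcards in the middle of a path.

```python
import ntpath
import re

# Constructed values for the variables used in the posted rules (assumptions).
ENV = {"systemdrive": "C:", "systemroot": r"C:\Windows",
       "programfiles": r"C:\Program Files",
       "userprofile": r"C:\Users\student", "logonserver": r"\\DC01"}

# Subset of the designated file types listed in post #4.
DESIGNATED = {"bat", "cmd", "com", "exe", "hta", "js", "msi", "scr", "vbs"}

# Subset of the path rules listed in post #6, written as posted.
RULES = [
    (r"%SystemDrive%\*", "Unrestricted"),
    (r"%programfiles%\*", "Unrestricted"),
    (r"%LogonServer%\SysVol\*", "Unrestricted"),
    (r"%systemdrive%\users\*", "Disallowed"),
    (r"%SystemDrive%\temp\*", "Disallowed"),
    (r"%SystemRoot%\temp\*", "Disallowed"),
    (r"%userprofile%\appdata\local\*", "Disallowed"),
    (r"E:\LaunchU3.exe", "Unrestricted"),
]


def expand(rule):
    # Substitute %VAR% references, lower-case the result, and drop a folder
    # rule's trailing wildcard so the rule becomes a plain path prefix.
    path = re.sub(r"%([^%]+)%", lambda m: ENV[m.group(1).lower()], rule).lower()
    if path.endswith("\\*"):
        path = path[:-2]
    return path.rstrip("\\")


def matches(rule_path, target):
    # A folder rule covers everything beneath it; a file rule matches exactly.
    return target == rule_path or target.startswith(rule_path + "\\")


def decide(target, rules=RULES, default="Disallowed"):
    # Returns (security level, rule that decided it or None).
    target = target.lower()
    ext = ntpath.splitext(target)[1].lstrip(".")
    if ext not in DESIGNATED:
        return ("NotEvaluated", None)   # not a designated file type
    # Every matching rule is a prefix of the target, so the longest expanded
    # rule is the most specific; on a tie the Disallowed rule sorts higher.
    hits = [(len(expand(r)), level == "Disallowed", level, r)
            for r, level in rules if matches(expand(r), target)]
    if not hits:
        return (default, None)          # falls through to the default level
    _, _, level, rule = max(hits)
    return (level, rule)


if __name__ == "__main__":
    for p in [r"C:\Program Files\Office\winword.exe",
              r"C:\Users\student\Downloads\game.exe",
              r"E:\game.exe", r"E:\LaunchU3.exe",
              r"C:\Games\portable.exe"]:
        print(p, "->", decide(p))
```

The `C:\Games` case comes back Unrestricted through `%SystemDrive%\*`, which is why that broad allow rule depends on the writable-folder audit recommended in post #8: any folder on the system drive that students can write to needs its own Disallowed rule.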

  11. #9
    MordyT's Avatar
    AppLocker needs enterprise / ultimate - not win7 pro. For most, that means back to SRP
