I am being driven insane by my first SRP that I am trying to implement on our student group.
For group policy testing, I have set up a test user group and I have a test student in there.
I want to disallow .exe and .bat from any drive other than C:/
I have tried many ways, but what seems to happen is that I end up blocking the .bat on logon and then all apps on the C: drive.
If we take this one step at a time:
I should be setting the Software restriction to 'Disallowed', then specifying the extensions I want to disallow, then specifying the drives I want to disallow?
Is that correct so far?
This is driving me mad, I am so pleased I am working on a test group!
Why would you disallow... something that is disallowed by default?
You can choose to have everything unrestricted, except what you say (a blacklist), or allow only the things you want (a whitelist).
Whitelists are more secure, but I didn't set one up here (not sure why, it'd have been quicker...)
I just use an unrestricted default, with Drives O:\, X:\ and Y:\ (Home and 2 static USBDLM assigned USB drive letters) filtering stuff (the default list didn't apply when I tried it out :S)
Works a treat here.
On CC3, the default is to block everything except what's on the whitelist. To be honest, I think that's great. There's no worrying about scripts, exes and the like, and setting up exceptions is easy for the most part. RM's software is actually pretty good at making the necessary changes, so kudos to them for that. :-)
Hope the attached helps.
Thanks for all your help guys.
@ Lithium, thanks. That seemed to be my problem: disallowing, then trying to set some parameters..... (that and a lack of patience!).
@Kennysarmy, great stuff, my rule looks identical, except I am having some issues with any drive mapped server shares.
If Windows creates the share, i.e. plug in a USB key, then the policy works fine, but the policy is not currently working on any drive mappings created by logging on.
I could test using a UNC path to the share...any other thoughts?
You could try %homepath%%homeshare% or <driveletter>:* rather than e:\* for example.

Well, I've got software restrictions set up and working here. The attached PDF is an export of my settings so you can see how I've done it if anyone wants to.
I went down the Disallowing everything, then adding in the allowed rules where necessary. Everything that needs to run works, and anything else doesn't!!
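
An added example, not part of any post in this thread: a read-only PowerShell check of which SRP settings actually landed on a test machine, listing the default security level and every path rule for the computer and user policy. It assumes the standard SRP policy registry location; `Get-SrpSummary` is a name made up for this example.

```powershell
# Added example (not from the thread): read-only summary of applied SRP settings.
# Get-SrpSummary is a hypothetical helper name.
function Get-SrpSummary {
    # SRP security levels as stored in the registry (DWORD values).
    $levels = @{ 0 = 'Disallowed'; 131072 = 'Basic User'; 262144 = 'Unrestricted' }

    foreach ($hive in 'HKLM:', 'HKCU:') {   # computer policy, then user policy
        $root = Join-Path $hive 'SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
        if (-not (Test-Path $root)) { continue }   # no SRP delivered to this scope

        # The default level decides blacklist (Unrestricted) vs whitelist (Disallowed).
        $policy  = Get-ItemProperty -Path $root
        $default = if ($null -ne $policy.DefaultLevel) { $levels[[int]$policy.DefaultLevel] } else { 'not set' }
        [pscustomobject]@{ Scope = $hive; Kind = 'Default level'; Level = $default; Path = '*' }

        # Path rules live under <level>\Paths\{GUID}, with the rule path in ItemData.
        foreach ($level in $levels.Keys) {
            $rules = Join-Path $root "$level\Paths"
            if (-not (Test-Path $rules)) { continue }
            foreach ($key in Get-ChildItem -Path $rules) {
                $rule = Get-ItemProperty -Path $key.PSPath
                [pscustomobject]@{ Scope = $hive; Kind = 'Path rule'; Level = $levels[$level]; Path = $rule.ItemData }
            }
        }
    }
}

Get-SrpSummary | Format-Table -AutoSize
```

Run it in the test student's session after `gpupdate /force`; a rule that is missing from the output was not delivered by the GPO to that scope.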