+ Post New Thread
Results 1 to 8 of 8
Windows Thread, Software Restriction Policies..arghhhhhh! in Technical; I am being driven insane by my first SRP that i am trying to implement on our student group. For ...
  1. #1

    Join Date
    Mar 2007
    Posts
    130
    Thank Post
    29
    Thanked 5 Times in 4 Posts
    Rep Power
    17

    Software Restriction Policies..arghhhhhh!

    I am being driven insane by my first SRP that i am trying to implement on our student group.

    For group policy testing -I have set up a test user group and i have a test student in there.

    I want to dis-allow .exe and .bat from any drive other than C:/

    I have tried many ways, but what seems to happen is that i end up blocking the .bat on logon and then all apps on the C: drive.

    If we take this one step at a time;

    I should be setting the Software restriction to 'Disallowed'. then specifiying the extensions i want to disallow, then specify the drives i want to disallow?

    Is that correct so far?

    This is driving me mad, i am so pleased i am working on a test group!


  2. #2

    Join Date
    Jul 2007
    Location
    Devon
    Posts
    233
    Thank Post
    8
    Thanked 9 Times in 8 Posts
    Rep Power
    16
    Why would you disallow... something that is disallowed by default?


    You can choose to have everything unrestricted, except what you say (a blacklist) or allow only the things you want (a whitelist)

    Whitelists are more secure, but I didn't set one up here (not sure why, it'd have been quicker...)

    I just use a unrestricted default, with Drives O:\, X:\ and Y:\ (Home and 2 static USBDLM assigned usb drive letters) filtering stuff (the default list didn't apply when I tried it out :S)

    Works a treat here.

  3. #3
    bizzel's Avatar
    Join Date
    Jul 2007
    Location
    Cambridge
    Posts
    654
    Thank Post
    102
    Thanked 204 Times in 72 Posts
    Rep Power
    51
    On CC3, the default is to block everything except what's on the whitelist. To be honest, I think that's great. There's no worrying about scripts, exe's and the like and setting up exceptions is easy for the most part. RM's software is actually pretty good at making the neccessary changes so kudos to them for that. :-)

  4. #4
    kennysarmy's Avatar
    Join Date
    Oct 2005
    Location
    UK
    Posts
    1,347
    Thank Post
    85
    Thanked 47 Times in 33 Posts
    Rep Power
    31
    Hope the attached helps.
    Attached Images Attached Images

  5. #5

    Join Date
    Mar 2007
    Posts
    130
    Thank Post
    29
    Thanked 5 Times in 4 Posts
    Rep Power
    17
    Thanks for all your help guys.

    @ Lithium, thanks. That seemed to be my problem- Disallowing, then trying to set some parameters..... (that and a lack of patience!).

    @Kennysarmy, Great stuff, my rule looks identical, except i am having some issues with any drive mapped server shares.

    If windows creates the share; ie plug in a USB key, then the policy works fine, but the policy is not currently working on any drive mappings created by logging on.

    I could test using a UNC path to the share...any other thoughts?

  6. #6

    Join Date
    Jul 2007
    Location
    Middle-Wales
    Posts
    368
    Thank Post
    2
    Thanked 4 Times in 4 Posts
    Rep Power
    16
    you could try %homepath%%homeshare% or <driveletter>:* rather than e:\* for example.

  7. #7

    maniac's Avatar
    Join Date
    Feb 2007
    Location
    Kent
    Posts
    3,081
    Thank Post
    210
    Thanked 431 Times in 311 Posts
    Rep Power
    145
    Well I've got software restrictions setup and working here, the attached PDF is an export of my settings so you can see how I've done it if anyone wants to.

    I went down the Disallowing everything, then adding in the allowed rules where necessary. Everything that needs to run works, and anything else doesn't!!
    Attached Files Attached Files

  8. #8

    Join Date
    Mar 2007
    Posts
    130
    Thank Post
    29
    Thanked 5 Times in 4 Posts
    Rep Power
    17
    Quote Originally Posted by rhyds View Post
    you could try %homepath%%homeshare% or <driveletter>:* rather than e:\* for example.
    Like it ....\\Server\%username%$\

    Many thanks!

    Thats pretty much cleared up all my problems with SRP.

    Thanks!



SHARE:
+ Post New Thread

Similar Threads

  1. Help write a guide for Software restriction policies for USB
    By ChrisH in forum How do you do....it?
    Replies: 7
    Last Post: 28th January 2010, 10:40 AM
  2. Confused about software restriction policies
    By MacBriar in forum How do you do....it?
    Replies: 1
    Last Post: 27th February 2008, 10:23 PM
  3. Replies: 11
    Last Post: 20th April 2007, 07:38 PM
  4. Software Restriction Policies
    By wesleyw in forum Windows
    Replies: 14
    Last Post: 12th December 2006, 12:35 PM

Thread Information

Users Browsing this Thread

There are currently 1 users browsing this thread. (0 members and 1 guests)

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •