  1. #1
    jj99

    Group Policy Software Restriction

    Hi guys, I'm setting up a software restriction policy for September to stop the little angels from running games off memory sticks etc. We are going for a complete restriction of all programs unless we specify them.

    We have allowed all Windows-based programs, Office etc., and we have a list of all programs on our network. My question is whether I should use a "hash" rule or a "path" rule for them. Both seem to have their pros and cons.

    Has anyone implemented the above? How do they find it, and which rule did they use?

  2. #2

    Gatt
    I have SRPs in place but didn't whitelist all the Windows apps, as this caused all sorts of issues.

    We disallow by default, so if it's not on the list it's banned (we use environment variables for key Windows folders: %programfiles%, %windir%, etc.).

    We mainly do path rules with a few exceptions (RM's SuckAss Maker, etc.) and, in conjunction with a mod'd "hide drives" adm file, we can limit apps running from pen drives (to nil!).

    On the whole it is highly effective and works for us.

  3. #3

    To ban on pen drives it might be worth looking at USBDLM. I found it a cinch to deploy and configure, and it works a treat. This program, combined with a path rule, allowed us to block all our problems. Not sure where I downloaded it from, but I am sure Google would help you.

    To ban from home directories, you need to use %HOMESHARE% (I think) and also a path rule. You can also easily block all vbs or bat files by using
    %HOMESHARE%\*.bat (which will also include subdirectories within the user's home drive).

    HTH
    Mark

  4. #4
    azrael78
    Originally posted by markwilliamson2001:
    > To ban on pen drives it might be worth looking at USBDLM. I found it a cinch to deploy and configure, and it works a treat. This program, combined with a path rule, allowed us to block all our problems. Not sure where I downloaded it from, but I am sure Google would help you.
    >
    > To ban from home directories, you need to use %HOMESHARE% (I think) and also a path rule. You can also easily block all vbs or bat files by using
    > %HOMESHARE%\*.bat (which will also include subdirectories within the user's home drive).
    >
    > HTH
    > Mark

    I'd just like to add weight here by saying USBDLM... works wonders for pencil sticks.

    We use it here and it's made our USB drive-letter woes vanish real quickly.
    We are also going to implement SRP over summer as well. For us, we permit anything EXCEPT where we specify (we have a lot of apps, a lot of servers, and it's quicker for us to deny than it is to whitelist).

    Our students' home folders are mapped to Y:, so we would just deny the drive letter, as opposed to any environment variables.

    Our USB sticks live on B: or F: or V: (in the event that B: is used, it moves to F:, and in the event that F: is used... it moves to V:), so we can just deny those drives. It's highly unlikely that a student could get another drive letter for their USB, even if they plugged in 2 sticks (which they can't anyway here).

    So... for some apps a hash rule may be useful - but for us, I simply plan to use path rules to cover pretty much everything that isn't nailed down.

    We are also gonna put in some kind of executable monitor, so we can see what they are running and from where (just so we can see if we missed anything).

    HTH,

    Az

  5. #5
    altecsole
    We use SRP path rules to ban exe, lnk, cmd, bat etc. for all drives except C:\ and one of our mapped drives where students only have read access. This works well and, if required, we have added Unrestricted hash rules for known allowed apps. We use group policy to disallow listed programs from running from the C:\ drive.

  6. #6
    sahmeepee
    We use SRPs too, with the default set to deny access. We then use path rules to open up specific directories.

    The basic rule of thumb to apply is: if they can write to a location, it shouldn't be excluded (i.e. permitted) in your SRP. We have had to make a few small exceptions to that for problematic software (IIRC SolidWorks likes to extract an executable and then run it from the user's own temp directory).

    We also use USBDLM.
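
An added example, not part of the thread or any poster's own script: the rule of thumb in the last post (a location users can write to should not be permitted) as a PowerShell check that lists Unrestricted SRP path rules whose target directory grants write access to ordinary users. It assumes machine-level policy stored under the HKLM Safer\CodeIdentifiers key and English principal names; the `$lowPriv` list is an assumption to adjust for your own domain groups.

```powershell
# Added example: flag SRP "Unrestricted" path rules that point at directories
# ordinary users can write to. Run on a client that receives the policy.
$base         = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$unrestricted = 262144   # SRP security level ID for "Unrestricted"

# Assumption: the non-admin principals that matter on this network.
$lowPriv = 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users',
           'NT AUTHORITY\INTERACTIVE', 'Everyone'

# WriteData/CreateFiles (0x2), AppendData/CreateDirectories (0x4),
# plus GENERIC_ALL and GENERIC_WRITE as they appear on inherit-only ACEs.
# Modify and FullControl contain the first two bits, so they match as well.
$writeBits = 0x2 -bor 0x4 -bor 0x10000000 -bor 0x40000000

$rulesKey = Join-Path $base "$unrestricted\Paths"
if (-not (Test-Path $rulesKey)) {
    Write-Warning "No Unrestricted path rules found under $rulesKey"
    return
}

$findings = foreach ($rule in Get-ChildItem $rulesKey) {
    $raw = $rule.GetValue('ItemData', $null, 'DoNotExpandEnvironmentNames')
    # Rules that reference a registry value (%HKEY_...%) are not resolved here.
    if (-not $raw -or $raw -like '%HKEY_*') { continue }
    $path = [Environment]::ExpandEnvironmentVariables($raw)
    # Only directories that exist on this machine are checked; file and
    # wildcard rules are skipped, and subfolder ACLs are not walked.
    if (-not (Test-Path -LiteralPath $path -PathType Container -ErrorAction SilentlyContinue)) { continue }
    foreach ($ace in (Get-Acl -LiteralPath $path).Access) {
        if ($ace.AccessControlType -eq 'Allow' -and
            $lowPriv -contains $ace.IdentityReference.Value -and
            ([int]$ace.FileSystemRights -band $writeBits)) {
            [pscustomobject]@{
                Rule      = $raw
                Path      = $path
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
            }
        }
    }
}
$findings | Sort-Object Path, Principal -Unique | Format-Table -AutoSize
```

Any row in the output is a whitelisted directory where a listed principal can create files, which is the kind of exception the last post describes making deliberately for problematic software.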
