Group Policy Software Restriction

[jj99]

Hi Guys im setting up a software restriction policy for september to stop the little angels from running games off memory sticks and etc. We are going for a complete restriction all programs unless we specify them.

We have allowed all windows based programs Office etc and we have list off all programs on out network my question is wether is hould use a "hash" rule or a "path" rule for them. Both seem to have there pro's and con's.

Has anyone implemted the above how do they find it and which rule did they use?

[Gatt]

I have SRP's in place but didnt whitelist all the Windows Apps as this caused all sorts of issues

We disallow by default - so if its not on the list its banned (we use environment variables for key windows folders (%programfiles%, %windir%, etc)

We mainly do path rules with a few exceptions (RM's SuckAss Maker, etc) and in conjunction with a mod'd "hide drives" adm file, we can limit apps running from pen drives (to nil!)

On the whole it is highly effective and works for us

[markwilliamson2001]

To ban on pen drives it might be worth looking at USBDLM. I found it a sinch to deploy and configure, and works a treat. This program combined with a path rule, allowed us to block all our problems. Not sure where I downloaded it from, but I am sure google would help you

To ban from home directories, you need to use %HOMESHARE% (I think) and also a path rule. You can also easily block all vbs or bat files by using
%HOMESHARE%\*.bat (which will also include subdirectories within the users home drive).

HTH
Mark

[azrael78]

To ban on pen drives it might be worth looking at USBDLM. I found it a sinch to deploy and configure, and works a treat. This program combined with a path rule, allowed us to block all our problems. Not sure where I downloaded it from, but I am sure google would help you

To ban from home directories, you need to use %HOMESHARE% (I think) and also a path rule. You can also easily block all vbs or bat files by using
%HOMESHARE%\*.bat (which will also include subdirectories within the users home drive).

HTH
Mark

I'd just like to add weight here by saying USBDLM... works wonders for pencil sticks.

We use it here and it's made our USB drive-letter woes vanish real quickly.
We are also going to implement SRP over summer as well, for us we permit anything EXCEPT where we specify (We have alot of apps, alot of servers and it's quicker for us to deny, than it is to whitelist).

Our students home-folders are mapped to Y: - so we would just deny the drive letter - as opposed to any environment variables.

Our USB sticks live on B: or F: or V: (in the event that B: is used, it moves to F: and in the event that F: is used... it moves to V so we can just deny those drives - it's highly unlikely that a student could get another drive letter for their USB, even if they plugged in 2 sticks. (Which they can't anyway here)

So... for some apps a hash rule may be useful - but for us, I simply plan to use path rules to cover pretty much everything that isn't nailed down.

We are also gonna put in some kind of executable monitor, so we can see what they are running and from where (just so we can see if we missed anything).

HTH,

Az

[altecsole]

We use SRP path rules to ban exe, lnk, cmd, bat etc for all drive except C:\ and one of our mapped drives where students only have read access. This works well and, if reqd, we have added Unrestriced Hash rules for know allowed apps. We use group policy to disallow listed programs from running from the C:\ drive.

[sahmeepee]

We use SRPs too, with the default set to deny access. We then use path rules to open up specific directories.

The basic rule of thumb to apply is: if they can write to a location, it shouldn't be excluded (i.e. permitted) in your SRP. We have had to make a few small exceptions to that for problematic software (IIRC Solidworks likes to extract an executable and then run it from the user's own temp directory)

We also use USBDLM.