Windows Thread, Group Policy Software Restriction in Technical; Hi Guys im setting up a software restriction policy for september to stop the little angels from running games off ...
25th June 2008, 08:30 PM #1
Group Policy Software Restriction
Hi Guys im setting up a software restriction policy for september to stop the little angels from running games off memory sticks and etc. We are going for a complete restriction all programs unless we specify them.
We have allowed all windows based programs Office etc and we have list off all programs on out network my question is wether is hould use a "hash" rule or a "path" rule for them. Both seem to have there pro's and con's.
Has anyone implemted the above how do they find it and which rule did they use?
25th June 2008, 08:38 PM #2
I have SRP's in place but didnt whitelist all the Windows Apps as this caused all sorts of issues
We disallow by default - so if its not on the list its banned (we use environment variables for key windows folders (%programfiles%, %windir%, etc)
We mainly do path rules with a few exceptions (RM's SuckAss Maker, etc) and in conjunction with a mod'd "hide drives" adm file, we can limit apps running from pen drives (to nil!)
On the whole it is highly effective and works for us
25th June 2008, 09:32 PM #3
- Rep Power
To ban on pen drives it might be worth looking at USBDLM. I found it a sinch to deploy and configure, and works a treat. This program combined with a path rule, allowed us to block all our problems. Not sure where I downloaded it from, but I am sure google would help you
To ban from home directories, you need to use %HOMESHARE% (I think) and also a path rule. You can also easily block all vbs or bat files by using
%HOMESHARE%\*.bat (which will also include subdirectories within the users home drive).
26th June 2008, 09:32 AM #4
I'd just like to add weight here by saying USBDLM... works wonders for pencil sticks.
Originally Posted by markwilliamson2001
We use it here and it's made our USB drive-letter woes vanish real quickly.
We are also going to implement SRP over summer as well, for us we permit anything EXCEPT where we specify (We have alot of apps, alot of servers and it's quicker for us to deny, than it is to whitelist).
Our students home-folders are mapped to Y: - so we would just deny the drive letter - as opposed to any environment variables.
Our USB sticks live on B: or F: or V: (in the event that B: is used, it moves to F: and in the event that F: is used... it moves to V so we can just deny those drives - it's highly unlikely that a student could get another drive letter for their USB, even if they plugged in 2 sticks. (Which they can't anyway here)
So... for some apps a hash rule may be useful - but for us, I simply plan to use path rules to cover pretty much everything that isn't nailed down.
We are also gonna put in some kind of executable monitor, so we can see what they are running and from where (just so we can see if we missed anything).
26th June 2008, 09:35 AM #5
We use SRP path rules to ban exe, lnk, cmd, bat etc for all drive except C:\ and one of our mapped drives where students only have read access. This works well and, if reqd, we have added Unrestriced Hash rules for know allowed apps. We use group policy to disallow listed programs from running from the C:\ drive.
26th June 2008, 08:00 PM #6
We use SRPs too, with the default set to deny access. We then use path rules to open up specific directories.
The basic rule of thumb to apply is: if they can write to a location, it shouldn't be excluded (i.e. permitted) in your SRP. We have had to make a few small exceptions to that for problematic software (IIRC Solidworks likes to extract an executable and then run it from the user's own temp directory)
We also use USBDLM.
By FN-GM in forum Windows
Last Post: 10th December 2007, 12:22 PM
By cookie_monster in forum Windows
Last Post: 27th November 2007, 12:54 PM
By cookie_monster in forum Network and Classroom Management
Last Post: 12th June 2007, 10:28 AM
By indiegirl in forum How do you do....it?
Last Post: 19th October 2006, 05:05 PM
By Gatt in forum Wireless Networks
Last Post: 23rd January 2006, 01:53 PM
Users Browsing this Thread
There are currently 1 users browsing this thread. (0 members and 1 guests)
Tags for this Thread