  1. #1
    cookie_monster

    Banning exes on USB drives

    I've had a read through a few threads on here about banning exes on USB drives and most seem to come to the conclusion that you can ban exes in subfolders even using wildcards. From my testing this does seem to be the case, the only wildcard that works is *.exe which bans them from running exes from anywhere. This works so well that they can't log on so I would have to allow certain areas.

    Has anyone come up with a workable way to do this or is a whitelist the only way to go without third party software?

    Stopping .exe files from being run from a USB stick

    Thanks.


    EDIT

    Oh hang on, I've just found this. Anyone tried it? I'm going to give it a try now.

    http://www.beyondlogic.org/solutions...ust-no-exe.htm


    Well it looks pretty good but unfortunately there's no way to separate staff and students so I don't think we can use it
    Last edited by cookie_monster; 23rd October 2009 at 10:23 AM.

  2. #2

    Running trustnoexe on our standalones here with no problems, haven't tried it in a domain environment. Could you not just disable the app/service when staff log on? (login script)

  3. #3
    cookie_monster
    Could you not just disable the app/service when staff log on? (login script)
    Does it run as a Windows service? If so then no, as our staff don't have rights to disable services.

  4. #4

    Can't check easily, sorry - it's running on standalones on one of our residential units offsite, I think it's only launched on login though, so one way or another you ought to be able to stop it from initialising for a specific user group.

  5. #5
    cookie_monster
    OK, I'll take another look.

  6. #6

    We use Software restriction policies here. Using a whitelist basically won't allow any executable unless it is one we know about.

    Sometimes it's a pain as staff are forever bringing in some pointless flash animation on a USB pen which is blocked, but we have 'safe' areas to copy these to so they can try them out.

    You have to have a good idea of software in use on your network, but you can bypass a lot by allowing known pathnames (i.e. C:\Program Files etc.)

  7. #7
    cookie_monster
    I enabled a whitelist the other day to test and users couldn't log on anymore, probably due to something launching in the logon script. I need to look into it.

    Can you share a bit more detail about what you allow/deny to get started? No rush

    Thanks.

  8. #8

    You have to allow:

    Sysvol and Netlogon shares (I used wildcard i.e. \\Server?\sysvol) which covers Server1, Server2 etc.
    C:\windows and c:\windows\system (defaults to allow these anyway)

    We allow c:\program files by default as only admins can install software

    Everything else in our list is simply executables\applications etc that are on server shares. Along with a few batch files users run on login.

    One peculiarity was in desktop and start menu redirection - we had to allow the source of the desktop/start menu as well as the targets for the applications listed.

    Works well now. In that the users don't like the fact they can't just run any old rubbish that someone gave them on a usb pen

  9. Thanks to GoldenWonder from:

    cookie_monster (27th October 2009)

  10. #9
    cookie_monster
    Sometimes it's a pain as staff are forever bringing in some pointless flash animation on a USB pen which is blocked, but we have 'safe' areas to copy these to so they can try them out.
    I was thinking of just doing this for students anyway to start.

    Cheers.

  11. #10
    cookie_monster
    Originally Posted by GoldenWonder:
    You have to allow:

    Sysvol and Netlogon shares (I used wildcard i.e. \\Server?\sysvol) which covers Server1, Server2 etc.
    C:\windows and c:\windows\system (defaults to allow these anyway)

    We allow c:\program files by default as only admins can install software

    Everything else in our list is simply executables\applications etc that are on server shares. Along with a few batch files users run on login.

    One peculiarity was in desktop and start menu redirection - we had to allow the source of the desktop/start menu as well as the targets for the applications listed.

    Works well now. In that the users don't like the fact they can't just run any old rubbish that someone gave them on a usb pen


    Does this give you issues with web sites ever? I'm thinking back to some intranet software a while back that downloaded an exe to temp but wouldn't run due to software restriction policy.
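
Added example, not part of any post in this thread: a simplified Python model of a default-Disallowed Software Restriction Policy using the allow rules GoldenWonder lists, showing which executable paths would run. The matching logic is an approximation of path rules, and the sample paths are constructed.

```python
import re

# Allow rules taken from post #8; the site-specific server-share entries are
# omitted. Everything not matched is Disallowed (whitelist mode).
ALLOW_RULES = [
    r"\\Server?\sysvol",
    r"\\Server?\netlogon",
    r"C:\Windows",
    r"C:\Program Files",
]

def rule_to_regex(rule):
    """Translate a path rule to a regex: '?' is one character, '*' any run of
    characters inside one path component; a rule also covers its subfolders."""
    parts = []
    for ch in rule.rstrip("\\"):
        if ch == "?":
            parts.append(r"[^\\]")
        elif ch == "*":
            parts.append(r"[^\\]*")
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + r"(\\.*)?$", re.IGNORECASE)

COMPILED = [(rule, rule_to_regex(rule)) for rule in ALLOW_RULES]

def decide(path):
    """Return (verdict, matching_rule) for an executable path."""
    for rule, rx in COMPILED:
        if rx.match(path):
            return ("Unrestricted", rule)
    return ("Disallowed", None)

# Constructed sample paths, not taken from the thread.
SAMPLES = [
    r"\\Server1\netlogon\logon.bat",
    r"C:\Program Files\Office\winword.exe",
    r"E:\games\game.exe",
    r"C:\Documents and Settings\pupil\Local Settings\Temp\setup.exe",
    r"\\Server10\sysvol\x.bat",
    r"C:\Windows2\tool.exe",
]

if __name__ == "__main__":
    for p in SAMPLES:
        verdict, rule = decide(p)
        print(f"{verdict:<12} {p}  (rule: {rule})")
```

In this model the USB path and the per-user Temp path both fall through to Disallowed, and `\\Server10` misses the `?` rule because `?` stands for exactly one character.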

  12. #11

    I use the User Defined Rules in McAfee's AV software (via the Policy server). Allows me to stop MSI, BAT, CMD, MP3, etc. from just about anywhere I want (which is USB drives, desktops, home drives). It's not foolproof but it certainly fools the majority.
