+ Post New Thread
Results 1 to 10 of 10
Windows Thread, Need to stop students from opening Firefox in Technical; I need to prevent students from using Firefox. I have prevented it in group policy by not allowing them to ...
  1. #1

    Join Date
    Apr 2010
    Location
    Virginia
    Posts
    1
    Thank Post
    0
    Thanked 0 Times in 0 Posts
    Rep Power
    0

    Question Need to stop students from opening Firefox

    I need to prevent students from using Firefox. I have prevented it in group policy by not allowing them to run an .exe from jump drives or their student folders (Software Restrictions) and by putting firefox.exe on the "Don't run specified Windows applications" (System). The C drive is also hidden via GPO. All this is working.
    Now they have discovered that if they click on Start | All Programs | and double click on StartUp a Windows Explorer window will be opened and they can use the Up Button to navigate to Program Files\Mozilla, copy firefox.exe and paste it right back in the same folder and boom, they can double-click and run the setup which does not pick up any proxy and off to Facebook they go.
    I cannot get rid of the Standard Buttons bar (to get rid the Up button) because it gets rid of it in IE, too and they must have access to the File menu.

    I know this is a long post but I cannot find the answer to this anywhere and thought others here might have faced this one.

    TIA!
    Pam

  2. #2

    Gatt's Avatar
    Join Date
    Jan 2006
    Posts
    6,658
    Thank Post
    858
    Thanked 646 Times in 429 Posts
    Rep Power
    498
    Why not create an SRP Hash Rule for firefox.exe - this will then ensure that FF cannot be run anywhere, even if renamed (eg to FF.exe)

  3. #3

    Andrew_C's Avatar
    Join Date
    Sep 2005
    Location
    Winchester
    Posts
    2,961
    Thank Post
    64
    Thanked 374 Times in 284 Posts
    Rep Power
    158
    Why not embrace a standards compliant browser and then deal with Farcebook via either a technological fix (Firewall, Smoothwall etc) or make it a classroom management (ie someone else's) problem?

  4. #4

    Join Date
    Aug 2005
    Location
    London
    Posts
    3,154
    Thank Post
    114
    Thanked 527 Times in 450 Posts
    Blog Entries
    2
    Rep Power
    123
    Might be a daft question, but why do you have it installed if you don't want it to be used?

    If it's there because some groups need it but most don't then change the permissions on the .exe so that instead of allowing "users" read/execute you only allow "firefox_users" permissions on the file

    If it needs to be there for everyone but only at certain times of the day then set scheduled tasks to remove the users read permission at (say) 09:00 and restore it at (say) 15:00

  5. #5

    Join Date
    Sep 2007
    Posts
    90
    Thank Post
    7
    Thanked 32 Times in 17 Posts
    Rep Power
    19
    Or, instead of using a "blacklisting" approach, whereby executing from every location is allowed by default, except from the locations you specify,
    use a "whitelisting" approach, where everything is denyed by default except specified locations. you then allow certain locations such as the windows folder,
    the %programfiles% folder and any network path's where your applications arre installed.

    As a general security rule of thumb: do not allow execute where users have read/write access, and do not allow write access where users have execute rights.
    They should have one or the other but never both.

  6. #6

    Gatt's Avatar
    Join Date
    Jan 2006
    Posts
    6,658
    Thank Post
    858
    Thanked 646 Times in 429 Posts
    Rep Power
    498
    Quote Originally Posted by srochford View Post
    If it needs to be there for everyone but only at certain times of the day then set scheduled tasks to remove the users read permission at (say) 09:00 and restore it at (say) 15:00
    How do you do that!?

  7. #7
    box_l's Avatar
    Join Date
    May 2007
    Location
    Herefordshire
    Posts
    427
    Thank Post
    68
    Thanked 90 Times in 75 Posts
    Rep Power
    61
    Would it not be better if there was no way out of the network other than the proxy?
    That way, even if they ran firefox, they would still have to use your proxy, and therefore be filtered/blocked the way you want.
    Default gateway aet in DHCP and so on.

    BoX

  8. #8

    Join Date
    Aug 2005
    Location
    London
    Posts
    3,154
    Thank Post
    114
    Thanked 527 Times in 450 Posts
    Blog Entries
    2
    Rep Power
    123
    Quote Originally Posted by Gatt View Post
    How do you do that!?
    In a machine startup script:

    Code:
    if exist %windir%\ff_allow.cmd goto got_allow
    echo cacls "c:\program files\mozilla firefox\firefox.exe" /e /g users:r > %windir%\ff_allow.cmd
    at 15:00 /every:m,t,w,th,f %windir%\ff_allow.cmd
    
    :got_allow
    if exist %windir%\ff_deny.cmd goto end
    echo cacls "c:\program files\mozilla firefox\firefox.exe" /e /r users: > %windir%\ff_deny.cmd
    at 09:00 /every:m,t,w,th,f %windir%\ff_deny.cmd
    
    :end
    first chunk checks to see if the "allow" script exists; if not, it creates the script and schedules it at 15:00

    second chunk checks for the "deny" script; if not, it creates it and schedules it for 09:00

    It's not perfect - if the machine is switched off at 09:00 or 15:00 then it won't run. You could have a more complex script to run every time the machine starts up and checks the time and sets permission appropriately or you could just have a script which runs every 5 minutes and checks the time and sets perms.

  9. #9
    link470's Avatar
    Join Date
    Nov 2007
    Location
    Canada
    Posts
    250
    Thank Post
    85
    Thanked 8 Times in 6 Posts
    Rep Power
    15
    Quote Originally Posted by PJack View Post
    they can double-click and run the setup which does not pick up any proxy and off to Facebook they go.
    Wait, they can run the Setup file for Firefox? Or the Firefox executable itself? If they can run the Setup and successfully install it, that may be another issue. I like to start at most secure, rather than most convenient when doing Software Restrictions. I start at everything restricted, and then only allow locations like Program Files to allow executables to be ran. I then just have to make sure that none of the places I allow to run executables allow users to write, because then they can place an exe of their choice into the folder that has execute permissions and run whatever they like. rvdmast covered this 4 posts up.

  10. #10
    James2k's Avatar
    Join Date
    Jan 2008
    Location
    New Malden
    Posts
    59
    Thank Post
    1
    Thanked 3 Times in 3 Posts
    Rep Power
    14
    If you use sophos enterprise console you can stop firefox loading from anywhere.

    Just have a look at the application control.

SHARE:
+ Post New Thread

Similar Threads

  1. Stop Students compressing their Home area.
    By maniac in forum How do you do....it?
    Replies: 8
    Last Post: 14th July 2009, 09:32 AM
  2. Stop explorer opening up lots of windows
    By dezt in forum How do you do....it?
    Replies: 3
    Last Post: 22nd May 2008, 02:05 PM
  3. Stop students form deleting their signatures.
    By FN-GM in forum Educational Software
    Replies: 32
    Last Post: 17th March 2008, 07:59 AM
  4. Replies: 14
    Last Post: 11th March 2008, 01:54 PM
  5. Stop students stealing mice
    By adamyoung in forum How do you do....it?
    Replies: 70
    Last Post: 21st February 2006, 08:49 PM

Thread Information

Users Browsing this Thread

There are currently 1 users browsing this thread. (0 members and 1 guests)

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •