  1. #1

    GPO to Block Specific executables

    Morning all,

    We've got a staff member who has managed to install Firefox on one of our locked down workstations. I wiped it off once, but just 10-15 minutes later, it was back. We use Ranger so it should be blocking its installation, but after a look through his USB stick via RRC, I noticed two files which look like LanSchool disable scripts (seems to kill "teacher.exe"?). My colleague said they could be normal files used by LanSchool, but I'm a bit of a security freak. We don't use LanSchool, but this staffer may have come from a school that was using it, and I'm concerned he may have Ranger disable scripts somewhere if he feels restricted by Ranger (we have workstations pretty well locked down).

    This is a bit of a security issue for obvious reasons; that, and the staffer isn't following policy by filling out a change request and getting it cleared by my boss for its installation. The PC is on a VLAN that has no direct access to the internet but has ISA's Firewall Client installed, so would not having the proxy option set, but querying ISA directly using the firewall client, get around the filtering WebMarshal does?

    Finally, is there a blacklist for specific executables in Group Policy anywhere? There are all manner of programs installed on all of our workstations so want to avoid a whitelist-only approach if it's possible.

    Thanks in advance.

  2. #2

    3s-gtech

    You should be able to block the files using Group Policy, both with a hash rule and a path rule. I have .exe banned from USB drive letters (we use USBDLM to keep these consistent); you should also be able to block this file extension. Also, I have a Group Policy which sets the permissions on the C: and C:\Program Files directories to stop staff from installing software here, but doesn't stop software from working correctly.

  3. #3

    ZeroHour

    Firstly, what OS is the client? XP?
    You want to take a look at AppLocker (W7) and SRP.
    SRP is XP+ (works on W7 too) and sounds like the ideal thing for you. You can specify UNC paths where exes are allowed to run from, for example, and put X/Z/F: *Disallowed* rules to block stick programs, for example.
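
Added example, not part of any post in this thread: the deny-list approach asked about in #1, written as an AppLocker policy that blocks executables on USB storage and is checked in audit mode before enforcement. The drive letter E:, the rule names and the output file name are assumptions.

```powershell
# Added example. Assumptions: USB stick mounted as E:, rule names, output file name.
# Once an AppLocker rule collection contains rules, anything not matched by an
# Allow rule is blocked, so a deny-list needs an explicit allow-everything rule.
# Deny rules take precedence over Allow rules.
$everyone = 'S-1-1-0'   # well-known SID for Everyone
$policyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
    <FilePathRule Id="$([guid]::NewGuid())" Name="Allow all EXE (deny-list baseline)"
                  Description="" UserOrGroupSid="$everyone" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="Deny EXE on USB storage"
                  Description="" UserOrGroupSid="$everyone" Action="Deny">
      <Conditions><FilePathCondition Path="%HOT%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="Deny EXE on removable media"
                  Description="" UserOrGroupSid="$everyone" Action="Deny">
      <Conditions><FilePathCondition Path="%REMOVABLE%\*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"@

$policyFile = Join-Path $env:TEMP 'exe-denylist.xml'
Set-Content -Path $policyFile -Value $policyXml -Encoding UTF8

Import-Module AppLocker

# Dry run: report how the policy would treat every .exe found on the stick.
$exes = @(Get-ChildItem -Path 'E:\' -Recurse -Filter *.exe -ErrorAction SilentlyContinue |
          Select-Object -ExpandProperty FullName)
if ($exes.Count -gt 0) {
    Test-AppLockerPolicy -XmlPolicy $policyFile -Path $exes -User Everyone |
        Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize
} else {
    Write-Warning 'No .exe files found under E:\ to evaluate.'
}

# Rollout: import the XML into the GPO's AppLocker node, review the audit events
# in the "Microsoft-Windows-AppLocker/EXE and DLL" log, then switch EnforcementMode
# to "Enabled". The Application Identity service (AppIDSvc) must be running on clients.
```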
