problem with software access policy

[goodhead]

We have setup software access policys so that they disallow .exe being run from D:,E:,F:, and from desktops.

We have allowed unrestricted access to the shared area.

This all works fine. The Z:\ which is mapped to the user home dir doesn't work.

I 've set Z: so that it is disallowed, I can still run exe file from this drive.

All other drives are mapped with login scripts.

what going wrong?????

[ajbritton]

I think the best way to do software restriction is on a 'white list' basis. Rather than trying to deny execution from certain paths, do a flat 'deny' from everywhere and then open up specific paths (eg C:\Program Files, C:\Windows etc).

[Norphy]

If you really must blacklist, blacklist the UNC of the shared drive rather than the drive letter.

But ajbritton is right, it is much more logical to block everything and allow a specific set of programs through.

[Gatt]

Agreed, set your SRP to DISALLOWED by default, then open up the programs you want via either PATH or HASH rules.

Hash rules are a better choice, as it prevents kids from renaming the files to an allowed filename so they can run them.

[goodhead]

We have it now to block all.
I'm then adding in paths rules to allow the shared area and the multimedia drive.

When i login as test the software policy is stopping the login script setup the P: and Y: drives.

The rules i set for these 2 drives are using drive letters. Should i be using the unc path to the shared folder?

[Norphy]

Yes

[tarquel]

Just a thought here but i believe drive Z is used in the system for something when it comes to batch / command scripts etc....

Sorry i cant be that clear, but all I can remember is that I was trying to do something using drive Z and when I used a different drive letter, it worked.

Maybe this is why you had:

've set Z: so that it is disallowed, I can still run exe file from this drive.

Nath.

[ChrisH]

We have z: as our home drives wiht no problems.

[tarquel]

Odd...

well whatever it was, I remember we discussed it on here lol

Nath.

[Geoff]

I set removable drives to start at Z: and go backwards, perhaps that's what you were thinking of tarquel?

[goodhead]

thanks guys for your help.
I've just got it to work.

I'm not using disallow all.
To get the home shares drive Z; to work i had to add
Z:\%username% disallow