+ Post New Thread
Results 1 to 9 of 9
Windows Thread, I want to allow a specific program to run from USB in Technical; Hi I have a "Prevent removable media source for any install" in place to prevent users from running executables from ...
  1. #1
    kennysarmy's Avatar
    Join Date
    Oct 2005
    Location
    UK
    Posts
    1,285
    Thank Post
    80
    Thanked 45 Times in 31 Posts
    Rep Power
    30

    I want to allow a specific program to run from USB

    Hi I have a "Prevent removable media source for any install" in place to prevent users from running executables from cd-roms, memory sticks and the like.

    I wish to trial some 4GB USB 2.0 Hi-Speed DataTraveler Locker w/Encryption sticks but they look like they rely on the software running as an executable from the stick itself - which of course will get denied.

    Is there a way to right a policy which will ALLOW just that ONE particular exe to run?

    Cheers.

  2. #2

    Join Date
    Sep 2006
    Posts
    38
    Thank Post
    1
    Thanked 8 Times in 6 Posts
    Rep Power
    17
    You can create a software restriction policy in your GPO. then disallow e:\*.* f:\*.* g:\*.* then allow e:\autorun.exe or whatever you need

  3. Thanks to Dageezah from:

    kennysarmy (7th December 2010)

  4. #3
    kennysarmy's Avatar
    Join Date
    Oct 2005
    Location
    UK
    Posts
    1,285
    Thank Post
    80
    Thanked 45 Times in 31 Posts
    Rep Power
    30
    Thanks....

  5. #4

    ZeroHour's Avatar
    Join Date
    Dec 2005
    Location
    Edinburgh, Scotland
    Posts
    5,630
    Thank Post
    890
    Thanked 1,313 Times in 798 Posts
    Blog Entries
    1
    Rep Power
    441
    Also with that you can create a signature of a file to authorise which means it has to be the correct program regardless of file name.

  6. #5

    Join Date
    Jun 2010
    Posts
    198
    Thank Post
    9
    Thanked 25 Times in 24 Posts
    Rep Power
    21
    Quote Originally Posted by Dageezah View Post
    You can create a software restriction policy in your GPO. then disallow e:\*.* f:\*.* g:\*.* then allow e:\autorun.exe or whatever you need
    I did this using the hash file signature of Truecrypt portable although the exe was allowed to run I still hit the problem that the user needed admin rights to install the Truecrypt driver file.

    I need some way to install the driver via a script to all my workstations prior to the user inserting their USB stick with Truecrypt portable.

    Kili

  7. #6
    chazzy2501's Avatar
    Join Date
    Jan 2008
    Location
    South West
    Posts
    1,774
    Thank Post
    212
    Thanked 263 Times in 213 Posts
    Rep Power
    67
    Am I right in thinking that you could use the software restriction policy to deny all exes on the usb drive (stopping all unwanted programs inc viruses) but then put a hash of the particular exe as an allow. The hash being more specific will override the general deny all.

    the hash process is easy btw, whilst in gpedit just point to the exe and bam (over simplified). if you want the autorun to work you will have to specify that as well but it may leave you vunerable to viruses.

  8. #7

    Join Date
    Jun 2010
    Posts
    198
    Thank Post
    9
    Thanked 25 Times in 24 Posts
    Rep Power
    21
    Quote Originally Posted by chazzy2501 View Post
    Am I right in thinking that you could use the software restriction policy to deny all exes on the usb drive (stopping all unwanted programs inc viruses) but then put a hash of the particular exe as an allow. The hash being more specific will override the general deny all.

    the hash process is easy btw, whilst in gpedit just point to the exe and bam (over simplified). if you want the autorun to work you will have to specify that as well but it may leave you vunerable to viruses.
    Yes your right that's how it all works.

    I don't see an autorun.inf file for Truecrypt traveller in the program files which is what where using but yes your also right we don't want autorun.inf available either

  9. #8

    ZeroHour's Avatar
    Join Date
    Dec 2005
    Location
    Edinburgh, Scotland
    Posts
    5,630
    Thank Post
    890
    Thanked 1,313 Times in 798 Posts
    Blog Entries
    1
    Rep Power
    441
    Quote Originally Posted by chazzy2501 View Post
    Am I right in thinking that you could use the software restriction policy to deny all exes on the usb drive (stopping all unwanted programs inc viruses) but then put a hash of the particular exe as an allow. The hash being more specific will override the general deny all.

    the hash process is easy btw, whilst in gpedit just point to the exe and bam (over simplified). if you want the autorun to work you will have to specify that as well but it may leave you vunerable to viruses.
    Yeh you just tell the hash to be an allow (as you can hash denies too)

  10. #9

    Join Date
    Jun 2010
    Posts
    198
    Thank Post
    9
    Thanked 25 Times in 24 Posts
    Rep Power
    21
    Ah I see the autorun.inf file in the root of the usb stick. We have autorun blocked so no joy in that direction

SHARE:
+ Post New Thread

Similar Threads

  1. SIMS a better way to run the program?
    By chazzy2501 in forum Windows
    Replies: 4
    Last Post: 5th July 2010, 10:57 AM
  2. Run program as non-administrator
    By ronanian in forum Windows Server 2008
    Replies: 4
    Last Post: 29th March 2010, 05:56 PM
  3. Program keeps trying to run MSI installer
    By Skinny in forum Educational Software
    Replies: 1
    Last Post: 18th February 2010, 10:58 AM
  4. Run script if specific hardware present
    By djones in forum Scripts
    Replies: 7
    Last Post: 14th March 2008, 03:50 PM
  5. Replies: 4
    Last Post: 15th December 2006, 12:14 PM

Thread Information

Users Browsing this Thread

There are currently 1 users browsing this thread. (0 members and 1 guests)

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •