hawc (14th July 2013)
I have done several searches going on for the last hour, and I have not been able to find a definite answer; maybe I have, and I just missed it. I am at work also, so I have been getting interrupted with quick issues/questions. Anyways, back to the question at hand.
I would like this to be done through GP, if possible.
Have a drive associated with a USB key. So every time Billy plugs his USB key in, it is always going to be a T: drive mapping.
Secondly, I would like to block ALL exe files from being run from that drive letter.
Can someone please help? I have searched, and searched and searched some more, for answers and was unsuccessful.
You could use the software restriction policy in GPO to block exe files on drive T: but you cannot associate a drive letter via GPO.
I use usbdlm to manage what drive letter is associated to removable devices.
djm968 wrote "You could use the software restriction policy in GPO to block exe files on drive T: ."
How, mate? You little dancer, if I can get this sorted (having already managed to map all USB pens to B: with usbdlm) I'll be home and dry.
@Gambit usbdlm is a doddle to use and works brilliantly, google it, and hopefully djm968 will fill in the rest of the gaps around the GPO bit.
In the Machine Policy set the file types you want restricted (just enable software restrictions + add any if you like) and on the User Policy set the drive letter in Software restrictions > Additional Rules - you have to specify the drive letter - paths don't work.
I was just about to say.... Cheers Mark
Thanks for all the help guys...
I have finally got this set up and working as it should... Although I have noticed one issue that I can't figure out how to fix. I have googled it but no luck in finding any solutions. Here's the issue:
Currently when a student tries to run an .exe file from the root of his/her USB drive it comes up with an error *good sign* but if they open a sub folder they can run .exe files without any issues *bad sign*. How do I deny all sub folders from running .exe files, just like what was done to the root??? Is this possible?
There is a way of doing it I think, I am sure I have read it on here somewhere when we were looking into it. I think if you search you'll find it. It may be to do with the file path in the software restriction policy. I guess you have blocked *.exe? Well, I imagine you need to block file structures further down. So I guess it's defining the path in the restriction policy, but to be honest someone else will have to help you with that as I am not sure how to get it right.
TBH, I think you're doing it backwards. By the sounds of it, you have it set up to "allow all except"
It is much more effective to set it up to "deny all except". This means that only programs in predefined areas would be allowed, thereby automatically denying anything stored in (say) personal areas, removable drives, CDs and shared areas.
By default, when you set up a deny SRP it allows everything in the Program Files and Windows folders to be run. You'd also need to allow %allusersprofile%, any shared application path you have (using the UNC, not the drive letter) and the NETLOGON share of your domain. There is a post on here which details the SRP we use at my place, I'll search it out.
Have a look at this post
Can this be installed through GPO in any way? "I use usbdlm to manage what drive letter is associated to removable devices"
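To check which of the two modes discussed above ("allow all except" or "deny all except") a workstation actually received, the script below reads the SRP settings back from the registry. It is an added example, not something posted in this thread, and it assumes the policy was delivered by GPO and is stored under the standard `Safer\CodeIdentifiers` policy key; it only reads and changes nothing.

```powershell
# Added example: read-only audit of Software Restriction Policy (SRP) settings.
# Assumption: the policy sits under the standard Safer\CodeIdentifiers policy
# key in the machine and/or user hive (the thread uses both policy halves).
$hives = @{
    Machine = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
    User    = 'HKCU:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
}
# Subkeys named after the security level hold the path rules for that level.
$levels = @{ '0' = 'Disallowed'; '262144' = 'Unrestricted' }

foreach ($scope in $hives.Keys) {
    $base = $hives[$scope]
    if (-not (Test-Path $base)) {
        Write-Output "[$scope] no SRP configured"
        continue
    }

    $policy  = Get-ItemProperty -Path $base
    $default = $policy.DefaultLevel
    if ($null -eq $default) {
        $mode = 'not set in this hive'
    } elseif ($default -eq 0) {
        $mode = 'Disallowed (deny all except)'
    } elseif ($default -eq 262144) {
        $mode = 'Unrestricted (allow all except)'
    } else {
        $mode = "other level ($default)"
    }
    Write-Output "[$scope] default security level: $mode"
    if ($policy.ExecutableTypes) {
        Write-Output "[$scope] designated file types: $($policy.ExecutableTypes -join ', ')"
    }

    # List every path rule with the level it enforces.
    foreach ($level in $levels.Keys) {
        $pathsKey = Join-Path $base "$level\Paths"
        if (-not (Test-Path $pathsKey)) { continue }
        Get-ChildItem -Path $pathsKey | ForEach-Object {
            $rule = Get-ItemProperty -Path $_.PSPath
            [pscustomobject]@{
                Scope = $scope
                Level = $levels[$level]
                Path  = $rule.ItemData
            }
        }
    }
}
```

With a "deny all except" policy the default level reads Disallowed and the path rules listed are the Unrestricted exceptions, so a removable drive letter should not appear among them.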
I'd like to know how it can be done if possible or if anyone had installed this domain wide.
Something I need to do too. The folder needs to be copied over to the %Program Files% folder and the batch file run from that folder to install and start the service - shouldn't be too hard.
Keep me informed please, Mark.
Have a look at this post now