  1. #1
    Kyle

    Stopping .exe files from being run from a USB stick

    I think this has been covered many times but I can't seem to find older posts when I search.

    Is there a way to stop kids from running exe files from the USB keys they bring into school? We don't want to ban them altogether but wondered if there is a way to stop this.

    Sorry if this has been answered before but I can't find it.

  2. #2

    Ric_

    A quick forum search using "executables" and "usb" as the keywords (make sure you check the 'all' box) turns up a few

  3. #3
    Kyle

    Not for me it don't :-(

  4. #4

    Geoff

  5. #5
    rrichmond

    Preventing students running exe, cmd and bat files from their usb drive

    Note: The following information has been taken from http://www.kenji-d.com/technet/ and modified to suit our school situation.

    To do this you need to modify the Local Security Settings.

    1. From the Start menu, go to the Run command window and enter secpol.msc
    2. In the Local Security Settings window, select Software Restriction Policies. You’ll notice in the right pane that there are no policies defined.
    3. To create a policy, select Action from the toolbar, then select Create New Policies.
    4. Once a policy is created, you’ll notice 5 new objects in the right pane.
    5. Select the Additional Rules folder, right-click and select New Path Rule.
    6. A New Path Rule window appears. Here, enter the path of the drive or folder you’d like to enforce restrictions on. After entering a path, make sure the Security level option is set to disallow.
    7. Do this on all drives you wish to prevent this type of action on. For example A:\ D:\ E:\ F:\
    8. Create a rule to prevent the user running executables in their home drive or on the desktop. (We provide students with a mapped network drive, H:\, where they can be monitored. They can run what they want from this drive.)

    a) C:\Documents and Settings\COMMON PART OF STUDENT CODE
    OR
    b) “%UserProfile%” matches C:\Documents and Settings\<User> and all subfolders under this directory.

    (Note: From: http://www.microsoft.com/technet/sec.../xpsgch06.mspx
    Using Wildcards in Path Rules

    A path rule can incorporate the "?" and "*" wildcards. The following examples show wildcards that are applied to different path rules:
    * \\DC-??\login$ matches \\DC-01\login$, \\DC-02\login$, and so on.
    * \Windows matches C:\Windows, D:\Windows, E:\Windows, and all subfolders under each directory.
    * C:\win* matches C:\winnt, C:\windows, C:\windir, and all subfolders under each directory.
    * .vbs matches any application that has this extension in Windows XP Professional.
    * C:\Application Files\*.* matches all application files in the specific subdirectory.)

    9. Once the paths are entered, the next thing to do is to set the enforcement properties. Select Software Restriction Policies and, from the right side, select Enforcement. There are two options:

    a) All software files except libraries (such as DLLs) and All Software (Best to select this).
    b) All users except local Administrators.

    It is recommended you leave it as All software files except libraries. If you select All software files instead, the thumbdrives will NOT be recognized and installed. This may be a good idea if you want to disable access to USB thumbdrives altogether.

    The second option is pretty straightforward: restrict everyone except local administrators or else you’ll be locked out too!

    10. Next we go to the Designated File Types values. Here we can specify which file extensions to restrict. This window permits you to add or delete file extensions as you need. Delete all except for: BAT, CMD, COM, EXE, REG, and VB. If there are other extensions you need to add, add them in the file extension box and click Add. An example may be for flash files?

    You have now completed the task. Test it as necessary before deploying.
    You will then need to distribute this as per your situation.

  7. #6

    SpuffMonkey

    If you've the cash - you could buy DiskNet Pro - it does this and loads of other stuff besides.

  8. #7
    mark

    To allocate specific drive letters to USB Devices use USBDLM (Drive Letter Manager)

    Do as rrichmond says only using GPMC on the site (computer group/ OU) rather than the individual machine.

    It's not sufficient to just block the root of the drive, you have to specify subfolders too.

    I'd recommend you check the other linked threads for the full lowdown.

  9. #8
    rrichmond

    Originally posted by mark:
    "It's not sufficient to just block the root of the drive, you have to specify subfolders too."

    Actually, if you do it the way I suggested, it does ANY folder on the drive in question, not just the root of the drive. I tried this out before publishing the information.

    From: http://www.microsoft.com/technet/sec.../xpsgch06.mspx

    The Path Rule

    A path rule specifies either a folder or a fully qualified path to a program. When a path rule specifies a folder, it matches any program that is contained in that folder and any programs that are contained in subfolders of that folder. Path rules support both local and UNC paths.

  11. #9
    mark

    Well that's interesting then, and contrary to what's been said on here several times, unless I read it incorrectly.

  12. #10
    rrichmond

    Yes, I noticed that. Forgot to put it in my original post though.

  13. #11


    cheers m8 just tried your answer and it works a treat - I also work in a school and the only thing I can see is that if 2 devices are connected then the rule will have to be duplicated onto that 2nd drive letter - going through GP should be easy enough to apply to different drive letters

    thanks again
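
Added example (not part of any post in this thread): a small Python model of the path-rule behaviour discussed above, covering the Disallowed drive rules from steps 5 to 8, the designated file types from step 10, the local-administrator exemption from step 9, the folder-covers-subfolders point, and the need for one rule per drive letter. `Policy`, `is_blocked` and `uncovered_drives` are hypothetical names, and the matching is a simplified reading of the rules quoted in the thread, not Windows' own implementation.

```python
import re
from dataclasses import dataclass

# Step 10's designated file types, lower-cased.
DESIGNATED_TYPES = {"bat", "cmd", "com", "exe", "reg", "vb"}

@dataclass
class Policy:
    disallowed_paths: list            # path rules set to Disallowed (steps 5-8)
    designated_types: set             # extensions the policy evaluates (step 10)
    exempt_local_admins: bool = True  # enforcement option b) in step 9

def _rule_regex(rule: str) -> re.Pattern:
    """Translate one path rule: '?' is one character, '*' is a run of characters
    inside a path component, and a folder rule also covers everything below it."""
    parts = []
    for ch in rule.rstrip("\\"):
        if ch == "?":
            parts.append(r"[^\\]")
        elif ch == "*":
            parts.append(r"[^\\]*")
        else:
            parts.append(re.escape(ch))
    return re.compile("".join(parts) + r"(\\.*)?$", re.IGNORECASE)

def is_blocked(policy: Policy, file_path: str, is_local_admin: bool = False) -> bool:
    """True if this model would refuse to run file_path under the policy."""
    if is_local_admin and policy.exempt_local_admins:
        return False
    ext = file_path.rsplit(".", 1)[-1].lower() if "." in file_path else ""
    if ext not in policy.designated_types:
        return False  # not a designated file type, so the policy ignores it
    return any(_rule_regex(r).match(file_path) for r in policy.disallowed_paths)

def uncovered_drives(policy: Policy, letters: str) -> list:
    """Drive letters with no Disallowed rule on their root (the second-stick case)."""
    probe = "\\probe." + sorted(policy.designated_types)[0]
    return [d for d in letters.upper() if not is_blocked(policy, d + ":" + probe)]

# Constructed sample policy mirroring steps 7 and 10 above.
SAMPLE = Policy(["A:\\", "D:\\", "E:\\", "F:\\"], DESIGNATED_TYPES)
```

Running `uncovered_drives(SAMPLE, "DEFG")` lists the letters a second stick could still land on, which is the gap that fixed drive-letter assignment or extra rules distributed through Group Policy is meant to close.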

  14. #12

    I have set up a software restriction policy OK to stop exes from running from USBs and a drive.
    Now I want to stop the students from running exes from their My Documents folder.
    Their folder is on the H drive.
    What is the exact path to type into the rule?

  15. #13

    I think you can use the %homeshare%%homepath% variables to specify mydocs, but I'm not sure of the syntax.

  17. #14

    Thanks rhyds. In rrichmond's post 6 above, part 8 is what I need, but I would need the syntax clarified.

  18. #15

    Thanks rrichmond, that works a treat. No more Firefox Portable here.
