+ Post New Thread
Results 1 to 5 of 5
Windows Thread, MMC has me hornswoggled, have mercy on my poor brain in Technical; We use MMC to lock down various aspects of our XP desktops - I'm hitting a wall with 'Software Restrictions' ...
  1. #1

    Join Date
    Jul 2010
    Location
    South Hadley, Massachusetts, USA
    Posts
    46
    Thank Post
    4
    Thanked 1 Time in 1 Post
    Rep Power
    0

    MMC has me hornswoggled, have mercy on my poor brain

    We use MMC to lock down various aspects of our XP desktops - I'm hitting a wall with 'Software Restrictions' however.

    <backstory>
    Students have figured out that if they download a fresh copy of Firefox to their desktop and select 'direct connection - no proxy' they can get around the firewall. Setting my proxy (pfSense) to transparent mode tamped down the problem but caused some other issues such as the inability to block secure sites. [what this means in real life is that students can get to https://www.facebook.com even if the domain is blocked].
    </backstory>

    So I need to prevent unauthorized executable files from running, possibly by means of a Software Restriction path rule in MMC. What I want to tell MMC is 'only allow a program to run if it is located in C:\Program Files\' or failing that 'don't let a program run if it is located in the user profile'.

    What is the path rule syntax I need to do this? So far I've only succeeded in blocking all programs from running.

    Also, we're using roaming profiles on a Samba server in case that makes any difference.

    thanks in advance folks!!

  2. #2
    jamesreedersmith's Avatar
    Join Date
    Sep 2009
    Location
    Ruskington
    Posts
    1,178
    Thank Post
    80
    Thanked 261 Times in 233 Posts
    Rep Power
    78
    Do you mean MMC or Group Policy GP?

  3. #3

    Join Date
    Jul 2010
    Location
    South Hadley, Massachusetts, USA
    Posts
    46
    Thank Post
    4
    Thanked 1 Time in 1 Post
    Rep Power
    0
    I'm using the Group Policy Object editor in MMC.

  4. #4
    User3204's Avatar
    Join Date
    Aug 2006
    Location
    Wirral
    Posts
    769
    Thank Post
    55
    Thanked 66 Times in 62 Posts
    Rep Power
    34
    My router/gateway can't see the internet. So when people try to get around our filtering proxy, they actually get no internet.

    In terms of Software Restriction policies, you need to know where ALL the software you have runs from, BEFORE you implement it. I do mine with a completely separate GPO, for in case I need to disable it.

    I have it set to block everything, except all the allowed areas:
    c:\program files\*\*
    c:\windows\
    g:\ [where I store some network applications]
    \\domain\netlogon [where the logon.cmd is located]

    There's others, but not that I can think of off the top of my head.

  5. #5

    Join Date
    Jul 2010
    Location
    South Hadley, Massachusetts, USA
    Posts
    46
    Thank Post
    4
    Thanked 1 Time in 1 Post
    Rep Power
    0
    I think I got it - allowed all from Program Files, plus a few explicit rules to allow desktop shortcuts in \Documents and Settings\All Users.

    That way when kids download Firefox to their desktop, no cake.

SHARE:
+ Post New Thread

Similar Threads

  1. Change Password MMC
    By Hightower in forum Windows
    Replies: 5
    Last Post: 17th February 2011, 09:11 AM
  2. mmc and computer management
    By kevin_lane in forum Windows
    Replies: 7
    Last Post: 20th June 2009, 01:25 PM
  3. MMC errors.
    By boomam in forum Wireless Networks
    Replies: 6
    Last Post: 3rd October 2008, 02:40 PM
  4. Restricting MMC.
    By boomam in forum Windows
    Replies: 29
    Last Post: 10th January 2008, 07:30 PM
  5. Using the R2 mmc features on a XP pc
    By Kyle in forum Windows
    Replies: 6
    Last Post: 23rd November 2006, 08:38 PM

Thread Information

Users Browsing this Thread

There are currently 1 users browsing this thread. (0 members and 1 guests)

Tags for this Thread

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •