Windows Thread: MMC has me hornswoggled, have mercy on my poor brain (in Technical)
6th July 2011, 04:39 PM #1
MMC has me hornswoggled, have mercy on my poor brain
We use MMC to lock down various aspects of our XP desktops - I'm hitting a wall with 'Software Restrictions' however.
Students have figured out that if they download a fresh copy of Firefox to their desktop and select 'direct connection - no proxy' they can get around the firewall. Setting my proxy (pfSense) to transparent mode tamped down the problem but caused some other issues such as the inability to block secure sites. [what this means in real life is that students can get to https://www.facebook.com even if the domain is blocked].
So I need to prevent unauthorized executable files from running, possibly by means of a Software Restriction path rule in MMC. What I want to tell MMC is 'only allow a program to run if it is located in C:\Program Files\' or failing that 'don't let a program run if it is located in the user profile'.
What is the path rule syntax I need to do this? So far I've only succeeded in blocking all programs from running.
Also, we're using roaming profiles on a Samba server in case that makes any difference.
Thanks in advance folks!!
6th July 2011, 04:40 PM #2
Do you mean MMC or Group Policy GP?
6th July 2011, 05:09 PM #3
I'm using the Group Policy Object editor in MMC.
6th July 2011, 06:29 PM #4
My router/gateway can't see the internet. So when people try to get around our filtering proxy, they actually get no internet.
In terms of Software Restriction policies, you need to know where ALL the software you have runs from, BEFORE you implement it. I do mine with a completely separate GPO, in case I need to disable it.
I have it set to block everything, except all the allowed areas:
g:\ [where I store some network applications]
\\domain\netlogon [where the logon.cmd is located]
There are others, but not that I can think of off the top of my head.
6th July 2011, 08:25 PM #5
I think I got it - allowed all from Program Files, plus a few explicit rules to allow desktop shortcuts in \Documents and Settings\All Users.
That way when kids download Firefox to their desktop, no cake.
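The two designs discussed in this thread (default Disallowed with allowed folders, versus default Unrestricted with the profile tree blocked) can be compared with a small model of path-rule evaluation. This is an added example, not code from any poster or from Microsoft; it is simplified to plain folder rules where the most specific match wins (no wildcards, environment variables, hash or certificate rules), and the `C:` drive letter, the `C:\WINDOWS` rule, the `student1` profile and the `E:\` path are assumptions.

```python
import ntpath

DISALLOWED, UNRESTRICTED = "Disallowed", "Unrestricted"

def _norm(path):
    # Path rules are compared case-insensitively; drop any trailing backslash.
    return ntpath.normcase(ntpath.normpath(path)).rstrip("\\")

def evaluate(path, default_level, rules):
    """Level applied to `path`: the most specific (longest) matching folder
    rule wins; if no rule matches, the default security level applies."""
    target, best_len, level = _norm(path), -1, default_level
    for folder, rule_level in rules:
        prefix = _norm(folder)
        inside = target == prefix or target.startswith(prefix + "\\")
        if inside and len(prefix) > best_len:
            best_len, level = len(prefix), rule_level
    return level

# Design 1 (posts #4 and #5): default Disallowed plus allowed locations.
ALLOWLIST = (DISALLOWED, [
    (r"C:\Program Files", UNRESTRICTED),
    (r"C:\WINDOWS", UNRESTRICTED),  # assumption: the OS directory must be allowed
    (r"C:\Documents and Settings\All Users\Desktop", UNRESTRICTED),
    ("G:\\", UNRESTRICTED),
    (r"\\domain\netlogon", UNRESTRICTED),
])
# Design 2 (the fallback in post #1): default Unrestricted, profiles blocked.
BLOCKLIST = (UNRESTRICTED, [
    (r"C:\Documents and Settings", DISALLOWED),
    (r"C:\Documents and Settings\All Users\Desktop", UNRESTRICTED),
])

# Constructed sample paths; "student1" and the E:\ location are hypothetical.
SAMPLES = [
    r"C:\Program Files\Mozilla Firefox\firefox.exe",
    r"C:\Documents and Settings\student1\Desktop\firefox.exe",
    r"C:\Documents and Settings\All Users\Desktop\Word.lnk",
    r"\\domain\netlogon\logon.cmd",
    r"E:\tools\app.exe",  # a location that neither rule set mentions
]

def compare(samples=SAMPLES):
    # Map each path to (level under the allowlist, level under the blocklist).
    return {p: (evaluate(p, *ALLOWLIST), evaluate(p, *BLOCKLIST)) for p in samples}

if __name__ == "__main__":
    for path, (allow, block) in compare().items():
        print(f"{path:58} allowlist={allow:13} blocklist={block}")
```

Both designs block the copy on the student's desktop, but only the default-Disallowed design also covers locations that no rule names.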