BAT & VBS
How do you prevent users from executing BAT files from shared network drives? At the moment none of them can execute the cmd.exe or .bat files from their own user area.
Currently under User configuration --> software restrictions we have %HOMESHARE%\*.bat, which does the trick.
But how exactly would I implement this for the shared network drives?
I thought P:\*.bat would do it but it doesn't. I thought I was then being clever by simply putting *.bat and this literally blocked everything from working, i.e. logon scripts, so I had to undo that.
Please can you help?
Unfortunately I don't have the answer but if anyone does I would be eternally grateful!!
If you have Windows Server 2003 R2 or later you could use File Server Resource Manager to create a File Screen which bans them from creating batch files on the network shares you want.
If it's that you don't want them executing *.bat files that are already created, tag them as hidden files.
Not sure if that's what you wanted, but hope it helps.
%SystemRoot%\System32\cmd.exe in software restrictions stops any bat file from any location. We set this in our pupil GPO so all pupils cannot run bat files.
I have had to put a load of path rules into GPO. So for this example h = home drive
You get the idea: put in as many layers as the staff and kids are using.
Don't forget command.com too!
I've figured it out.
In order to block BAT files from network drives, you have to put in the UNC path in the software restriction policy.
Rather than P:\*.bat
It'd be \\servername\sharename\*.bat
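The drive-letter-to-UNC translation described above can be scripted so that every mapped share gets a matching path rule string. This is an added example, not code from any poster in the thread; the function name `Get-UncPathRule` and its parameters are hypothetical, and it assumes it runs in a session where the network drives are mapped.

```powershell
# Added example (not from the thread). Function name and defaults are hypothetical.
function Get-UncPathRule {
    param(
        # Extensions to cover; the thread only discusses .bat
        [string[]]$Extension = @('bat'),
        # Optional: restrict output to specific drive letters, e.g. 'P:'
        [string[]]$DriveLetter
    )

    # DriveType 4 = network drive; ProviderName holds the UNC target of the mapping
    $drives = Get-CimInstance -ClassName Win32_LogicalDisk -Filter 'DriveType=4'

    foreach ($d in $drives) {
        if ($DriveLetter -and ($DriveLetter -notcontains $d.DeviceID)) { continue }

        # A mapping without a recorded UNC target cannot be turned into a rule
        if ([string]::IsNullOrWhiteSpace($d.ProviderName)) {
            Write-Warning "$($d.DeviceID) has no UNC target recorded; skipping"
            continue
        }

        $unc = $d.ProviderName.TrimEnd('\')
        foreach ($ext in $Extension) {
            [pscustomobject]@{
                Drive    = $d.DeviceID
                # Same form as the rule in the post: \\servername\sharename\*.bat
                PathRule = '{0}\*.{1}' -f $unc, $ext.TrimStart('.')
            }
        }
    }
}

# List the rule string for the P: mapping; omit -DriveLetter to cover all mapped drives
Get-UncPathRule -DriveLetter 'P:' | Format-Table -AutoSize
```

The `PathRule` values are the strings to enter as disallowed path rules in the software restriction policy.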
I use McAfee's Virus Scan with EPO server. Set up some user-defined rules and not only does it stop them, it also handily logs everything to a central location so I can see who has been trying to do things.