Printable View
We have setup software access policys so that they disallow .exe being run from D:,E:,F:, and from desktops.
We have allowed unrestricted access to the shared area.
This all works fine. The Z:\ which is mapped to the user home dir doesn't work.
I 've set Z: so that it is disallowed, I can still run exe file from this drive.
All other drives are mapped with login scripts.
what going wrong?????
I think the best way to do software restriction is on a 'white list' basis. Rather than trying to deny execution from certain paths, do a flat 'deny' from everywhere and then open up specific paths (eg C:\Program Files, C:\Windows etc).
If you really must blacklist, blacklist the UNC of the shared drive rather than the drive letter.
But ajbritton is right, it is much more logical to block everything and allow a specific set of programs through.
Agreed, set your SRP to DISALLOWED by default, then open up the programs you want via either PATH or HASH rules.
Hash rules are a better choice, as it prevents kids from renaming the files to an allowed filename so they can run them.
We have it now to block all.
I'm then adding in paths rules to allow the shared area and the multimedia drive.
When i login as test the software policy is stopping the login script setup the P: and Y: drives.
The rules i set for these 2 drives are using drive letters. Should i be using the unc path to the shared folder?
Yes
Just a thought here but i believe drive Z is used in the system for something when it comes to batch / command scripts etc....
Sorry i cant be that clear, but all I can remember is that I was trying to do something using drive Z and when I used a different drive letter, it worked.
Maybe this is why you had:
Nath.Quote:
've set Z: so that it is disallowed, I can still run exe file from this drive.
We have z: as our home drives wiht no problems.
Odd...
well whatever it was, I remember we discussed it on here lol
Nath.
I set removable drives to start at Z: and go backwards, perhaps that's what you were thinking of tarquel?
thanks guys for your help.
I've just got it to work.
I'm not using disallow all.
To get the home shares drive Z; to work i had to add
Z:\%username% disallow