Interesting, there are several threads on here documenting that flaw and I observed it as well. Are you using a whitelist rather than a blacklist, so all exes are banned everywhere except where you specify, or allowing them everywhere except where you specify they're banned?
All I'm doing is using the software restriction policy and in the path typing something like E:\*.exe. I did the same for other extensions such as dll, bat, msi, etc.
Don't forget to select "disallowed"
Ah, XP clients? I still get the issue here: it's banned in the top three folders of the path; any deeper and I can run an exe.
Actually I have about 400 XP SP2 clients and the rest Win Vista. Started deploying Win 7 recently for a total of about 10 Win 7. It works in all of them. If you have any other questions, let me know. Happy to help. I know how it feels!
As you can see by my user name, I am a kid. You all are pretty good coders, yet my friend has a .bat file which can still operate with these scripts in place and with the settings applied.
We have got a number of netbooks for the kids starting in September, some running XP Home and some running Windows 7 Starter. The netbooks will be standalone and won't be on the domain; the kids will log on with a standard (restricted) account. Is there any way to stop the kids from running exe, bat, swf etc. from USB and the home folders? I have seen the various methods using GPO but the home versions don't have GPO support. I am at present running Cyber-D's Autodelete on logon, which removes exes etc. from the home folder.
IME the GPO methods don't fully work anyway. It would require a third-party paid-for solution.
I've had a few suggestions for Sophos, but it can only be made to scan additional filetypes for viruses. It won't block filetypes outright.
Even Faronics don't have a product that can do this. I asked them at BETT last year.
This should be really simple. Just deny access to files matching U:\*.swf with subfolders. How hard can that be?
I've added a file screening policy to the Server 2008 file server, to block .swf and executables, which at least keeps them off the server and irritates the pupils.
I use Sophos and Ranger on the network, which seems to work more or less. It's the standalone netbooks I have the problems with; they have no GPO support and standalone Sophos, which does not run policies. It looks like I am just going to have to use the auto-delete, which deletes from the home drive / desktop etc., not memory sticks unless they have them plugged in at logon, but does not stop them running them.
Will keep looking.
Big thanks for this, I've just implemented it for the first time and it's working great.
All I did was
- User configuration >> Windows Settings >> Security Settings >> Software restriction policies (right click >> New software restriction policy)
- Under Additional rules (right click >> New path rule) Add
U:\ (this is our mapped my documents drive)
And that's it :)
You can of course use FSRM to do the job on the servers (useful as it will then e-mail you to tell you who is attempting to do what).
Apart from that, another vote here for using USBDLM and Windows Group Policy.
How do you do this on 2008 R2?
Not read whole thread, but you can use Group Policy software restriction policies to prevent certain file types such as .exe from running. As well as this you can set up FSRM on the file server to prevent these file types from being saved on the network.
Originally Posted by rsim8123
Here's a bit of a guide I quickly found from Google that might help with setup:
The Basics of Windows Server 2008 FSRM (File Server Resource Manager) - Jose Barreto's Blog - Site Home - TechNet Blogs
Using Software Restriction Policies to Protect Against Unauthorized Software
I also use FSRM to prevent them saving executables and .swf files to the share. It's another deterrent for them and reduces storage space waste. If you use DFS, like I do, then you also have to set identical policies on each server that hosts the share.
I've found another loophole the darlings are exploiting. They can embed .swf files in Office documents. Does anyone know of a way to stop this?
As this is still one of the top Google returns on this question, I thought I'd post the information I found most helpful on this issue.
Using the information from the TechNet article below I had success.
Chapter 6: Software Restriction Policy for Windows XP Clients
A mistake I was making was typing in the file path and specifying the type of files.
So, f:\*.exe simply blocked exe files from running in the root of the F drive.
What I needed to do was to block exe files from running on the F drive completely, no matter what level of folder they were in.
So, f:\ would achieve this, but it wasn't blocking anything.
For that, I actually had to read the instructions properly, and take note of the sections titled "DLL checking", "Skip administrators" and "Defining executables". These sections are within "The File path rule".
After doing that it worked.
I'm also going to look at a couple of other possibilities that may assist people, but more when I know I've achieved what I want.
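For anyone checking what a client actually received, here is a read-only audit of the three settings named in the post above and of every path rule, as an added example that is not part of the original thread. It assumes PowerShell 3 or later and that the policy is stored under the standard `Safer\CodeIdentifiers` policy keys (machine and user); the function names are made up for this example.

```powershell
# Added example (not from the thread): read-only audit of SRP on one client.
# Assumption: policy lives under the standard Safer\CodeIdentifiers keys.
$SrpRoots = 'HKLM:', 'HKCU:' | ForEach-Object {
    "$_\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers"
}
$Levels      = @{ 0 = 'Disallowed'; 131072 = 'Basic User'; 262144 = 'Unrestricted' }
$Enforcement = @{ 0 = 'Not enforced'; 1 = 'All files except DLLs'; 2 = 'All files including DLLs' }
$Scope       = @{ 0 = 'All users'; 1 = 'All users except local administrators' }

# Map a DWORD to its label; a missing value is reported, not guessed.
function Resolve-SrpValue($Map, $Value) {
    if ($null -eq $Value) { return '(not set)' }
    if ($Map.ContainsKey([int]$Value)) { return $Map[[int]$Value] }
    return "$Value"
}

# "DLL checking", "Skip administrators" and "Defining executables".
function Get-SrpSettings {
    foreach ($root in $SrpRoots | Where-Object { Test-Path $_ }) {
        $cfg = Get-ItemProperty -Path $root
        [pscustomobject]@{
            Root            = $root
            DefaultLevel    = Resolve-SrpValue $Levels $cfg.DefaultLevel
            DllChecking     = Resolve-SrpValue $Enforcement $cfg.TransparentEnabled
            AppliesTo       = Resolve-SrpValue $Scope $cfg.PolicyScope
            ExecutableTypes = ($cfg.ExecutableTypes -join ',')
        }
    }
}

# Path rules sit under <level>\Paths\{GUID}; ItemData holds the path as typed.
function Get-SrpPathRule {
    foreach ($root in $SrpRoots | Where-Object { Test-Path $_ }) {
        $levelKeys = Get-ChildItem -Path $root | Where-Object { $_.PSChildName -match '^\d+$' }
        foreach ($levelKey in $levelKeys) {
            $paths = Join-Path $levelKey.PSPath 'Paths'
            if (-not (Test-Path $paths)) { continue }
            foreach ($rule in Get-ChildItem -Path $paths) {
                $item = (Get-ItemProperty -Path $rule.PSPath).ItemData
                [pscustomobject]@{
                    Root        = $root
                    Level       = Resolve-SrpValue $Levels $levelKey.PSChildName
                    Path        = $item
                    HasWildcard = [bool]($item -match '[*?]')  # e.g. F:\*.exe vs F:\
                }
            }
        }
    }
}

Get-SrpSettings | Format-List
Get-SrpPathRule | Sort-Object Root, Path | Format-Table -AutoSize
```

Run it as the affected user so the HKCU rules from a User Configuration policy show up; an extension missing from `ExecutableTypes` (such as `swf` or `bat`) is not treated as an executable by a folder rule like `F:\`.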