Stopping .exe files from being run from a USB stick
I think this has been covered many times but I can't seem to find older posts when I search.
Is there a way to stop kids from running exe files from the USB keys they bring into school? We don't want to ban them altogether but wondered if there is a way to stop this.
Sorry if this has been answered before but I can't find it.
Re: Stopping .exe files from being run from a USB stick
A quick forum search using "executables" and "usb" as the keywords (make sure you check the 'all' box) turns up a few ;)
Re: Stopping .exe files from being run from a USB stick
Preventing students running exe, cmd and bat files from their usb drive
Note: The following information has been taken from http://www.kenji-d.com/technet/ and modified to suit our school situation.
To do this you need to modify the Local Security Settings.
1. From the start menu, go to the RUN command window and enter secpol.msc
2. In the Local Security Settings window, select Software Restrictions Policies, you’ll notice on the right pane that there are no policies defined.
3. To create a policy, select Action from the toolbar, then select Create New Policies.
4. Once a policy is created, you’ll notice 5 new objects in the right pane.
5. Select the Additional Rules Folder, right click and select New Path Rule.
6. A New Path Rule window appears. Here enter the path of the drive or folder you’d like to enforce restrictions on. After entering a path, make sure the Security level option is set to disallow.
7. Do this on all drives you wish to prevent this type of action on. For example A:\ D:\ E:\ F:\
8. Create a rule to prevent the user running executables in their home drive or the desktop. (We provide students with a mapped network drive H:\ where they can be monitored from. They can run what they want from this drive.)
a) C:\Documents and Settings\COMMON PART OF STUDENT CODE
OR
b) “%UserProfile%” matches C:\Documents and Settings\<User> and all subfolders under this directory.
(Note: From: http://www.microsoft.com/technet/sec.../xpsgch06.mspx
Using Wildcards in Path Rules
A path rule can incorporate the "?" and "*" wildcards. The following examples show wildcards that are applied to different path rules:
* \\DC-??\login$ matches \\DC-01\login$, \\DC-02\login$, and so on.
* *\Windows matches C:\Windows, D:\Windows, E:\Windows, and all subfolders under each directory.
* C:\win* matches C:\winnt, C:\windows, C:\windir, and all subfolders under each directory.
* *.vbs matches any application that has this extension in Windows XP Professional.
* C:\Application Files\*.* matches all application files in the specific subdirectory. )
9. Once the paths are entered, the next thing to do is to set the enforcement properties. Select Software Restriction Policies and from the right side select Enforcement. There are two options:
a) All software files except libraries (such as DLLs) and All Software (Best to select this).
b) All users except local Administrators.
It is recommended you leave it as All software files except Libraries. If you select All software files instead, the thumbdrives will NOT be recognized and installed. This may be a good idea if you want to disable access to USB thumbdrives altogether.
The second option is pretty straightforward, restrict everyone except local administrators or else you’ll be locked out too!
10. Next we go to the Designated File Types values; here we can specify which file extensions to restrict. This window permits you to add or delete file extensions as you need. Delete all except for: BAT, CMD, COM, EXE, REG, and VB. If there are other extensions you need to add, add them in the file extension box and click Add. An example may be for flash files?
You have now completed the task. Test it as necessary before deploying.
You will then need to distribute this as per your situation.
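A read-only check for the "test it" step, as an added example that is not part of the original post: it reads the policy from the registry key where Windows stores Software Restriction Policies and reports whether each removable drive letter has a Disallowed path rule, plus the enforcement and file-type settings from steps 9 and 10. The function name Test-UsbSrpCoverage and the default drive letters are assumptions; adjust them to your site.

```powershell
# Added example (not from the original post). Read-only audit of the Software
# Restriction Policy described above. Run elevated on a PC that received the policy.
# Needs PowerShell 3.0 or later for [pscustomobject].
function Test-UsbSrpCoverage {
    param(
        # Assumption: drive letters a USB stick can receive at this site.
        [string[]]$Drives = @('D:\', 'E:\', 'F:\'),
        # File types the post keeps under Designated File Types.
        [string[]]$Types = @('BAT', 'CMD', 'COM', 'EXE', 'REG', 'VB')
    )
    $base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
    if (-not (Test-Path $base)) {
        Write-Warning 'No Software Restriction Policy is present on this machine.'
        return
    }
    $policy = Get-ItemProperty -Path $base

    # Path rules with Security level "Disallowed" live under the 0\Paths subkey,
    # one GUID-named key per rule, with the path stored in ItemData.
    $rules = @(Get-ChildItem -Path "$base\0\Paths" -ErrorAction SilentlyContinue |
        ForEach-Object { (Get-ItemProperty -Path $_.PSPath).ItemData } |
        Where-Object { $_ })

    # Step 7: every drive letter needs its own rule. A rule on the drive root
    # also covers its subfolders, so only the root is looked for here.
    # Wildcard rules are not interpreted by this check.
    foreach ($d in $Drives) {
        $hit = @($rules | Where-Object { $_.TrimEnd('\') -ieq $d.TrimEnd('\') })
        [pscustomobject]@{ Check = "Disallowed rule for $d"; Ok = ($hit.Count -gt 0) }
    }

    # Step 9: TransparentEnabled 1 = all software files except libraries,
    # PolicyScope 1 = all users except local administrators.
    [pscustomobject]@{ Check = 'Enforcement excludes libraries'; Ok = ($policy.TransparentEnabled -eq 1) }
    [pscustomobject]@{ Check = 'Local administrators exempt'; Ok = ($policy.PolicyScope -eq 1) }

    # Step 10: designated file types are stored in the ExecutableTypes multi-string.
    foreach ($t in $Types) {
        [pscustomobject]@{ Check = "File type $t designated"; Ok = ($policy.ExecutableTypes -contains $t) }
    }
}

Test-UsbSrpCoverage | Format-Table -AutoSize
```

Any row with Ok = False points at a step that did not take effect on that machine, for example a drive letter that was missed in step 7.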
Re: Stopping .exe files from being run from a USB stick
If you've the cash - you could buy DiskNet Pro - it does this and loads of other stuff besides.
Re: Stopping .exe files from being run from a USB stick
To allocate specific drive letters to USB Devices use USBDLM (Drive Letter Manager)
Do as rrichmond says only using GPMC on the site (computer group/ OU) rather than the individual machine.
It's not sufficient to just block the root of the drive, you have to specify subfolders too.
I'd recommend you check the other linked threads for the full lowdown.
Re: Stopping .exe files from being run from a USB stick
Quote:
Originally Posted by mark
It's not sufficient to just block the root of the drive, you have to specify subfolders too.
Actually, if you do it the way I suggested, it does ANY folder on the drive in question, not just the root of the drive. I tried this out before publishing the information.
From: http://www.microsoft.com/technet/sec.../xpsgch06.mspx
The Path Rule
A path rule specifies either a folder or a fully qualified path to a program. When a path rule specifies a folder, it matches any program that is contained in that folder and any programs that are contained in subfolders of that folder. Path rules support both local and UNC paths.
Re: Stopping .exe files from being run from a USB stick
Well that's interesting then, and contrary to what's been said on here several times, unless I read it incorrectly.
Re: Stopping .exe files from being run from a USB stick
Yes... I noticed that. Forgot to put it in my original post though :lol:
Re: Stopping .exe files from being run from a USB stick
cheers m8 just tried your answer and it works a treat - I also work in a school and the only thing I can see is that if 2 devices are connected then the rule will have to be duplicated onto that 2nd drive letter - going through GP should be easy enough to apply to different drive letters
thanks again