Software restriction policies on USB sticks
I have not posted for a while because of personal reasons but have been reading the forums when i got chance.
I have followed a few posts on setting up software restriction policies on users USB sticks. I have set it using USBAdmin that all USB sticks use the letter U:. I want to block all exe from running from this drive letter. My confusions is how o stop all exe from the drive. I know in the policy i can set it to block U:\*.exe but do i need to repeat this so it covers a lotof sub folder options ie; U:\*\*.exe and U:\*\*\*.exe and so on or is there a way of doing it only once so it blocks all exe no matter what level of folder the exe is in.
( i have just read my own question and not even sure if i have answered myself with my examples) Could someone help please?
Re: Software restriction policies on USB sticks
I recently did this, and yes you need to specify for each level
U:\*.exe
U:\*\*.exe
U:\*\*\*.exe
etc., for as many sub folders as you wish, I only went 5 sub folders deep, I figured most kids would give up after that. This was the only way I know of.
Re: Software restriction policies on USB sticks
I think it's better to put a blanket block on executable and then create exceptions for the areas that users are allowed to launch EXEs from.
Re: Software restriction policies on USB sticks
Hmm there must be an easier way with the first examples :( . That does seem rather rubbish if you ask me.
Re: Software restriction policies on USB sticks
With my security hat on, ajbrittons default deny method is a better solution. Although it'll be slightly more annoying to implement.
Re: Software restriction policies on USB sticks
I wonder if that trust no exe program would be a bit more flexible ?
Re: Software restriction policies on USB sticks
Had all sorts of problems with trust-no-exe - my machines just cycled in the end there were so many errors.
Re: Software restriction policies on USB sticks
Re: Software restriction policies on USB sticks
My solution is switch to Vista, it has built in removable device filtering etc so you can stop certin things being run and used etc, may not be everything you need but worth looking into with other solutions
Re: Software restriction policies on USB sticks
@John - wheres the software restriction policy to prevent exe's? AFAIK vista only blocks devices or sets read/write permissions on selected devices. blocking devices can be done with adm on 2k/xp
Re: Software restriction policies on USB sticks
I had the same problem at work. After looking (and trying) several methods I've found the best is to white list method mentioned.
All exe are blocked by default. I made sure to add all the recommended paths from MS and it seems to have worked as advertised. Just make sure you test out the policy first! :D
Re: Software restriction policies on USB sticks
Quote:
Originally Posted by CyberNerd
@John - wheres the software restriction policy to prevent exe's? AFAIK vista only blocks devices or sets read/write permissions on selected devices. blocking devices can be done with adm on 2k/xp
I did put that it probably won't do everything you need to, and it won't but it can be useful and I suspect they will build upon it.
