Wireless Networks Thread, Software Restriction Policies - Allow ONLY certain software in Technical
29th November 2009, 01:01 PM #16
You can kill off the network drives issue by using file restriction policies on the fileserver (2003R2+).
We prevent the saving of executable content to student homedirs.
Regarding Tor - stick them in detention/get the parents in. The parents agreed to an AUP that their kids would be held to, I assume?
29th November 2009, 05:59 PM #17
Originally Posted by pete
We do already use FSRM to ban the saving of exe's, but I wasn't trying to ban them from being run from network drives; I needed to allow it.
As for TOR, it no longer matters as I've whitelisted all exe's that I want them to run, so now they can't run any exe's from pen drives or anywhere else; that goes for games as well.
1st December 2009, 07:13 PM #18
Now that you have exe's locked down and you ban any high-risk exe's like cmd.exe, MMC and regedit, do you allow students access to the C: drive? As an ordinary user still, of course.
2nd December 2009, 01:22 PM #19
C: is still hidden with group policy, although you can still see it with various non-logo-compliant applications anyway. Users have standard rights so they can't do much even with access.
2nd December 2009, 03:22 PM #20
Originally Posted by DMcCoy
Yes, GIMP drives me around the bend with that, and Kompozer: the old version didn't obey the ban, then the new one did, now the beta doesn't.
3rd February 2010, 03:31 PM #21
I use the policy element in the USER system part of AD, "run only allowed windows applications". You then enter the names of executables allowed to run on your network by the students. Works great here.
Originally Posted by link470
14th April 2010, 11:08 AM #22
Just thought I'd join up so that I could post my thanks for this thread.
I'm a techy geek in Suffolk, who's been having trouble with students using Firefox, when I want them to use IE! This is all due to proxy server being installed. Once I got the GPO for that sorted, I became aware that they could use Portable from USB.
Having spent hours looking through threads for pushing through a drive letter, and closing that off, I came across this, and the solution was excellent for what we wanted.
I take my hat off to you guys... Thanks so much, and I'll be back!!
5th July 2010, 02:13 PM #23
Don't mean to bump such an old thread...
Basically the kids have got hold of stress_relief.exe and stress_relief.zip. I want to block/disable all zip files and just the stress_relief.exe. They store it into their H: (Home) drive, and try to hide it in different folders so we can't see it...
Can anyone help a simpleton out? I know you have to create a rule but that is whizzing over my head.
Thanks guys and gals.
9th July 2010, 09:51 AM #24
Can anyone help on this? Please? Pretty please with cherries on top?
9th July 2010, 10:35 AM #25
File restriction by hash rule in GPO should sort this, as the app will always have the same hash.
User Configuration/Windows Settings/Security Settings/Software Restriction Policies/Additional Rules, right click - New hash rule, then browse to a copy of the file.
9th July 2010, 11:16 AM #26
But is that file/path name user specific or does it just ban that whole exe on the network?
9th July 2010, 11:45 AM #27
The path rule disallows it running from that path for any user to whom that gpo applies.
Originally Posted by sippo
The hash rule will prevent that executable (renamed or not) from running anywhere for any user to whom that gpo applies.
Hash rule can be subverted by new versions / recompiling the app to change the hash only.
There's also (on 2003R2+) filtering options on the fileserver - we block executables in student user areas, for example.
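An added example (not code from any poster in this thread) of the point made in the post above: a content hash follows a file through renames and moves, but not through modification. It sweeps a folder tree for copies of one known file. SHA-256, the function name `Find-FileByHash` and the sample tree are assumptions for the demonstration, and this is an audit sweep, not how Software Restriction Policies evaluates its own hash rules.

```powershell
# Added example: find every copy of a known file under a folder tree by content
# hash. Find-FileByHash is a hypothetical helper name, not a built-in cmdlet.
function Find-FileByHash {
    param(
        [Parameter(Mandatory)][string]$ReferenceFile,  # known copy of the unwanted file
        [Parameter(Mandatory)][string]$Root            # folder tree to sweep
    )
    $refSize = (Get-Item -LiteralPath $ReferenceFile).Length
    $refHash = (Get-FileHash -LiteralPath $ReferenceFile -Algorithm SHA256).Hash

    Get-ChildItem -LiteralPath $Root -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Length -eq $refSize } |   # cheap size pre-filter before hashing
        Where-Object {
            $h = Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue
            $h.Hash -eq $refHash                    # unreadable files yield $null and are skipped
        } |
        Select-Object -ExpandProperty FullName
}

# --- Constructed sample tree standing in for student home directories ---
$base = Join-Path ([IO.Path]::GetTempPath()) ("hash-sweep-" + [guid]::NewGuid())
$root = Join-Path $base 'homes'
foreach ($d in 'pupil01\work', 'pupil02\music\misc', 'pupil03') {
    New-Item -ItemType Directory -Path (Join-Path $root $d) -Force | Out-Null
}

# Constructed 200-byte stand-in for the executable (not a real program).
$ref = Join-Path $base 'reference.bin'
[IO.File]::WriteAllBytes($ref, [byte[]](1..200))

# Same bytes, original name.
Copy-Item -LiteralPath $ref -Destination (Join-Path $root 'pupil01\work\stress_relief.exe')
# Same bytes, renamed and buried in subfolders: a name-based check misses this.
Copy-Item -LiteralPath $ref -Destination (Join-Path $root 'pupil02\music\misc\homework.dat')
# Same name, one byte changed: a hash-based check misses this.
$changed = [byte[]](1..200)
$changed[199] = 0
[IO.File]::WriteAllBytes((Join-Path $root 'pupil03\stress_relief.exe'), $changed)

# Report the matches, then remove the sample tree.
Find-FileByHash -ReferenceFile $ref -Root $root
Remove-Item -LiteralPath $base -Recurse -Force
```

Pointing `-Root` at a real homedir share reports renamed copies wherever they are stored; a changed build needs a fresh reference copy, which is the same limit the hash rule has.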
9th July 2010, 12:04 PM #28
Thanks Pete. Where can I find the filtering options in 2003r2?
9th July 2010, 04:29 PM #29
Administrative Tools > File Server Resource Manager > File Screening Management.
Look at the default templates, create a test folder tree and have a play. I'd advise against applying them at the root of the homedir folder tree, since you may wish to differentiate between groups of users. Ours has driveletter:\users\usergroup01 and we apply the template at the usergroup01 (or 02, 03) level.