Wireless Networks Thread, Software Restriction Policies - Allow ONLY certain software in Technical
  1. #16


    You can kill off the network drives issue by using file restriction policies on the fileserver (2003R2+).
    We prevent the saving of executable content to student homedirs.

    Regarding Tor - stick them in detention/get the parents in. The parents agreed to an AUP that their kids would be held to, I assume?

  2. #17
    cookie_monster's Avatar
    Quote Originally Posted by pete View Post
    You can kill off the network drives issue by using file restriction policies on the fileserver (2003R2+).
    We prevent the saving of executable content to student homedirs.

    Regarding Tor - stick them in detention/get the parents in. The parents agreed to an AUP that their kids would be held to, I assume?


    We do already use FSRM to ban the saving of exe's, but I wasn't trying to ban them from being run from network drives; I needed to allow it.
    As for TOR, it no longer matters, as I've whitelisted all exe's that I want them to run, so now they can't run any exe's from pen drives or anywhere else. That goes for games as well.

  3. #18
    cookie_monster's Avatar
    @ DMcCoy

    Now that you have exe's locked down and you ban any high risk exe's like cmd.exe, MMC and regedit, do you allow students access to the C: drive? As an ordinary user still, of course.

  4. #19
    DMcCoy's Avatar
    C: Is still hidden with group policy, although you can still see it with various non logo compliant applications anyway. Users have standard rights so they can't do much even with access.

  5. #20
    cookie_monster's Avatar
    Quote Originally Posted by DMcCoy View Post
    C: Is still hidden with group policy, although you can still see it with various non logo compliant applications anyway. Users have standard rights so they can't do much even with access.

    Yes, GIMP drives me around the bend with that, and Kompozer: the old version didn't obey the ban, then the new one did, now the beta doesn't.

  6. #21

    Quote Originally Posted by link470 View Post
    What's been everyone's experience with allowing only a certain set of software? I'd like to make it so that only school applications can be run. No matter how much I try to restrict IE, students are always going to bring in more applications. They'll keep downloading their exe's and their iso's and their vb scripts and running them, but what I'd like to do is make it so only select software applications can be run.

    I tried to block other web browsers etc. and make every user not a local administrator so they didn't have access to installing software, but then they go ahead and either install it to their network drive, or install it to the desktop, and it works perfectly.

    Is there a way to use software restriction policies to only allow a certain set of applications to be run? For example only the preinstalled applications that I install with each image? My only concern is how well software restriction policies work. If they're as good as Apple's parental controls where you click the app you don't want them to run and you're good to go, or if you have to hash every single DLL and system file required by each program. For a program like Adobe Premiere or Microsoft Office, that's a few hundred separate hashes for each program that have to be fed through software restriction. Is it smart enough to just pick up the exe that's allowed, like WinWord.exe for Microsoft Word, realize Word is allowed, and use all features of Word? Or is there a better way that my mind is too busy to think of?

    Thanks!

    I use the policy element in the USER system part of AD, "run only allowed windows applications". You then enter the names of executables allowed to run on your network by the students. Works great here.

  7. #22

    aerospacemango's Avatar
    Hi guys,

    Just thought I'd join up so that I could post my thanks for this thread.

    I'm a techy geek in Suffolk, who's been having trouble with students using Firefox, when I want them to use IE! This is all due to proxy server being installed. Once I got the GPO for that sorted, I became aware that they could use Portable from USB.

    Having spent hours looking through threads for pushing through a drive letter, and closing that off, I came across this, and the solution was excellent for what we wanted.

    I take my hat off to you guys.....Thanks so much, and I'll be back!!

  8. #23
    sippo's Avatar
    Don't mean to bump such an old thread...

    Basically the kids have got hold of stress_relief.exe and stress_relief.zip. I want to block/disable all zip files and just the stress_relief.exe. They store it into their H: (Home) drive, and try to hide it in different folders so we can't see it...

    Can anyone help a simpleton out? I know you have to create a rule but that is whizzing over my head.

    Thanks guys and gals.

  9. #24
    sippo's Avatar
    Can anyone help on this? Please? Pretty please with cherries on top?

  10. #25

    3s-gtech's Avatar
    File restriction by hash rule in GPO should sort this, as the app will always have the same hash.

    User Configuration/Windows Settings/Security Settings/Software Restriction Policies/Additional Rules, right click - New hash rule, then browse to a copy of the file.

    Ban!

  11. #26
    sippo's Avatar
    But is that file/path name user specific or does it just ban that whole exe on the network?

  12. #27


    Quote Originally Posted by sippo View Post
    But is that file/path name user specific or does it just ban that whole exe on the network?

    The path rule disallows it running from that path for any user to whom that GPO applies.
    The hash rule will prevent that executable (renamed or not) from running anywhere for any user to whom that GPO applies.

    Hash rule can be subverted by new versions / recompiling the app to change the hash only.

    There's also (on 2003R2+) filtering options on the fileserver - we block executables in student user areas, for example.

  13. Thanks to pete from:

    sippo (9th July 2010)
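
The path-rule versus hash-rule behaviour described in the post above, and the effect of switching the default from allow to deny, shown as an added example that is not part of the original thread. It is a simplified Python model covering only hash and path rules (hash outranks path, the most specific path wins); SHA-256 stands in for the stored hash, and every path, file content and policy below is constructed.

```python
import hashlib
from ntpath import normcase, normpath

ALLOW, DENY = "Unrestricted", "Disallowed"   # SRP security level names

def digest(content: bytes) -> str:
    # SHA-256 stands in for whatever hash the policy store records (assumption).
    return hashlib.sha256(content).hexdigest()

def evaluate(path, content, hash_rules, path_rules, default):
    """Simplified model: hash rule first, then most specific path rule, then default."""
    level = hash_rules.get(digest(content))
    if level:                       # follows the file wherever it is, whatever its name
        return level
    target, best = normcase(normpath(path)), ("", None)
    for rule_path, rule_level in path_rules.items():
        prefix = normcase(normpath(rule_path)).rstrip("\\")
        if (target == prefix or target.startswith(prefix + "\\")) and len(prefix) > len(best[0]):
            best = (prefix, rule_level)
    return best[1] or default

# Constructed stand-ins for file contents; no real binaries are involved.
GAME = b"constructed bytes standing in for stress_relief.exe"
GAME_NEW_BUILD = b"constructed bytes standing in for a later build of the same game"
WORD = b"constructed bytes standing in for WINWORD.EXE"

# Policy A: everything runs unless a rule bans it (a single hash ban).
BLOCKLIST = dict(hash_rules={digest(GAME): DENY}, path_rules={}, default=ALLOW)
# Policy B: nothing runs unless a rule allows it; the allowed paths are ones
# standard users cannot write to. The hash ban is kept as well.
ALLOWLIST = dict(hash_rules={digest(GAME): DENY},
                 path_rules={r"C:\Windows": ALLOW, r"C:\Program Files": ALLOW},
                 default=DENY)

LAUNCHES = [  # (path, content), all constructed
    (r"H:\coursework\notes.exe", GAME),                     # renamed and hidden
    (r"H:\coursework\stress_relief.exe", GAME_NEW_BUILD),   # different bytes, new hash
    (r"C:\Program Files\Microsoft Office\WINWORD.EXE", WORD),
    (r"C:\Program Files\Games\stress_relief.exe", GAME),    # hash outranks path
]

def decisions(policy):
    return [evaluate(p, c, **policy) for p, c in LAUNCHES]

if __name__ == "__main__":
    for (path, _), a, b in zip(LAUNCHES, decisions(BLOCKLIST), decisions(ALLOWLIST)):
        print(f"{path:50} blocklist={a:13} allowlist={b}")
```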

  14. #28
    sippo's Avatar
    Thanks Pete. Where can I find the filtering options in 2003r2?

  15. #29


    Administrative Tools > File Server Resource Manager > File Screening Management.

    Look at the default templates, create a test folder tree and have a play. I'd advise against applying them at the root of the homedir folder tree, since you may wish to differentiate between groups of users. Ours has driveletter:\users\usergroup01 and we apply the template at the usergroup01 (or 02, 03) level.

  16. Thanks to pete from:

    sippo (12th July 2010)
