  #1 link470

    Software Restriction Policies - Allow ONLY certain software

    What's been everyone's experience with allowing only a certain set of software? I'd like to make it so that only school applications can be run. No matter how much I try to restrict IE, students are always going to bring in more applications. They'll keep downloading their exe's and their iso's and their VB scripts and running them, but what I'd like to do is make it so only select software applications can be run.

    I tried to block other web browsers etc. and make every user not a local administrator so they didn't have access to installing software, but then they go ahead and either install it to their network drive, or install it to the desktop, and it works perfectly.

    Is there a way to use software restriction policies to only allow a certain set of applications to be run? For example, only the preinstalled applications that I install with each image? My only concern is how well software restriction policies work. Are they as good as Apple's parental controls, where you click the app you don't want them to run and you're good to go, or do you have to hash every single DLL and system file required by each program? For a program like Adobe Premiere or Microsoft Office, that's a few hundred separate hashes for each program that have to be fed through software restriction. Is it smart enough to just pick up the exe that's allowed, like WinWord.exe for Microsoft Word, realize Word is allowed, and use all features of Word? Or is there a better way that my mind is too busy to think of?

    Thanks!

  #2 joe90bass

    Re: Software Restriction Policies - Allow ONLY certain software

    I used to use software restriction policies. It is a major headache to set up: you need to allow all exes for each app. It does work well though. The only reason I don't use it now is because I recreated the pupil policy from scratch and never got around to putting the very lengthy list of apps back on.

  #3 maniac

    Re: Software Restriction Policies - Allow ONLY certain software

    Software restriction policies in Group Policy will do this, but as mentioned it is tricky to set up.

    We allow all EXE's in the c:\program files and c:\windows directories, as well as a few others that were installed elsewhere. We disallowed everywhere else. It took a while to get the correct list of allowed applications and directories, but once it was set up, it worked a treat.

    Mike.

  #4 cookie_monster

    I know this is an old thread but I'm just in the 'thinking' stage about switching from banning certain exe's to a blanket ban and then whitelisting what I want to run.

    Am I right that if I set up a policy, then remove all extensions from the 'Default Designated File Types' policy except .exe, that's all that will be banned, and then I can add more in as necessary?

    Cheers.

  #5 Michael

    It's far easier to work on a deny policy rather than an allow policy. Think about it, as the probability is you'll need to deny a few applications only.

    As for alternative browsers, it would be more appropriate to block www.mozilla.org for example using your filtering software.

  #6 cookie_monster

    Unfortunately, deny doesn't work on USB drives if the exe is more than three or four folders deep. The students are bringing in TOR programs on USB drives and it's getting around all filters; currently our students are going through our Smoothwall and the ISP's Netsweeper software and they can still get on anything with the TOR program.

    If I blanket-allow the C:\Program Files path, the Windows path and the Netlogon folders, that should be all of the places students need to run exe's from.

  #7 DMcCoy

    Quote Originally Posted by Michael:
    It's far easier to work on a deny policy rather than an allow policy. Think about it, as the probability is you'll need to deny a few applications only.

    As for alternative browsers, it would be more appropriate to block www.mozilla.org for example using your filtering software.

    Actually, it's the opposite. It's much easier to allow applications: as long as users aren't administrators, they will be installed in the normal locations. There are default rules in the allow list that cover the Windows folders and Program Files. We have a handful of additions to the list.

    %AllUsersProfile%\Desktop\ Path Unrestricted
    %AllUsersProfile%\Start Menu\ Path Unrestricted
    %AppData% Path Unrestricted
    %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot% Path Unrestricted
    %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir% Path Unrestricted
    %SystemRoot%\System32\nvcplui.exe Path Disallowed
    %SystemRoot%\System32\runas.exe Path Disallowed
    %UserProfile%\Desktop\ Path Unrestricted
    %UserProfile%\Local Settings\Temp\ Path Disallowed
    %UserProfile%\Start Menu\ Path Unrestricted
    *.mdb Path Unrestricted

    Apart from these, we have a few additions for application shares etc. The desktop one looks like it's allowing students to run exe files from there, but it is redirected to their home folder on a server that blocks exe files.
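As an added illustration (not code from DMcCoy or anyone else in the thread), the PowerShell below simulates how SRP chooses among overlapping path rules, using the list above. It assumes path rules only (no hash or certificate rules), a default level of Disallowed, that the two registry-path default rules are written as the %SystemRoot% and %ProgramFiles% folders they resolve to, and that wildcard rules rank as least specific.

```powershell
# Added example: simulate which SRP path rule wins for a file. Assumptions: path rules only,
# default level Disallowed, and the two registry-path default rules written as the
# %SystemRoot% / %ProgramFiles% values they resolve to.
$Rules = @(
    @{ Path = '%AllUsersProfile%\Desktop\';          Level = 'Unrestricted' }
    @{ Path = '%AllUsersProfile%\Start Menu\';       Level = 'Unrestricted' }
    @{ Path = '%AppData%';                           Level = 'Unrestricted' }
    @{ Path = '%SystemRoot%';                        Level = 'Unrestricted' }   # default rule
    @{ Path = '%ProgramFiles%';                      Level = 'Unrestricted' }   # default rule
    @{ Path = '%SystemRoot%\System32\nvcplui.exe';   Level = 'Disallowed' }
    @{ Path = '%SystemRoot%\System32\runas.exe';     Level = 'Disallowed' }
    @{ Path = '%UserProfile%\Desktop\';              Level = 'Unrestricted' }
    @{ Path = '%UserProfile%\Local Settings\Temp\';  Level = 'Disallowed' }
    @{ Path = '%UserProfile%\Start Menu\';           Level = 'Unrestricted' }
    @{ Path = '*.mdb';                               Level = 'Unrestricted' }
)
$DefaultLevel = 'Disallowed'

function Test-SrpPath {
    param([Parameter(Mandatory = $true)][string]$Target)
    $full = [Environment]::ExpandEnvironmentVariables($Target)
    $best = $null
    foreach ($r in $Rules) {
        $p = [Environment]::ExpandEnvironmentVariables($r.Path).TrimEnd('\')
        if ($p -match '[*?]') {
            # Wildcard rule: matched against the whole path; treated as least specific (weight 0)
            $hit = $full -like $p; $weight = 0
        } else {
            # Exact file match, or folder match for everything beneath it; the appended
            # backslash stops C:\Windows from also matching C:\WindowsTemp\x.exe
            $hit = ($full -ieq $p) -or $full.StartsWith("$p\", [StringComparison]::OrdinalIgnoreCase)
            $weight = $p.Length   # the longer (more specific) path wins, as SRP does
        }
        if ($hit -and ($null -eq $best -or $weight -gt $best.Weight)) {
            $best = @{ Rule = $r.Path; Level = $r.Level; Weight = $weight }
        }
    }
    if ($null -eq $best) { $best = @{ Rule = '(default level)'; Level = $DefaultLevel } }
    [pscustomobject]@{ Path = $full; Level = $best.Level; MatchedRule = $best.Rule }
}

# Constructed sample paths: the specific runas.exe deny beats the broad %SystemRoot% allow,
# a USB or network location falls through to the default level, *.mdb is allowed anywhere
'%SystemRoot%\System32\runas.exe',
'%SystemRoot%\notepad.exe',
'%UserProfile%\Local Settings\Temp\setup.exe',
'E:\tools\browser.exe',
'S:\Shared\register.mdb' | ForEach-Object { Test-SrpPath $_ } | Format-Table -AutoSize
```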

  #8 Michael

    Although I would agree with your theory, in practice I've never found it to be the case. Schools always insist on using older applications which do not always adhere to modern standards!

  #9 cookie_monster

    Quote Originally Posted by Michael:
    Although I would agree with your theory, in practice I've never found it to be the case. Schools always insist on using older applications which do not always adhere to modern standards!

    With our move last year to Citrix and our planned move to x64 Citrix units next year we've filtered out most of the dross apps so I'm hoping this should work.

    Thanks for the list DMcCoy.

  #10 cookie_monster

    I notice that when an exe is restricted, it is logged in the local station's event log. Do you have any way of collecting these events or logging them in the server event log, or will I have to look into a WMI script?

    Do you also need to allow Netlogon shares for logon scripts?
    Last edited by cookie_monster; 27th November 2009 at 12:47 PM.
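On the event-collection question, here is an added PowerShell example (not from anyone in the thread) that pulls the SRP block events from each station's Application log into one CSV. It assumes the station names are constructed placeholders, that the account running it can read remote event logs, that the stations run Vista or later (Get-EventLog works against older ones), and that the event text begins "Access to <file> has been restricted", as Windows writes it.

```powershell
# Added example: pull SRP block events from the Application log of each station into one
# CSV. Assumptions: station names are constructed, the account can read remote event logs,
# stations run Vista or later (use Get-EventLog for XP), and the "Access to <file> has been
# restricted" wording of the message is as Windows writes it.
$Stations = 'LAB1-PC01', 'LAB1-PC02'      # constructed; replace with your own list
$Since    = (Get-Date).AddDays(-7)

function Get-SrpBlockEvent {
    param([string[]]$ComputerName, [datetime]$StartTime)
    foreach ($pc in $ComputerName) {
        try {
            # Source "SoftwareRestrictionPolicies": 865 = blocked by the default level,
            # 866 = blocked by a path rule, 867 = publisher rule, 868 = other rule types
            $events = Get-WinEvent -ComputerName $pc -ErrorAction Stop -FilterHashtable @{
                LogName      = 'Application'
                ProviderName = 'SoftwareRestrictionPolicies'
                Id           = 865, 866, 867, 868
                StartTime    = $StartTime
            }
        } catch {
            # Unreachable station, or simply no matching events (also an error with -ErrorAction Stop)
            Write-Warning "$pc : $($_.Exception.Message)"
            continue
        }
        foreach ($e in $events) {
            $file = if ($e.Message -match 'Access to (.+?) has been restricted') { $Matches[1] } else { $e.Message }
            [pscustomobject]@{
                Time    = $e.TimeCreated
                Station = $pc
                UserSid = $e.UserId        # the user whose launch was blocked, when recorded
                EventId = $e.Id
                Blocked = $file
            }
        }
    }
}

Get-SrpBlockEvent -ComputerName $Stations -StartTime $Since |
    Sort-Object Time -Descending |
    Export-Csv -Path "$env:USERPROFILE\srp-blocks.csv" -NoTypeInformation
```

For continuous collection rather than polling, Windows Event Forwarding (Vista/Server 2008 onwards) can subscribe to the same source and push the events to a collector.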

  #11 DMcCoy

    Quote Originally Posted by cookie_monster:
    I notice that when an exe is restricted, it is logged in the local station's event log. Do you have any way of collecting these events or logging them in the server event log, or will I have to look into a WMI script?

    Do you also need to allow Netlogon shares for logon scripts?
    \\domain.name will do to cover GPOs and Netlogon scripts, you can specify the servers if you wish.

  #12 cookie_monster

    Should that be \\domain.name\* or any wildcards required?

    Also, I'm having trouble getting a path rule to work that will allow a drive letter. I'd like to allow exe's on the S:\ drive in any folder; is that possible?

    Thanks.

    EDIT: I think I've sorted that now; it wouldn't let me ban a mapped network drive, though I could allow a local drive letter like I:\ for a pen drive. When I allow the UNC path rather than a mapped drive letter it seems to be OK.
    Last edited by cookie_monster; 27th November 2009 at 02:30 PM.

  #13 DMcCoy

    Quote Originally Posted by cookie_monster:
    Should that be \\domain.name\* or any wildcards required?

    Also, I'm having trouble getting a path rule to work that will allow a drive letter. I'd like to allow exe's on the S:\ drive in any folder; is that possible?

    Thanks.

    EDIT: I think I've sorted that now; it wouldn't let me ban a mapped network drive, though I could allow a local drive letter like I:\ for a pen drive. When I allow the UNC path rather than a mapped drive letter it seems to be OK.

    \\domain.name will cover any files and subfolders.
    \\server\share will do the same; no need for * etc. unless you want to restrict to specific folders or types.

  #14 rh91uk

    We deny here, only allowing apps to be run from our apps server and c:\program files.

  #15 ful56_uk

    So a wildcard on a path rule is only used if you want to restrict certain files and folders within that path; if it is used without the wildcard, the whole path with everything in it will run OK?
