Wireless Networks Thread, Software Restriction Policies - Allow ONLY certain software in Technical; What's been everyones experience with allowing only a certain set of software? I'd like to make it so that only ...
1st December 2007, 04:11 AM #1
Software Restriction Policies - Allow ONLY certain software
What's been everyones experience with allowing only a certain set of software? I'd like to make it so that only school applications can be run. No matter how much I try to restrict IE, students are always going to bring in more applications. They'll keep downloading their exe's and their iso's and their vb scripts and running them, but what I'd like to do is make it so only select software applications can be run.
I tried to block other web browsers etc. and make every user not a local administrator so they didn't have access to installing software, but then they go ahead and either install it to their network drive, or install it to the desktop, and it works perfectly.
Is there a way to use software restriction policies to only allow a certain set of applications to be run? For example only the preinstalled applications that I install with each image? My only concern is how well software restriction policies work. If they're as good as Apple's parental controls where you click the app you don't want them to run and your good to go, or if you have to hash every single DLL and system file required by each program. For a program like Adobe Premiere or Microsoft Office, that's a few hundred seperate hashes for each program that have to be fed through software restriction. Is it smart enough to just pick up the exe that's allowed, like WinWord.exe for Microsoft Word, realize Word is allowed, and use all features of Word? Or is there a better way that my mind is too busy to think of?
1st December 2007, 09:37 AM #2
Re: Software Restriction Policies - Allow ONLY certain softw
I used to use software restriction policies. It is a major headache to setup, you need to allow all exes for each app. It does work well though. The only reason I don't use it now is because I recreated the pupil policy from scratch and never got around to putting the very lengthy list of apps back on
1st December 2007, 07:48 PM #3
Re: Software Restriction Policies - Allow ONLY certain software
Software restriction policies in Group Policy will do this, but as mentioned it is tricky to setup.
We allow all EXE's in the c:\program files and c:\windows directory, as well as a few others that were installed elsewhere. We disallowed everywhere else. It took a while to get the correct list of allowed applications and directories, but once it was setup, it worked a treat.
27th November 2009, 12:31 PM #4
I know this is an old thread but I'm just in the 'thinking' stage about switching from banning certain exe's to a blanket ban then white listing what I want to run.
Am I right that if I setup a policy then remove all extensions from the 'Default Designated File Types' policy except .exe then that's all that will be banned then I can add more in as necessary?
27th November 2009, 12:35 PM #5
It's far easier to work on a deny policy rather than an allow policy. Think about it, as the probability is you'll need to deny a few applications only.
As for alternative browsers, it would be more appropriate to block www.mozilla.org for example using your filtering software.
27th November 2009, 12:43 PM #6
Unfortunatly deny doesn't work on USB drives if the exe is more that three or four folders deep. The students are bringing in TOR programs on USB drives and it's getting around all filters, currently our students are going through our Smoothwall and the ISP's Netsweeper software and the can still get on anything with the TOR program.
If I blanket allow C:\Program Files path, Windows path and Netlogon folders that should be all of the places students need to run exe's from.
27th November 2009, 01:00 PM #7
Actually it's the opposite. Much easier to allow applications, as long as users aren't administrators then they will be installed in the normal locations. There are default rules in the allow list that covers the windows folders and program files. We have a handful of additions to the list.
Originally Posted by Michael
%AllUsersProfile%\Desktop\ Path Unrestricted
%AllUsersProfile%\Start Menu\ Path Unrestricted
%AppData% Path Unrestricted
%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot% Path Unrestricted
%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Cur rentVersion\ProgramFilesDir% Path Unrestricted
%SystemRoot%\System32\nvcplui.exe Path Disallowed
%SystemRoot%\System32\runas.exe Path Disallowed
%UserProfile%\Desktop\ Path Unrestricted
%UserProfile%\Local Settings\Temp\ Path Disallowed
%UserProfile%\Start Menu\ Path Unrestricted
*.mdb Path Unrestricted
Apart from these we have a few additions for application shares etc. The desktop one looks like it's allowing students to run exe files from there, but it is redirected to their home folder on a server that blocks exe files.
Thanks to DMcCoy from:
cookie_monster (27th November 2009)
27th November 2009, 01:07 PM #8
Although I would agree with your theory, in practice I've never found it to be the case. Schools always insist on using older applications which do not always adhere to modern standards!
27th November 2009, 01:33 PM #9
Originally Posted by Michael
With our move last year to Citrix and our planned move to x64 Citrix units next year we've filtered out most of the dross apps so I'm hoping this should work.
Thanks for the list DMcCoy.
27th November 2009, 01:37 PM #10
I notice that when an exe is restricted that it is logged in the local station event log. Do you have any way of collecting these events or logging them in the server event log or will I have to look into a wmi script?
Do you also need to allow Netlogon shares for logon scripts?
Last edited by cookie_monster; 27th November 2009 at 01:47 PM.
27th November 2009, 02:05 PM #11
\\domain.name will do to cover GPOs and Netlogon scripts, you can specify the servers if you wish.
Originally Posted by cookie_monster
27th November 2009, 02:18 PM #12
Should that be \\domain.name\* or any wildcards required?
Also I'm having trouble getting a path rule to work that will allow a drive letter, I'd like to allow exe's on the S:\ drive in any folder is that possible?
I think I've sorted that now it wouldn't let me ban a mapped network drive, I could allow a local drive letter like I:\ for a pen drive though. When I allow the UNC path rather than a mapped drive letter it seems to be ok.
Last edited by cookie_monster; 27th November 2009 at 03:30 PM.
27th November 2009, 03:43 PM #13
\\domain.name will cover any files and subfolders
Originally Posted by cookie_monster
\\server\share will do the same, no need for * etc unless you want to restrict to specific folders or types.
29th November 2009, 12:41 PM #14
We deny here, only allowing apps to be run from our apps server and c:/program files
29th November 2009, 01:33 PM #15
So wild card on a path rule is only used for if you want to restrict certain files and folder within that path so if it is used without the wild the whole path with everything in will run ok
By MyDejaVu in forum Windows
Last Post: 13th June 2013, 02:02 PM
By ChrisH in forum How do you do....it?
Last Post: 28th January 2010, 10:40 AM
Last Post: 20th April 2007, 07:38 PM
By wesleyw in forum Windows
Last Post: 12th December 2006, 12:35 PM
Users Browsing this Thread
There are currently 1 users browsing this thread. (0 members and 1 guests)