Disabling running EXE files from removable drives

18 years 1 month ago #18255 by Maki
Hi there,

Following recommendations from Smurf, I decided to join this forum and it has been very useful so far.

Now I have a problem. I'm working as a technician in a secondary school and, as probably all of you know, kids like to play instead of learn and spend more time finding ways of getting away with it than with anything else. We've all been there, haven't we?

The problem is that we are now trying to isolate this matter and we've set up software restrictions over local disks and network resources to stop them from installing any kind of software. We have used hash rules for all the exe files they used and so on. But I suppose that if the version of the demo changes, so does the file, and the hash rule will not be applied to it.

Is there any way we can stop them from running exe files from the removable drives (pen drives) without stopping them from using these drives for backup purposes? And can we stop them from installing those game demos on their pen drives while connected to the network PCs?

Thanks in advance to all,

Cheers

Ed

"Appear weak when you are strong and strong when you are weak"
18 years 1 month ago #18265 by Alans
Hi, welcome to the site.
If you use a firewall like Kerio, then you can set some rules for running any .exe files.

always Face your Fears...
18 years 1 month ago #18270 by Maki
We don't have a firewall like that here, but we are going to implement ISA 2004 to monitor all traffic in and out within the next month or so.

Cheers

Ed

"Appear weak when you are strong and strong when you are weak"
18 years 1 month ago #18271 by Smurf

we don't have a firewall like that here, but we are going to implement ISA 2004 to monitor all traffic in and out within the next month or so.

Cheers

Ed


Hi Ed,

ISA won't help ya in this case. The firewall that Alans must have been talking about (I have never come across it either) has to be a client firewall which can be used to stop exe's from running?

Alans, please correct me if I am wrong there.

My initial thoughts on the subject were Group Policies, if you could set up a policy to define allowed applications to run and stop everything else. Without checking, though, I cannot remember if Group Policies support this.

Alternatively there are other packages on the market that can restrict applications from running. Websense has their Client Policy Manager which is quite good, but I have no idea on costs to deploy something like that.

It may be worth doing a little research into if GPO can do this. I ain't got time though at the moment to look into it; if you are struggling in a few days I will have some time to spare.

Cheers

Wayne Murphy
Firewall.cx Team Member
www.firewall.cx

Now working for a Security Company called Sec-1 Ltd in the UK, for any
Penetration Testing work visit www.sec-1.com or PM me for details.
18 years 1 month ago #18272 by Starfire
Can you not restrict what you can open and what you can run on a directory by directory level with AD? If not then there is bound to be software that will help you do it. Just locking down won't stop them as they will just drill down and run things from Explorer.

Maybe if you were to lock down any way of getting under the desktop to run the executables? Start-Run, Winkey-E, remove Explorer, that sort of thing. Make it so they can only access docs on the pen drives from apps like Word, Excel, Access, etc. which cannot be used to run an exe.
Take out the floppies, CD-ROMs. Any PDFs they need access to can have an admin create a shortcut to their pen drive when it's plugged in and store the shortcut in their network directory.

The beauty of kids is that they are incredibly inquisitive and love to push the boundaries of your knowledge. This isn't a bad thing, just irritating from your point of view. But at the end of the day you have to remember that by pushing these boundaries, they are learning at the same time which is what they are there for at the end of the day. (can you tell I have 3 small children) You're always gonna get a smarta$$ and I am sure most of the members here were once ex smarta$$es at school/college.

When I was at uni there was a first year CS that swapped over the 1st year sociology accounts with Unix admin accounts and vice versa. Excellent stuff!
18 years 1 month ago #18274 by Smurf

Maybe if you were to lock down any way of getting under the desktop to run the executables? start-run, Winkey-E, remove explorer, that sort of thing. Make it so they can only access docs on the pen drives from apps like word, excell, access, etc which cannot be used to run an exe.!


Hi Starfire,

Unfortunately it's not that simple. The issue with Word, Excel, etc. is that you can embed objects into them. It's simple to take a Word document and drag and drop explorer.exe into it. Then you can go to another machine and open Word and then just run the object from Word.

The only real way to combat this issue is to block the execution of the files, which is one technique that HIDS does to help protect your systems. Group Policy allows you to list files that can be run but it takes ages to compile the list, especially saying that Word can open loads of different files in the process. Other products on the market have already defined these things for, as in a previous post, Websense Client Policy Manager will have predefined lists of applications in predefined categories so you can say, Allow Word Processors, for example.

The other thing you can do with Websense CPM is build a base system and say, everything on here now you can run, anything added after, block. I am pretty sure GPO cannot do that though, as I'm sure it's a manual config to list allowed apps. I am sure there are other software products that do the same thing though.

A lot of work there if you go the GPO route.

Cheers

Wayne Murphy
Firewall.cx Team Member
www.firewall.cx

Now working for a Security Company called Sec-1 Ltd in the UK, for any
Penetration Testing work visit www.sec-1.com or PM me for details.
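
As an added illustration, not part of any post in this thread: a small Python model of the two approaches discussed above, hash rules that block known files (the first post) versus a baseline of everything on the base system with anything added later blocked (the last post). File names and contents are constructed stand-ins; it models the decision logic only and is not Software Restriction Policy or Websense code.

```python
import hashlib

def digest(content: bytes) -> str:
    return hashlib.sha256(content).hexdigest()

# Constructed stand-ins for executables (name -> bytes); not real binaries.
BASE_IMAGE = {"winword.exe": b"word-build-1", "notepad.exe": b"notepad-build-1"}
SAMPLES = {
    "demo v1 (hashed by admin)": b"game-demo-build-1",
    "demo v2 (new build)": b"game-demo-build-2",
    "winword.exe (base image)": b"word-build-1",
    "winword.exe (after update)": b"word-build-2",
}

def deny_rule_decision(content: bytes, blocked: set) -> str:
    """Hash deny rules: anything runs unless its exact hash is listed."""
    return "block" if digest(content) in blocked else "allow"

def build_baseline(image: dict) -> set:
    """Hash every executable present on the base system."""
    return {digest(content) for content in image.values()}

def baseline_decision(content: bytes, baseline: set) -> str:
    """Default deny: only files hashed into the baseline may run."""
    return "allow" if digest(content) in baseline else "block"

def compare() -> dict:
    """Return {sample: (deny-rule verdict, baseline verdict)}."""
    blocked = {digest(SAMPLES["demo v1 (hashed by admin)"])}
    baseline = build_baseline(BASE_IMAGE)
    return {
        name: (deny_rule_decision(c, blocked), baseline_decision(c, baseline))
        for name, c in SAMPLES.items()
    }

if __name__ == "__main__":
    for name, (deny, base) in compare().items():
        print(f"{name:28} deny-rules={deny:5} baseline={base}")
```

The updated winword.exe case shows the cost of the baseline approach: a legitimately patched program is blocked until the baseline is rebuilt.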