Disabling running EXE files from removable drives

Hi guys and thanks for your prompt replies,

I don't see any problem in getting any software that'll do the job for us but until that happen, we were wondering if we could do something throught the GPO to prevent the users from do it.

If I understood your point Smurf, the Websense CPM software will allow only to run certain apps from any client machine. Does it uses some sort of apps lists for this? And am I right thinking that will be able to define any extra apps we'd like to allow to be run?

Thanks

Ed

Hi Ed,

You are correct. You are familiar with Websense for Internet Filtering as you used to use it at your previous job, well CPM has the same category sets for applications that Websense has already classified for you. You also have the option of adding additional applications to the lists (similar to the Custom/User Defined in the Internet Filtering) and you also have the option of making a default build which you then say, everything on this machine can now run, anything added after this build date will not.

It also helps to mitigate against day zero threats with unknown viruses/worms/rootkits so it will protect you against all sorts of threats aswell as stopping users from running unwanted applications. This can also assist in enforcing licensing to ensure that you comply with that side of things aswell.

www.websense.com/global/en/ProductsServi...ClientPolicyManager/

The GPO route is possible but is very tricky to compile your list, its trial and error to ensure that you have a complete list for each application you want to allow. If i do get a min i will look at it again to refresh my memory but from what i can remember its not an easy task.

Cheers

Righty, I have just been doing some reading on this and somthing that Starfire said got me thinking.

Can you not restrict what you can open and what you can run on a directory by directory level with AD ?

There are four methods of identifying the application when using Software Restrictions through GPO;

• Hash—A cryptographic fingerprint of the file.
• Certificate—A software publisher certificate used to digitally sign a file.
• Path—The local or universal naming convention (UNC) path of where the file is stored.
• Zone—Internet Zone

You can say if they are allowed to run or not. This is where i was saying it would get tricky and be a very lenghty process. If you wanted to specify everything that is allowed to run then it could take forever, especially if you are talking about things like Word which invoke other executables also.

Anyhow, back to what Starfire got me thinking about. As you can see, one of the methods of specifying the application to run is a Path. This got me thinking if you could specify a path of C:\Program Files (And possibly C:\Windows) to allow everything to run. The default XP restrictions wont allow normal users to install applications to these locations. If you also run anything off your network shares you would have to add them as a path.

Don't quote me on this but it could be a way of simplifying the task ? May be worth checking it out (and letting us know how you get on if you try it )

Take a look at this Technet Article for more detailed info on Software Restrictions

www.microsoft.com/technet/prodtechnol/wi...intain/rstrplcy.mspx

Cheers

Thanks Smurf,

I knew you'd be on the case...

We do have in place restrictions via HASH rules and Paths for system roots and shares but it looks like there is still a flaw on it.

We'll give it another go with the paths and I'll keep you posted. I've email my boss the CPM site for him to check it out, thanks.

As a curiosity, any of you has used wildcards for this purpose before? Will this work?

Cheers

Alans, please correct me if i am wrong there.

you are right Smurf, kerio is a client firewall.
thanx for this point.

Hi Ed,

Sorry, we have never done anything with software restrictions. The issue we have is that we don't have total ownership of the systems once they are installed. If a member of staff wants to add some key stage 1 software, then thats upto them.

If we did implement software restrictions, they wouldn't be able to install the software which would require our time to add this to the list, etc..., etc..., etc... and it would cost the school.

Let us know how you go on

Cheers