RE: Active Directory Question

From: Jannie Hanekom (j_hanekom_at_hotmail.com)
Date: 01/12/04

    To: <focus-ms@securityfocus.com>
    Date: Mon, 12 Jan 2004 15:26:28 -0000
    
    

    Hi Simon

    In my experience, persistent users will discover pretty quickly that they
    can get around this by simply renaming files. If you still want that type
    of protection through GPOs, I'm afraid the only solution is to either block
    specific, exact names or to compile a comprehensive list of allowed
    executables and only allow those.

    There are some weird apps that monitor the titles of all windows on the
    desktop and forcibly close them if they match the list; a colleague once
    tested one of these out and it seemed to work fairly effectively - it is
    also immune to renamed executables (but not custom-compiled executables).
    Only problem was that it was very aggressive: e-mails, IE windows, Word
    documents or anything else that contained the target string in its title
    were also instantly closed. If however you still feel that way inclined,
    try http://www.plevna.f9.co.uk/tindex.htm. Google ads also suggest this:
    http://www.reflex-magnetics.com/products/disknetpro/.

    On the MS front, SMS 2.0's software metering facility has a rather kludgy
    but effective blocking mechanism that blocks/allows executables based on the
    executable's binary properties.

    The most effective way IMO is to remove the source of these types of files:
    disable the removable drives (see previous threads), block executables on
    e-mail gateways, etc.

    I've been wanting to test out another theory in a large environment, but
    haven't had a chance: setting the "Traverse Folder/Execute file" ACL flag
    to "Deny" on end-users' temporary and home directories appears to stop
    arbitrary web downloads and e-mail attachments from executing. This might
    also prove quite effective against many e-mail worms, and is what *nix
    protagonists have been telling us for years... If you want a file to
    execute, you should have to explicitly make it executable. (Note that this
    only works for binary executables; script files still run normally.)

    Hope that helps.

    Jannie

    -----Original Message-----
    From: Simon Taplin [mailto:simont@pop.co.za]
    Sent: 10 January 2004 17:16
    To: focus-ms@securityfocus.com
    Subject: Active Directory Question

    Is it possible to set up a policy on Win2000 Active Directory whereby you can
    use wildcards to deny users access to running certain programs, for example
    blocking users running setup*.*

    Thanks
    Simon

    ---
    This email is hopefully virus free as it has been
    Checked by AVG anti-virus system (http://www.grisoft.com).
    Version: 6.0.558 / Virus Database: 350 - Release Date: 2004/01/02
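
The deny-execute ACL idea Jannie describes above (Deny on "Traverse Folder/Execute File" for users' temporary and home directories), as an added PowerShell example that is not part of the original thread. The target directory defaults to the current user's %TEMP% and the denied principal to BUILTIN\Users; both are illustrative assumptions, not values from the message. The second function checks that the entry actually landed, which is the first thing to verify before rolling the idea out more widely.

```powershell
# Added example, not from the original thread: put a Deny "Execute File" ACE on a
# directory so binaries dropped there (web downloads, mail attachments) cannot run.
# Assumptions: $Path defaults to the current user's %TEMP% and $Identity to
# BUILTIN\Users; both are illustrative choices, not taken from the thread.

function Add-DenyExecuteAce {
    param(
        [string]$Path = $env:TEMP,
        [string]$Identity = 'BUILTIN\Users'
    )
    $acl = Get-Acl -Path $Path
    # ExecuteFile is the same bit as "Traverse Folder". With ObjectInherit only,
    # the ACE is applied to files at every level below $Path but not to the
    # folders themselves, so directory traversal keeps working while file
    # execution is refused.
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Identity,
        [System.Security.AccessControl.FileSystemRights]::ExecuteFile,
        [System.Security.AccessControl.InheritanceFlags]::ObjectInherit,
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Deny
    )
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

function Test-DenyExecuteAce {
    # Returns $true when a Deny ACE carrying ExecuteFile exists for $Identity on $Path.
    param(
        [string]$Path = $env:TEMP,
        [string]$Identity = 'BUILTIN\Users'
    )
    $acl = Get-Acl -Path $Path
    $hit = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Deny' -and
        $_.IdentityReference.Value -eq $Identity -and
        ($_.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::ExecuteFile)
    }
    return [bool]$hit
}

Add-DenyExecuteAce
Test-DenyExecuteAce
```

Deny entries take precedence over Allow entries, so try this on a test profile first: installers that unpack into %TEMP% and then launch their payload from there will fail, which is exactly the behaviour being sought but also the most common support complaint. As the message notes, the entry only stops binary executables; script files still run through their interpreter, so this belongs alongside, not instead of, the gateway and removable-media controls mentioned above.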
