Re: Prevent users running executables from pen drives
From: Steven L Umbach (n9rou_at_n0-spam-for-me-comcast.net)
Date: 09/23/04
- Next message: Steven L Umbach: "Re: How do I check whether IPSec is enabled on machine or not"
- Previous message: vikram: "How do I check whether IPSec is enabled on machine or not"
- In reply to: andy smart: "Re: Prevent users running executables from pen drives"
- Next in thread: andy smart: "Re: Prevent users running executables from pen drives"
- Reply: andy smart: "Re: Prevent users running executables from pen drives"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Thu, 23 Sep 2004 07:01:49 GMT
The fact that they are power users will not be a problem with SRP. I think you will
find using it will be very productive. See the link below for a great paper on
implementing SRP. One gotcha I came access is that shortcuts are restricted also with
SRP as are a lot of other files. So if you create an allowed path rule to a folder
and the application does not run, make sure that the shortcut has a rule to allow it
to run. I suggest that shortcuts be all placed in the all users profile as a user can
not write to that folder and remove power users write permissions to it also. You can
also exempt local administrators from SRP with the enforcement policy so that they
can access the computer like normal. Be sure to set up a test OU to tweak your
settings. --- Steve
http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/rstrplcy.mspx
"andy smart" <anonymus@discussions.microsoft.com> wrote in message
news:citr7c$jlp$2@newsfeed.th.ifl.net...
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Thanks Steve
>
> We are using XP pro on our 2003 domain so this looks like a winner to
> be, apart from the fact that we do need the users to have either 'power
> user' rights on our XP boxes because of what we might term 'legacy'
> software. But we lock down the desktops so they can't access control
> panel so it might prove to be an effective solution!
>
> Steven L Umbach wrote:
> | The best solution I know of would be to use XP Pro computers and
> Software Restriction
> | Policies. SRP can be configured to allow users to run only authorized
> applications
> | via certificate, hash, or path rules. If a user had a default
> disallowed policy and
> | paths to say only specific program files folder for allowed
> applications, and the
> | associated shortcuts in the all users profiles they would not be able
> to execute a
> | file on a USB drive or copied to their profile folders. If SRP are
> applied under
> | computer configuration they can also apply to local administrators if
> need be by
> | configuring the enforcement rule. XP Pro computers can have their
> Group Policy
> | features applied in a W2K domain. I don't know of a good solution in
> W2K. About the
> | best you can do is to make sure users are not local administrators and
> try modifying
> | the Windows Applications policy settings under user
> configuration/system to populate
> | the allowed only or disallowed list. --- Steve
> |
> |
> | "andy smart" <anonymus@discussions.microsoft.com> wrote in message
> | news:cis296$7as$1@newsfeed.th.ifl.net...
> |
> | Hi
> |
> | I've seen lots of postings from people who want to prevent users writing
> | to their usb pen drives, we want our users to read and right - but not
> | run programs. Does anybody have any solutions for this (being in the
> | educational sector 'free' would be nice)
> |
> | thanks
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.2.5 (MingW32)
> Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org
>
> iD8DBQFBUnAsqmlxlf41jHgRAq5eAKDlsq8F8pxMT1YfbZ91Zw9A9n0iBACeLUVq
> LNJt8ikRThgHTX96XpZlr4c=
> =eIhr
> -----END PGP SIGNATURE-----
- Next message: Steven L Umbach: "Re: How do I check whether IPSec is enabled on machine or not"
- Previous message: vikram: "How do I check whether IPSec is enabled on machine or not"
- In reply to: andy smart: "Re: Prevent users running executables from pen drives"
- Next in thread: andy smart: "Re: Prevent users running executables from pen drives"
- Reply: andy smart: "Re: Prevent users running executables from pen drives"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
|
