Re: Disable Exe and Other File Types from being run/viewed
From: Arkane (Arkane_at_discussions.microsoft.com)
Date: 03/21/05
- Next message: Arkane: "Re: Disable Exe and Other File Types from being run/viewed"
- Previous message: Steven L Umbach: "Re: Disable Exe and Other File Types from being run/viewed"
- In reply to: Steven L Umbach: "Re: Disable Exe and Other File Types from being run/viewed"
- Next in thread: Arkane: "Re: Disable Exe and Other File Types from being run/viewed"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Mon, 21 Mar 2005 13:57:04 -0800
Thank you both for your responses here.
Lots of good ideas and practical advice; unfortunately the key issue is not
blocking .exe/etc. files from the local hard disk (as these are under our
control and everyone has READ access anyway). It would serve no purpose for
us to restrict the local hard disk any more than it already is (no-one has any
kind of access except READ and only Domain Admins have FULL). I've thought of
writing the aforementioned scripts to lock down those .exe files, but as everyone
needs to be able to run them it would be pointless to do so. Our users
cannot access Explorer to navigate to any hard disks anyway as that's
restricted via policy; it's also a hidden drive letter and is also restricted
so they can't navigate to it even if they were really smart. The command
prompt and friends are also disabled. (However, command-script processing is
not, so we can still use the login script; although if I were to use KiX,
would I still need this setting to be enabled?)
The problem lies entirely with USB drives, etc. We can't prevent their use
as it's a requirement for them.
If anyone else has any other good ideas or solutions I'd be more than happy
to listen/read. However, based on some research and poking around I may have
found a somewhat unusual solution (assuming my testing works).
You change the .exe (and whatever other file type) file association to point
to a 'stub' program, a batch file or whatever, then you simply ask the batch
file to parse what it was given in terms of the EXE file to run. If that file
lives on the C drive or a specific network drive, then we can simply run the
program; if it doesn't live there (as in it must be a USB stick or somewhere
else, like a disk), then we just exit: no errors, no messages, just a clean
exit. (At least for now.)
Failing that (if it doesn't work, and I'm not sure why it wouldn't), then my
only other alternative is to populate the 'Users can only run following apps'
list... which is good for us as we can lock the students right down, but the
staff and admins (us) will still have full control of what we can/can't run.
I have NO idea if my 'file-association' thing would work; we can push out
registry settings as admins, or anything else as admins if needed. It's just
a case of how much hassle it all is...
I will test this tomorrow and will let you know if interested.
"Steven L Umbach" wrote:
> From your options your best bet is probably to populate the "only allowed"
> applications list. Programs such as filemon from SysInternals can help you
> track down which executables are used for an application. If you don't want
> them to have access to USB drives, consider disabling USB in the cmos for
> the computer and password protecting the cmos settings, which is not
> foolproof but could be a major barrier to accessing the computer's cmos. Also
> keep in mind that Windows 2000 computers cannot use Software Restriction
> Policies. --- Steve
>
>
> "Arkane" <Arkane@discussions.microsoft.com> wrote in message
> news:D94B7FDA-7364-4D10-B06B-691378EAF7CE@microsoft.com...
> > Here's the scenario we have:
> > We have several hundred W2K SP4 PCs, several hundred WXP Pro SP1a PCs.
> > Our network is NT4 but we will migrate to AD in time.
> >
> > I know that with AD Software Policies we can stop users from running
> > applications using policies - however while we currently don't have this
> > capability, does anyone have a good equivalent?
> >
> > The "Don't Run Windows Programs" POLEDIT policy is not feasible as we'd
> > have to list vast arrays of files as it does not accept masks.
> >
> > Using "Only allow following Windows Programs" is equally bad as the range
> > of applications we use really is vast; to track down all of their component
> > .exe files and other components (that must be able to be run) would be a
> > massive task.
> >
> > This restriction, however applied, must work for Network and Removable
> > Drives - now if there's a setting I can put on Removable Drives (like No
> > Exec on Linux filesystems), then I'd happily do that via a security policy.
> >
> > I'm at my wits' end with this one as we use a 'sweeper' which erases these
> > files from our servers, yet the users can still plug in their USB memory
> > sticks and run .exe files or whatever may be on them. I work at a
> > school, so security is something that's better off prevented first (stop
> > them doing something at the start), rather than running around and trying
> > to catch it later.
> >
> > Any thoughts?
>
>
>
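The stub batch file that Arkane describes above, written out as an added example (it is not the poster's script or anything from this thread). It assumes the .exe association (the default value of HKEY_CLASSES_ROOT\exefile\shell\open\command, normally `"%1" %*`) has been pointed at this file as `C:\Windows\System32\exestub.cmd "%1" %*`, and that the permitted locations are the C: drive and an application share mapped as N:.

```batch
@echo off
rem exestub.cmd: added example of the 'stub' described in the post (not the poster's script).
rem Assumed registration (default value of HKEY_CLASSES_ROOT\exefile\shell\open\command):
rem   C:\Windows\System32\exestub.cmd "%1" %*
rem so %1 here is the executable the shell wanted to launch and %2.. are its arguments.
setlocal
set "target=%~1"
if "%target%"=="" exit /b 0

rem %~d1 is the drive part of the first argument: C: for a local path,
rem E: (or similar) for a USB stick, or \\server\share for an unmapped UNC path.
set "drive=%~d1"

rem Permitted locations: the local system disk and the application share mapped as N:.
if /i "%drive%"=="C:" goto run
if /i "%drive%"=="N:" goto run

rem Anything else (USB stick, floppy, CD, unmapped UNC path): quiet exit, no message.
exit /b 0

:run
rem Drop the target from the argument list and run it with the caller's arguments.
rem cmd.exe starts an .exe directly through CreateProcess rather than the file
rem association, so the stub does not call itself again.
shift
"%target%" %1 %2 %3 %4 %5 %6 %7 %8 %9
endlocal
exit /b %ERRORLEVEL%
```

The check only sees launches that go through the shell's file association for the extensions the stub is registered for; anything started by another route is not inspected, so it is a convenience layer on top of the "only allowed applications" list rather than a replacement for it.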