Re: Disable Exe and Other File Types from being run/viewed
From: Arkane (Arkane_at_discussions.microsoft.com)
Date: 03/21/05
- Previous message: Arkane: "Re: Disable Exe and Other File Types from being run/viewed"
- In reply to: Steven L Umbach: "Re: Disable Exe and Other File Types from being run/viewed"
- Next in thread: EN: "Re: Disable Exe and Other File Types from being run/viewed"
- Reply: EN: "Re: Disable Exe and Other File Types from being run/viewed"
Date: Mon, 21 Mar 2005 14:01:03 -0800
Something just to note - the USB drives/sticks are all FAT32 filesystems, so
xACL modification would fail on them, even if my script was able to detect
when they were plugged in.
One of these 'viruses' that intercepts all .exe execution and such would be
good for this - if only they weren't destructive and were configurable...
like a low-level I/O driver of sorts... am sure other people have had similar
problems.
Hopefully the file-association idea will work and will also allow us to deal
with a few other nuisance filetypes - as the users can't "run" files unless
they double-click - we have no media players or anything so they can't open
the files directly... which as far as I'm concerned, kills many problems with
a single solution... the trick will be making the batch file/parser-thing
intelligent enough to provide configuration and basic access control (so
admins/staff can run whatever w/o interruption).
"Steven L Umbach" wrote:
> From your options your best bet is probably to populate the "only allowed"
> applications list. Programs such as filemon from SysInternals can help you
> track down which executables are used for an application. If you don't want
> them to have access to USB drives, consider disabling USB in the cmos for
> the computer and password protecting the cmos settings which is not
> foolproof but could be a major barrier to access the computer's cmos. Also
> keep in mind that Windows 2000 computers can not use Software Restriction
> Policies. --- Steve
>
>
> "Arkane" <Arkane@discussions.microsoft.com> wrote in message
> news:D94B7FDA-7364-4D10-B06B-691378EAF7CE@microsoft.com...
> > Here's the scenario we have :
> > We have several hundred W2K SP4 PCs, several hundred WXP Pro SP1a PCs.
> > Our network is NT4 but we will migrate to AD in-time.
> >
> > I know that with AD Software Policies we can stop users from running
> > applications using policies - however while we currently don't have this
> > capability, does anyone have a good equivalent?
> >
> > The "Don't Run Windows Programs" POLEDIT policy is not feasible as we'd have
> > to list vast arrays of files as it does not accept masks.
> >
> > Using "Only allow following Windows Programs" is equally bad as the range of
> > applications we use really is vast, to track down all of their component .exe
> > files and other components (that must be able to be run) would be a massive
> > task.
> >
> > This restriction, however applied - must work for Network and Removable
> > Drives - now if there's a setting I can put on Removable Drives (Like No Exec
> > on Linux filesystems), then I'd happily do that via a security policy.
> >
> > I'm at my wits end with this one as we use a 'sweeper' which erases these
> > files from our servers, yet the users can still plug in their USB memory
> > sticks and run .exe files or whatever that may be on them. I work at a school
> > so security is something that's better off prevented first (stop them doing
> > something at the start), rather than run around and try and catch it later.
> >
> > Any thoughts?
>
>
>