Re: File Level Blocking



I believe McAfee Virusscan 8 lets you do this. There are probably other
ways as well, involving third party software. SRP is the only way I can
think of without adding non-Microsoft software.

You are correct that you could also run a script that just monitors for the
existence of such files. A simple DIR in a batch file, perhaps, with FIND
and/or FC commands to filter permitted files out of the results.

You might also be able to use local group policy to change the NTFS file
permissions on all files except for permitted file extensions, e.g. have one
that removes all permissions for *.* in certain folders, then another one
that adds permissions allowing access to *.lnk etc. With this method, you
could probably write forbidden files to the drive and access them for maybe
half an hour, but then the permissions would be revoked on the files.

You don't want to push large amounts of NTFS file permissions via AD group
policy, but you can run a script that uses the SECEDIT command to import and
apply a security template / database you created using MMC.EXE and the
Security Templates and Security Configuration and Analysis add-ins. Be
careful and test thoroughly, as this is a good way to screw up all the
systems on your network simultaneously.


"Alex" <x929@xxxxxxxxxxxxx> wrote in message
news:%23%23xkOtSeGHA.4304@xxxxxxxxxxxxxxxxxxxxxxx
I have thought about SRP. But it is way too restrictive. I am just not sure
if there is a better way. Maybe soft restrictions where we would just
monitor and modify the hard set policies accordingly. I don't know. It would
be nice to get an official response as to why this isn't being addressed by
MS. My initial thought was simply that I might have missed something
between Server SP 1 and R2.

ac


"Steven L Umbach" <n9rou@xxxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:%23fMjjoReGHA.3484@xxxxxxxxxxxxxxxxxxxxxxx
The closest you probably could come within the native operating system is
to use Software Restriction Policies that is available in XP Pro and
Windows 2003 where you can use path, hash and certificate rules and also
modify the designated file types list. The link below explains how to use
and deploy Software Restriction Policies. FYI any user that is a local
administrator can bypass SRP by booting the computer into Safe Mode. SRP
should not be implemented however without extensive testing to make sure
they work as planned and do not overly restrict the user. Also desktop
shortcuts [.lnk files] by default are included in the designated file
types. When tweaking SRP it will help to check the application log for
SRP events if problems arise and also use the free filemon tool from
SysInternals to see what files are accessed/executed when a user tries to
run an application. --- Steve

http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/rstrplcy.mspx --- Software Restriction Policies

"Alex" <x929@xxxxxxxxxxxxx> wrote in message
news:OMft%23WReGHA.380@xxxxxxxxxxxxxxxxxxxxxxx
Is there a way to lock down all file types with the exception of a
"whitelist" on a Windows Server?
I want to actually specify what file extensions are allowed to execute
on a server. I.E. .exe, .doc, .xls but I want to block everything else.

TIA

Alex
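
The monitoring approach suggested in the reply at the top of this thread (a directory listing filtered against permitted files, then compared with the previous run) can be written in PowerShell instead of DIR/FIND/FC. This is an added example, not part of the original thread; the folder path, baseline file location and the function name `Get-UnlistedFile` are assumptions, and the allowlist uses the extensions mentioned in the thread.

```powershell
# Added example: report files whose extension is not on an allowlist, and
# show only the ones that appeared since the previous run.
param(
    [string[]]$Root     = @('D:\Shares'),                     # assumed folders to audit
    [string[]]$Allowed  = @('.exe', '.doc', '.xls', '.lnk'),  # extensions named in the thread
    [string]  $Baseline = 'C:\Audit\unlisted-files.txt'       # assumed baseline file; its folder must exist
)

function Get-UnlistedFile {
    param([string[]]$Path, [string[]]$AllowedExtension)
    # -Force includes hidden and system files; -File skips directories.
    # Files with no extension have Extension '' and are therefore reported.
    Get-ChildItem -LiteralPath $Path -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $AllowedExtension -notcontains $_.Extension } |  # case-insensitive match
        Select-Object -ExpandProperty FullName
}

$current = @(Get-UnlistedFile -Path $Root -AllowedExtension $Allowed | Sort-Object)

# Load the list written by the previous run (the FC step of the batch idea).
$previous = @()
if (Test-Path -LiteralPath $Baseline) {
    $previous = @(Get-Content -LiteralPath $Baseline -Encoding UTF8)
}

# Only files that were not in the previous listing are reported.
$new = @($current | Where-Object { $previous -notcontains $_ })

foreach ($file in $new) {
    $item  = Get-Item -LiteralPath $file -Force -ErrorAction SilentlyContinue
    if (-not $item) { continue }          # file vanished between listing and inspection
    $owner = try { (Get-Acl -LiteralPath $file).Owner } catch { 'unknown' }
    [pscustomobject]@{
        Path          = $file
        Extension     = $item.Extension
        Length        = $item.Length
        LastWriteTime = $item.LastWriteTime
        Owner         = $owner
    }
}

# Save the current listing as the baseline for the next run.
Set-Content -LiteralPath $Baseline -Value $current -Encoding UTF8
```

The check is by file name only, so a file renamed to a permitted extension is not reported; it detects unlisted file types after they are written rather than preventing them.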







