Re: File Level Blocking



I believe McAfee Virusscan 8 lets you do this. There are probably other
ways as well, involving third party software. SRP is the only way I can
think of without adding non-Microsoft software.

You are correct that you could also run a script that just monitors for the
existence of such files. A simple DIR in a batch file, perhaps, with FIND
and/or FC commands to filter permitted files out of the results.

You might also be able to use local group policy to change the NTFS file
permissions on all files except for permitted file extensions, e.g. have one
that removes all permissions for *.* in certain folders, then another one
that adds permissions allowing access to *.lnk etc. With this method, you
could probably write forbidden files to the drive and access them for maybe
half an hour, but then the permissions would be revoked on the files.

You don't want to push large amounts of NTFS file permissions via AD group
policy, but you can run a script that uses the SECEDIT command to import and
apply a security template / database you created using MMC.EXE and the
Security Templates and Security Configuration and Analysis add-ins. Be
careful and test thoroughly, as this is a good way to screw up all the
systems on your network simultaneously.


"Alex" <x929@xxxxxxxxxxxxx> wrote in message
news:%23%23xkOtSeGHA.4304@xxxxxxxxxxxxxxxxxxxxxxx
I have thought about SRP. But it is way too restrictive. I am just not sure
if there is a better way. Maybe soft restrictions where we would just
monitor and modify the hard set policies accordingly. I don't know. It would
be nice to get an official response as to why this isn't being addressed by
MS. My initial thought was simply that I might have missed something
between Server SP 1 and R2.

ac


"Steven L Umbach" <n9rou@xxxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:%23fMjjoReGHA.3484@xxxxxxxxxxxxxxxxxxxxxxx
The closest you probably could come within the native operating system is
to use Software Restriction Policies that are available in XP Pro and
Windows 2003 where you can use path, hash and certificate rules and also
modify the designated file types list. The link below explains how to use
and deploy Software Restriction Policies. FYI, any user that is a local
administrator can bypass SRP by booting the computer into Safe Mode. SRP
should not be implemented however without extensive testing to make sure
they work as planned and do not overly restrict the user. Also desktop
shortcuts [.lnk files] by default are included in the designated file
types. When tweaking SRP it will help to check the application log for
SRP events if problems arise and also use the free filemon tool from
SysInternals to see what files are accessed/executed when a user tries to
run an application. --- Steve

http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/rstrplcy.mspx
--- Software Restriction Policies

"Alex" <x929@xxxxxxxxxxxxx> wrote in message
news:OMft%23WReGHA.380@xxxxxxxxxxxxxxxxxxxxxxx
Is there a way to lock down all file types with the exception of a
"whitelist" on a Windows Server?
I want to actually specify what file extensions are allowed to execute
on a server. I.E. .exe, .doc, .xls but I want to block everything else.

TIA

Alex
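
The monitoring approach suggested in the first reply of this thread (a script that lists files and filters the permitted ones out of the results), sketched in PowerShell as an added example that is not part of the original posts. The function name, its parameters, the default allowlist (.exe, .doc, .xls from the question plus .lnk from the reply) and the sample path are assumptions; it needs PowerShell 5 or later and only reports files, it does not block or remove them.

```powershell
# Added example: report files whose extension is not on an allowlist.
# Find-DisallowedFile and its parameters are hypothetical names.
function Find-DisallowedFile {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string[]] $Path,
        # Assumed allowlist: extensions named in the thread.
        [string[]] $AllowedExtension = @('.exe', '.doc', '.xls', '.lnk')
    )

    # Case-insensitive set so ".EXE" and ".exe" compare equal.
    $allowed = [System.Collections.Generic.HashSet[string]]::new(
        [string[]]$AllowedExtension, [System.StringComparer]::OrdinalIgnoreCase)

    foreach ($root in $Path) {
        if (-not (Test-Path -LiteralPath $root -PathType Container)) {
            Write-Warning "Skipping missing folder: $root"
            continue
        }
        # -Force includes hidden and system files. Folders that cannot be
        # read are collected in $scanErrors and reported, not silently lost.
        Get-ChildItem -LiteralPath $root -File -Recurse -Force `
                      -ErrorAction SilentlyContinue -ErrorVariable scanErrors |
            # Files with no extension have Extension '' and are reported too.
            Where-Object { -not $allowed.Contains($_.Extension) } |
            Select-Object FullName, Extension, Length, LastWriteTime,
                @{ Name = 'Owner'
                   Expression = { (Get-Acl -LiteralPath $_.FullName).Owner } }

        foreach ($e in $scanErrors) {
            Write-Warning "Could not scan: $($e.TargetObject)"
        }
    }
}

# Constructed usage: the folder and report path are placeholders.
# Find-DisallowedFile -Path 'D:\Shares\Public' |
#     Export-Csv -Path 'C:\Reports\disallowed-files.csv' -NoTypeInformation
```

Run on a schedule, this gives the "soft restriction" view discussed in the thread: the report shows what would be affected before any SRP or NTFS permission change is enforced.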







