Block execution of exe files from certain drives



Hi Guys,

I know that you can allow/disallow software using 'Software Restriction' rules, however using a path rule I am unable to block an exe from running on a per-drive basis.

What I am aiming to do is to disallow students from running any applications unless it's from the C:/ S:/ H:/ P:/ drives. How would I go about this?

Explain to me then the magical permissions that can be set on removable drives? Last I heard they were FAT...

I know this can be accomplished with a GPO but for some reason my GPO isn't working correctly.

Firstly, you can FORMAT removable drives as NTFS.

And secondly, as you did not provide us with information regarding the removable drives and FAT file system, it's a bit hard for me to cover all scenarios.

Unfortunately, before you can play around with permissions you need to convert your drives to NTFS. I'm pretty sure there is a Windows command to convert any FAT/FAT32 drive to NTFS. (http://technet.microsoft.com/en-us/library/bb456984.aspx)

Now assuming you have formatted your drives as NTFS. I'm assuming your students are in a common security group. So you go to the server with the removable drives, browse to the folders you DON'T want to access. Right click on those folders, go to the Security tab and add DENY permissions.

Although this might be unrelated, try using Windows SteadyState. I have helped my uncle a lot with that when his coworkers screw around and download every little "codec" or "activeXhelper1.2.3.34342.886.exe"

OK, I'll clear it up... the removable drives are CLIENT side. These drives are 100% out of my control and I cannot convert/set permissions on them. The only solution so far is such as DaDog suggested or working out this Software Restriction Policy in a GPO for the students.

I know I can block EXEs with hashes and such, but I need to know what path rule to use to block a whole drive and all subdirectories.

I believe the OP is attempting to prevent end users from running applications from USB flash drives/removable hard drives, perhaps web browsers that circumvent GPOs, hacking software, or whatever.

I've personally looked at accomplishing this myself -- although it's been several months, so it's not the most fresh in my head. That said, I believe you will need some third-party software to lock down USB ports.

I know that this really doesn't accomplish your goal -- you probably want end users to be able to save documents, work, etc. to their flash drive.

The only suggestion I have is either A) network storage (with a quota) or B) have end users email themselves the work as an attachment.

Hopefully someone else will have some better suggestions than I do.

  • 3 weeks later...
  semaja2.net said:
I know that you can allow/disallow software using 'Software Restriction' rules, however using a path rule I am unable to block an exe from running on a per-drive basis.

That's exactly what you need. It does this perfectly, as I block students running exes from a large number of areas using GP.

Basically you would make the base policy disallow and then you add path rules for the drives you want exes to be blocked from :)

Take a look at:

http://www.edugeek.net/forums/windows/2623...hrough-gpo.html

for some tips from others that wanted to block USB drives etc.

I use GP to block exes from temp internet files and that helps prevent them doing a "run" on an exe from the net.

(Shameless plug - check the site on my sig as it's specifically for IT professionals working in education :) )
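
The allow-list asked for at the top of this thread (default level Disallowed, Unrestricted path rules for the C:, S:, H: and P: drives), modelled as an added example that is not part of any post above. The policy, the sample paths and the `student` temp folder are constructed, and the model covers path rules only (no hash, certificate or zone rules, wildcards or environment variables).

```python
from pathlib import PureWindowsPath

DISALLOWED, UNRESTRICTED = "Disallowed", "Unrestricted"

# Constructed policy for illustration: deny by default, allow the four drives
# named in the thread, and carve out one user-writable folder (hypothetical path).
DEFAULT_LEVEL = DISALLOWED
PATH_RULES = [
    ("C:\\", UNRESTRICTED),
    ("S:\\", UNRESTRICTED),
    ("H:\\", UNRESTRICTED),
    ("P:\\", UNRESTRICTED),
    ("C:\\Users\\student\\AppData\\Local\\Temp", DISALLOWED),
]


def _components(path):
    """Split a Windows path into lower-cased components (matching is case-insensitive)."""
    return tuple(p.lower().rstrip("\\") for p in PureWindowsPath(path).parts)


def evaluate(exe_path, rules=PATH_RULES, default=DEFAULT_LEVEL):
    """Return the security level that applies to exe_path.

    The most specific (longest) matching path rule wins; on a tie between
    identical paths the more restrictive level wins; with no match the
    default level applies.
    """
    target = _components(exe_path)
    best_len, level = 0, default
    for rule_path, rule_level in rules:
        rule = _components(rule_path)
        if target[:len(rule)] != rule:
            continue  # rule does not cover this file
        if len(rule) > best_len or (len(rule) == best_len and rule_level == DISALLOWED):
            best_len, level = len(rule), rule_level
    return level


if __name__ == "__main__":
    # Constructed sample paths.
    for sample in (
        "C:\\Windows\\notepad.exe",
        "H:\\coursework\\project.exe",
        "E:\\PortableApps\\browser.exe",
        "C:\\Users\\student\\AppData\\Local\\Temp\\setup.exe",
    ):
        print(f"{evaluate(sample):<12} {sample}")
```

A drive-wide Unrestricted rule also covers every folder on that drive that students can write to, which is why the model includes a narrower Disallowed rule for one such folder.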
