Block execution of exe files from certain drives

[semaja2.net]

Hi Guys,

I know that you can allow/disallow software using 'Software Restriction' rules however using a path rule i am unable to block a exe from running on a per drive basis

What i am aiming to do is to disallow students from running any applications unless its from the C:/ S:/ H:/ P:/ drives how would i go about this?

[PermaSt0ne]

which version of windows you running?

[semaja2.net]

Clients XP, Servers 2003STD + 2002

[Skoey]

Maybe you should just deny Student logins access to the applications on the drives they arent meant to be running apps from, using permissions!

[semaja2.net]

Explain to me then the magical permissions that can be set on removable drives? last i heard they were FAT...

I know this can be accomplished with a GPO but for some reason my GPO isnt working correctly

[Skoey]

Firstly, you can FORMAT removable drives as NTFS.

And secondly as you did not provide us with information regarding the removable drives and fat file system, its a bit hard for me to cover all scenarios.

Unfortunately before you can play around with permission you need to convert your drives to NTFS. I'm pretty sure there is a windows command to convert any FAT/FAT32 drive to NTFS. (http://technet.microsoft.com/en-us/library/bb456984.aspx)

Now assuming you have formatted your drives as NTFS. Im assuming your Students are in a common security group. So you goto the server with the removable drives, browse to the folders you DONT want to access. Right click on those folders, and goto the Security tab and add DENY permissions.

[Gary2MBz]

Although this might be unrelated, try using Windows SteadyState. I have helped my uncle a lot with that when his coworkers screw around and download every little "codec" or "activeXhelper1.2.3.34342.886.exe"

[semaja2.net]

Ok ill clear it up... the removable drives are CLIENT side, these drives are 100% out of my control and i can not convert/set permissions on them, the only solution so far is such as DaDog suggested or working out this Software Restriction Policy in a GPO for the students.

I know i can block EXEs with hashes and such but i need to know what path rule to use to block a whole drive and all sub directories

[Skoey]

AFAIK What you are attempting to do is not possible within the scenario you explained.

[SAXD]

I believe the OP is attempting to prevent end users from running applications from USB flash drives/removable hard drives, perhaps web browsers that circumvent GPOs, hacking software, or whatever.

I've personally looked at accomplishing this myself -- although it's been several months, so it's not the most fresh in my head. That said, I believe you will need some third-party software to lock down USB ports.

I know that this really doesn't accomplish your goal -- you probably want end users to be able to save documents, work, etc to their flash drive.

The only suggestion I have is either A) network storage (with a quota) or B) have end users email themselves the work as an attachment.

Hopefully someone else will have some better suggestions than I do.

[1337ish]

  semaja2.net said:

I know that you can allow/disallow software using 'Software Restriction' rules however using a path rule i am unable to block a exe from running on a per drive basis

Thats exactly what you need. It does this perfectly as I block students running exe's from a large amount of areas using GP.

Basically you would make the base policy dissallow and then you add path rules for the drives you want exe's to be blocked from :)

Take a look at:

http://www.edugeek.net/forums/windows/2623...hrough-gpo.html

for some tips from others that wanted to block usb drives etc.

I use GP to block exe's from temp internet files and that helps prevent them doing a "run" on a exe from the net.

(Shameless plug - check the site on my sig as its specifically for IT professionals working in education :) )