Sign in with
Sign up | Sign in
Your question

Prevent users running executables from pen drives

Last response: in Windows 2000/NT
Share
Anonymous
a b 8 Security
September 22, 2004 7:29:58 PM

Archived from groups: microsoft.public.win2000.security (More info?)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi

I've seen lots of postings from people who want to prevent users writing
to their usb pen drives, we want our users to read and right - but not
run programs. Does anybody have any solutions for this (being in the
educational sector 'free' would be nice)

thanks
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (MingW32)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFBUYxmqmlxlf41jHgRAjmYAKDd1Dc7IE3BwL91Dv8KJD1OtiApZACfeZsP
gUuUuYxrlCDY0m4u5NyLI3w=
=U1bv
-----END PGP SIGNATURE-----
Anonymous
a b 8 Security
September 23, 2004 7:03:04 AM

Archived from groups: microsoft.public.win2000.security (More info?)

The best solution I know of would be to use XP Pro computers and Software Restriction
Policies. SRP can be configured to allow users to run only authorized applications
via certificate, hash, or path rules. If a user had a default disallowed policy and
paths to say only specific program files folder for allowed applications, and the
associated shortcuts in the all users profiles they would not be able to execute a
file on a USB drive or copied to their profile folders. If SRP are applied under
computer configuration they can also apply to local administrators if need be by
configuring the enforcement rule. XP Pro computers can have their Group Policy
features applied in a W2K domain. I don't know of a good solution in W2K. About the
best you can do is to make sure users are not local administrators and try modifying
the Windows Applications policy settings under user configuration/system to populate
the allowed only or disallowed list. --- Steve


"andy smart" <anonymus@discussions.microsoft.com> wrote in message
news:cis296$7as$1@newsfeed.th.ifl.net...
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hi
>
> I've seen lots of postings from people who want to prevent users writing
> to their usb pen drives, we want our users to read and right - but not
> run programs. Does anybody have any solutions for this (being in the
> educational sector 'free' would be nice)
>
> thanks
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.2.5 (MingW32)
> Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org
>
> iD8DBQFBUYxmqmlxlf41jHgRAjmYAKDd1Dc7IE3BwL91Dv8KJD1OtiApZACfeZsP
> gUuUuYxrlCDY0m4u5NyLI3w=
> =U1bv
> -----END PGP SIGNATURE-----
Anonymous
a b 8 Security
September 23, 2004 11:41:48 AM

Archived from groups: microsoft.public.win2000.security (More info?)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Thanks Steve

We are using XP pro on our 2003 domain so this looks like a winner to
be, apart from the fact that we do need the users to have either 'power
user' rights on our XP boxes because of what we might term 'legacy'
software. But we lock down the desktops so they can't access control
panel so it might prove to be an effective solution!

Steven L Umbach wrote:
| The best solution I know of would be to use XP Pro computers and
Software Restriction
| Policies. SRP can be configured to allow users to run only authorized
applications
| via certificate, hash, or path rules. If a user had a default
disallowed policy and
| paths to say only specific program files folder for allowed
applications, and the
| associated shortcuts in the all users profiles they would not be able
to execute a
| file on a USB drive or copied to their profile folders. If SRP are
applied under
| computer configuration they can also apply to local administrators if
need be by
| configuring the enforcement rule. XP Pro computers can have their
Group Policy
| features applied in a W2K domain. I don't know of a good solution in
W2K. About the
| best you can do is to make sure users are not local administrators and
try modifying
| the Windows Applications policy settings under user
configuration/system to populate
| the allowed only or disallowed list. --- Steve
|
|
| "andy smart" <anonymus@discussions.microsoft.com> wrote in message
| news:cis296$7as$1@newsfeed.th.ifl.net...
|
| Hi
|
| I've seen lots of postings from people who want to prevent users writing
| to their usb pen drives, we want our users to read and right - but not
| run programs. Does anybody have any solutions for this (being in the
| educational sector 'free' would be nice)
|
| thanks
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (MingW32)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFBUnAsqmlxlf41jHgRAq5eAKDlsq8F8pxMT1YfbZ91Zw9A9n0iBACeLUVq
LNJt8ikRThgHTX96XpZlr4c=
=eIhr
-----END PGP SIGNATURE-----
Related resources
Anonymous
a b 8 Security
September 23, 2004 11:41:49 AM

Archived from groups: microsoft.public.win2000.security (More info?)

The fact that they are power users will not be a problem with SRP. I think you will
find using it will be very productive. See the link below for a great paper on
implementing SRP. One gotcha I came access is that shortcuts are restricted also with
SRP as are a lot of other files. So if you create an allowed path rule to a folder
and the application does not run, make sure that the shortcut has a rule to allow it
to run. I suggest that shortcuts be all placed in the all users profile as a user can
not write to that folder and remove power users write permissions to it also. You can
also exempt local administrators from SRP with the enforcement policy so that they
can access the computer like normal. Be sure to set up a test OU to tweak your
settings. --- Steve

http://www.microsoft.com/technet/prodtechnol/winxppro/m...


"andy smart" <anonymus@discussions.microsoft.com> wrote in message
news:citr7c$jlp$2@newsfeed.th.ifl.net...
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Thanks Steve
>
> We are using XP pro on our 2003 domain so this looks like a winner to
> be, apart from the fact that we do need the users to have either 'power
> user' rights on our XP boxes because of what we might term 'legacy'
> software. But we lock down the desktops so they can't access control
> panel so it might prove to be an effective solution!
>
> Steven L Umbach wrote:
> | The best solution I know of would be to use XP Pro computers and
> Software Restriction
> | Policies. SRP can be configured to allow users to run only authorized
> applications
> | via certificate, hash, or path rules. If a user had a default
> disallowed policy and
> | paths to say only specific program files folder for allowed
> applications, and the
> | associated shortcuts in the all users profiles they would not be able
> to execute a
> | file on a USB drive or copied to their profile folders. If SRP are
> applied under
> | computer configuration they can also apply to local administrators if
> need be by
> | configuring the enforcement rule. XP Pro computers can have their
> Group Policy
> | features applied in a W2K domain. I don't know of a good solution in
> W2K. About the
> | best you can do is to make sure users are not local administrators and
> try modifying
> | the Windows Applications policy settings under user
> configuration/system to populate
> | the allowed only or disallowed list. --- Steve
> |
> |
> | "andy smart" <anonymus@discussions.microsoft.com> wrote in message
> | news:cis296$7as$1@newsfeed.th.ifl.net...
> |
> | Hi
> |
> | I've seen lots of postings from people who want to prevent users writing
> | to their usb pen drives, we want our users to read and right - but not
> | run programs. Does anybody have any solutions for this (being in the
> | educational sector 'free' would be nice)
> |
> | thanks
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.2.5 (MingW32)
> Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org
>
> iD8DBQFBUnAsqmlxlf41jHgRAq5eAKDlsq8F8pxMT1YfbZ91Zw9A9n0iBACeLUVq
> LNJt8ikRThgHTX96XpZlr4c=
> =eIhr
> -----END PGP SIGNATURE-----
Anonymous
a b 8 Security
September 23, 2004 3:25:51 PM

Archived from groups: microsoft.public.win2000.security (More info?)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Steven L Umbach wrote:
| The fact that they are power users will not be a problem with SRP. I
think you will
| find using it will be very productive. See the link below for a great
paper on
| implementing SRP. One gotcha I came access is that shortcuts are
restricted also with
| SRP as are a lot of other files. So if you create an allowed path rule
to a folder
| and the application does not run, make sure that the shortcut has a
rule to allow it
| to run. I suggest that shortcuts be all placed in the all users
profile as a user can
| not write to that folder and remove power users write permissions to
it also. You can
| also exempt local administrators from SRP with the enforcement policy
so that they
| can access the computer like normal. Be sure to set up a test OU to
tweak your
| settings. --- Steve
|
|
http://www.microsoft.com/technet/prodtechnol/winxppro/m...
|
|
| "andy smart" <anonymus@discussions.microsoft.com> wrote in message
| news:citr7c$jlp$2@newsfeed.th.ifl.net...
|
| Thanks Steve
|
| We are using XP pro on our 2003 domain so this looks like a winner to
| be, apart from the fact that we do need the users to have either 'power
| user' rights on our XP boxes because of what we might term 'legacy'
| software. But we lock down the desktops so they can't access control
| panel so it might prove to be an effective solution!
|
| Steven L Umbach wrote:
| | The best solution I know of would be to use XP Pro computers and
| Software Restriction
| | Policies. SRP can be configured to allow users to run only authorized
| applications
| | via certificate, hash, or path rules. If a user had a default
| disallowed policy and
| | paths to say only specific program files folder for allowed
| applications, and the
| | associated shortcuts in the all users profiles they would not be able
| to execute a
| | file on a USB drive or copied to their profile folders. If SRP are
| applied under
| | computer configuration they can also apply to local administrators if
| need be by
| | configuring the enforcement rule. XP Pro computers can have their
| Group Policy
| | features applied in a W2K domain. I don't know of a good solution in
| W2K. About the
| | best you can do is to make sure users are not local administrators and
| try modifying
| | the Windows Applications policy settings under user
| configuration/system to populate
| | the allowed only or disallowed list. --- Steve
| |
| |
| | "andy smart" <anonymus@discussions.microsoft.com> wrote in message
| | news:cis296$7as$1@newsfeed.th.ifl.net...
| |
| | Hi
| |
| | I've seen lots of postings from people who want to prevent users writing
| | to their usb pen drives, we want our users to read and right - but not
| | run programs. Does anybody have any solutions for this (being in the
| | educational sector 'free' would be nice)
| |
| | thanks
Thanks for the tip steve, I'll test it out
andy
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (MingW32)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFBUqSuqmlxlf41jHgRAg5MAKCqSmk5S5ijNQP8p4GlNip072nmVwCfQCS8
fXkjqQoZL1hMDprVq5tN9Vo=
=rDGK
-----END PGP SIGNATURE-----
!