Prevent users running executables from pen drives

Archived from groups: microsoft.public.win2000.security

Hi

I've seen lots of postings from people who want to prevent users writing
to their USB pen drives; we want our users to read and write - but not
run programs. Does anybody have any solutions for this (being in the
educational sector 'free' would be nice)?

thanks
  1. Archived from groups: microsoft.public.win2000.security

    The best solution I know of would be to use XP Pro computers and Software Restriction
    Policies. SRP can be configured to allow users to run only authorized applications
    via certificate, hash, or path rules. If a user had a default disallowed policy and
    paths to, say, only specific Program Files folders for allowed applications, and the
    associated shortcuts in the All Users profiles, they would not be able to execute a
    file on a USB drive or copied to their profile folders. If SRP are applied under
    computer configuration they can also apply to local administrators if need be by
    configuring the enforcement rule. XP Pro computers can have their Group Policy
    features applied in a W2K domain. I don't know of a good solution in W2K. About the
    best you can do is to make sure users are not local administrators and try modifying
    the Windows Applications policy settings under user configuration/system to populate
    the allowed only or disallowed list. --- Steve
  2. Archived from groups: microsoft.public.win2000.security

    Thanks Steve

    We are using XP pro on our 2003 domain so this looks like a winner to
    be, apart from the fact that we do need the users to have either 'power
    user' rights on our XP boxes because of what we might term 'legacy'
    software. But we lock down the desktops so they can't access control
    panel so it might prove to be an effective solution!

  3. Archived from groups: microsoft.public.win2000.security

    The fact that they are power users will not be a problem with SRP. I think you will
    find using it will be very productive. See the link below for a great paper on
    implementing SRP. One gotcha I came across is that shortcuts are restricted also with
    SRP as are a lot of other files. So if you create an allowed path rule to a folder
    and the application does not run, make sure that the shortcut has a rule to allow it
    to run. I suggest that shortcuts be all placed in the All Users profile as a user
    cannot write to that folder and remove power users write permissions to it also. You can
    also exempt local administrators from SRP with the enforcement policy so that they
    can access the computer like normal. Be sure to set up a test OU to tweak your
    settings. --- Steve

    http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/rstrplcy.mspx
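
A simplified model of the path-rule evaluation described in answers 1 and 3, added here as an illustration (it is not code from the thread or from Microsoft). The drive letter `E:` for the pen drive, the user name `pupil` and the application `LegacyApp` are assumptions; only path rules are modelled, not hash or certificate rules.

```python
# Simplified model of SRP path-rule evaluation (added example, not Microsoft's code).
from ntpath import normcase, splitext

DISALLOWED, UNRESTRICTED = "Disallowed", "Unrestricted"

# Constructed policy following the thread's advice: default Disallowed,
# allow rules only for folders that ordinary users cannot write to.
POLICY = {
    "default_level": DISALLOWED,
    "exempt_local_admins": True,  # enforcement: all users except local administrators
    # A subset of the designated file types; note that LNK (shortcuts) is one of them.
    "designated_types": {".exe", ".com", ".bat", ".cmd", ".msi", ".scr", ".vbs", ".lnk"},
    "path_rules": [
        (r"C:\Windows", UNRESTRICTED),
        (r"C:\Program Files", UNRESTRICTED),
        (r"C:\Documents and Settings\All Users", UNRESTRICTED),  # shared shortcuts
    ],
}

def evaluate(path, policy=POLICY, is_local_admin=False):
    """Return the security level the modelled policy assigns to `path`."""
    if is_local_admin and policy["exempt_local_admins"]:
        return UNRESTRICTED
    if splitext(path)[1].lower() not in policy["designated_types"]:
        return UNRESTRICTED  # data files are not subject to the policy
    target = normcase(path)
    best = None
    for rule_path, level in policy["path_rules"]:
        # Trailing separator stops "C:\Program Files" matching "C:\Program Files2".
        prefix = normcase(rule_path).rstrip("\\") + "\\"
        if target.startswith(prefix) and (best is None or len(prefix) > len(best[0])):
            best = (prefix, level)  # the most specific matching rule wins
    return best[1] if best else policy["default_level"]

# Constructed sample paths (hypothetical user "pupil", pen drive mounted as E:).
SAMPLES = [
    r"E:\game.exe",                                            # run from pen drive
    r"E:\coursework.doc",                                      # data on pen drive
    r"C:\Documents and Settings\pupil\Desktop\game.exe",       # copied to profile
    r"C:\Program Files\LegacyApp\app.exe",                     # authorised program
    r"C:\Documents and Settings\pupil\Desktop\LegacyApp.lnk",  # the shortcut gotcha
    r"C:\Documents and Settings\All Users\Start Menu\Programs\LegacyApp.lnk",
]

def audit(paths, **kwargs):
    """Map each path to its evaluated level."""
    return {p: evaluate(p, **kwargs) for p in paths}

if __name__ == "__main__":
    for p, level in audit(SAMPLES).items():
        print(f"{level:12} {p}")
```

The allow rules are only as strong as the file permissions on the allowed folders, which is why the answer above suggests removing Power Users' write permission from the All Users profile.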
  4. Archived from groups: microsoft.public.win2000.security

    Thanks for the tip Steve, I'll test it out
    andy