While we are on this subject, don't forget to block scripts from running in appdata also. Seeing a fair amount of VBS inside word docs targeting that directory tree.
From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On Behalf Of Bud Durland Sent: Tuesday, April 11, 2017 10:22 AM To: ntsysadm@lists.myitforum.com Subject: RE: [NTSysADM] Running exe from APPDATA..TEMP directory Vendors like to run from %appdata% because any user can put files there; no need to get corporate IT (or permission) to install the app. Bud Durland | Director of Information Technology Direct: 518.324.4850 | Cell: 518.726.0967 | Fax: 518.561.0017 | b...@mrpcap.com<mailto:b...@mrpcap.com> 1 Plant St., Plattsburgh, NY 12901 Website<http://www.mrpcap.com/> | Twitter<https://www.twitter.com/weatherchem> | LinkedIn<https://www.linkedin.com/company/mold-rite-plastics-inc.?trk=biz-companies-cym> | YouTube<https://www.youtube.com/user/wreichheld> From: listsad...@lists.myitforum.com<mailto:listsad...@lists.myitforum.com> [mailto:listsad...@lists.myitforum.com] On Behalf Of David McSpadden Sent: Monday, April 10, 2017 10:25 To: ntsysadm@lists.myitforum.com<mailto:ntsysadm@lists.myitforum.com> Subject: [NTSysADM] Running exe from APPDATA..TEMP directory Have a vendor that want so run his app from the APPDATA..TEMP directory. I have a GPO that denied .exe from running there or subfolders of there. Any reason I should allow this? I have the exact folder and program name but it's opening up an exception to my rule?? Any thoughts? David McSpadden System Administrator Indiana Members Credit Union P: 317.554.8190 [Description: Description: imcu email icon]<http://imcu.com/> [Description: Description: facebook email icon] <https://www.facebook.com/IndianaMembersCU> [Description: Description: twitter email icon] <https://twitter.com/IndMembersCU> [Description: Description: email logo] [http://www.amuletsolutions.com/images/mcp.gif]<http://www.google.com/url?sa=i&rct=j&q=&esrc=s&source=images&cd=&cad=rja&uact=8&ved=0ahUKEwjFztf-tePJAhXK5iYKHcPtAxEQjRwIBw&url=http://www.amuletsolutions.com/awards.aspx&bvm=bv.110151844,d.amc&psig=AFQjCNHkrx8CednTEOOq4zUxYyrRUGzUsg&ust=1450459757284499> This e-mail and any files transmitted with it are property of Indiana Members Credit Union, are confidential, and are intended solely for the use of the individual or entity to whom this e-mail is addressed. If you are not one of the named recipient(s) or otherwise have reason to believe that you have received this message in error, please notify the sender and delete this message immediately from your computer. Any other use, retention, dissemination, forwarding, printing, or copying of this email is strictly prohibited. Please consider the environment before printing this email. ________________________________ NOTE -- This message contains legally privileged and confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system. Thank you.