Ben Scott wrote:
> For all our PCs, users don't have admin rights, and they can't
> create files or folders under C:\ -- in their user profile only. So I
> suppose I could (in theory) just tell Windows to only allow execution
> under C:\WINDOWS, C:\Program Files, any apps which insist on
> installing under C:\, and that would do it, right?
Correct, just set a default execute policy of "Deny" and allow only C:\Program Files and C:\WINDOWS.

Keep in mind that folders inherit the execute permissions of their parent: allowing execution from C:\ will automatically allow execution from %USERPROFILE% unless you take such things into account.

Of course, you will also need to allow execution from CIFS shares, if you have applications that need to run from such things. Oh, and optical drives. I don't think your users will, but some educational institutions like to play CD-based games.

One really, really annoying caveat I've run into: by default .lnk files are considered executables that will be blocked if you set a default policy of "Deny". Kinda makes the Start Menu hard to use... I've had to either remove the appropriate entry from the list of banned executables or put %USERPROFILE%\Start Menu and %ALLUSERSPROFILE%\Start Menu in the allowed list. As you've noticed, the policy allows you to use environment variables.

> How does it interact with network shares or "drives"? We've got
> some shares open to user writing, and others which are network-shared
> software and are read-only. Would I target the shares, the mapped
> drives, or both? If it has to be mapped drives, what's to keep a user
> from remapping T:\ (our IT Library) to their home directory to bypass
> these access controls?

Software restrictions apply to network shares as well as physical drives. I don't know how it works with regard to mapped drives vs CIFS shares, so I target both.

You can also deny or allow execution based on cryptographic checksum and X.509 signatures.

-- 
Phil Brutsche
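The policy the reply describes (default Deny, allow rules for the Windows and Program Files trees, the software share and the optical drive, the .lnk workaround, and a hash rule), written out as a PowerShell script. This is an added example, not code from the thread or from either poster: it writes the same registry keys the Local Security Policy snap-in writes for Software Restriction Policies. The share \\fileserver\itlib, the drive letter T:, C:\SomeApp, D:\ and the hash-rule target are placeholders; the hash-rule value layout is what a Vista-or-later snap-in produces, so compare against a rule you create in the GUI and `reg export` before relying on it.

```powershell
# Added example (not from the original thread). Run from an elevated PowerShell,
# then log off/on or reboot so new processes are evaluated under the policy.
# All server, share, drive-letter and application paths below are placeholders.

$Safer        = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$Disallowed   = 0          # Safer security levels, used for DefaultLevel and rule subkeys
$Unrestricted = 262144     # 0x40000

function New-SrpPathRule {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $Description,
        [int] $Level = $Unrestricted
    )
    # Each path rule is a subkey <level>\Paths\{GUID}; the GUID only has to be unique.
    $key = Join-Path $Safer "$Level\Paths\$([guid]::NewGuid().ToString('B'))"
    New-Item -Path $key -Force | Out-Null
    New-ItemProperty -Path $key -Name ItemData     -PropertyType ExpandString -Value $Path        | Out-Null
    New-ItemProperty -Path $key -Name Description  -PropertyType String       -Value $Description | Out-Null
    New-ItemProperty -Path $key -Name SaferFlags   -PropertyType DWord        -Value 0            | Out-Null
    New-ItemProperty -Path $key -Name LastModified -PropertyType QWord        -Value ([datetime]::UtcNow.ToFileTimeUtc()) | Out-Null
    return $key
}

function New-SrpHashRule {
    param(
        [Parameter(Mandatory)] [string] $File,
        [Parameter(Mandatory)] [string] $Description,
        [int] $Level = $Disallowed
    )
    # Assumption: layout as written by the Vista+ snap-in. ItemData is the raw digest,
    # HashAlg 0x800C is CALG_SHA_256 (XP-era clients evaluate MD5, HashAlg 0x8003, only).
    $item  = Get-Item -LiteralPath $File
    $hex   = (Get-FileHash -LiteralPath $File -Algorithm SHA256).Hash
    $bytes = [byte[]] (0..31 | ForEach-Object { [Convert]::ToByte($hex.Substring(2 * $_, 2), 16) })
    $key   = Join-Path $Safer "$Level\Hashes\$([guid]::NewGuid().ToString('B'))"
    New-Item -Path $key -Force | Out-Null
    New-ItemProperty -Path $key -Name ItemData     -PropertyType Binary -Value $bytes        | Out-Null
    New-ItemProperty -Path $key -Name HashAlg      -PropertyType DWord  -Value 0x800C        | Out-Null
    New-ItemProperty -Path $key -Name ItemSize     -PropertyType QWord  -Value $item.Length  | Out-Null
    New-ItemProperty -Path $key -Name FriendlyName -PropertyType String -Value $item.Name    | Out-Null
    New-ItemProperty -Path $key -Name Description  -PropertyType String -Value $Description  | Out-Null
    New-ItemProperty -Path $key -Name SaferFlags   -PropertyType DWord  -Value 0             | Out-Null
    New-ItemProperty -Path $key -Name LastModified -PropertyType QWord  -Value ([datetime]::UtcNow.ToFileTimeUtc()) | Out-Null
    return $key
}

# --- Global settings: default Deny ------------------------------------------
New-Item -Path $Safer -Force | Out-Null
Set-ItemProperty -Path $Safer -Name DefaultLevel        -Type DWord -Value $Disallowed
Set-ItemProperty -Path $Safer -Name TransparentEnabled  -Type DWord -Value 1   # 1 = all software except DLLs, 2 = DLLs too
Set-ItemProperty -Path $Safer -Name PolicyScope         -Type DWord -Value 0   # 0 = all users, 1 = everyone except local admins
Set-ItemProperty -Path $Safer -Name AuthenticodeEnabled -Type DWord -Value 0

# Designated file types: the default list with LNK removed (the reply's first
# workaround, chosen over whitelisting the user-writable Start Menu folders),
# plus JS/VBS/WSF/PS1, since script files are the usual way around an EXE-only list.
$types = 'ADE','ADP','BAS','BAT','CHM','CMD','COM','CPL','CRT','EXE','HLP','HTA',
         'INF','INS','ISP','MDB','MDE','MSC','MSI','MSP','MST','OCX','PCD','PIF',
         'REG','SCR','SHS','URL','VB','WSC','JS','JSE','VBS','VBE','WSF','WSH','PS1'
Set-ItemProperty -Path $Safer -Name ExecutableTypes -Type MultiString -Value $types

# --- Allow rules (Unrestricted) ----------------------------------------------
# Registry path rules for the OS and Program Files trees: unlike %SystemRoot% and
# %ProgramFiles%, a registry path cannot be redefined in the user's own environment.
New-SrpPathRule -Path '%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%' -Description 'Windows directory'
New-SrpPathRule -Path '%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir%' -Description 'Program Files'
New-SrpPathRule -Path 'C:\SomeApp'          -Description 'Placeholder: app that insists on installing under C:\'
New-SrpPathRule -Path '\\fileserver\itlib'  -Description 'Placeholder: IT Library share (UNC)'
# The drive-letter rule is the weak one: a user can "net use T: /delete" and remap T:
# to a writable share, and the rule would then allow it. Keep it only if an
# application must be launched via T:; the UNC rule covers launches via the UNC path.
New-SrpPathRule -Path 'T:\'                 -Description 'Placeholder: IT Library share (mapped drive)'
New-SrpPathRule -Path 'D:\'                 -Description 'Placeholder: optical drive'

# --- Explicit deny inside an allowed tree -----------------------------------
# A more specific path rule wins over a less specific one, so these stay blocked
# even though the Windows rule above allows the parent. Both folders are commonly
# writable by ordinary users; verify with: icacls C:\Windows\Temp C:\Windows\Tasks
New-SrpPathRule -Level $Disallowed -Path '%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%\Temp'  -Description 'Windows\Temp is user-writable'
New-SrpPathRule -Level $Disallowed -Path '%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%\Tasks' -Description 'Windows\Tasks is user-writable'

# --- Hash rule: the "cryptographic checksum" option from the reply ----------
# Blocks one specific binary wherever it is copied to; rebuild the rule after updates.
New-SrpHashRule -File 'C:\SomeApp\unwanted.exe' -Description 'Placeholder: blocked by hash'
```

To check the result after logging back on, try to start an executable copied into a user-profile folder: it should fail with the "restricted by your Administrator" message, and the Application event log gets a Software Restriction Policies event (ID 865 for a path rule) naming the rule GUID that matched, which is how you tell which of the rules above fired. Be aware that the allow/deny decision only covers the designated file types and, with TransparentEnabled = 1, does not cover DLLs, so a trusted program loading a user-supplied DLL is outside what this policy enforces.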
