I block optical drives as well. I don't want people using that to get around the restrictions.
If they have an app on CD, we'll generally copy the contents of the CD to a folder in C:\Program Files since everything under there is unblocked. If the program somehow doesn't work that way and *has* to run off the CD (very rare), I'll create a hash exception for the specific executables required.

Using software restriction policies does create additional work. You have to measure that additional work against the time you're saving by not having users run dangerous, time-wasting, or bandwidth-consuming crap and figure out which you spend the most time on. In our case, we believe that software restrictions have saved us time overall.

-----Original Message-----
From: Phil Brutsche [mailto:[email protected]]
Sent: Tuesday, February 10, 2009 7:53 PM
To: NT System Admin Issues
Subject: Re: Software restriction policies (was: CNN P2P client)

Ben Scott wrote:
> For all our PCs, users don't have admin rights, and they can't
> create files or folders under C:\ -- in their user profile only. So I
> suppose I could (in theory) just tell Windows to only allow execution
> under C:\WINDOWS, C:\Program Files, any apps which insist on
> installing under C:\, and that would do it, right?

Correct, just set a default execute policy of "Deny" and allow only C:\Program Files and C:\WINDOWS.

Keep in mind that folders inherit the execute permissions of their parent: allowing execution from C:\ will automatically allow execution from %USERPROFILE% unless you take such things into account.

Of course, you will also need to allow execution from CIFS shares, if you have applications that need to run from such things. Oh, and optical drives. I don't think your users will, but some educational institutions like to play CD-based games.

One really, really annoying caveat I've run into: by default .lnk files are considered executables that will be blocked if you set a default policy of "Deny". Kinda makes the Start Menu hard to use... I've had to either remove the appropriate entry from the list of banned executables or put %USERPROFILE%\Start Menu and %ALLUSERSPROFILE%\Start Menu in the allowed list.

As you've noticed, the policy allows you to use environment variables.

> How does it interact with network shares or "drives"? We've got
> some shares open to user writing, and others which are network-shared
> software and are read-only. Would I target the shares, the mapped
> drives, or both? If it has to be mapped drives, what's to keep a user
> from remapping T:\ (our IT Library) to their home directory to bypass
> these access controls?

Software restrictions apply to network shares as well as physical drives. I don't know how it works with regard to mapped drives vs CIFS shares, so I target both.

You can also deny or allow execution based on cryptographic checksum and X.509 signatures.

--
Phil Brutsche
[email protected]

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
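The policy the two posters describe (default level Disallowed, path exceptions for %SystemRoot% and %ProgramFiles%, the Start Menu workaround for .lnk, UNC plus drive-letter rules for the IT library, and a hash exception for one executable that must run from CD) can be scripted rather than clicked through in the Group Policy editor. The script below is an added example for this page, not code from either poster; it writes the same Safer\CodeIdentifiers registry values that the SRP snap-in writes. It assumes the registry layout shown in the comments (the one used by XP/2003-era SRP, with MD5 hash rules), and the share \\fileserver\apps, the T:\ mapping and D:\setup\game.exe are hypothetical placeholders. Run it elevated on a test machine and log off and on before trusting the result.

```powershell
# Added example (not from the thread): a "default Deny" software restriction
# policy written directly to the machine-wide SRP registry keys.
# Assumption: the HKLM\...\Safer\CodeIdentifiers layout below is what the
# SRP Group Policy editor writes. \\fileserver\apps, T:\ and D:\setup\game.exe
# are hypothetical. Requires an elevated prompt.

$Safer        = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$Disallowed   = 0        # SRP security level "Disallowed"
$Unrestricted = 262144   # 0x40000, SRP security level "Unrestricted"

function Set-SaferDefaults {
    New-Item -Path $Safer -Force | Out-Null
    # Default level Deny: anything not matched by an Unrestricted rule is blocked.
    Set-ItemProperty $Safer DefaultLevel       -Value $Disallowed -Type DWord
    # 1 = check all software files except DLLs; 2 = also check DLLs (much noisier).
    Set-ItemProperty $Safer TransparentEnabled -Value 1           -Type DWord
    # 0 = apply to all users; 1 = exempt local Administrators.
    Set-ItemProperty $Safer PolicyScope        -Value 0           -Type DWord
    # Designated file types. LNK is in Microsoft's default list, which is what
    # breaks the Start Menu under a Deny default; it is left out here.
    $types = 'ADE','ADP','BAS','BAT','CHM','CMD','COM','CPL','CRT','EXE','HLP',
             'HTA','INF','INS','ISP','MDB','MDE','MSC','MSI','MSP','MST','OCX',
             'PCD','PIF','REG','SCR','SHS','URL','VB','WSC'
    Set-ItemProperty $Safer ExecutableTypes -Value $types -Type MultiString
}

function Add-SaferPathRule {
    param([int]$Level, [string]$Path, [string]$Description)
    $key = Join-Path $Safer "$Level\Paths\{$([guid]::NewGuid())}"
    New-Item -Path $key -Force | Out-Null
    # REG_EXPAND_SZ, so %USERPROFILE% etc. are expanded for the user at run time.
    Set-ItemProperty $key ItemData     -Value $Path        -Type ExpandString
    Set-ItemProperty $key SaferFlags   -Value 0            -Type DWord
    Set-ItemProperty $key Description  -Value $Description -Type String
    Set-ItemProperty $key LastModified -Value ([DateTime]::UtcNow.ToFileTimeUtc()) -Type QWord
}

function Add-SaferHashRule {
    param([int]$Level, [string]$File, [string]$Description)
    # Assumption: XP-era hash rule = MD5 of the file plus its size; both must match.
    $bytes = [IO.File]::ReadAllBytes($File)
    $md5   = [Security.Cryptography.MD5]::Create().ComputeHash($bytes)
    $key   = Join-Path $Safer "$Level\Hashes\{$([guid]::NewGuid())}"
    New-Item -Path $key -Force | Out-Null
    Set-ItemProperty $key ItemData     -Value $md5           -Type Binary
    Set-ItemProperty $key HashAlg      -Value 32771          -Type DWord   # CALG_MD5
    Set-ItemProperty $key ItemSize     -Value $bytes.Length  -Type QWord
    Set-ItemProperty $key FriendlyName -Value (Split-Path $File -Leaf) -Type String
    Set-ItemProperty $key SaferFlags   -Value 0              -Type DWord
    Set-ItemProperty $key Description  -Value $Description   -Type String
    Set-ItemProperty $key LastModified -Value ([DateTime]::UtcNow.ToFileTimeUtc()) -Type QWord
}

Set-SaferDefaults

# Allow only trees users cannot write to. Never allow C:\ itself: a path rule
# covers every subfolder, so C:\ would re-open the user profiles.
Add-SaferPathRule $Unrestricted '%SystemRoot%'   'OS binaries'
Add-SaferPathRule $Unrestricted '%ProgramFiles%' 'Installed applications'
# The other Start Menu fix from the thread (only needed if LNK stays in ExecutableTypes).
Add-SaferPathRule $Unrestricted '%USERPROFILE%\Start Menu'     'Per-user shortcuts'
Add-SaferPathRule $Unrestricted '%ALLUSERSPROFILE%\Start Menu' 'All-users shortcuts'
# Network software: UNC path and drive letter both, as Phil does.
Add-SaferPathRule $Unrestricted '\\fileserver\apps' 'IT library (UNC, hypothetical)'
Add-SaferPathRule $Unrestricted 'T:\'               'IT library (mapped, hypothetical)'
# A more specific path rule wins, so user-writable spots inside an allowed tree
# can be re-denied. %SystemRoot%\Temp is one well-known case; audit ACLs for others.
Add-SaferPathRule $Disallowed   '%SystemRoot%\Temp' 'User-writable, deny'
# One program that genuinely has to run from the CD gets a hash exception.
Add-SaferHashRule $Unrestricted 'D:\setup\game.exe' 'CD title that will not run from Program Files'
```

Two design notes. First, the drive-letter rule is the weak half of the pair Ben asked about: a user who can remap T: to a share they can write to inherits that rule's Unrestricted level, so if the applications tolerate it, keep only the UNC rule. Second, the Disallowed rule for %SystemRoot%\Temp relies on SRP's precedence order (hash rules beat path rules, and a more specific path beats a less specific one), which is also why a hash exception can be narrower than any folder rule.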
