Be happy "%DAYJOB%"="" is not true

-----Original Message-----
From: Ben Scott [mailto:[email protected]]
Sent: Wednesday, February 11, 2009 1:13 AM
To: NT System Admin Issues
Subject: Software restriction policies (was: CNN P2P client)

On Tue, Feb 10, 2009 at 12:33 PM, John Hornbuckle <[email protected]> wrote:
> This is why we've started using software restriction policies that
> only allow explicit programs to run.

That's been on my list of things to plan, test, and deploy for like two years. Can't seem to get around to it. :-(

Anyone want to offer insights/tips on this process? Beyond "test first", of course? :)

For all our PCs, users don't have admin rights, and they can't create files or folders under C:\ -- in their user profile only. So I suppose I could (in theory) just tell Windows to only allow execution under C:\WINDOWS, C:\Program Files, any apps which insist on installing under C:\, and that would do it, right?

How does it interact with network shares or "drives"? We've got some shares open to user writing, and others which are network-shared software and are read-only. Would I target the shares, the mapped drives, or both? If it has to be mapped drives, what's to keep a user from remapping T:\ (our IT Library) to their home directory to bypass these access controls?

Finding the time to test the above theory is the tricky part. :-( Seems like everything's happening all at once at %DAYJOB% right now....

-- Ben
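
Added example, not part of the original thread: a path-based allow list for C:\WINDOWS and C:\Program Files holds only if non-admin users cannot create files anywhere beneath those roots, so this PowerShell sketch lists directories under them whose ACL lets a low-privilege principal create files. The principal names assume an English-language Windows install, and the check ignores Deny entries and custom group memberships.

```powershell
# Added example (not from the thread). Requires PowerShell 3.0 or later.
# Roots are the ones named in the message; the principal list is an assumption
# to adjust per site (names are localized on non-English Windows).
$AllowedRoots = @('C:\WINDOWS', 'C:\Program Files')
$LowPriv = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users',
             'NT AUTHORITY\INTERACTIVE')

$Fsr = [System.Security.AccessControl.FileSystemRights]
# Rights that allow creating a file (CreateFiles) or subfolder (AppendData).
$CreateMask = [int]($Fsr::CreateFiles) -bor [int]($Fsr::AppendData)
# Get-Acl can return raw generic rights that the enum does not name.
$GenericMask = 0x40000000 -bor 0x10000000   # GENERIC_WRITE, GENERIC_ALL
$InheritOnly = [int][System.Security.AccessControl.PropagationFlags]::InheritOnly

function Test-CreatableAce($Ace) {
    if ($Ace.AccessControlType -ne 'Allow') { return $false }
    # Inherit-only entries apply to children, which are checked on their own.
    if (([int]$Ace.PropagationFlags -band $InheritOnly) -ne 0) { return $false }
    if ($LowPriv -notcontains $Ace.IdentityReference.Value) { return $false }
    $rights = [int]$Ace.FileSystemRights
    return (($rights -band ($CreateMask -bor $GenericMask)) -ne 0)
}

foreach ($root in $AllowedRoots) {
    # Check the root itself plus every directory beneath it.
    $dirs = @(Get-Item -LiteralPath $root -ErrorAction SilentlyContinue) +
            @(Get-ChildItem -LiteralPath $root -Recurse -Directory -Force `
                -ErrorAction SilentlyContinue)
    foreach ($dir in $dirs) {
        try { $acl = Get-Acl -LiteralPath $dir.FullName -ErrorAction Stop }
        catch { continue }   # ACL not readable from this account: skip
        foreach ($ace in $acl.Access) {
            if (Test-CreatableAce $ace) {
                [pscustomobject]@{
                    Path      = $dir.FullName
                    Principal = $ace.IdentityReference.Value
                    Rights    = $ace.FileSystemRights
                }
            }
        }
    }
}
```

Any directory this reports is a place where a standard user could place a file inside an allowed path, so it needs either a tighter ACL or a more specific rule before the policy is enforced.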
