Software Restriction Policies

Hi,

I'm trying to block most p2p programs on a domain (2003) using hash rules.

My question is: is there any place with a list of hash keys for p2p programs? So that I don't have to download all kinds of p2p programs and generate the cryptographic file fingerprints myself.

Or is there another way to block p2p traffic? One that does not involve closing ports or buying new equipment :p
aerion85 Asked:

andrew_aj1 Commented:
The best way is to block the ports. You should not have any open ports that you do not need for security purposes.
It is basically impossible to do what you want to do. There are plenty of P2P programs out there and there are new programs/updates being released all the time. It would be a full-time job looking up P2P programs and blocking them.
Another option you may want to consider is preventing your users from installing applications at all.
I hope this helps. Good luck.
0
aerion85 (Author) Commented:
Yea, we're trying to prevent it.. hehe. We've hidden the whole local disk (C:), and made it inaccessible.
The users can't install programs at all. But they can run them, so they're smart enough to just zip/unzip them on the network drive they have.. for storing documents.
0
aerion85 (Author) Commented:
It's no problem for the users to get past the port blocking though, just using a tunnel or so. So it won't help that much.
I know we can use traffic shaping, but this requires new equipment to be bought. Not an option.
0
andrew_aj1 Commented:
As you said, traffic shaping is a good solution, but it does cost some to get set up.
The next thing to do would be to go to the human level. Set up rules and regulations for computer use - if not already done. Tell them that this activity is against business policy and possibly illegal (depending on what they are downloading). If the activity continues you will have to punish those employees. Depending on how your company is set up this may take a while, but it is most likely the best solution.
Good luck.
0
aerion85 (Author) Commented:
If things were that easy.. this is a school. The students do not have their own username. So we can't really bust them either.

And the law here states that we cannot monitor user movements.

So the only way I can do this is by blocking the hash on exe files. Or find a policy that denies running exe files from removable sources. Does that exist?
0
andrew_aj1 Commented:
That makes it quite difficult. There may be a way to block exe files on removable drives, but there are plenty of reasons not to do this such as blocking of programs you want to run.
Due to the restrictions the only way would really be traffic shaping.
To help reduce the number of students from doing this you could inform and demonstrate these programs to the teachers to have them monitor the students while on the computers.
I know this is not the answer you want, but it is the only way that I can think of.
I hope this helps. Good luck.
0
aerion85 (Author) Commented:
"There may be a way to block exe files on removable drives" <- this would be the best solution. There should not be ANY exe files on their network share.. only documents.

If you know how to do this, please tell me. This would help a lot :D
0
andrew_aj1 Commented:
I did a quick search on this and did not find any results. I was not sure if this was possible or not because I have never done it. Sorry.
There are many reasons that this would not be a good solution. One would be if you had a computer programming class - these students would not be able to execute their programs. Another would be if a student was using some portable application (http://portableapps.com/) such as OpenOffice for their school work.
0
aerion85 (Author) Commented:
Okay, I will continue searching for this though. Preventing users from running exe files from network shares sounds like the perfect solution in my case.

Thanks for the help. I will accept the answer if no one has a better answer for me. I'll close it in 2-3 days.
0
andrew_aj1 Commented:
I just thought of another solution. You can set up a script to run every so often to forcefully remove any exe files from the network drive. This may not stop them, but could cause them plenty of issues doing this. But for the reasons I stated already this may not be the solution.
0

aerion85 (Author) Commented:
I kinda found a solution that'd work in my setting.

Set Disallowed as default in GPO. And just add exceptions for the applications my students use.
0
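
The default-deny setup described in the post above can be checked on a workstation with a read-only audit like the one below. This is an added example, not part of the original thread. It assumes the policy was delivered by Group Policy to the standard `CodeIdentifiers` policy key, and the `$WritableRoots` values are placeholder paths for the students' document share.

```powershell
# Added example: read-only audit of the SRP settings that Group Policy wrote to this machine.
param(
    # Assumption: placeholder paths for locations students can write to (their document share).
    [string[]]$WritableRoots = @('H:\', '\\fileserver\students')
)
$base      = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$levelName = @{ 0 = 'Disallowed'; 262144 = 'Unrestricted' }   # 262144 = 0x40000

if (-not (Test-Path $base)) {
    Write-Warning 'No Software Restriction Policy is applied to this computer.'
    return
}
$policy = Get-ItemProperty -Path $base
if ($null -eq $policy.DefaultLevel) { $defaultLevel = 'not set' }
elseif ($levelName.ContainsKey([int]$policy.DefaultLevel)) { $defaultLevel = $levelName[[int]$policy.DefaultLevel] }
else { $defaultLevel = "other ($($policy.DefaultLevel))" }

[pscustomobject]@{
    DefaultLevel       = $defaultLevel
    TransparentEnabled = $policy.TransparentEnabled   # 0 = off, 1 = all files except DLLs, 2 = all files
    PolicyScope        = $policy.PolicyScope          # 0 = all users, 1 = all except local administrators
    ExecutableTypes    = $policy.ExecutableTypes -join ','
} | Format-List

# Path rules live under <level>\Paths\{GUID}; ItemData holds the path or registry-path pattern.
$rules = foreach ($level in $levelName.Keys) {
    $key = Join-Path $base "$level\Paths"
    if (Test-Path $key) {
        Get-ChildItem -Path $key | ForEach-Object {
            $r = Get-ItemProperty -Path $_.PSPath
            [pscustomobject]@{ Level = $levelName[$level]; Path = [string]$r.ItemData; Description = $r.Description }
        }
    }
}
$rules | Sort-Object Level, Path | Format-Table -AutoSize

if ($defaultLevel -ne 'Disallowed') {
    Write-Warning "Default level is '$($defaultLevel)', so anything without a Disallowed rule may run."
}
# An Unrestricted rule that overlaps a writable location re-opens the "unzip and run from the share" path.
foreach ($rule in $rules | Where-Object { $_.Level -eq 'Unrestricted' -and $_.Path }) {
    foreach ($root in $WritableRoots) {
        $a = $rule.Path.TrimEnd('\'); $b = $root.TrimEnd('\')
        if ($a.StartsWith($b, 'OrdinalIgnoreCase') -or $b.StartsWith($a, 'OrdinalIgnoreCase')) {
            Write-Warning "Unrestricted rule '$($rule.Path)' overlaps writable location '$root'."
        }
    }
}
```

The overlap test is a plain prefix comparison, so it can over-report (for example `H:\doc` against `H:\documents`), and rules stored as `%HKEY_LOCAL_MACHINE\...%` registry-path patterns are listed but not resolved.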
aerion85 (Author) Commented:
Thanks for trying to help at least :D
0