Software Restriction Policies

aerion85
Hi,

I'm trying to block most p2p programs on a domain (2003) using hash rules.

My question is: is there any place with a list of hash keys for p2p programs, so that I don't have to download all kinds of p2p programs and generate the cryptographic file fingerprints myself?

Or is there another way to block p2p traffic that does not involve closing ports or buying new equipment? :p

Top Expert 2008

Commented:
The best way is to block the ports. You should not have any open ports that you do not need for security purposes.
It is basically impossible to do what you want to do. There are plenty of P2P programs out there and there are new programs/updates being released all the time. It would be a full-time job looking up P2P programs and blocking them.
Another option you may want to consider is preventing your users from installing applications at all.
I hope this helps. Good luck.

Author

Commented:
Yeah, we're trying to prevent it.. hehe. We've hidden the whole local disk (C:) and made it inaccessible.
The users can't install programs at all. But they can run them, so they're smart enough to just zip/unzip them on the network drive they have for storing documents.

Author

Commented:
It's no problem for the users to get past the port blocking though, just using a tunnel or so. So it won't help that much.
I know we can use traffic shaping, but this requires new equipment to be bought. Not an option.

Top Expert 2008

Commented:
As you said, traffic shaping is a good solution, but it does cost some to get set up.
The next thing to do would be to go to the human level. Set up rules and regulations for computer use, if not already done. Tell them that this activity is against business policy and possibly illegal (depending on what they are downloading). If the activity continues you will have to punish those employees. Depending on how your company is set up this may take a while, but it is most likely the best solution.
Good luck.

Author

Commented:
If things were that easy.. this is a school. The students do not have their own usernames. So we can't really bust them either.

And the law here states that we cannot monitor user movements.

So the only way I can do this is by blocking the hash on exe files. Or find a policy that denies running exe files from removable sources. Does that exist?
Top Expert 2008

Commented:
That makes it quite difficult. There may be a way to block exe files on removable drives, but there are plenty of reasons not to do this such as blocking of programs you want to run.
Due to the restrictions the only way would really be traffic shaping.
To help reduce the number of students doing this you could inform and demonstrate these programs to the teachers to have them monitor the students while on the computers.
I know this is not the answer you want, but it is the only way that I can think of.
I hope this helps. Good luck.

Author

Commented:
"There may be a way to block exe files on removable drives" <- this would be the best solution. There should not be ANY exe files on their network share.. only documents.

If you know how to do this, please tell me. This would help a lot :D
Top Expert 2008

Commented:
I did a quick search on this and did not find any results. I was not sure if this was possible or not because I have never done it. Sorry.
There are many reasons that this would not be a good solution. One would be if you had a computer programming class: these students would not be able to execute their programs. Another would be if a student was using some portable application (http://portableapps.com/) such as OpenOffice for their school work.

Author

Commented:
Okay, I will continue searching for this though. Preventing users from running exe files from network shares sounds like the perfect solution in my case.

Thanks for the help. I will accept the answer if no one has a better answer for me. I'll close it in 2-3 days.
Top Expert 2008
Commented:
I just thought of another solution. You can set up a script to run every so often to forcefully remove any exe files from the network drive. This may not stop them, but could cause them plenty of issues doing this. But for the reasons I stated already this may not be the solution.

Author

Commented:
I kinda found a solution that'd work in my setting.

Set Disallowed as default in GPO. And just add exceptions for the applications my students use.

Author

Commented:
Thanks for trying to help at least :D
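
The difference between the hash-rule approach from the question and the default-Disallowed approach the author settled on, shown as an added example (not code from this thread or from Microsoft): a simplified Python model of how Software Restriction Policies pick a security level. The policy dictionaries, file contents, paths and the H: drive letter are constructed assumptions, and SHA-256 stands in for the stored file hash.

```python
import hashlib
import ntpath

DISALLOWED, UNRESTRICTED = "Disallowed", "Unrestricted"

def fingerprint(content: bytes) -> str:
    # SHA-256 stands in here for the file hash that an SRP hash rule stores.
    return hashlib.sha256(content).hexdigest()

def evaluate(policy: dict, path: str, content: bytes) -> str:
    """Simplified SRP decision: a hash rule outranks a path rule, the longest
    matching path rule wins, and anything unmatched gets the default level."""
    level = policy["hash_rules"].get(fingerprint(content))
    if level:
        return level
    target = ntpath.normcase(path)
    matches = [(len(prefix), lvl) for prefix, lvl in policy["path_rules"].items()
               if target.startswith(ntpath.normcase(prefix))]
    return max(matches)[1] if matches else policy["default"]

# Constructed byte strings standing in for executables (not real binaries).
P2P_V1 = b"constructed stand-in: p2p client build 1.0"
P2P_V2 = b"constructed stand-in: p2p client build 1.1"  # same tool, new release
APPROVED = b"constructed stand-in: approved classroom application"

# Policy A: default Unrestricted, hash rule denying the one known build.
HASH_DENYLIST = {"default": UNRESTRICTED, "path_rules": {},
                 "hash_rules": {fingerprint(P2P_V1): DISALLOWED}}
# Policy B: default Disallowed, path exceptions for locally installed software.
DEFAULT_DENY = {"default": DISALLOWED, "hash_rules": {},
                "path_rules": {"C:\\Program Files\\": UNRESTRICTED,
                               "C:\\WINDOWS\\": UNRESTRICTED}}

# Constructed launches; H: is an assumed letter for the students' share.
LAUNCHES = [("H:\\unzipped\\p2p.exe", P2P_V1),
            ("H:\\unzipped\\p2p.exe", P2P_V2),
            ("C:\\Program Files\\Office\\winword.exe", APPROVED)]

def decisions(policy: dict) -> list:
    # One security level per constructed launch, in LAUNCHES order.
    return [evaluate(policy, path, data) for path, data in LAUNCHES]

if __name__ == "__main__":
    for name, policy in (("hash denylist", HASH_DENYLIST), ("default deny", DEFAULT_DENY)):
        print(name, decisions(policy))
```

Path exceptions are only as strong as the file permissions under them: a folder that students can write to inside an allowed path would let an unapproved executable run.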
