Solved

securing XP program execution

Posted on 2011-03-10
533 Views
Last Modified: 2012-05-11
I manage student computers in a school district and I need to restrict access to program executables from flash drives and network shares. I need to maintain USB access to support document storage, USB digital device access, ... I make my network shares available through a VPN so students can work at home and transfer files to/from school, so I need to be able to block execution of programs from the network share. Also, we have a programming class that I will have to provide some sort of storage to so that they can create and test programs... I cannot count on teachers to catch every infraction, so this has to be a technical solution.

My environment is Win XP workstations, Win 2K3 R2 servers, Active Directory. I have the students and computers in groups.

I appreciate your help.
Question by:Stephen York
12 Comments
 
LVL 4

Expert Comment

by:parnasso
ID: 35094844
The quickest way to prevent execution from USB devices or network shares is establishing software restriction policies to avoid execution from a certain drive (this works from Windows XP to Windows 7):

1. Control Panel -> Local Security Policy -> Software Restriction Policies
2. Click on New software restriction policy
3. Click on Additional rules -> New Path Rule
4. Write in the path property H:

Now connect to a network drive using the H: and try to execute something.
0
 
LVL 10

Accepted Solution

by:
pjasnos earned 500 total points
ID: 35094935
You can use Software Restriction Policy to only allow whitelisted applications to be run by users.
As for those students in the group that needs programming tools, and computers in the group where programming classes are run, these restrictions should probably be changed to a blacklist of locations you do not wish users to run programs from.
Note that a whitelist is much more secure - users with access to programming tools can write a program bypassing the restrictions, as SRPs are implemented in user mode and can be patched away in memory if a programmer knows what he/she is doing.

You can find more info about SRPs in the link below - setting them up correctly is laborious, but worthwhile.
http://technet.microsoft.com/en-us/library/bb457006.aspx
0
 
LVL 10

Expert Comment

by:pjasnos
ID: 35094956
You of course need to blacklist ALL unused drive letters for the blacklist-using users.
0
 
LVL 1

Author Comment

by:Stephen York
ID: 35097670
Sounds like I can do this. So, to allow all program execution from the C: drive,
would I allow: C:\*

and to blacklist a drive, would I block H:\*\*.exe (and do the same for all of the extended drive letters)?

Would I apply this to a User GPO or a Computer GPO? Obviously, I would want to allow all admins to access network-based EXEs... Would this affect automated updates?

I know that the software policy tool will calculate hash values to create a whitelist; is there a central location to find hash values for desirable, or maybe undesirable, programs (like UltraSurf)?
0
 
LVL 10

Assisted Solution

by:pjasnos
pjasnos earned 500 total points
ID: 35098520
* There's no central location, but gpedit.msc in Windows 7 can generate those rules automatically if pointed to a folder with the apps you need (and said rules will work with Win XP - obviously system files are different, but programs are in most cases the same). Some antivirus products may allow you to enable detection of some undesirable software (they would then treat them as viruses and block execution) - enabling it might be a good addition to SRP.

* As for sysadmins, you can set the Enforcement setting so that none of the rules are enforced for users with administrative privileges

* SRPs are per-computer settings.

* Also, just allowing whole C: may not be a good idea unless you have some other restrictions - copying a file from a USB drive to the desktop and double-clicking is something that users may figure out very quickly.

In general, keeping "undesirable" programs away from your network is a continuous fight, especially in a school environment. In cases where they need access to programming tools, you are at a significant disadvantage.

I would obviously strongly recommend testing all this on some small sample of computers before implementing network-wide.
0
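The two configurations discussed in this thread (a whitelist with the default level set to Disallowed for ordinary student machines, and a blacklist of drive letters for the programming lab) can be reproduced outside the snap-in. The script below is an added example, not code from the thread, from Microsoft or from any participant: it writes the Safer registry values that the Local Security Policy snap-in stores under CodeIdentifiers (a domain GPO delivers the same keys to clients), following the steps parnasso lists and the Enforcement and drive-letter advice pjasnos gives. The UNC path \\FILESERVER\students is a placeholder, and the assumption that drive letters D: to Z: carry no installed software is mine, not the thread's. Run it as a local administrator on one test workstation, reboot, then try starting a program from H: and from the desktop.

```powershell
<#
  Added example (not from the thread): local-policy equivalent of the SRP
  settings discussed above, written straight to the Safer registry keys that
  the Local Security Policy snap-in populates.
  Assumptions (mine, not the thread's): the student share is \\FILESERVER\students
  (placeholder) and drive letters D: to Z: are not needed for installed software.
#>
param(
    [ValidateSet('Whitelist', 'Blacklist')]
    [string]$Mode = 'Whitelist'      # Whitelist = student machines, Blacklist = programming lab
)

$Base         = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$Unrestricted = 0x40000              # Safer security level: allowed to run
$Disallowed   = 0                    # Safer security level: blocked
$Share        = '\\FILESERVER\students'   # placeholder UNC path of the student share

# Registry-based path rules, as used by the default rules Windows creates itself;
# they do not depend on environment variables that a user session could change.
$SystemRootRule   = '%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%'
$ProgramFilesRule = '%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir%'

function Add-SrpPathRule {
    param([int]$Level, [string]$Path, [string]$Description)
    # A path rule is a GUID subkey under <level>\Paths; ItemData carries the pattern
    $key = Join-Path $Base ('{0}\Paths\{1}' -f $Level, [guid]::NewGuid().ToString('B'))
    New-Item -Path $key -Force | Out-Null
    New-ItemProperty -Path $key -Name 'ItemData'     -Value $Path        -PropertyType ExpandString -Force | Out-Null
    New-ItemProperty -Path $key -Name 'SaferFlags'   -Value 0            -PropertyType DWord        -Force | Out-Null
    New-ItemProperty -Path $key -Name 'Description'  -Value $Description -PropertyType String       -Force | Out-Null
    New-ItemProperty -Path $key -Name 'LastModified' -Value ([DateTime]::UtcNow.ToFileTimeUtc()) -PropertyType QWord -Force | Out-Null
}

New-Item -Path $Base -Force | Out-Null
# Enforcement (the "Enforcement" object in the snap-in):
#   TransparentEnabled 1 = check all software files except libraries (DLLs)
#   PolicyScope        1 = all users except local administrators, as pjasnos suggests
Set-ItemProperty -Path $Base -Name 'TransparentEnabled' -Value 1 -Type DWord
Set-ItemProperty -Path $Base -Name 'PolicyScope'        -Value 1 -Type DWord

if ($Mode -eq 'Whitelist') {
    # Default Disallowed: only locations with an Unrestricted rule may run.
    # A program copied to the desktop, local or redirected, has no such rule.
    Set-ItemProperty -Path $Base -Name 'DefaultLevel' -Value $Disallowed -Type DWord
    Add-SrpPathRule $Unrestricted $SystemRootRule   'Windows folder'
    Add-SrpPathRule $Unrestricted $ProgramFilesRule 'Installed applications'
    # The more specific rule wins, so these re-block user-writable corners of the Windows folder
    Add-SrpPathRule $Disallowed ($SystemRootRule + '\Temp')  'Writable by users'
    Add-SrpPathRule $Disallowed ($SystemRootRule + '\Tasks') 'Writable by users'
} else {
    # Default Unrestricted with a blacklist of locations; C: stays runnable
    Set-ItemProperty -Path $Base -Name 'DefaultLevel' -Value $Unrestricted -Type DWord
    foreach ($code in 68..90) {                      # ASCII codes for 'D'..'Z'
        $letter = [char]$code
        Add-SrpPathRule $Disallowed ('{0}:' -f $letter) ('Removable or mapped drive {0}:' -f $letter)
    }
    # A mapped drive can also be opened by its UNC name, and a rule only matches
    # the spelling the program was started with, so block that form as well
    Add-SrpPathRule $Disallowed $Share 'Student share via UNC path'
}
```

Usage: `.\Set-SrpMode.ps1 -Mode Whitelist` on a student machine, `-Mode Blacklist` on a programming-lab machine. In whitelist mode the question of whether a folder-redirected desktop counts as C: or as the network does not arise: neither location has an Unrestricted rule, so the default Disallowed level applies to both. In blacklist mode, any letter between D: and Z: that actually holds installed software needs its own Unrestricted rule, and because more specific path rules take precedence that rule will win over the drive-wide block.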
 
LVL 10

Expert Comment

by:pjasnos
ID: 35098662
Also, if what they're trying to do most often is bypassing internet filtering, then maybe your filter is too strict and perhaps you can adjust it to e.g. allow access to more websites during breaks between classes and remove root of the problem.
0
 
LVL 14

Expert Comment

by:Ehab Salem
ID: 35120859
If you have Symantec Endpoint Protection installed on your network, you can use it to do that.
0
 
LVL 1

Author Comment

by:Stephen York
ID: 35128079
On the SRP - does this apply to Win system files? For the users' desktop, we use folder redirection to a network share, so the temporary storage for the desktop is C:, but the storage is still the network. I wonder if copying to the desktop would affect the "program location", or if the SRP would consider it based on a network drive?

I am working to stop bypass of the filter but also stop DOS attacks from the students... As for lowering the level of filtering, well, we are a K12 and I have to filter based upon Board wishes and federal law so my options are not real open to temporary restrictions... I agree that I would rather do less than more, but I have to live within the bounds set for me.
0
 
LVL 14

Expert Comment

by:Ehab Salem
ID: 35128240
Do you mean SEP?
0
 
LVL 1

Author Closing Comment

by:Stephen York
ID: 35158940
Thanx - we are going to whitelist apps and blacklist drives to control the student users.  Appreciate the help
0
 
LVL 1

Author Comment

by:Stephen York
ID: 35158951
SRP - Software Restriction Policy using active directory.  

SEP = another program to buy and support...  thanx anyway.
0
 
LVL 10

Expert Comment

by:pjasnos
ID: 35190630
Just a final note: securing a network at school is a continuous effort, as people may and eventually will find ways around your various protections. Perhaps you can make some of them work for you by setting a prize for "responsible disclosure" - i.e. they get some small prize and a pat on the back for reporting a security weakness that they "accidentally" discovered to you and keeping it private until you fix it? Of course, it will need approval from the board etc., but may make your life easier.

A few large companies, e.g. Google, implement such policy for security bug reports concerning their software.
0