Jay Newcome (United States of America) asked:
securing XP program execution

I manage student computers in a school district and I need to restrict access to program executables from Flash drives and network shares.  I need to maintain USB access to support document storage, USB digital device access, ...  I make my network shares available through a VPN so students can work at home and transfer files to/from school so I need to be able to block execution of programs from the network share.  Also, we have a programming class that I will have to provide some sort of storage to so that they can create and test programs... I cannot count on teachers to catch every infraction so this has to be a technical solution.

My environment is Win XP workstations, Win 2K3 R2 servers, active directory.  I have the students and computers in groups.  

I appreciate your help.
parnasso (Italy):

The quickest way to prevent execution from USB devices or network shares is establishing software restriction policies to avoid execution from a certain drive (this works from Windows XP to Windows 7):

1. Control Panel -> Local Security Policy -> Software Restriction Policies
2. Click on New software restriction policy
3. Click on Additional rules -> New Path Rule
4. Write in the path property H:

Now connect to a network drive using the H: and try to execute something.
ASKER CERTIFIED SOLUTION
pjasnos (United Kingdom of Great Britain and Northern Ireland):

(solution text available to members only)
You of course need to blacklist ALL unused drive letters for the blacklist-using users.
Jay Newcome (asker):
Sounds like I can do this.  So, to allow all program execution from the C: drive,
would I allow: C:\*

and to blacklist a drive, would I block H:\*\*.exe   (and do the same for all of the extended drive letters)?

Would I apply this to a User GPO or a Computer GPO?  Obviously, I would want all admins to access network-based EXEs...  Would this affect automated updates?

I know that the software policy tool will calculate hash values to create a whitelist; is there a central location to find hash values for desirable, or maybe undesirable, programs (like UltraSurf)?
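The steps parnasso gives above, and the "whitelist C:, blacklist the other drive letters" scheme the asker proposes, can be scripted and checked rather than clicked through per machine. The PowerShell below is an added example written for this page; it is not code from either participant or from Microsoft. It writes the registry values that the Local Security Policy snap-in itself stores for Software Restriction Policies (under HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers), assumes it runs as a local administrator, assumes C: is the only drive that may hold executables, and uses `\\FILESERVER\students` as a placeholder share name. For a domain rollout the same rules belong in the Software Restriction Policies node of a GPO applied to the student computer group.

```powershell
# Added example, not code from the thread: script the SRP path rules that the
# Local Security Policy steps create, so they can be reviewed, logged and rolled back.
# Assumptions: run as local administrator; C: is the only drive allowed to hold
# executables; the UNC share name is a placeholder for the site's own.
$Safer        = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$Disallowed   = 0        # SRP security level "Disallowed"
$Unrestricted = 262144   # SRP security level "Unrestricted" (0x40000)
$Tag          = 'school-srp'   # marker stored in each rule so it can be listed or removed later

function New-SrpPathRule {
    param([string]$Path, [int]$Level, [string]$Note)
    # Each path rule is a {GUID} subkey under <level>\Paths; ItemData holds the path.
    $guid = [guid]::NewGuid().ToString('B').ToUpper()
    $key  = Join-Path $Safer "$Level\Paths\$guid"
    New-Item -Path $key -Force | Out-Null
    New-ItemProperty -Path $key -Name 'ItemData'     -Value $Path        -PropertyType ExpandString -Force | Out-Null
    New-ItemProperty -Path $key -Name 'SaferFlags'   -Value 0            -PropertyType DWord        -Force | Out-Null
    New-ItemProperty -Path $key -Name 'Description'  -Value "$Tag $Note" -PropertyType String       -Force | Out-Null
    New-ItemProperty -Path $key -Name 'LastModified' -Value ([datetime]::UtcNow.ToFileTimeUtc()) -PropertyType QWord -Force | Out-Null
    $key
}

function Get-SrpPathRules {
    # List every path rule with its level: the check to run after any change.
    $levels = @{ 0 = 'Disallowed'; 131072 = 'Basic User'; 262144 = 'Unrestricted' }
    foreach ($level in $levels.Keys) {
        $paths = Join-Path $Safer "$level\Paths"
        if (Test-Path $paths) {
            Get-ChildItem $paths | ForEach-Object {
                $v = Get-ItemProperty $_.PSPath
                New-Object PSObject -Property @{ Level = $levels[$level]; Path = $v.ItemData; Description = $v.Description }
            }
        }
    }
}

function Remove-SrpPathRules {
    # Roll back only the rules this script created (those whose Description carries $Tag).
    Get-ChildItem -Path $Safer -Recurse | Where-Object {
        $_.PSChildName -like '{*}' -and ((Get-ItemProperty $_.PSPath).Description -like "$Tag*")
    } | Remove-Item -Recurse
}

# --- Global enforcement settings ---------------------------------------------
New-Item -Path $Safer -Force | Out-Null
Set-ItemProperty -Path $Safer -Name 'DefaultLevel'       -Value $Unrestricted -Type DWord   # blacklist model: allowed unless a rule says otherwise
Set-ItemProperty -Path $Safer -Name 'TransparentEnabled' -Value 1             -Type DWord   # 1 = all software files except DLLs; 2 = DLLs as well
Set-ItemProperty -Path $Safer -Name 'PolicyScope'        -Value 1             -Type DWord   # 1 = local administrators are exempt
# Advanced logging: SRP appends one line per decision to this file (users need write
# access to it). Read it during a pilot to catch needed programs the rules would block.
Set-ItemProperty -Path $Safer -Name 'LogFileName' -Value 'C:\srp-audit.log' -Type String

# --- Rules -------------------------------------------------------------------
$allowedDrives = @('C')
foreach ($code in ([int][char]'A')..([int][char]'Z')) {
    $letter = [string][char]$code
    if ($allowedDrives -notcontains $letter) {
        # A rule on the drive root covers everything below it, which is what the thread
        # wants for flash drives, mapped shares and letters that are not yet in use.
        New-SrpPathRule -Path "${letter}:\" -Level $Disallowed -Note "no executables from drive ${letter}:" | Out-Null
    }
}
# The same share reached by UNC path instead of a drive letter needs its own rule.
New-SrpPathRule -Path '\\FILESERVER\students' -Level $Disallowed -Note 'no executables from the student share (placeholder share name)' | Out-Null

Get-SrpPathRules | Format-Table Level, Path, Description -AutoSize
```

Run it on one pilot workstation first: the `Get-SrpPathRules` listing confirms which rules exist and at which level, and the SRP log file shows each allow or deny decision, so a program that students legitimately need but that lives on a blocked drive is found before the settings are pushed out by GPO. `Remove-SrpPathRules` takes out only the rules tagged by this script, leaving any rules an administrator created by hand untouched.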
SOLUTION

(solution text available to members only)
Also, if what they're trying to do most often is bypassing internet filtering, then maybe your filter is too strict and perhaps you can adjust it to e.g. allow access to more websites during breaks between classes and remove the root of the problem.
Ehab Salem:
If you have Symantec Endpoint Protection installed on your network, you can use it to do that.
On the SRP - does this apply to Win system files?  For the users' desktop, we use folder redirection to a network share, so the temporary storage for the desktop is C:, but the storage is still the network.  I wonder if copying to the desktop would affect the "program location", or if the SRP would consider it based on a network drive?

I am working to stop bypass of the filter but also stop DoS attacks from the students... As for lowering the level of filtering, well, we are a K12 and I have to filter based upon Board wishes and federal law, so my options are not really open to temporary restrictions... I agree that I would rather do less than more, but I have to live within the bounds set for me.
Do you mean SEP?
Thanx - we are going to whitelist apps and blacklist drives to control the student users.  Appreciate the help
SRP - Software Restriction Policy using active directory.  

SEP = another program to buy and support...  thanx anyway.
Just a final note: securing a network at school is a continuous effort, as people may and eventually will find ways around your various protections. Perhaps you can make some of them work for you by setting a prize for "responsible disclosure" - i.e. they get some small prize and pat on the back for reporting a security weakness that they "accidentally" discovered to you and keeping it private until you fix it? Of course, it will need approval from the board etc, but may make your life easier.

A few large companies, e.g. Google, implement such policy for security bug reports concerning their software.