Detecting unapproved executables on a Windows Domain

Posted on 2011-09-17
Last Modified: 2012-05-12
I am looking for a super low-cost (if not free) way of detecting when an unapproved executable (exe, bat, com, etc) is launched on any workstations and servers within the domain.  This looks like a client side monitor solution would be needed.  I would want to provide a list of approved exe files, then receive reports on any that do not fit the list.  I could then add them as approved or add them to a list of banned executables that the client side solution would block from executing.  This almost sounds like an AV solution, but we already use VIPRE and so replacing it with a different AV solution is not possible at this point.
Question by:murryc
3 Comments
 
LVL 12

Accepted Solution

by:
mwochnick earned 2000 total points
ID: 36555220
You could try something like this
- little more - control what's installed
http://4sysops.com/archives/free-manageengine-desktop-central-client-management-software/
0
 
LVL 99

Expert Comment

by:John Hurst
ID: 36555287
Another way (totally free) is to make all users limited (restricted) users so they cannot install software. Make sure the administrator password of the machines is unassailable (easy to do) and make sure all users have difficult passwords. ... Thinkpads_User
0
 
LVL 4

Expert Comment

by:duffme
ID: 36556075
If you want to do this for free the baseline and monitoring will likely take some work.  You can set restrictions however in Group Policy with Software Restriction Policies.  If all of your machines are Windows Server 2008R2 and Win7 Enterprise/Ultimate you can also use AppLocker in Group Policy.  You would probably need to scan Security Event Logs to gather a baseline of what is being run.
http://technet.microsoft.com/en-us/library/cc779607(WS.10).aspx

Mind you this is not a trivial thing to do.  Baselining is required and when you consider dependencies (DLLs and such) it can be tricky to get everything just right and make changes.  

Whitelisting is being used as an approach to viruses and other malware.  I am not aware of any cheap or free way to do this other than the policies I mentioned above, which also lack the management features of third party solutions.  I will say that users generally don't take too kindly to being completely locked down ;)
0

Question has a verified solution.