Solved

Prevent students running exe files from anywhere other than C:\Program Files

Posted on 2013-06-05
Last Modified: 2013-06-20
Dear Experts,

I've recently inherited the support of a large secondary school, and it looks as though students have the ability to run executable files from various locations.

I've locked down their networked drives using file screening, but is there a way I can prevent users from running exes that are downloaded from the net and presumably run from temp internet files?

Ideally I'd like to restrict the running of exes to the C:\Program Files folder only.

Any advice gratefully received.
Question by:andymellor
3 Comments
 
LVL 4

Accepted Solution

by:
apreed earned 167 total points
ID: 39221847
Try the Group Policy setting
"User Configuration/Administrative Templates/System/Run only specified Windows applications"
for whitelisting - you'll need a pretty good whitelist to start from.

You can also blacklist using the "Don't run specified Windows applications" setting in the same section, but I don't think this is good in your scenario.

TechNet article here... Software Restrictions in Group Policy
0
 
LVL 8

Assisted Solution

by:Sushant Gulati
Sushant Gulati earned 167 total points
ID: 39221856
I would advise you to check under
User Configuration > Administrative Templates > Windows Components > Windows Explorer

There are many sets of policies you can use to restrict/prevent users from installing anything under the C: drive.

You can restrict access to the drive in My Computer.

Or

Create a new OU, make the users part of the OU and apply this GPO link.
Under Computer Config > Windows Settings > Security Settings > Software Restriction Policies

Here is a good example given on this website for your better understanding.

http://www.mechbgon.com/srp/

Let me know if there is still confusion..!!

~SG~
0
 
LVL 55

Assisted Solution

by:McKnife
McKnife earned 166 total points
ID: 39224029
Hi.

Apreed's link is the way to go: software restriction policies. If your clients run enterprise versions of Windows, you could even use AppLocker, which is nearly the same but even better.
For AppLocker on terminal servers, you only need the standard edition of 2008 R2 or 2012 server.

All other policies mentioned are not suitable for this as their description clearly shows they still can be circumvented.
0
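
Added example (not part of any post above, and not the posters' own configuration): a minimal AppLocker Exe rule set of the kind McKnife's answer points to, evaluated with `Test-AppLockerPolicy` against one file in the Windows folder and one copied into the user's temp folder. The rule Ids, rule names and file names are constructed; the Windows-folder and Administrators rules are assumptions added here so that the operating system's own executables and local admins keep working.

```powershell
# Path-based allowlist for executables, written as AppLocker policy XML.
# EnforcementMode="AuditOnly" only logs what would be blocked; "Enabled" enforces.
# S-1-1-0 = Everyone, S-1-5-32-544 = BUILTIN\Administrators.
$policyXml = @'
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
    <FilePathRule Id="a1b2c3d4-0001-4000-8000-000000000001" Name="Example: Program Files"
                  Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="a1b2c3d4-0002-4000-8000-000000000002" Name="Example: Windows folder"
                  Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="a1b2c3d4-0003-4000-8000-000000000003" Name="Example: Administrators, all files"
                  Description="" UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
'@

# Save the policy to a file, because Test-AppLockerPolicy -XmlPolicy takes a path.
$policyFile = Join-Path $env:TEMP 'applocker-example.xml'
Set-Content -Path $policyFile -Value $policyXml -Encoding UTF8

# Constructed test case: a harmless system binary copied to where a
# downloaded exe would typically land (the user's temp folder).
$inWindows = Join-Path $env:WINDIR 'System32\notepad.exe'
$inTemp    = Join-Path $env:TEMP   'constructed-download.exe'
Copy-Item -Path $inWindows -Destination $inTemp -Force

# Evaluate both files as an ordinary user (Everyone), not as an administrator.
Test-AppLockerPolicy -XmlPolicy $policyFile -Path $inWindows, $inTemp -User Everyone |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# Clean up the constructed test file; keep $policyFile for import into a GPO.
Remove-Item -Path $inTemp
```

AppLocker only evaluates rules on clients where the Application Identity service is running, so review the audit events before switching `EnforcementMode` to `Enabled`.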
