Solved

Prevent students running exe files from anywhere other than C:\Program Files

Posted on 2013-06-05
3
619 Views
Last Modified: 2013-06-20
Dear Experts,

I've recently inherited the support of a large secondary school, and it looks as though students have the ability to run executable files from various locations.

I've locked down their networked drives using file screening, but is there a way I can prevent users from running exes that are downloaded from the net and presumably run from temp internet files?

Ideally I like to restrict the running of exes to the C:\Program Files folder only.

Any advice gratefully received.
0
Comment
Question by:andymellor
3 Comments
 
LVL 4

Accepted Solution

by:
apreed earned 167 total points
ID: 39221847
Try Group Policy setting
"User Configuration/Administrative Templates/System/Run only specified Windows applications"
for whitelisting - you'll need a pretty good whitelist to start from.

You can also blacklist using the "Don't run specified Windows applications" in the same section, but don't think this is good in your scenario.

TechNet article here... Software Restrictions in Group Policy
0
 
LVL 7

Assisted Solution

by:susguperf
susguperf earned 167 total points
ID: 39221856
I would advise you to check under
User Configuration > Administrative Templates > Windows Components > Windows Explorer

There are many set of policies you can use to restrict/prevent users not to install anything under the C: drive.

You can restrict access to the drive in My Computer.

Or

Create a new OU, make users part of the OU and apply this GPO Link.
Under Computer Config > Windows Settings > Security Settings > Software Restriction Policies

Here is the good example given in this website for your better understanding.

http://www.mechbgon.com/srp/

Let me know if there is still confusion..!!

~SG~
0
 
LVL 54

Assisted Solution

by:McKnife
McKnife earned 166 total points
ID: 39224029
Hi.

Apreed's link is the way to go: software restriction policies. If your clients run enterprise versions of windows, you could even take applocker which is nearly the same but even better.
For applocker on terminal servers, you only need the standard edition of 2008 R2 or 2012 server.

All other policies mentioned are not suitable for this as their description clearly shows they still can be circumvented.
0

Featured Post

Does Powershell have you tied up in knots?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

When you try to share a printer , you may receive one of the following error messages. Error message when you use the Add Printer Wizard to share a printer: Windows could not share your printer. Operation could not be completed (Error 0x000006…
On some Windows 7 (SP1) computers, Windows Update becomes super slow even the computer is reasonably fast.  There's one solution that seemed to have worked well for me (after trying a few other suggested solutions).
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …
This tutorial will show how to configure a single USB drive with a separate folder for each day of the week. This will allow each of the backups to be kept separate preventing the previous day’s backup from being overwritten. The USB drive must be s…

776 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question