?
Solved

Prevent students running exe files from anywhere other than C:\Program Files

Posted on 2013-06-05
3
Medium Priority
?
629 Views
Last Modified: 2013-06-20
Dear Experts,

I've recently inherited the support of a large secondary school, and it looks as though students have the ability to run executable files from various locations.

I've locked down their networked drives using file screening, but is there a way I can prevent users from running exes that are downloaded from the net and presumably run from temp internet files?

Ideally I like to restrict the running of exes to the C:\Program Files folder only.

Any advice gratefully received.
0
Comment
Question by:andymellor
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
3 Comments
 
LVL 4

Accepted Solution

by:
apreed earned 668 total points
ID: 39221847
Try Group Policy setting
"User Configuration/Administrative Templates/System/Run only specified Windows applications"
for whitelisting - you'll need a pretty good whitelist to start from.

You can also blacklist using the "Don't run specified Windows applications" in the same section, but don't think this is good in your scenario.

TechNet article here... Software Restrictions in Group Policy
0
 
LVL 8

Assisted Solution

by:Sushant Gulati
Sushant Gulati earned 668 total points
ID: 39221856
I would advise you to check under
User Configuration > Administrative Templates > Windows Components > Windows Explorer

There are many set of policies you can use to restrict/prevent users not to install anything under the C: drive.

You can restrict access to the drive in My Computer.

Or

Create a new OU, make users part of the OU and apply this GPO Link.
Under Computer Config > Windows Settings > Security Settings > Software Restriction Policies

Here is the good example given in this website for your better understanding.

http://www.mechbgon.com/srp/

Let me know if there is still confusion..!!

~SG~
0
 
LVL 56

Assisted Solution

by:McKnife
McKnife earned 664 total points
ID: 39224029
Hi.

Apreed's link is the way to go: software restriction policies. If your clients run enterprise versions of windows, you could even take applocker which is nearly the same but even better.
For applocker on terminal servers, you only need the standard edition of 2008 R2 or 2012 server.

All other policies mentioned are not suitable for this as their description clearly shows they still can be circumvented.
0

Featured Post

Office 365 Training for IT Pros

Learn how to provision tenants, synchronize on-premise Active Directory, implement Single Sign-On, customize Office deployment, and protect your organization with eDiscovery and DLP policies.  Only from Platform Scholar.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Resolving an irritating Remote Desktop connection that stops your saved credentials from being used.
Let's recap what we learned from yesterday's Skyport Systems webinar.
Are you ready to implement Active Directory best practices without reading 300+ pages? You're in luck. In this webinar hosted by Skyport Systems, you gain insight into Microsoft's latest comprehensive guide, with tips on the best and easiest way…
Sometimes it takes a new vantage point, apart from our everyday security practices, to truly see our Active Directory (AD) vulnerabilities. We get used to implementing the same techniques and checking the same areas for a breach. This pattern can re…
Suggested Courses
Course of the Month11 days, 15 hours left to enroll

752 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question