Solved

Prevent students running exe files from anywhere other than C:\Program Files

Posted on 2013-06-05
3
614 Views
Last Modified: 2013-06-20
Dear Experts,

I've recently inherited the support of a large secondary school, and it looks as though students have the ability to run executable files from various locations.

I've locked down their networked drives using file screening, but is there a way I can prevent users from running exes that are downloaded from the net and presumably run from temp internet files?

Ideally I like to restrict the running of exes to the C:\Program Files folder only.

Any advice gratefully received.
0
Comment
Question by:andymellor
3 Comments
 
LVL 4

Accepted Solution

by:
apreed earned 167 total points
ID: 39221847
Try Group Policy setting
"User Configuration/Administrative Templates/System/Run only specified Windows applications"
for whitelisting - you'll need a pretty good whitelist to start from.

You can also blacklist using the "Don't run specified Windows applications" in the same section, but don't think this is good in your scenario.

TechNet article here... Software Restrictions in Group Policy
0
 
LVL 7

Assisted Solution

by:susguperf
susguperf earned 167 total points
ID: 39221856
I would advise you to check under
User Configuration > Administrative Templates > Windows Components > Windows Explorer

There are many set of policies you can use to restrict/prevent users not to install anything under the C: drive.

You can restrict access to the drive in My Computer.

Or

Create a new OU, make users part of the OU and apply this GPO Link.
Under Computer Config > Windows Settings > Security Settings > Software Restriction Policies

Here is the good example given in this website for your better understanding.

http://www.mechbgon.com/srp/

Let me know if there is still confusion..!!

~SG~
0
 
LVL 53

Assisted Solution

by:McKnife
McKnife earned 166 total points
ID: 39224029
Hi.

Apreed's link is the way to go: software restriction policies. If your clients run enterprise versions of windows, you could even take applocker which is nearly the same but even better.
For applocker on terminal servers, you only need the standard edition of 2008 R2 or 2012 server.

All other policies mentioned are not suitable for this as their description clearly shows they still can be circumvented.
0

Featured Post

Microsoft Certification Exam 74-409

Veeam® is happy to provide the Microsoft community with a study guide prepared by MVP and MCT, Orin Thomas. This guide will take you through each of the exam objectives, helping you to prepare for and pass the examination.

Join & Write a Comment

Article by: Lee
Windows 7 Ultimate and Enterprise (and 2008 R2) introduced a new feature you may not be aware of - Boot from VHD.   Boot from VHD (or what Microsoft refers to asNative Boot allows you to install Windows to a VHD (Virtual Hard Disk) file that is t…
First some basics on Windows 7 Backup.  It has 2 components one is a file based backup which is stored in .zip files each zip is split at around 200 Megabytes and there is the Image Backup which is as the name implies a total image of the partition …
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …
The Task Scheduler is a powerful tool that is built into Windows. It allows you to schedule tasks (actions) on a recurring basis, such as hourly, daily, weekly, monthly, at log on, at startup, on idle, etc. This video Micro Tutorial is a brief intro…

757 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

18 Experts available now in Live!

Get 1:1 Help Now