Solved

Prevent students running exe files from anywhere other than C:\Program Files

Posted on 2013-06-05
3
623 Views
Last Modified: 2013-06-20
Dear Experts,

I've recently inherited the support of a large secondary school, and it looks as though students have the ability to run executable files from various locations.

I've locked down their networked drives using file screening, but is there a way I can prevent users from running exes that are downloaded from the net and presumably run from temp internet files?

Ideally I like to restrict the running of exes to the C:\Program Files folder only.

Any advice gratefully received.
0
Comment
Question by:andymellor
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
3 Comments
 
LVL 4

Accepted Solution

by:
apreed earned 167 total points
ID: 39221847
Try Group Policy setting
"User Configuration/Administrative Templates/System/Run only specified Windows applications"
for whitelisting - you'll need a pretty good whitelist to start from.

You can also blacklist using the "Don't run specified Windows applications" in the same section, but don't think this is good in your scenario.

TechNet article here... Software Restrictions in Group Policy
0
 
LVL 7

Assisted Solution

by:Sushant Gulati
Sushant Gulati earned 167 total points
ID: 39221856
I would advise you to check under
User Configuration > Administrative Templates > Windows Components > Windows Explorer

There are many set of policies you can use to restrict/prevent users not to install anything under the C: drive.

You can restrict access to the drive in My Computer.

Or

Create a new OU, make users part of the OU and apply this GPO Link.
Under Computer Config > Windows Settings > Security Settings > Software Restriction Policies

Here is the good example given in this website for your better understanding.

http://www.mechbgon.com/srp/

Let me know if there is still confusion..!!

~SG~
0
 
LVL 54

Assisted Solution

by:McKnife
McKnife earned 166 total points
ID: 39224029
Hi.

Apreed's link is the way to go: software restriction policies. If your clients run enterprise versions of windows, you could even take applocker which is nearly the same but even better.
For applocker on terminal servers, you only need the standard edition of 2008 R2 or 2012 server.

All other policies mentioned are not suitable for this as their description clearly shows they still can be circumvented.
0

Featured Post

MS Dynamics Made Instantly Simpler

Make Your Microsoft Dynamics Investment Count  & Drastically Decrease Training Time by Providing Intuitive Step-By-Step WalkThru Tutorials.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

While rebooting windows server 2003 server , it's showing "active directory rebuilding indices please wait" at startup. It took a little while for this process to complete and once we logged on not all the services were started so another reboot is …
This article runs through the process of deploying a single EXE application selectively to a group of user.
This tutorial will show how to configure a single USB drive with a separate folder for each day of the week. This will allow each of the backups to be kept separate preventing the previous day’s backup from being overwritten. The USB drive must be s…
This Micro Tutorial will give you a introduction in two parts how to utilize Windows Live Movie Maker to its maximum capability. This will be demonstrated using Windows Live Movie Maker on Windows 7 operating system.

730 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question