Solved

Windows GPO Applocker - Allow Execution from Path - with wildcards?

Posted on 2013-06-07
9
1,646 Views
Last Modified: 2013-06-10
Hello,

I am wondering if it is possible to restrict the execution of a Service User.
Our Software Deployment tool needs - for obvious reasons Administrative Rights on all Client machines. I want to limit the execution of any file that this user does to a certain path on the machine AND from a certain share.

Since the Software has its own Synchronization mechanism, I can't set up a DFS... I have a Share that is located on many computers, and I want to create an allow rule that restricts a certain user to execution only from this share.

The ALLOW rule Applocker should apply would be a Path rule similar to this: \\*\Share
 
I know I can use a wildcard at the end - \\server\share\* - but am I able to substitute the Servername?

Thanks in advance!
David
0
Comment
Question by:Smighty
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 5
  • 4
9 Comments
 
LVL 55

Expert Comment

by:McKnife
ID: 39229728
Hi.
Why would you want to do that? Normally, service accounts have complex passwords that cannot be compromised, so all your effort would be in vain.
0
 
LVL 4

Author Comment

by:Smighty
ID: 39229862
This is the account that logs on locally to install software, not only msi files... but click-dummies as well... though I'm able to lock the input through the software most of the time, the user still is logged on and may be compromised....
0
 
LVL 55

Expert Comment

by:McKnife
ID: 39229916
Please describe in detail how this account is used: is it used interactively or scripted? And where do you see possibilities to compromise it? Where would a user have access to visible processes (=windows) that are started as that account?

Also, if that account were compromised, wouldn't it be able to change those applocker rules?
Ok, not too many questions at once, but please reply to all, one by one.
For the wildcard question: how many servers are there? Hundreds? :) Why not list those shares one by one and deploy this setting as a policy?
0
Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
LVL 4

Author Comment

by:Smighty
ID: 39231982
The Account either runs as a secondary session or is logged on the machine. It will then execute scripts and/or installation routines such as MSI, Wise Installer, InstallShield, InnoSetup, etc.

Some Software I have to deploy does not have a setup does not have a silent-switch or an unattended mechanism. In that case I would have to have a window open where my Software Deployment Software (Baramundi Management Suite) can use its click-dummy to go through the setup.

As long as the Account is logged in, it poses a risk. I want to use applocker to lock down the execution of all EXE or MSI files that are not stored in special paths.

No, I want to use a Group Policy object, but not a local one.

Yes, there are hundreds, to be precise, 150 machines, but we will hit 200 very soon. Since I want to do this in a group policy, I don't want to change that policy everytime I deploy a new machine that serves as an distributed installation point (DIP)

for the wildcards: \\*\DIP$ would be generic but would do. \\DIP*\DIP$ would be possible as well, since many of them are already set up starting with these 3 letters.
Also: is it possible to use the other Wildcard (?) as well? \\??DIP*\DIP$ would be another that I could to use for some machines...
0
 
LVL 55

Accepted Solution

by:
McKnife earned 500 total points
ID: 39233140
You know what, I tried it out, you can stick to your plan. \\*\sharename\* works as exception.
0
 
LVL 4

Author Closing Comment

by:Smighty
ID: 39234024
Thanks. You had the time I had not :)
0
 
LVL 55

Expert Comment

by:McKnife
ID: 39234180
Hi again.

Please think about this quote from the FAQ: "B grade means the solution given lacked some information or required you to do a good amount of extra work to resolve the problem. When closing the question, the asker should explain why a B grade was awarded."

Taken from http://support.experts-exchange.com/customer/portal/articles/481419
No bad feelings, just to let you know what B is meant for.
0
 
LVL 4

Author Comment

by:Smighty
ID: 39236803
sorry, I didn't know that... in this case it should be A - can I change that?
0
 
LVL 55

Expert Comment

by:McKnife
ID: 39236889
No need to. Next time :)
0

Featured Post

When ransomware hits your clients, what do you do?

MSPs: Endpoint security isn’t enough to prevent ransomware.
As the impact and severity of crypto ransomware attacks has grown, Webroot fought back, not just by building a next-gen endpoint solution capable of preventing ransomware attacks but also by being a thought leader.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Remote Apps is a feature in server 2008 which allows users to run applications off Remote Desktop Servers without having to log into them to run the applications.  The user can either have a desktop shortcut installed or go through the web portal to…
Our Group Policy work started with Small Business Server in 2000. Microsoft gave us an excellent OU and GPO model in subsequent SBS editions that utilized WMI filters, OU linking, and VBS scripts. These are some of experiences plus our spending a lo…
This is a high-level webinar that covers the history of enterprise open source database use. It addresses both the advantages companies see in using open source database technologies, as well as the fears and reservations they might have. In this…
If you’ve ever visited a web page and noticed a cool font that you really liked the look of, but couldn’t figure out which font it was so that you could use it for your own work, then this video is for you! In this Micro Tutorial, you'll learn yo…

688 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question