Need help to create a policy that prevents executables from running in a specific directory for all domain users.

Please see scenario below. It is what our security IT department want accomplished. I am the Sys Admin. What approach should I take to accomplish this? Do I go GPO? If I do, can an expert detail the steps (step-by-step)?


Scenario
--------------

Infosec has identified a possible solution for preventing the majority of malware attacks on our network.
 
These malware executables fire off from the user's temp folder. Denying the execution of files in that file directory will greatly increase the security of the network.
 
Please create and deploy a policy that prevents executables from running in the following directory of ALL users:
 
C:\Users\$USER$\AppData\Local\Temp
 
An example of malware found in this directory is listed below for reference:
 
C:\Users\dxf\AppData\Local\Temp\Low\radDABCE.tmp.exe (Trojan.MSIL.ED) -> Quarantined and deleted successfully.
 
Please ensure that masked executables (malware.tmp.exe) are blocked, as malware will often have other file type endings in their name in order to bypass policies that prevent the execution of .exe files.
 
If there are any questions please contact Infosec (CAH, AJM or EJL).
joukiejoukAsked:
A. Cristian CsikiSenior System AdministratorCommented:
Hi.

Create a GPO under:

Computer Configuration > Policies > Windows Settings > Security Settings > Software Restriction Policies

In additional rules add: %USERPROFILE%\AppData\Local\Temp and set it to disallow

Regards
McKnifeCommented:
Take into account what side effects this policy has: So many installations use %temp% as well - they will fail unless you exclude admins.

Also look at whitelisting instead. Another thing: if your Windows edition allows it, use AppLocker.
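As an added example (my own code, not something posted in this thread), here is Cristian's rule and McKnife's "exclude admins" advice expressed as a script you can run elevated on a lab machine to create the same Software Restriction Policy in the local policy. It assumes the registry layout SRP uses under HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers (level 0 = Disallowed, 0x40000 = Unrestricted, rule values ItemData/SaferFlags/Description); a domain GPO writes the same keys on the clients.

```powershell
# Added example (my own code, not from the thread). Creates, on a LAB machine's local
# policy, the SRP rule Cristian describes and the "all users except local
# administrators" scope McKnife recommends. Assumptions: the SRP registry layout
# under ...\Safer\CodeIdentifiers (level 0 = Disallowed, 0x40000 = Unrestricted)
# and that this runs elevated. A domain GPO writes the same keys.
$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$Disallowed   = 0
$Unrestricted = 262144   # 0x40000

if (-not (Test-Path $base)) { New-Item -Path $base -Force | Out-Null }
# Default level stays Unrestricted: only the additional rule below blocks anything.
Set-ItemProperty -Path $base -Name DefaultLevel        -Value $Unrestricted -Type DWord
# 1 = all users except local administrators (so admin-driven installs keep working).
Set-ItemProperty -Path $base -Name PolicyScope         -Value 1 -Type DWord
# 1 = all software files except DLLs; 2 would include DLLs (far more side effects).
Set-ItemProperty -Path $base -Name TransparentEnabled  -Value 1 -Type DWord
Set-ItemProperty -Path $base -Name AuthenticodeEnabled -Value 0 -Type DWord

function New-SaferPathRule {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][int]$Level,
        [string]$Description = ''
    )
    # Each rule is a GUID-named subkey under <level>\Paths.
    $ruleKey = "$base\$Level\Paths\$([guid]::NewGuid().ToString('B').ToUpper())"
    New-Item -Path $ruleKey -Force | Out-Null
    # REG_EXPAND_SZ: %USERPROFILE% is resolved per logged-on user at check time.
    New-ItemProperty -Path $ruleKey -Name ItemData    -Value $Path        -PropertyType ExpandString -Force | Out-Null
    New-ItemProperty -Path $ruleKey -Name SaferFlags  -Value 0            -PropertyType DWord        -Force | Out-Null
    New-ItemProperty -Path $ruleKey -Name Description -Value $Description -PropertyType String       -Force | Out-Null
    $ruleKey
}

$rule = New-SaferPathRule -Path '%USERPROFILE%\AppData\Local\Temp' -Level $Disallowed `
                          -Description 'Block execution from the per-user Temp folder'

# Read the rule back unexpanded, to confirm the variable (not one user's path) was stored.
(Get-Item $rule).GetValue('ItemData', $null, 'DoNotExpandEnvironmentNames')

# The "designated file types" list decides which extensions SRP treats as executable.
# A name like malware.tmp.exe still ends in .exe, so it is covered; a file whose final
# extension is missing from this list is not checked by SRP at all.
$types = (Get-ItemProperty -Path $base -ErrorAction SilentlyContinue).ExecutableTypes
if ($types) { "Designated file types: $($types -join ', ')" }
else        { 'ExecutableTypes not set in the registry: SRP uses its built-in default list.' }

# New processes are evaluated against the refreshed policy; log off/on or reboot the lab client to be sure.
```

Setting PolicyScope to 1 is the registry form of "Apply software restriction policies to: All users except local administrators", which is what keeps the %temp%-based installers McKnife mentions working for admins while still blocking standard users.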
joukiejoukAuthor Commented:
Can this configuration be done in McAfee ePO? We use that to centrally manage our systems in our environment.
A. Cristian CsikiSenior System AdministratorCommented:
Hi,

Since you manage GPO with McAfee ePO, take a look at page 177 in this document.

Regards
joukiejoukAuthor Commented:
I think I need this configured in McAfee ePO, rather than a GPO. I think there is a way to set exclusions in ePO but I need to know how to set the policy and the right exclusions to accomplish this. Can an expert assist?
joukiejoukAuthor Commented:
OK, so I do not think we have to be concerned with users being blocked when trying to install an app, because they should not be installing any app anyway, as they do not have local admin rights.

That said, how would I configure this in ePO?
McKnifeCommented:
Well, this is a question about restricting what users can run. If you need help on ePO usage, it would be best to ask another question and describe what you know about ePO.

Using GPOs, this is done in seconds, it is the most basic knowledge. But the decision whether the side effects will be tolerable, is the big thing.
joukiejoukAuthor Commented:
I created a GPO as shown in the screenshot. Would I link this to users or computers? Anything special that needs to be done after I link it, like a reboot or log off/on? Do I need to do gpupdate? How can I test this policy is working? Should I try to run an exe from the temp location?

[screenshot: gpo]
McKnifeCommented:
The configuration is per computer. It is a setting in the computer config section of the GPO so it needs to be linked to an OU with the computers in question. But: if you are not familiar with this, apply it to a test OU! NOT to a productive environment. It will become effective after a reboot or background policy refresh of the clients.
Test it by using a standard user to start an .exe from temp, right.
joukiejoukAuthor Commented:
Followed your instructions, but it does not appear to be working. Maybe you can check my settings and make sure everything is correct? I pulled my machine out of an existing OU and placed it in a test OU. It seems to pick up the policy. However, I am still able to copy a notepad.exe from C: to the TEMP location.

[screenshot: notepad.exe]

GPO creation:

[screenshot: gpo creation]

GPO configuration:

[screenshot: gpo config]

GPResult status after reboot (policy picked up):

[screenshot: gpresult]
McKnifeCommented:
Hey, you are trying to prevent what? The policy will disallow starting executables. It will not disallow copying them :) So could you start notepad afterwards as non-admin?
joukiejoukAuthor Commented:
Seems like it works. I tested it by having one of my users log in and try to launch notepad.exe from the TEMP location, and this is what he gets:

[screenshot: gpo error]

What I do notice is that when I had him launch the same notepad.exe from another user's profile (rtang) on the same path directory (TEMP) from the same PC, he was able to launch it. Is this by design, or do we need to add something in the path for the GPO configuration?

[screenshot: gpo2.png]
McKnifeCommented:
The policy works. You just need to understand what you set: %userprofile% is part of the restricted path. Now what is "%userprofile%"? It is a variable that leads to a certain file system path relative to the username. For user "youruser" it is
c:\users\youruser\ - see? That's why for your test user only his own temp directory below the %username% directory is being restricted, not the tmp directories of other users. If those other users log in, however, they cannot start any exe from their own temp either - and that's good.

So everything is ok, although I see that your experience is limited and that's dangerous when using such powerful policies. Remember: they cannot start anything from their temp directory - good or bad.
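To make McKnife's point about %userprofile% visible, and to turn his "test it with a standard user" instruction into something repeatable, here is an added example (my own code, not from the thread) to run as the standard test user on a client that has picked up the policy. It reads the stored rule string without expansion and shows what it resolves to for the current user, lists which profile Temp folders are and are not covered for that user, and pulls the SRP block events from the Application log. It assumes the SRP registry layout under HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers with Disallowed rules under level 0.

```powershell
# Added example (my own code, not from the thread). Run as the standard TEST user on a
# client that has picked up the policy. Shows what %USERPROFILE% in the rule resolves to
# for this user (why another profile's Temp folder was still allowed), then pulls the
# SRP block events. Assumes the SRP registry layout under ...\Safer\CodeIdentifiers
# and that 'Disallowed' rules live under level 0.
$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

# Rule paths as stored (REG_EXPAND_SZ, read WITHOUT expansion) and as they resolve for me.
$disallowed = "$base\0\Paths"
if (Test-Path $disallowed) {
    Get-ChildItem $disallowed | ForEach-Object {
        $raw = $_.GetValue('ItemData', $null, 'DoNotExpandEnvironmentNames')
        [pscustomobject]@{
            RuleId          = $_.PSChildName
            StoredPath      = $raw
            ResolvesToForMe = [Environment]::ExpandEnvironmentVariables($raw)
        }
    } | Format-Table -AutoSize
}

# Only MY Temp folder is inside the restricted path. Other profiles' Temp folders are not
# restricted for me, but they are restricted for their owners once those users log on.
$myTemp = [Environment]::ExpandEnvironmentVariables('%USERPROFILE%\AppData\Local\Temp')
Get-ChildItem -Path 'C:\Users' -Directory -ErrorAction SilentlyContinue | ForEach-Object {
    $t = Join-Path $_.FullName 'AppData\Local\Temp'
    [pscustomobject]@{ Profile = $_.Name; TempPath = $t; RestrictedForMe = ($t -ieq $myTemp) }
} | Format-Table -AutoSize

# Each block is logged to the Application log: 865 = default level, 866 = path rule,
# 867/868 = certificate and hash/zone rules. The message names the file and the rule path.
Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Id = 865, 866, 867, 868 } `
             -MaxEvents 20 -ErrorAction SilentlyContinue |
    Where-Object { $_.ProviderName -like '*SoftwareRestrictionPolicies*' } |
    Select-Object TimeCreated, Id, Message | Format-List
```

The event query is also the piece worth keeping after the pilot: forwarding Application log events 865-868 from the clients gives you a record of every blocked launch (and of every legitimate application the rule breaks), which is exactly the side-effect data McKnife says you need before rolling this out wider.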

joukiejoukAuthor Commented:
Thanks for the details. Going with the GPO method, is there a way to whitelist certain EXE in the TEMP?
McKnifeCommented:
Sure. And allow rules trump denials. Read the documentation.
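An added example (my own code, not from the thread) for the whitelisting question. What the SRP documentation actually states is that the most specific matching rule wins (hash rules rank above certificate rules, which rank above path rules; among path rules, the longer, more specific path takes precedence), so an Unrestricted path rule for one file or subfolder inside Temp beats the folder-wide Disallowed rule. This read-only script enumerates the path rules from the registry and reports, for a given file, which ones match and which wins under that "most specific path wins" model. It assumes the SRP registry layout under HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers and models path rules only (no hash, certificate or wildcard rules).

```powershell
# Added example (my own code, not from the thread). Read-only: for a file path, list the
# SRP path rules that match it and report which one wins. Models only plain path rules
# with the documented "most specific path wins" precedence; hash and certificate rules,
# which rank above path rules, and wildcard rules are not modelled. Assumes the SRP
# registry layout under ...\Safer\CodeIdentifiers.
$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$levelNames = @{ 0 = 'Disallowed'; 131072 = 'BasicUser'; 262144 = 'Unrestricted' }

function Get-SaferPathRules {
    foreach ($lvl in $levelNames.Keys) {
        $p = "$base\$lvl\Paths"
        if (-not (Test-Path $p)) { continue }
        Get-ChildItem $p | ForEach-Object {
            $raw = $_.GetValue('ItemData', $null, 'DoNotExpandEnvironmentNames')
            [pscustomobject]@{
                Level    = $levelNames[$lvl]
                RuleId   = $_.PSChildName
                RawPath  = $raw
                Expanded = [Environment]::ExpandEnvironmentVariables($raw).TrimEnd('\')
            }
        }
    }
}

function Resolve-SaferDecision {
    param([Parameter(Mandatory)][string]$FilePath)
    $full = [Environment]::ExpandEnvironmentVariables($FilePath)
    # A path rule matches the file itself or any file below a folder rule.
    $hits = Get-SaferPathRules | Where-Object {
        $full -ieq $_.Expanded -or
        $full.StartsWith($_.Expanded + '\', [StringComparison]::OrdinalIgnoreCase)
    }
    if (-not $hits) {
        return [pscustomobject]@{ File = $full; Decision = 'DefaultLevel'; WinningRule = $null; AllMatches = '' }
    }
    # Longest expanded path = most specific rule = the one SRP applies.
    $win = $hits | Sort-Object { $_.Expanded.Length } -Descending | Select-Object -First 1
    [pscustomobject]@{
        File        = $full
        Decision    = $win.Level
        WinningRule = $win.RuleId
        AllMatches  = ($hits | ForEach-Object { "$($_.Level): $($_.RawPath)" }) -join '; '
    }
}

# Constructed sample paths: the malware name from the Infosec note, and a hypothetical
# approved tool that an Unrestricted rule on its subfolder would permit.
Resolve-SaferDecision -FilePath '%USERPROFILE%\AppData\Local\Temp\radDABCE.tmp.exe'
Resolve-SaferDecision -FilePath '%USERPROFILE%\AppData\Local\Temp\approved\updater.exe'
```

The whitelist entry itself is just another path rule created under the 262144 (Unrestricted) level key instead of 0, with the same ItemData/SaferFlags/Description values as the disallow rule. Prefer a hash rule over a path allow where you can: a path-based exception is satisfied by anything dropped at that path, while a hash rule allows only the exact file you approved.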
joukiejoukAuthor Commented:
Please provide the documentation or link.
McKnifeCommented:
https://technet.microsoft.com/en-us/library/hh831534.aspx holds many links to "the full story".
joukiejoukAuthor Commented:
OK, let me take a look at that link.