Block .scr file execution

How do I stop .scr files from being run on a SBS 2011 server?

A client has terminal services running, so files run on the actual server. I believe that this may be done via GPO. Ideally, I would like a step by step please.


Many thanks.
meduziAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

JohnBusiness Consultant (Owner)Commented:
Normally these are Screen saver files. Do they cause you a problem?  Or perhaps turn Screen Saver off (black monitor instead).
0
meduziAuthor Commented:
Hi John.

No, these .scr files are scripts, the type that often installs Crytolocker etc. I know how to block them via Exchange, but I simply want to stop these running completely.
0
JohnBusiness Consultant (Owner)Commented:
If that is the case on your server, then top grade antivirus should stop Cryptolocker from installing.
0
Managing Security & Risk at the Speed of Business

Gartner Research VP, Neil McDonald & AlgoSec CTO, Prof. Avishai Wool, discuss the business-driven approach to automated security policy management, its benefits and how to align security policy management with business processes to address today's security challenges.

meduziAuthor Commented:
In many cases, they do, but often, not, and we also have Cryptoprevent.

Anyway, I simply need to know the GPO method for blocking .scr file execution please.
0
McKnifeCommented:
Scr files could only be disassociated, so windows won't know what to do with those.
Look at the picture at http://community.spiceworks.com/topic/551170-how-to-block-scr-files-via-gpo-or-similar
On the page there's a screenshot of the GPO setting to accomplish this. It would need to be associated to users and only applied to them on terminal servers by using wmi filtering.
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
JohnBusiness Consultant (Owner)Commented:
Cryptolocker can also come buried in the other files, so it is more than blocking a single extension

http://www.computerworld.com/article/2485214/microsoft-windows/cryptolocker-how-to-avoid-getting-infected-and-what-to-do-if-you-are.html
0
David AtkinTechnical DirectorCommented:
Hello,

You can use a Software Restriction Policy, configured via group policy.

Have a look at the below article:
http://www.bleepingcomputer.com/virus-removal/cryptolocker-ransomware-information

I've never heard of Ransomware being deployed via a scr file though.  Normally I tends to be from a compressed exe in a temp location.  See the article for further information.
0
McKnifeCommented:
Software restriction policies ("SRP") can indeed be used to block .scr files.
Applocker, the successor of SRP, cannot do this, MS has seen no need (no danger?) to block those.
0
younghvCommented:
I've requested that this question be closed as follows:

Accepted answer: 250 points for McKnife's comment #a40985962
Assisted answer: 250 points for thinkpads_user's comment #a40985963

for the following reason:

This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
SBS

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.