
Restrict file types


  • Restrict file types

    Hello there,
    I was wondering if there's a way to use AD to restrict the file types that my network users can access. As a standard policy for the whole organisation we have an Internet Proxy managed by the Local Council and we have blocked sites that our users aren't allowed to see. Some of our "smarter" users have created .bat files to open command.com and therefore access the already restricted command prompt. They bypass the proxy by using an external IP Address and get on the blocked sites. Some even use the command prompt to get access to details of their own AD Accounts.

    My question is how do I stop them running the .bat files as my boss is getting annoyed that they can access these things no matter what he asks me to block their access of (command prompt, notepad etc).
    I was looking for a quick fix to the problem rather than having to go through all the user accounts and delete the files every evening only to find that they've been remade the next day...

    Any help would be great!
    We run Win Server 2003 and have a mixture of PCs, Laptops and Thin Clients all of which are used by the individuals in question...
    Last edited by MaceZ5; 16th December 2009, 21:24.

  • #2
    Re: Restrict file types

    Managed to figure it out...
    Under the GPO
    User Configuration > Windows Settings > Security Settings > Software Restrictions
    Then Add Software Restriction Policy
    The Designated File Types will list the files that can't be opened, add your own if not already listed.
    Go to the Security Levels within this and make Disallowed as default...

    When the files/programs run they instantly close again... solved my problem!



    • #3
      Re: Restrict file types

      Only a partial solution though...
      If the end users were savvy enough to use a .bat file, then they could use a VBS file or other to invoke command.com. Or even use something like GPdisable from Sysinternals.
      If you are serious enough in controlling the end user env or if the business needs require it, then you need to consider using something like SRP in white-list mode (only allow the specified code to run for limited users).
      Caesar's cipher - 3

      ZKHQ BRX HYHQWXDOOB GHFLSKHU WKLV BRX ZLOO UHDOLVH LW ZDV D ZDVWH RI WLPH!

      SFX JNRS FC U6 MNGR
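
A check for the settings discussed in posts #2 and #3, as an added example that is not part of the thread: it reports whether the user-scope Software Restriction Policy is really in white-list mode (default level Disallowed) and whether the Designated File Types list covers script extensions. The registry key and value names are the ones SRP uses for a User Configuration policy; the function name and the extension list beyond BAT and VBS are assumptions made for this example.

```powershell
# Added example (not from the thread): audit the user-scope SRP settings.
$SrpKey = 'HKCU:\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
# BAT and VBS are named in the thread; CMD, JS and WSF are assumptions.
$WantedTypes = 'BAT', 'CMD', 'VBS', 'JS', 'WSF'

function Test-SrpPolicy {
    param($Policy, [string[]]$Wanted)
    if ($null -eq $Policy) {
        return ,@('No SRP policy is applied to this user.')
    }
    $findings = @()
    # DefaultLevel: 0x0 = Disallowed (white-list), 0x40000 = Unrestricted.
    $level = $Policy.DefaultLevel
    if ($null -eq $level) {
        $findings += 'DefaultLevel is not set.'
    } elseif ($level -ne 0) {
        $findings += ('DefaultLevel is 0x{0:X}, not Disallowed.' -f $level)
    }
    # TransparentEnabled: 0 = enforcement off, 1 = all but DLLs, 2 = all files.
    if ($Policy.TransparentEnabled -eq 0) {
        $findings += 'TransparentEnabled is 0, enforcement is off.'
    }
    # ExecutableTypes (REG_MULTI_SZ) backs the Designated File Types list.
    $have = @($Policy.ExecutableTypes | ForEach-Object { "$_".ToUpper() })
    foreach ($ext in $Wanted) {
        if ($have -notcontains $ext) {
            $findings += "Designated File Types does not list $ext."
        }
    }
    return ,$findings
}

# Constructed sample: default left at Unrestricted, short file-type list.
$sample = New-Object PSObject -Property @{
    DefaultLevel = 0x40000; TransparentEnabled = 1
    ExecutableTypes = @('BAT', 'COM', 'EXE')
}
'Sample policy:'; Test-SrpPolicy $sample $WantedTypes

# Live check for the logged-on user (key is absent if no SRP GPO applies).
$live = Get-ItemProperty -Path $SrpKey -ErrorAction SilentlyContinue
'Live policy:'
$r = Test-SrpPolicy $live $WantedTypes
if ($r.Count -eq 0) { 'White-list mode with all wanted types.' } else { $r }
```

Run it in the restricted user's session after a policy refresh, since the values live under that user's HKCU hive.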
