Announcement

Collapse
No announcement yet.

restricting domain users from executing .exe file from their z drives

Collapse
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • restricting domain users from executing .exe file from their z drives

    Hi all,
    We are using Windows server 2008-R2 as our primary domain users. Users Z drives\home drives are mapped on SAN. i want to restrict all users from executing .exe files from their home drives, FYI I restrict users from running exe and shortcut from z-drives and it work well using below path rule.
    \\IP\sharename$\*\*.exe
    \\IP\sharename$\*\*.lnk
    But users can run exe and shortcuts from subfolders.For example user cant run exe from \\SANIP\sharename$\userid but can run exe from
    \\SANIP\sharename$\userhomedrive\abc

    does any body know how to stop users from such activity?

  • #2
    Re: restricting domain users from executing .exe file from their z drives

    Hi,

    Do you have other restriction policies in place? If not, this one doesn't make sense. Even if you manage to block executing .exe files from home drives, users will execute them from other location, let say from flash drive, or from local drive.
    Maybe you should think about a global policy to restrict access to all exe files excepting those from windows system root folder.

    New in Windows 2008 R2 is the App locker. However it is apply only to Windows 2008 R2 and Windows 7.

    Br,
    Csaba
    Regards,
    Csaba Papp
    MCSA+messaging, MCSE, CCNA
    ...............................
    Remember to give credit where credit is due and leave reputation points where appropriate
    .................................

    Comment


    • #3
      Re: restricting domain users from executing .exe file from their z drives

      csaba is right. Software Restriction Policies, or Applocker, are the best option.,

      There;s plenty of info on exactly how to configure it.
      Please do show your appreciation to those who assist you by leaving Rep Point https://www.petri.com/forums/core/im.../icon_beer.gif

      Comment


      • #4
        Re: restricting domain users from executing .exe file from their z drives

        Sorry, i forgot to add some details in my first post.

        1) The end users are using Thin clients. i.e. no PC in available therefore USB or other external devices can,t be used.

        2) We use windows server 2003 SP2-R2 as our terminal servers.

        3) FYI i have already applied software restriction policy(path Rule \\IP\sharename$\*\*.exe) on domain level to restrict users from executing .exe from their Z/home drives, but still users can run .exe from subfolders within their Z/home drives. .e.g. \\SANIP\sharename$\userhomedrive\abc\filename.exe

        Comment


        • #5
          Re: restricting domain users from executing .exe file from their z drives

          Applocker allows more control than Software Restriction Policies.
          Please do show your appreciation to those who assist you by leaving Rep Point https://www.petri.com/forums/core/im.../icon_beer.gif

          Comment


          • #6
            Re: restricting domain users from executing .exe file from their z drives

            Hi,

            Just for information, in case of Windows-Server 2008 Sp2 only, what to do in this scenario? i.e. Applocker is available only in Server 2008 R2.

            Comment

            Working...
            X