How to block executables from non-standard installs using GPO

[Guest Tim]

Quick background: Windows Server 2003 Native-mode AD, XP workstations. We

have employees in our environment who do not have admin rights on their local

computer and are installing Firefox to their systems by pointing the install

path to their Documents and Settings folders. Because of this non-standard

install, the path to the Firefox executable is not consistent. I have found

a way to block access to an executable using a path restriction in Group

Policy, but is there a way to block access to an executable by name

regardless of its path? (Note: this GPO would have more applications than

just Firefox, but it is the example I'm facing right now.)

 

 

Thanks in advance.

[Guest Pegasus \(MVP\)]

Re: How to block executables from non-standard installs using GPO

 

 

"Tim" <Tim@discussions.microsoft.com> wrote in message

news:4658B0E3-D0F9-4408-BE86-EFB91FB5DDD5@microsoft.com...

> Quick background: Windows Server 2003 Native-mode AD, XP workstations.

> We

> have employees in our environment who do not have admin rights on their

> local

> computer and are installing Firefox to their systems by pointing the

> install

> path to their Documents and Settings folders. Because of this

> non-standard

> install, the path to the Firefox executable is not consistent. I have

> found

> a way to block access to an executable using a path restriction in Group

> Policy, but is there a way to block access to an executable by name

> regardless of its path? (Note: this GPO would have more applications than

> just Firefox, but it is the example I'm facing right now.)

>

>

> Thanks in advance.

 

If you block access to C:\Program Files\Mozilla Firefox and to firefox.exe,

how will you prevent users from invoking Firefox like so: c:\Fox\ff.exe?

What I'm trying to say is this: You may be able to block the object

folder name and the name of the executable but your users will soon

realise that they can run any application under an assumed name such

as ff.exe.

[Guest Dusko Savatovic]

Re: How to block executables from non-standard installs using GPO

 

You can block an executable using Hash rule. The system computes SHA or MD5

hash of any executable (eg .exe or .dll) and when it is read into memory it

is blocked. It is in the same GPO (Software Restriction Policy) as Path rule

(that's what it's called when you want to block executable in certain path).

 

 

"Tim" <Tim@discussions.microsoft.com> wrote in message

news:4658B0E3-D0F9-4408-BE86-EFB91FB5DDD5@microsoft.com...

> Quick background: Windows Server 2003 Native-mode AD, XP workstations.

> We

> have employees in our environment who do not have admin rights on their

> local

> computer and are installing Firefox to their systems by pointing the

> install

> path to their Documents and Settings folders. Because of this

> non-standard

> install, the path to the Firefox executable is not consistent. I have

> found

> a way to block access to an executable using a path restriction in Group

> Policy, but is there a way to block access to an executable by name

> regardless of its path? (Note: this GPO would have more applications than

> just Firefox, but it is the example I'm facing right now.)

>

>

> Thanks in advance.