Guest Tim Posted October 24, 2008 Posted October 24, 2008 Quick background: Windows Server 2003 Native-mode AD, XP workstations. We have employees in our environment who do not have admin rights on their local computer and are installing Firefox to their systems by pointing the install path to their Documents and Settings folders. Because of this non-standard install, the path to the Firefox executable is not consistent. I have found a way to block access to an executable using a path restriction in Group Policy, but is there a way to block access to an executable by name regardless of its path? (Note: this GPO would have more applications than just Firefox, but it is the example I'm facing right now.) Thanks in advance.
Guest Pegasus \(MVP\) Posted October 24, 2008 Posted October 24, 2008 Re: How to block executables from non-standard installs using GPO "Tim" <Tim@discussions.microsoft.com> wrote in message news:4658B0E3-D0F9-4408-BE86-EFB91FB5DDD5@microsoft.com... > Quick background: Windows Server 2003 Native-mode AD, XP workstations. > We > have employees in our environment who do not have admin rights on their > local > computer and are installing Firefox to their systems by pointing the > install > path to their Documents and Settings folders. Because of this > non-standard > install, the path to the Firefox executable is not consistent. I have > found > a way to block access to an executable using a path restriction in Group > Policy, but is there a way to block access to an executable by name > regardless of its path? (Note: this GPO would have more applications than > just Firefox, but it is the example I'm facing right now.) > > > Thanks in advance. If you block access to C:\Program Files\Mozilla Firefox and to firefox.exe, how will you prevent users from invoking Firefox like so: c:\Fox\ff.exe? What I'm trying to say is this: You may be able to block the object folder name and the name of the executable but your users will soon realise that they can run any application under an assumed name such as ff.exe.
Guest Dusko Savatovic Posted October 25, 2008 Posted October 25, 2008 Re: How to block executables from non-standard installs using GPO You can block an executable using Hash rule. The system computes SHA or MD5 hash of any executable (eg .exe or .dll) and when it is read into memory it is blocked. It is in the same GPO (Software Restriction Policy) as Path rule (that's what it's called when you want to block executable in certain path). "Tim" <Tim@discussions.microsoft.com> wrote in message news:4658B0E3-D0F9-4408-BE86-EFB91FB5DDD5@microsoft.com... > Quick background: Windows Server 2003 Native-mode AD, XP workstations. > We > have employees in our environment who do not have admin rights on their > local > computer and are installing Firefox to their systems by pointing the > install > path to their Documents and Settings folders. Because of this > non-standard > install, the path to the Firefox executable is not consistent. I have > found > a way to block access to an executable using a path restriction in Group > Policy, but is there a way to block access to an executable by name > regardless of its path? (Note: this GPO would have more applications than > just Firefox, but it is the example I'm facing right now.) > > > Thanks in advance.
Recommended Posts