RE: [ActiveDir] Fileserver and Self-Executing Programs
Thanks Hunter for that information, unfortunately however, the workstations within the domain are Win2K Pro and software policies and from what I understand software policies will not work unless with WinXP or Win2K3. I think I am just going to have to bust some heads around here and make sure that it is not done anymore. I don’t mind it actually. I find it to be quite exhilarating. Edwin. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Coleman, Hunter Sent: Wednesday, August 04, 2004 10:34 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Fileserver and Self-Executing Programs Software Restrictions via group policy may be an option for you. http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/rstrplcy.mspx http://www.windowsecurity.com/articles/windows_2003_restriction_policies_security.html Hunter From: Edwin [mailto:[EMAIL PROTECTED] Sent: Wednesday, August 04, 2004 7:59 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Fileserver and Self-Executing Programs What I have noticed, in the couple of test I have done, is that if the installer is a MSI package, it will immediately be denied any further access. If it is a *.exe then there may be progress on the installation and it is up to the *.exe on how to proceed. If a *.exe is used, the system itself appears never to be modified except within the users own profile allotted space. I am not sure how to restrict file extensions on a folder. Do you have more information on this? I know that I can remove execute permissions but this will take some work to do and resolve my issue. ß I am not complaining about the work. Just that it will take some time. I guess if there is a way to filter out certain executables I would want to filter them all out. So I guess removing execute access will be the best way. But this would also mean I would have to remove this type of permission to their desktop or My Documents since they could also install such a program there providing it was under their 10MB limit. But to go that far would be nasty and I don’t think it would be recommended. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael Wassell Sent: Wednesday, August 04, 2004 9:33 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Fileserver and Self-Executing Programs The first thing that comes to mind is disabling Windows Installer for non-managed apps via GPO, considering you are already doing something similar as you had mentioned that may be the most viable solution. Otherwise, I'm not sure if its possible or how difficult it would be to implement but you could restrict the use of certain file extensions in the user folder tree which would prevent users from running executables for instance. Just two ideas... I'm sure there will be more From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Edwin Sent: Wednesday, August 04, 2004 8:06 AM To: [EMAIL PROTECTED] Subject: [ActiveDir] Fileserver and Self-Executing Programs Within our domain, roaming profiles are used. The roaming profiles are limited to 10MB by means of a GPO. The user is also given a networked drive (K:\) that gives them an additional 40MB which gives them a grand total of 50MB of usable space when on their workstations. The 50MB limit is then enforced by Disk Quotas. The roaming profile data and the networked drive are both on the same machine. The user logging into their workstation is not able to install applications unless first approved. What I have noticed however is that users within the domain are still managing to run unauthorized pieces of software. They are doing this by copying the files K:\ The application that they want to use is a self executing program that does not need to write data to the registry or modify the system in any way. In one case, I noticed that a user is using FireFox. I installed the software with under the same user privileges and was able to do so but with a warning that the application may not install correctly without Admin rights. The application did install to the K:\ and worked correctly when was opened. The good thing about this was that anything that was written to the registry was access denied. So here is the question. How can I prevent users from installing these type of applications to the K:\? When they do this, they are using resources on the remote machine that shouldn’t be. I could care less that they are using more drive space since it will only affect them and their ability to write more files to the remote machine or will prevent them from logging off of their desktop until the space is cleared. I don’t have a problem putting fear into those who are doing this, but I would rather just cut them off and keep my mouth shut if a solution is available. Any thoughts? Thanks everyone for your replies, Edwin
RE: [ActiveDir] Fileserver and Self-Executing Programs
Software Restrictions via group policy may be an option for you. http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/rstrplcy.mspx http://www.windowsecurity.com/articles/windows_2003_restriction_policies_security.html Hunter From: Edwin [mailto:[EMAIL PROTECTED] Sent: Wednesday, August 04, 2004 7:59 AMTo: [EMAIL PROTECTED]Subject: RE: [ActiveDir] Fileserver and Self-Executing Programs What I have noticed, in the couple of test I have done, is that if the installer is a MSI package, it will immediately be denied any further access. If it is a *.exe then there may be progress on the installation and it is up to the *.exe on how to proceed. If a *.exe is used, the system itself appears never to be modified except within the users own profile allotted space. I am not sure how to restrict file extensions on a folder. Do you have more information on this? I know that I can remove execute permissions but this will take some work to do and resolve my issue. ß I am not complaining about the work. Just that it will take some time. I guess if there is a way to filter out certain executables I would want to filter them all out. So I guess removing execute access will be the best way. But this would also mean I would have to remove this type of permission to their desktop or My Documents since they could also install such a program there providing it was under their 10MB limit. But to go that far would be nasty and I don’t think it would be recommended. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael WassellSent: Wednesday, August 04, 2004 9:33 AMTo: [EMAIL PROTECTED]Subject: RE: [ActiveDir] Fileserver and Self-Executing Programs The first thing that comes to mind is disabling Windows Installer for non-managed apps via GPO, considering you are already doing something similar as you had mentioned that may be the most viable solution. Otherwise, I'm not sure if its possible or how difficult it would be to implement but you could restrict the use of certain file extensions in the user folder tree which would prevent users from running executables for instance. Just two ideas... I'm sure there will be more From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of EdwinSent: Wednesday, August 04, 2004 8:06 AMTo: [EMAIL PROTECTED]Subject: [ActiveDir] Fileserver and Self-Executing Programs Within our domain, roaming profiles are used. The roaming profiles are limited to 10MB by means of a GPO. The user is also given a networked drive (K:\) that gives them an additional 40MB which gives them a grand total of 50MB of usable space when on their workstations. The 50MB limit is then enforced by Disk Quotas. The roaming profile data and the networked drive are both on the same machine. The user logging into their workstation is not able to install applications unless first approved. What I have noticed however is that users within the domain are still managing to run unauthorized pieces of software. They are doing this by copying the files K:\ The application that they want to use is a self executing program that does not need to write data to the registry or modify the system in any way. In one case, I noticed that a user is using FireFox. I installed the software with under the same user privileges and was able to do so but with a warning that the application may not install correctly without Admin rights. The application did install to the K:\ and worked correctly when was opened. The good thing about this was that anything that was written to the registry was access denied. So here is the question. How can I prevent users from installing these type of applications to the K:\? When they do this, they are using resources on the remote machine that shouldn’t be. I could care less that they are using more drive space since it will only affect them and their ability to write more files to the remote machine or will prevent them from logging off of their desktop until the space is cleared. I don’t have a problem putting fear into those who are doing this, but I would rather just cut them off and keep my mouth shut if a solution is available. Any thoughts? Thanks everyone for your replies, Edwin
RE: [ActiveDir] Fileserver and Self-Executing Programs
What I have noticed, in the couple of test I have done, is that if the installer is a MSI package, it will immediately be denied any further access. If it is a *.exe then there may be progress on the installation and it is up to the *.exe on how to proceed. If a *.exe is used, the system itself appears never to be modified except within the users own profile allotted space. I am not sure how to restrict file extensions on a folder. Do you have more information on this? I know that I can remove execute permissions but this will take some work to do and resolve my issue. ß I am not complaining about the work. Just that it will take some time. I guess if there is a way to filter out certain executables I would want to filter them all out. So I guess removing execute access will be the best way. But this would also mean I would have to remove this type of permission to their desktop or My Documents since they could also install such a program there providing it was under their 10MB limit. But to go that far would be nasty and I don’t think it would be recommended. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael Wassell Sent: Wednesday, August 04, 2004 9:33 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Fileserver and Self-Executing Programs The first thing that comes to mind is disabling Windows Installer for non-managed apps via GPO, considering you are already doing something similar as you had mentioned that may be the most viable solution. Otherwise, I'm not sure if its possible or how difficult it would be to implement but you could restrict the use of certain file extensions in the user folder tree which would prevent users from running executables for instance. Just two ideas... I'm sure there will be more From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Edwin Sent: Wednesday, August 04, 2004 8:06 AM To: [EMAIL PROTECTED] Subject: [ActiveDir] Fileserver and Self-Executing Programs Within our domain, roaming profiles are used. The roaming profiles are limited to 10MB by means of a GPO. The user is also given a networked drive (K:\) that gives them an additional 40MB which gives them a grand total of 50MB of usable space when on their workstations. The 50MB limit is then enforced by Disk Quotas. The roaming profile data and the networked drive are both on the same machine. The user logging into their workstation is not able to install applications unless first approved. What I have noticed however is that users within the domain are still managing to run unauthorized pieces of software. They are doing this by copying the files K:\ The application that they want to use is a self executing program that does not need to write data to the registry or modify the system in any way. In one case, I noticed that a user is using FireFox. I installed the software with under the same user privileges and was able to do so but with a warning that the application may not install correctly without Admin rights. The application did install to the K:\ and worked correctly when was opened. The good thing about this was that anything that was written to the registry was access denied. So here is the question. How can I prevent users from installing these type of applications to the K:\? When they do this, they are using resources on the remote machine that shouldn’t be. I could care less that they are using more drive space since it will only affect them and their ability to write more files to the remote machine or will prevent them from logging off of their desktop until the space is cleared. I don’t have a problem putting fear into those who are doing this, but I would rather just cut them off and keep my mouth shut if a solution is available. Any thoughts? Thanks everyone for your replies, Edwin
RE: [ActiveDir] Fileserver and Self-Executing Programs
The first thing that comes to mind is disabling Windows Installer for non-managed apps via GPO, considering you are already doing something similar as you had mentioned that may be the most viable solution. Otherwise, I'm not sure if its possible or how difficult it would be to implement but you could restrict the use of certain file extensions in the user folder tree which would prevent users from running executables for instance. Just two ideas... I'm sure there will be more From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of EdwinSent: Wednesday, August 04, 2004 8:06 AMTo: [EMAIL PROTECTED]Subject: [ActiveDir] Fileserver and Self-Executing Programs Within our domain, roaming profiles are used. The roaming profiles are limited to 10MB by means of a GPO. The user is also given a networked drive (K:\) that gives them an additional 40MB which gives them a grand total of 50MB of usable space when on their workstations. The 50MB limit is then enforced by Disk Quotas. The roaming profile data and the networked drive are both on the same machine. The user logging into their workstation is not able to install applications unless first approved. What I have noticed however is that users within the domain are still managing to run unauthorized pieces of software. They are doing this by copying the files K:\ The application that they want to use is a self executing program that does not need to write data to the registry or modify the system in any way. In one case, I noticed that a user is using FireFox. I installed the software with under the same user privileges and was able to do so but with a warning that the application may not install correctly without Admin rights. The application did install to the K:\ and worked correctly when was opened. The good thing about this was that anything that was written to the registry was access denied. So here is the question. How can I prevent users from installing these type of applications to the K:\? When they do this, they are using resources on the remote machine that shouldn’t be. I could care less that they are using more drive space since it will only affect them and their ability to write more files to the remote machine or will prevent them from logging off of their desktop until the space is cleared. I don’t have a problem putting fear into those who are doing this, but I would rather just cut them off and keep my mouth shut if a solution is available. Any thoughts? Thanks everyone for your replies, Edwin
