
help - add policy rule

justjohnny

Junior Member
Hello everybody.
I am using Windows XP.
I created the local security policy.

I created rules for many file types: bat, cmd, com...

Can you help me create the rules automatically using a script?

I want to make it so no one can execute programs from the E and F drives.
Thanks.

//vncn820
 
See this:

All exe files including calc.exe, notepad.exe and explorer.exe or just some exe files?
There are different approaches to this.

If you're trying to block a single executable that you're familiar with you can disable it from a GPO using the setting:
User Configuration/Administrative Templates/System/Don't run specified Windows applications

Another option is to specify only the applications you want to allow using:
User Configuration/Administrative Templates/System/Run only specified Windows applications
This one would probably take a lot of work to populate for a system with many applications installed or for a corporate environment.

Neither of the two mentioned settings takes into account that a user can name their exe file what they want, so renaming mydangerousapp.exe to explorer.exe would make it a perfectly legitimate executable.

A more robust and manageable way of securing your systems by controlling which applications can be launched is Software Restriction Policies.
Check this article for an introduction to Software Restriction Policies:

http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx
 
Hi justjohnny, try this:

Make a new Path Rule for each drive you want to block, and set them to Disallowed. But only include the drive letter, not the file types. So the box should just say E:\ or F:\.

The Software Restriction Policy already has its own list of file types that it will block, so you don't need to specify .exe, .com, .bat, etc. The Software Restriction Policy's list is in the "Designated File Types" and you can edit it.

If you have many computers to configure, normally you would use an Active Directory domain and do this using a Group Policy Object. If you need to make these settings without an Active Directory domain, you could use Microsoft's LocalGPO tool to export the desired Local Security Policy from one computer, and then import it to the other computers using a log-in script or a local command.

The LocalGPO tool is part of Microsoft's Security Compliance Management Toolkit; I don't know if it can be downloaded separately. But SCM is free.

You may also be interested in Microsoft's Fix-It that disables AutoRun, if part of your goal is to stop worms on external devices: http://support.microsoft.com/kb/967715 and scroll down to the Fix-It icons.
 
Thanks.
But SCM does not support Win XP.

All you need is the LocalGPO tool from an SCM installation, so if you have any Win7 systems around, you can install SCM on one system to get the LocalGPO tool, then use LocalGPO to deploy your settings. But if you don't already have log-in scripts, it might be just as much work either way.
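For the original question about scripting the rules: the Path Rule advice in this thread (one Disallowed rule per drive root, no file types) can be written out as a .reg file, shown here as an added example that is not from any poster in the thread. It assumes Software Restriction Policies are already enabled on the machine and that path rules are stored under the `Safer\CodeIdentifiers\0\Paths` policy key with `ItemData` and `SaferFlags` values; the rule GUIDs, the namespace constant, the description text and the output file name are constructed for illustration.

```python
import uuid

# Registry location of machine-wide SRP path rules at the Disallowed level (0).
SRP_PATHS_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows"
                 r"\Safer\CodeIdentifiers\0\Paths")
# Arbitrary namespace (constructed for this example) so a given path always
# maps to the same rule GUID and re-importing never creates duplicate rules.
RULE_NAMESPACE = uuid.UUID("00000000-0000-0000-0000-00000000e5a1")

def normalize_root(drive):
    """Turn 'e', 'E:' or 'E:\\' into the drive-root form 'E:\\'."""
    letter = drive.strip().rstrip("\\").rstrip(":").upper()
    if len(letter) != 1 or not ("A" <= letter <= "Z"):
        raise ValueError(f"not a drive letter: {drive!r}")
    return letter + ":\\"

def rule_guid(path):
    """Deterministic {GUID} subkey name for one path rule."""
    return "{" + str(uuid.uuid5(RULE_NAMESPACE, path.lower())) + "}"

def reg_escape(value):
    """Escape backslashes and quotes for a .reg string value."""
    return value.replace("\\", "\\\\").replace('"', '\\"')

def build_reg(drives, description="Block execution from drive"):
    """Return .reg text with one Disallowed path rule per drive root."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for root in sorted({normalize_root(d) for d in drives}):
        lines += [
            f"[{SRP_PATHS_KEY}\\{rule_guid(root)}]",
            # Only the drive root: the Designated File Types list decides
            # which extensions are blocked, so none are listed here.
            f'"ItemData"="{reg_escape(root)}"',
            '"SaferFlags"=dword:00000000',
            f'"Description"="{reg_escape(description)} {reg_escape(root)}"',
            "",
        ]
    return "\r\n".join(lines)

if __name__ == "__main__":
    # Version 5.00 .reg files are UTF-16 with a byte-order mark.
    with open("srp_block_drives.reg", "w", encoding="utf-16", newline="") as fh:
        fh.write(build_reg(["E:", "F:"]))
```

The generated file can be imported on each machine with `regedit /s srp_block_drives.reg` from an administrator account or a start-up script. Test on one machine first, since values written directly to the policy key may be replaced when local policy is re-applied.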
 