help - add policy rule

justjohnny

Junior Member
Oct 15, 2011
21
0
0
www.novatekelectric.com
Hello everybody.
I am using Windows XP.
I created the Local Security Policy.

[Three screenshots of the poster's Local Security Policy configuration, hosted on ImageShack]

I created rules for many file types: bat, cmd, com...

Can you help me create the rules automatically using a script?

I want to make it so that anyone cannot execute programs from the E and F drives.
Thanks.

//vncn820
 

bruceb

Diamond Member
Aug 20, 2004
8,874
111
106
See this:

All exe files including calc.exe, notepad.exe and explorer.exe, or just some exe files?
There are different approaches to this.

If you're trying to block a single executable that you're familiar with you can disable it from a GPO using the setting:
User Configuration/Administrative Templates/System/Don't run specified Windows applications

Another option is to specify only the applications you want to allow, using:
User Configuration/Administrative Templates/System/Run only specified Windows applications
This one would probably take a lot of work to populate for a system with many applications installed or for a corporate environment.

Neither of the two mentioned settings takes into account that a user can name their exe file whatever they want, so renaming mydangerousapp.exe to explorer.exe would make it a perfectly legitimate executable.

A more robust and manageable way of securing your systems by controlling which applications can be launched is Software Restriction Policies.
Check this article for an introduction to Software Restriction Policies:

http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx
 

mechBgon

Super Moderator, Elite Member
Oct 31, 1999
30,699
1
0
Hi justjohnny, try this:

Make a new Path Rule for each drive you want to block, and set them to Disallowed. But only include the drive letter, not the file types. So the box should just say E:\ or F:\.

The Software Restriction Policy already has its own list of file types that it will block, so you don't need to specify .exe, .com, .bat, etc. The Software Restriction Policy's list is in the "Designated File Types" and you can edit it.

If you have many computers to configure, normally you would use an Active Directory domain and do this using a Group Policy Object. If you need to make these settings without an Active Directory domain, you could use Microsoft's LocalGPO tool to export the desired Local Security Policy from one computer, and then import it to the other computers using a log-in script or a local command.

The LocalGPO tool is part of Microsoft's Security Compliance Management Toolkit; I don't know if it can be downloaded separately. But SCM is free.

You may also be interested in Microsoft's Fix-It that disables AutoRun, if part of your goal is to stop worms on external devices: http://support.microsoft.com/kb/967715 and scroll down to the Fix-It icons.
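Since justjohnny asked for a scripted way to create the rules, here is an added example (not mechBgon's code and not from the original thread) that creates the two "Disallowed" path rules described above by writing the same registry keys the Local Security Policy editor writes. It assumes Software Restriction Policies has already been created once through secpol.msc (so the Safer\CodeIdentifiers key exists), that the script runs as an administrator, and that the two GUID subkey names, which are constructed for this example, are unique; any unique GUID works.

```batch
@echo off
rem Added example: create SRP "Disallowed" path rules for E:\ and F:\
rem on Windows XP by writing the registry keys secpol.msc uses.
rem Assumption: SRP has already been created once through secpol.msc.
setlocal

set SAFER=HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers
rem Security level 0 = Disallowed (262144 would be Unrestricted).
set DISALLOWED=%SAFER%\0\Paths

rem The GUID key names are constructed for this example; only uniqueness matters.
call :AddPathRule {7f0d8e5c-1a2b-4c3d-9e8f-000000000001} E:\ "Block programs on drive E:"
call :AddPathRule {7f0d8e5c-1a2b-4c3d-9e8f-000000000002} F:\ "Block programs on drive F:"

rem Show what was written so it can be checked against the rule list in secpol.msc.
reg query "%DISALLOWED%" /s

endlocal
goto :EOF

:AddPathRule
rem %1 = GUID key name, %2 = path covered by the rule, %3 = description
rem The path is passed unquoted on purpose: inside quotes, reg.exe would
rem read the trailing \" as an escaped quote and the rule would be wrong.
reg add "%DISALLOWED%\%~1" /v ItemData   /t REG_EXPAND_SZ /d %~2 /f >nul
reg add "%DISALLOWED%\%~1" /v SaferFlags /t REG_DWORD     /d 0   /f >nul
reg add "%DISALLOWED%\%~1" /v Description /t REG_SZ       /d "%~3" /f >nul
goto :EOF
```

Save it as a .bat file and run it once per machine, for example from a log-in script. To check the result, open secpol.msc and confirm the two rules appear under Additional Rules as Disallowed, then copy a harmless program such as calc.exe to E:\ and try to start it: Windows should refuse with the software restriction policy message. Because the rules name only the drive letter, everything in the Designated File Types list under E:\ and F:\ is covered, which is why no per-extension rules are needed.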
 

mechBgon

Super Moderator, Elite Member
Oct 31, 1999
30,699
1
0
Thanks.
But SCM does not support Win XP.

All you need is the LocalGPO tool from an SCM installation, so if you have any Win7 systems around, you can install SCM on one system to get the LocalGPO tool, then use LocalGPO to deploy your settings. But if you don't already have log-in scripts, it might be just as much work either way.