Focus on Microsoft
Active Directory Question Jan 10 2004 05:16PM
Simon Taplin (simont pop co za) (3 replies)
RE: Active Directory Question Jan 13 2004 06:33AM
Aditya [ Aditya Lalit Deshmukh ] (ald2001 users sourceforge net)
Re: Active Directory Question Jan 13 2004 05:18AM
Mahaveer Saraswat (mahaveer s net4india net)
RE: Active Directory Question Jan 12 2004 03:26PM
Jannie Hanekom (j_hanekom hotmail com)
Hi Simon

In my experience, persistent users will discover pretty quickly that they
can get around this by simply renaming files. If you still want that type
of protection through GPOs, I'm afraid the only solution is to either block
specific, exact names or to compile a comprehensive list of allowed
executables and only allow those.

There are some weird apps that monitor the titles of all windows on the
desktop and forcibly close them if they match the list; a colleague once
tested one of these out and it seemed to work fairly effectively - it is
also immune to renamed executables (but not custom-compiled executables).
Only problem was that it was very aggressive: e-mails, IE windows, Word
documents or anything else that contained the target string in its title
were also instantly closed. If however you still feel that way inclined,
try http://www.plevna.f9.co.uk/tindex.htm. Google ads also suggest this:
http://www.reflex-magnetics.com/products/disknetpro/.

On the MS front, SMS 2.0's software metering facility has a rather kludgy
but effective blocking mechanism that blocks/allows executables based on the
executable's binary properties.

The most effective way IMO is to remove the source of these types of files:
disable the removable drives (see previous threads), block executables on
e-mail gateways, etc.

I've been wanting to test out another theory in a large environment, but
haven't had a chance: setting the "Traverse Folder/Execute file" ACL flag
to "Deny" on end-users' temporary and home directories appears to stop
arbitrary web downloads and e-mail attachments from executing. This might
also prove quite effective against many e-mail worms, and is what *nix
protagonists have been telling us for years... If you want a file to
execute, you should have to explicitly make it executable. (Note that this
only works for binary executables; script files still run normally.)

Hope that helps.

Jannie

-----Original Message-----
From: Simon Taplin [mailto:simont (at) pop.co (dot) za]
Sent: 10 January 2004 17:16
To: focus-ms (at) securityfocus (dot) com
Subject: Active Directory Question

Is it possible to set up a policy on Win2000 Active Directory whereby you can
use wildcards to deny users access to running certain programs, for example
blocking users running setup*.*

Thanks
Simon
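One way to try the "Deny Execute File" ACL approach Jannie describes, as an added PowerShell example that is not part of the thread. The target path and the principal name are placeholders (assumptions), and the script assumes PowerShell 5.0 or later.

```powershell
# Added example, not from the thread: apply and verify a Deny ExecuteFile ACE
# on a user's temp/home directory. Path and principal below are placeholders.
using namespace System.Security.AccessControl

function Add-DenyExecuteAce {
    param(
        [Parameter(Mandatory)] [string] $Path,      # e.g. a user's %TEMP% or home dir
        [Parameter(Mandatory)] [string] $Identity   # e.g. 'BUILTIN\Users' (placeholder)
    )
    $acl = Get-Acl -LiteralPath $Path
    # ExecuteFile is the "Traverse Folder / Execute File" right in the ACL editor.
    # ObjectInherit + InheritOnly: the deny lands on every file created under $Path
    # (nested subfolders included) but not on the folder objects themselves, so
    # directory traversal is untouched; only launching a binary from here is denied.
    $rule = [FileSystemAccessRule]::new(
        $Identity,
        [FileSystemRights]::ExecuteFile,
        [InheritanceFlags]::ObjectInherit,
        [PropagationFlags]::InheritOnly,
        [AccessControlType]::Deny)
    $acl.AddAccessRule($rule)
    Set-Acl -LiteralPath $Path -AclObject $acl
}

function Get-DenyExecuteAce {
    # Report the Deny ACEs on $Path that carry the ExecuteFile bit, for verification.
    param([Parameter(Mandatory)] [string] $Path)
    $exec = [int][FileSystemRights]::ExecuteFile
    (Get-Acl -LiteralPath $Path).Access | Where-Object {
        $_.AccessControlType -eq [AccessControlType]::Deny -and
        (([int]$_.FileSystemRights -band $exec) -ne 0)
    }
}

# Usage with placeholder values; run as an account that may edit the folder's ACL.
Add-DenyExecuteAce -Path "$env:TEMP" -Identity 'BUILTIN\Users'
Get-DenyExecuteAce -Path "$env:TEMP" |
    Format-Table IdentityReference, FileSystemRights, InheritanceFlags, PropagationFlags

# Caveat from the thread: this blocks binary executables launched from the folder,
# not script files, which their interpreter merely reads. An explicit Deny ACE
# wins over any Allow, so trial it on a test account before rolling it out.
```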
