Hash rule on Windows 2000 doesn't work

gotmespinnin

Hi

I created a GPO to block Windows games on my network. I used a
hash rule to deny access to games even if users change the path or
rename the exe file. This works well on XP PCs but doesn't work on
Windows 2000 clients. Unfortunately, the majority of my users are on
Windows 2000. Is there any other way to stop my users playing sol.exe or
spider.exe?
 
Florian Frommherz

Howdy gotmespinnin!

> I created a GPO to block Windows games on my network. I used a
> hash rule to deny access to games even if users change the path or
> rename the exe file. This works well on XP PCs but doesn't work on
> Windows 2000 clients. Unfortunately, the majority of my users are on
> Windows 2000. Is there any other way to stop my users playing sol.exe or
> spider.exe?

Where did you apply the rule from? Remember: the hash that will be
created for spider.exe on Windows XP differs from the hash that
spider.exe will create on Windows 2000. So you will have to create two
hash rules: one with the hash of spider.exe from Windows 2000 and one
with the hash from Windows XP.

cheers,

Florian
 
Darren Mar-Elia (MVP)

Actually, I suspect he's referring to Software Restriction policy hash rules
and in that case, there is no support for Software Restriction Policy on
Win2k (and actually the hash value should be the same regardless of the
OS--that is the purpose of a hash). So, unfortunately the only way to block
certain executables on Win2k is to use the Admin. Template restriction at
User Configuration\Administrative Templates\System\Don't run specified
Windows applications. However, note that that does not prevent renaming and
running of an app, unfortunately.

--
Darren Mar-Elia
MS-MVP-Windows Server--Group Policy
Check out http://www.gpoguy.com -- The Windows Group Policy Information Hub:
FAQs, Whitepapers and Utilities for all things Group Policy-related
And, the Windows Group Policy Guide is out from Microsoft Press!!! Check it
out at http://www.microsoft.com/mspress/books/8763.asp
GPOGUY Blog: http://blogs.dirteam.com/blogs/gpoguy
 
Florian Frommherz

Howdy Darren!

> Actually, I suspect he's referring to Software Restriction policy hash rules
> and in that case, there is no support for Software Restriction Policy on
> Win2k

Aahhr, right. I forgot that. There's no CSE for SRP in Windows 2000...

> (and actually the hash value should be the same regardless of the
> OS--that is the purpose of a hash).

Well, I'm not that sure about that. As long as the OS and the service
pack level is the same, you're right. But what if the file I block via
SRP hash rule gets replaced by another file through a service pack? I
thought the hash is partly built from the file size?

cheers,

Florian
 
Darren Mar-Elia (MVP)

> But what if the file I block via SRP hash rule gets replaced by another
> file through a service pack? I thought the hash is partly built from the
> file size?

I think we're saying the same thing. The hash value is unique to the file,
based on a number of factors, including its size. This is true across OS
versions because the hashing algorithm is independent of stuff like OS
version, but yes, if you have a hash rule on a *system* file, and that file
gets updated, for whatever reason, then the hash values will change.

--
Darren Mar-Elia
 
gotmespinnin

OK, hash rule doesn't work with W2K.. my only other option is to create a
file-size-based rule.. e.g. spider.exe is 526 KB.. is it possible to
create a rule that restricts files based on size.. because file size
will be the same no matter what they rename it to..
 
gotmespinnin

aahh..win2k does not support hash rules.. :(

is it possible to create a policy that will deny access to any exe file
of size 56KB?
 
gotmespinnin

is it possible to create a policy to deny access to a file based on
file size?
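
The three kinds of rule discussed in this thread, compared in an added example that is not from any of the posters: a file-name rule (as in "Don't run specified Windows applications"), a content-hash rule (as in SRP), and the size rule asked about above, which is hypothetical here. The file contents are constructed stand-ins, and SHA-256 is an assumed stand-in for whatever digest the policy engine uses.

```python
import hashlib

# Constructed stand-ins for the binaries in the thread (not real file contents).
# All three are deliberately the same length.
ORIGINAL = b"MZ" + b"spider-solitaire-build-1" * 40
PATCHED = b"MZ" + b"spider-solitaire-build-2" * 40    # same file after an update
UNRELATED = b"MZ" + b"payroll-report-tool-v001" * 40  # a different program


def digest(data):
    # Assumption: SHA-256 stands in for the policy engine's hash algorithm.
    return hashlib.sha256(data).hexdigest()


# One blocked program, expressed as three different rule types.
BLOCK_NAME = "spider.exe"
BLOCK_HASH = digest(ORIGINAL)
BLOCK_SIZE = len(ORIGINAL)

RULES = {
    "name": lambda filename, data: filename.lower() == BLOCK_NAME,
    "hash": lambda filename, data: digest(data) == BLOCK_HASH,
    "size": lambda filename, data: len(data) == BLOCK_SIZE,  # hypothetical rule
}

# Situations raised in the thread, as (file name, contents) pairs.
CASES = {
    "original": ("spider.exe", ORIGINAL),
    "renamed copy": ("notes.exe", ORIGINAL),
    "updated by service pack": ("spider.exe", PATCHED),
    "unrelated same-size file": ("payroll.exe", UNRELATED),
}


def evaluate():
    """Return {case: {rule: blocked?}} for every case and rule type."""
    return {
        case: {rule: check(name, data) for rule, check in RULES.items()}
        for case, (name, data) in CASES.items()
    }


if __name__ == "__main__":
    for case, verdicts in evaluate().items():
        row = "  ".join(f"{r}={'BLOCK' if v else 'allow'}" for r, v in verdicts.items())
        print(f"{case:26} {row}")
```

The hash rule follows the content through a rename but needs a new entry once the file is updated; the size rule also blocks the unrelated program that happens to have the same length.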
 
