Portable Apps

Guest

I have a problem I am sure other people face... We can control access to the
internet with group policy, content advisor, etc., BUT how do you prevent users
from using a thumb drive with Firefox, Netscape or some other "portable"
browser installed on it? I have tried preventing this by using hash rules, but
every time a new release (minor or major) comes out you have to create a new
hash rule, and for 150 users that gets real time consuming. I can't restrict
by drive letter because we have to allow for picture uploading via camera/USB
connections. Also, some of our keyboards and mice are USB as well. I currently
have executable permissions set for only c:\windows\system32 and c:\program
files and limited all accounts to "limited". Of course we have some network
drives that have .exe's and .bat's that need to be run on a day-to-day basis, so it
seems I just go in circles... I think maybe I have been trying too long and
looking at the same stuff over and over and need a little outside advice/help.

Any help will be GREATLY appreciated.

DL
 
Steven L Umbach

You can use SRP with a default disallowed security level and then add
the white list items/paths to the allowed list, but that can be pretty time
consuming to figure out and maintain.

What might be worth a try is to create a path rule for every drive other
than the system drive and the mapped drives, with a disallowed security
level for those drives, to see if that helps. Yes, that may mean a path rule
for every drive but C: and the mapped drives, but it should be worth trying.
AFAIK such rules should not prevent users from uploading pictures and other
non-executables on those drives. You can also modify the designated file
types if needed for specific exclusions by removing them from the list.

You could also create rules for the mapped drives if needed, if they are to
be used for data only [or also create hash rules for allowed executables].
By default desktop shortcuts can be restricted by SRP, so exclusions may need
to be created for authorized shortcuts. Checking the application log for SRP
events can help tweak SRP policies if you are having difficulty getting
desired applications/shortcuts to work when creating rules, and free tools
such as filemon from Microsoft/SysInternals can help track down what
executables are used and where access is being denied by SRP, to allow you to
create any needed exemptions for processes to work.

Strict computer use policies are also of value as a non-technical solution
if that is a possibility. But the powers that be need to buy into such and
the policies need to be enforced or they will not be effective. Usually only
a couple of individuals need to be made an example of before users understand
that you are serious.

Steve

http://www.microsoft.com/technet/sysinternals/utilities/filemon.mspx --
be sure to use filter views to track down access denied events
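
The rule layout suggested in the post above, as an added example that is not part of the original thread and not Windows' own evaluation code: a simplified Python model of how SRP treats a file under per-drive Disallowed path rules, including the designated-file-type check and the "more specific path rule wins" behaviour. The drive letters, folder names and file names are constructed, and the file-type set is a trimmed subset of the default list.

```python
import string
from pathlib import PureWindowsPath

# Subset of SRP's default designated file types (trimmed for this example).
DESIGNATED = {".exe", ".com", ".bat", ".cmd", ".msi", ".scr", ".pif", ".lnk"}

def drive_rules(system_drive, mapped_drives):
    """One Disallowed path rule per drive letter, skipping system and mapped drives."""
    keep = {system_drive.upper(), *(d.upper() for d in mapped_drives)}
    return {f"{letter}:\\": "Disallowed"
            for letter in string.ascii_uppercase if f"{letter}:" not in keep}

def evaluate(path, rules, default="Unrestricted"):
    """Simplified model of SRP: type check first, then most specific path rule."""
    p = PureWindowsPath(path)
    if p.suffix.lower() not in DESIGNATED:
        return "NotChecked"          # data files are outside SRP's scope
    target = str(p).lower()
    matches = [prefix for prefix in rules if target.startswith(prefix.lower())]
    return rules[max(matches, key=len)] if matches else default

def demo():
    # Constructed environment: C: is the system drive, H: and S: are mapped.
    rules = drive_rules("C:", ["H:", "S:"])
    # S: is data-only apart from one approved folder (the more specific rule wins).
    rules["S:\\"] = "Disallowed"
    rules["S:\\Apps\\"] = "Unrestricted"
    samples = [
        r"E:\FirefoxPortable\FirefoxPortable.exe",
        r"E:\DCIM\100CANON\IMG_0001.JPG",
        r"E:\Start Browser.lnk",
        r"C:\Program Files\Internet Explorer\iexplore.exe",
        r"S:\Apps\payroll.bat",
        r"S:\Shared\game.exe",
        r"H:\home\notes.txt",
    ]
    return {s: evaluate(s, rules) for s in samples}

if __name__ == "__main__":
    for path, verdict in demo().items():
        print(f"{verdict:12} {path}")
```

The `.lnk` result shows why authorized shortcuts on a restricted drive need their own exclusion, and the `.JPG` result shows why camera uploads keep working.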
 
Guest

Does your external firewall or router allow you to designate applications
which are allowed to send to the outside world?

If you are not sure what already legitimately installed software does, e.g.
Adobe/Anti-virus/etc. self-updates, then install a free copy of Zone Alarm on a
workstation and set it up to get your approval for any access to the Internet.
After a week you should have a reasonably comprehensive list.
 
Guest

I'd like to thank both of you for taking the time to answer. I will actually
try both approaches and see which one works for us. Thanks again.
 
