How to enter path in policy for Run Only Windows Allowed Applicati


Guest

Win2K servers and Win2K Pro clients;

I'm trying to set up the Group Policies that allow/disallow programs to run
or not. However, I'm trying to avoid the situation where users can rename a
file on another drive to a name on the allowed list and run it. Yet, I still
need users to have the ability to access files (documents, etc.) off these
various drives. (floppy, CD, USB, Zip, etc.)

So, I thought I'd enter the full path name to the allowed program in the
Group Policy. Unfortunately, this doesn't seem to work, as the programs
won't run when entering the full path name in GP.

Am I missing something here, or can you simply not enter path names in Group
Policy and have this pretty big hole in your security arrangements?

If you can't use path names, what other measures can be taken to prevent
users from running programs from unauthorized locations?

I've thought about using NTFS permissions in Computer Config portion, but
that seems like a fairly large job to enter Read/Write only permissions for
20+ other drive letters in each Group Policy OU on your system.

Just seems like there has to be an easier way to accomplish this.
TIA

Rick
 
You can either disallow executables from running or only allow certain
executables to run. The first time I used this policy I learned, as you
just did, you cannot enter the full path, you simply enter the
executable's name. It sounds like your only option may be to create a GP
that allows only certain apps/executables to run. But that can be an
administrative nightmare to keep up with.
 
I’m trying to set up the Group Policies that allow/disallow
programs to run or not. However, I’m trying to avoid the
situation where users can rename a file on another drive to a name on
the allowed list and run it. Yet, I still need users to have the
ability to access files (documents, etc.) off these various drives.
(floppy, CD, USB, Zip, etc.)

Microsoft introduced Software Restriction Policies with XP. They work
on the "version" of the program regardless of the name. However, they
only work with Windows XP Pro and not Windows 2000.

I am not sure what programs you are referring to. Most applications
usually won’t just "run" off of a separate drive. They usually have
to be installed so if your users have no admin access to install you
should be fine. My networks are locked down as tight as I can get. No
one has write access to anything except their H: and I scan that
daily for .exe files and delete them.

What are you worried about specifically - Viruses, spyware, or just
users playing games?

Cheers,

Lara
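
The daily scan of a user-writable share mentioned above, as an added example that is not part of the original posts: it identifies Windows executables by their PE header instead of the .exe extension, so a renamed program is still reported. The function names and the sample files are constructed for illustration.

```python
import os
import struct
import tempfile

def is_pe_file(path):
    """True if the file has a DOS 'MZ' header that points to a 'PE\\0\\0' signature."""
    try:
        with open(path, "rb") as f:
            dos_header = f.read(64)
            if len(dos_header) < 64 or dos_header[:2] != b"MZ":
                return False
            # e_lfanew: little-endian offset of the PE signature, stored at 0x3C
            (pe_offset,) = struct.unpack_from("<I", dos_header, 0x3C)
            f.seek(pe_offset)
            return f.read(4) == b"PE\0\0"
    except OSError:
        return False  # unreadable file: skip it rather than abort the scan

def find_executables(root):
    """Walk root and return sorted relative paths of PE files, whatever they are named."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if is_pe_file(full):
                hits.append(os.path.relpath(full, root))
    return sorted(hits)

def build_sample_tree(root):
    """Constructed sample data: a minimal PE-like stub under two names, plus decoys."""
    stub = bytearray(64)
    stub[:2] = b"MZ"
    struct.pack_into("<I", stub, 0x3C, 64)  # PE signature follows the DOS header
    stub += b"PE\0\0"
    samples = {
        "game.exe": bytes(stub),
        "report.doc": bytes(stub),         # executable renamed to look like a document
        "notes.exe": b"plain text only",   # .exe name, but not an executable
        "budget.xls": b"\xd0\xcf\x11\xe0 constructed non-PE bytes",
    }
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as f:
            f.write(data)

def demo():
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return find_executables(root)

if __name__ == "__main__":
    print(demo())
```

Plain DOS programs (MZ header only) and scripts such as .bat or .vbs are not PE files, so this check does not report them.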
 