How to block executables from non-standard installs using GPO

  • Thread starter Thread starter Tim
  • Start date Start date
T

Tim

Guest
Quick background: Windows Server 2003 Native-mode AD, XP workstations. We
have employees in our environment who do not have admin rights on their local
computer and are installing Firefox to their systems by pointing the install
path to their Documents and Settings folders. Because of this non-standard
install, the path to the Firefox executable is not consistent. I have found
a way to block access to an executable using a path restriction in Group
Policy, but is there a way to block access to an executable by name
regardless of its path? (Note: this GPO would have more applications than
just Firefox, but it is the example I'm facing right now.)


Thanks in advance.
 
Re: How to block executables from non-standard installs using GPO


"Tim" <Tim@discussions.microsoft.com> wrote in message
news:4658B0E3-D0F9-4408-BE86-EFB91FB5DDD5@microsoft.com...
> Quick background: Windows Server 2003 Native-mode AD, XP workstations.
> We
> have employees in our environment who do not have admin rights on their
> local
> computer and are installing Firefox to their systems by pointing the
> install
> path to their Documents and Settings folders. Because of this
> non-standard
> install, the path to the Firefox executable is not consistent. I have
> found
> a way to block access to an executable using a path restriction in Group
> Policy, but is there a way to block access to an executable by name
> regardless of its path? (Note: this GPO would have more applications than
> just Firefox, but it is the example I'm facing right now.)
>
>
> Thanks in advance.

If you block access to C:\Program Files\Mozilla Firefox and to firefox.exe,
how will you prevent users from invoking Firefox like so: c:\Fox\ff.exe?
What I'm trying to say is this: You may be able to block the object
folder name and the name of the executable but your users will soon
realise that they can run any application under an assumed name such
as ff.exe.
 
Re: How to block executables from non-standard installs using GPO

You can block an executable using Hash rule. The system computes SHA or MD5
hash of any executable (eg .exe or .dll) and when it is read into memory it
is blocked. It is in the same GPO (Software Restriction Policy) as Path rule
(that's what it's called when you want to block executable in certain path).


"Tim" <Tim@discussions.microsoft.com> wrote in message
news:4658B0E3-D0F9-4408-BE86-EFB91FB5DDD5@microsoft.com...
> Quick background: Windows Server 2003 Native-mode AD, XP workstations.
> We
> have employees in our environment who do not have admin rights on their
> local
> computer and are installing Firefox to their systems by pointing the
> install
> path to their Documents and Settings folders. Because of this
> non-standard
> install, the path to the Firefox executable is not consistent. I have
> found
> a way to block access to an executable using a path restriction in Group
> Policy, but is there a way to block access to an executable by name
> regardless of its path? (Note: this GPO would have more applications than
> just Firefox, but it is the example I'm facing right now.)
>
>
> Thanks in advance.
 

Similar threads

A
Windows 10 How to disallow Work or School Accounts from external organizations?
Replies
0
Views
173
Aleksiv95
A
M
This viral grocery shopping hack from TikTok is brilliant – pull it off with one $22 Amazon purchase
Replies
0
Views
85
Maren Estrada
M
D
Windows 10 After applying GPO for blocking removable devices unable to access internal HDD
Replies
0
Views
88
Daniel Baa
D
J
Why do Windows 10 laptops fail to run application that runs on Windows 10 Workstations?
Replies
0
Views
181
Jeffrey H Jacobs
J
F
Windows 10 Restricted Admin Rights in non domain PC
Replies
0
Views
117
F-Kay
F
Back
Top