GPO Software Restriction Policy

Question

Just a quick little question here, i am trying to block exe's and such from running from users home drives but running into problems. Sure I can add a hash rule for all the exe's but this is tedious work. I can add a path rule as "H:*.exe" and this works, but only on the H:\ drive, if the exe is in "H:\SomeFolder2949\" then it isn't blocked. I tried wildcards etc as "H:**.exe" but this doesn't work... it specifically states on a technet artcile the following:

When a path rule specifies a folder, it matches any program
contained in that folder and any programs contained in subfolders.

and that to me says it will match anything in the folder and subfolders...then it goes on to contradict itself and says...

The administrator must define all directories for launching a 
specific application in the path rule. For example, if the 
administrator creates a shortcut on the desktop to launch 
an application, then in the path rule, the administrator 
must also grant the user Read access rights to both the 
executable file and the shortcut paths to run the application. 
If all the path information necessary for launching the 
application in the path rule is not defined, it can trigger 
the Software Restricted warning when the user attempts to run 
the application.

So I am confused....can i get path rules to match on subfolders or not? If so, how?

Thanks.

score 2 · Answer 1 · answered Mar 21 '12 at 19:29

2

If you are running windows 2008 R2, you can use file screening to prevent the .exe to even be there.

answered Mar 21 '12 at 19:29

ZEDA-NL

846
1
6
13

Unfortunately we are still using 2003 for now... – John Mar 21 '12 at 19:44
File screens are available in 2003r2 – jscott Jul 14 '12 at 00:59

score 2 · Answer 2 · edited Apr 13 '17 at 12:14

The note from Microsoft about all subfolders only applies if you specify just a folder, for example C:\Users. This blocks all executables in all subfolders.

But as you correctly noted, if you specify C:\Users*.exe to block only files with extension exe, they are only locked in C:\Users, not for example in C:\Users\Tom.

I do not have an answer for this either, sorry. Same question is also here: Windows - Software restriction policy to block exe files in all subdirectories Unfortunately the only answer there does not answer the question.

By the way the other issue regarding LNK files, in the second cite from Microsoft, can be solved by removing LNK files from the list files that are affected by SRP.

GPO Software Restriction Policy

2 Answers2