Windows Under Control: Forbidding .EXEs

The default settings of most Windows versions are rather relaxed: most actions are allowed to users by default. However, when users should be restricted in their choice of actions, several specific steps must be taken. This is especially important in multi-user environments such as schools and high-school computer classes. SysAdm Blog describes one technique for preventing users from arbitrarily running any executable in Disallowing .EXE’s in a WindowsXP/2003 Environment.

The exact recipe: we recently had a problem with students running a host of different executable files on the computers managed by IT services. One of the favorite tools was one called Bosskey. This allowed students to have several virtual desktops and allow them to switch using a simple keystroke. Think of it like Alt+Tab, but the window doesn’t appear in the taskbar.

As well as this, students would be playing games that they had stored in their folders and on flash drives. It is easy to remove games from students' folders, but practically impossible to remove games from the students' flash drives. Not really sure where to start with this, I had a look around for group policies that might be able to help me out. And what would you know, Microsoft had delivered.

Before I go into too much detail, I'll explain the background of our setup. Each student has a unique user name and password to log into the domain environment. Their desktop and My Documents folders are redirected to a UNC path \\files\student\yearX\username\documents and \\files\student\yearX\username\desktop. This is the only remote place that they have read and write access to, as well as a directory, c:\temp. As well as this, whenever a student logs into the computer it generates a folder in documents and settings, c:\Documents and Settings\username. Although they are using a mandatory profile, Windows XP will generate a local profile once they log in. This is another place where the students can now read and write to. To summarize this, listed below are the only places where students can read and write.

* \\files\student\yearX\username
* C:\temp
* C:\Documents and Settings
* Any USB drive that is plugged into the computer

Once we have identified where the students can write to, we can open the Group Policy Management console and create a new policy. You can make this domain wide so that it applies to everyone, or select individual organisational units of either user or computer accounts. This policy can be applied to either users or computers, so you can take your pick. I will be describing this on a per-computer basis, located in the root of the OU where all the computer accounts are located.

Create a group policy object called “Software restriction” and edit it. Right click on Software Restriction and click Create new policies.

The set of file types that Windows defaults to is quite restrictive. It includes .lnk’s (Shortcuts) and some Access and VB components. We want to remove these file types from being restricted, so open Designated File Types.

Remove any types that you don’t want included and then click OK. As mentioned earlier, you will want to remove LNK file types and a few others as well. You could remove everything except EXE files, but to be safe we will leave most file types there.

The rest is simple: apply all the new restrictions to All users, and from then on they are limited in their actions. There are other problems, of course, that a network administrator's daily schedule should keep in mind, yet the main rule must be this one: nothing should be allowed by default, only explicitly.
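As an added check that is not part of the original post or the SysAdm Blog recipe, the following PowerShell script reads the Software Restriction Policy that Group Policy writes to the registry on a domain member and reports what is actually in force: the default security level, the enforcement scope, the designated file types and every path rule. It assumes a per-computer policy (so the HKLM branch) and the documented Safer\CodeIdentifiers registry layout; the list of student-writable locations is constructed from the post above, with E:\ standing in for a USB drive.

```powershell
# Added verification script (not from the original post). Reads the Software
# Restriction Policy that Group Policy writes to the registry on a domain member
# (per-computer policy, so HKLM) and reports what is actually in force.
$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$levelNames = @{ 0 = 'Disallowed'; 131072 = 'Basic User'; 262144 = 'Unrestricted' }

# Locations the post lists as writable by students (constructed from the article).
$studentWritable = @('\\files\student\yearX\username', 'C:\temp',
                     'C:\Documents and Settings', 'E:\')   # E:\ stands in for a USB drive

if (-not (Test-Path $base)) {
    Write-Warning "No SRP found at $base. Run gpupdate /force or check the policy scope."
    return
}

$ci = Get-ItemProperty -Path $base
$default = $levelNames[[int]$ci.DefaultLevel]
Write-Host ('Default security level : {0}' -f $default)
Write-Host ('Applies to             : {0}' -f $(if ($ci.PolicyScope -eq 1) { 'all users except local administrators' } else { 'all users' }))
Write-Host ('Designated file types  : {0}' -f ($ci.ExecutableTypes -join ', '))
if ($ci.ExecutableTypes -contains 'LNK') {
    Write-Warning 'LNK is still a designated file type; desktop and Start Menu shortcuts will be blocked.'
}
if ($default -ne 'Disallowed') {
    Write-Warning "Default level is $default, so executables in student-writable folders still run."
}

# Path rules are stored as <level>\Paths\<GUID> with the path in ItemData.
$unrestricted = @()
foreach ($lvl in $levelNames.Keys) {
    Get-ChildItem -Path "$base\$lvl\Paths" -ErrorAction SilentlyContinue | ForEach-Object {
        $item = [string](Get-ItemProperty -Path $_.PSPath).ItemData
        $rule = [Environment]::ExpandEnvironmentVariables($item)
        Write-Host ('  {0,-12} {1}' -f $levelNames[$lvl], $rule)
        if ($lvl -eq 262144) { $unrestricted += $rule }
    }
}

# An Unrestricted rule that covers a student-writable location defeats the policy.
foreach ($loc in $studentWritable) {
    foreach ($rule in $unrestricted) {
        if ($rule -and ($loc -like ($rule.TrimEnd('\') + '*'))) {
            Write-Warning "Student-writable '$loc' is covered by Unrestricted rule '$rule'."
        }
    }
}
```

Run it on a workstation after gpupdate; registry-based rules such as %SystemRoot% remain unexpanded in the listing, which is expected.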

This article was brought to you by the developers of IPHost Network Monitor, network and server monitoring software.
