Posted by Karl Levinson on May 17, 2006, 10:35 am
I believe McAfee Virusscan 8 lets you do this. There are probably other
ways as well, involving third party software. SRP is the only way I can
think of without adding non-Microsoft software.
You are correct that you could also run a script that just monitors for the
existence of such files. A simple DIR in a batch file, perhaps, with FIND
and/or FC commands to filter permitted files out of the results.
You might also be able to use local group policy to change the NTFS file
permissions on all files except for permitted file extensions, e.g. have one
that removes all permissions for *.* in certain folders, then another one
that adds permissions allowing access to *.lnk etc. With this method, you
could probably write forbidden files to the drive and access them for maybe
half an hour, but then the permissions would be revoked on the files.
You don't want to push large amounts of NTFS file permissions via AD group
policy, but you can run a script that uses the SECEDIT command to import and
apply a security template / database you created using MMC.EXE and the
Security Templates and Security Configuration and Analysis add-ins. Be
careful and test thoroughly, as this is a good way to screw up all the
systems on your network simultaneously.
>I have thought about SRP. But it is way too restrictive. I am just not sure
>if there is a better way. Maybe soft restrictions where we would just
>monitor and modify the hard set policies accordingly. I don't know. It would
>be nice to get an official response as to why this isn't being addressed by
>MS. My initial thought was simply that I might have missed something
>between Server SP 1 and R2.
>
> ac
>
>
>> The closest you probably could come within the native operating system is
>> to use Software Restriction Policies that is available in XP Pro and
>> Windows 2003 where you can use path, hash and certificate rules and also
>> modify the designated file types list. The link below explains how to use
>> and deploy Software Restriction Policies. FYI, any user that is a local
>> administrator can bypass SRP by booting the computer into Safe Mode. SRP
>> should not be implemented, however, without extensive testing to make sure
>> the rules work as planned and do not overly restrict the user. Also desktop
>> shortcuts [.lnk files] by default are included in the designated file
>> types. When tweaking SRP it will help to check the application log for
>> SRP events if problems arise and also use the free filemon tool from
>> SysInternals to see what files are accessed/executed when a user tries to
>> run an application. --- Steve
>>
>> -- Software Restriction Policies
>>
>>> Is there a way to lock down all file types with the exception of a
>>> "whitelist" on a Windows Server?
>>> I want to actually specify what file extensions are allowed to execute
>>> on a server. I.E. .exe, .doc, .xls but I want to block everything else.
>>>
>>> TIA
>>>
>>> Alex
>>>
>>
>>
>
>
>
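The monitoring script Karl sketches (a DIR listing with permitted files filtered out, and FC against the previous listing to spot new ones) written out in Python as an added example, not code from anyone in this thread. The whitelist, the sample files and the temp directory are constructed for the demo; extension matching is case-insensitive, and a file with no extension at all is reported too, since it also falls outside the whitelist.

```python
"""Directory-scan monitor: report files whose extension is not on a whitelist,
and which of those are new since the previous scan (the DIR + FIND/FC idea
from the post). Added example, not code from the thread."""
import os
import tempfile

# Hypothetical whitelist for this example; mirrors the question's .exe/.doc/.xls
# plus the .lnk shortcuts the thread mentions.
ALLOWED_EXTENSIONS = {".exe", ".doc", ".xls", ".lnk"}


def find_disallowed(root, allowed=ALLOWED_EXTENSIONS):
    """Return sorted relative paths (forward slashes) under root whose extension
    is not in the whitelist. Comparison is case-insensitive, as on Windows
    filesystems; a file with no extension is reported as well."""
    allowed_lower = {e.lower() for e in allowed}
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            ext = os.path.splitext(name)[1].lower()
            if ext not in allowed_lower:
                rel = os.path.relpath(os.path.join(dirpath, name), root)
                hits.append(rel.replace(os.sep, "/"))
    return sorted(hits)


def new_since_baseline(current, baseline):
    """Like FC on two DIR listings: entries present now but not in the baseline."""
    return sorted(set(current) - set(baseline))


def demo():
    """Build a constructed sample tree in a temp dir and run both checks."""
    with tempfile.TemporaryDirectory() as root:
        for rel in ["app.exe", "report.DOC", "notes.txt", "sub/tool.vbs", "sub/README"]:
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            open(path, "w").close()
        first = find_disallowed(root)  # simulated earlier scan (the baseline)
        # A file that shows up between scans, as a dropped script would
        open(os.path.join(root, "sub", "drop.bat"), "w").close()
        second = find_disallowed(root)
        return second, new_since_baseline(second, first)


if __name__ == "__main__":
    flagged, new = demo()
    print("Disallowed:", flagged)
    print("New since baseline:", new)
```

Scheduling this against the folders in question gives the "soft restriction" ac asks about: nothing is blocked, but anything outside the whitelist is reported on each run.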