Windows 7 Forums
Welcome to Windows 7 Forums. Our forum is dedicated to helping you find support and solutions for any problems regarding your Windows 7 PC be it Dell, HP, Acer, Asus or a custom build. We also provide an extensive Windows 7 tutorial section that covers a wide range of tips and tricks.


Windows 7: Prevent executables from running on mapped network drives

12 Jan 2013   #1

Windows 7 Professional 64Bit
 
 
Prevent executables from running on mapped network drives

Hi!

In our company, we are using Windows 7 and my goal is to prevent users (also administrators) of specific workstations from running executables which are located on mapped network drives (servers).

I tried different things (e.g. Software Restriction Policies or Applocker => in both cases I tried the UNC address as well as the drive letter to set up the rules) but nothing worked.

I would really appreciate any suggestions.

Kind regards,
Rickson1982


My System SpecsSystem Spec
.

13 Jan 2013   #2

Windows 7 Pro x64 SP1
 
 

Quote   Quote: Originally Posted by Rickson1982 View Post
Hi!

In our company, we are using Windows 7 and my goal is to prevent users (also administrators) of specific workstations from running executables which are located on mapped network drives (servers).

I tried different things (e.g. Software Restriction Policies or Applocker => in both cases I tried the UNC address as well as the drive letter to set up the rules) but nothing worked.

I would really appreciate any suggestions.

Kind regards,
Rickson1982
Rickson1982, welcome to the windows 7 forum.

As mapped drives are just another letter in the drive listing, I don't believe that you can prevent users, especially administrators from running programs that reside on the mapped drive. If you could then all they would have to do would be to copy the executable to their local drive and run it from there.

Removing administrators rights is a tricky wicket because you might not be able to reverse changes.

you could go to the server where the maps are located and change the permissions on each of the executables.

outside of that, I am not sure why you want to do this.. Take them off the share if that's a problem.

Rich
My System SpecsSystem Spec
13 Jan 2013   #3

Windows 7 Ultimate x64
 
 

You should move the executables inside a different folder then change the permissions so they cannot even view the content of the folder.

Remember that applocker wont work unless the service is started on the client machine default is set to manual. Once its tested and working correctly is the only time to change it to automatic.

Forgot the service
Application Identity service (AppIDSvc)
My System SpecsSystem Spec
.


14 Jan 2013   #4

Windows 7 Professional 64Bit
 
 

Hi all!
Thank you a lot for your responses.

@richnrockville:
"If you could then all they would have to do would be to copy the executable to their local drive and run it from there."
This is exactly what I want to archieve. Users (also administrators) should not be able to run any executable on the network drive.
If they have to, they must copy it to the local drive.
I also do not care if the administrators could turn-off any feature that restricts them not tu run executables on the mapped network drive.
I simply trust them that they will not do it.

@parman:
"You should move the executables inside a different folder then change the permissions so they cannot even view the content of the folder."
This is not possible in our use case. However, I will try your hint with activating the applocker service.

Kind regards,
Rickson1982
My System SpecsSystem Spec
14 Jan 2013   #5

Windows 7 Ultimate x64
 
 

What kind of applocker policy are you trying to create? If the files are digitally signed you should consider using a publisher type.
My System SpecsSystem Spec
14 Jan 2013   #6

Windows 7 Professional 64Bit
 
 

Hello parman!

I would like to create a permission which denies running executables for any user by defining a specific path.

The path should be the letter of the mapped network drive (e.g. K:\) or the corresponding UNC address. I do not really know what to use...

However, it is important that that this condition works recursively meaning that all subfolders which may also contain executables should be processed, too.

Setting up a condition by means of the publisher is not possible because I do not know it a priori. I want to block any executable regardless of its publisher.

Kind regards
Rickson 1982
My System SpecsSystem Spec
14 Jan 2013   #7

Windows 7 Ultimate x64
 
 

What happens when the user moves the file... then they can run the .exe That's the downfall of using a path rule.
My System SpecsSystem Spec
14 Jan 2013   #8

Windows 7 Professional 64Bit
 
 

Hi parman!

As long as the user moves the file and runs it from the local hard disc it is not a problem.

Basically speaking: I do not want to prevent users from running executables. I only want to forbid running executables on mapped network drives.
My System SpecsSystem Spec
14 Jan 2013   #9

Windows 7 Ultimate x64
 
 

Okay, well then i guess path would be fine for you. I dont remember exactly if there are any recursive options when setting it up but i can look into it if you want. I has been a while since i worked with it.

-edit-

I wonder if you can use the * metacharacter inside the network path. I would also use the corresponding UNC address.
My System SpecsSystem Spec
14 Jan 2013   #10

Windows 7 Professional 64Bit
 
 

Hi parman!

You would do me a great favour because I have never worked in that field.

I will possibly go back to that problem on next Thursday.
Than I can try to realize our ideas

Kind regards
Rickson1982
My System SpecsSystem Spec
Reply

 Prevent executables from running on mapped network drives




Thread Tools



Similar help and support threads for2: Prevent executables from running on mapped network drives
Thread Forum
.bat for migrating mapped network drives? Network & Sharing
mapped network drives without drive letters Network & Sharing
Manually mapped network drives Network & Sharing
Why don't m$ make it so disconnected mapped network drives Hardware & Devices
1 of 3 Mapped Network Drives not showing up Network & Sharing
Prevent users from running executables from usb sticks Customization
Mapped network drives are lost Network & Sharing

Our Sites

Site Links

About Us

Find Us

Windows 7 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 7" and related materials are trademarks of Microsoft Corp.

Designer Media Ltd

All times are GMT -5. The time now is 12:20 AM.
Twitter Facebook Google+



Windows 7 Forums

Seven Forums Android App Seven Forums IOS App
  

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33