Windows 7: Prevent executables from running on mapped network drives

Hi!

In our company, we are using Windows 7 and my goal is to prevent users (also administrators) of specific workstations from running executables which are located on mapped network drives (servers).

I tried different things (e.g. Software Restriction Policies or Applocker => in both cases I tried the UNC address as well as the drive letter to set up the rules) but nothing worked.



I would really appreciate any suggestions.

Kind regards,
Rickson1982

Rickson1982, welcome to the windows 7 forum.

As mapped drives are just another letter in the drive listing, I don't believe that you can prevent users, especially administrators from running programs that reside on the mapped drive. If you could then all they would have to do would be to copy the executable to their local drive and run it from there.

Removing administrators rights is a tricky wicket because you might not be able to reverse changes.

you could go to the server where the maps are located and change the permissions on each of the executables.

outside of that, I am not sure why you want to do this.. Take them off the share if that's a problem.

Rich

You should move the executables inside a different folder then change the permissions so they cannot even view the content of the folder.

Remember that applocker wont work unless the service is started on the client machine default is set to manual. Once its tested and working correctly is the only time to change it to automatic.

Forgot the service
Application Identity service (AppIDSvc)

Hi all!
Thank you a lot for your responses.

@richnrockville:
"If you could then all they would have to do would be to copy the executable to their local drive and run it from there."
This is exactly what I want to archieve. Users (also administrators) should not be able to run any executable on the network drive.
If they have to, they must copy it to the local drive.
I also do not care if the administrators could turn-off any feature that restricts them not tu run executables on the mapped network drive.
I simply trust them that they will not do it.

@parman:
"You should move the executables inside a different folder then change the permissions so they cannot even view the content of the folder."
This is not possible in our use case. However, I will try your hint with activating the applocker service.

Kind regards,
Rickson1982

What kind of applocker policy are you trying to create? If the files are digitally signed you should consider using a publisher type.

Hello parman!

I would like to create a permission which denies running executables for any user by defining a specific path.

The path should be the letter of the mapped network drive (e.g. K:\) or the corresponding UNC address. I do not really know what to use...

However, it is important that that this condition works recursively meaning that all subfolders which may also contain executables should be processed, too.

Setting up a condition by means of the publisher is not possible because I do not know it a priori. I want to block any executable regardless of its publisher.

Kind regards
Rickson 1982

What happens when the user moves the file... then they can run the .exe That's the downfall of using a path rule.

Hi parman!

As long as the user moves the file and runs it from the local hard disc it is not a problem.

Basically speaking: I do not want to prevent users from running executables. I only want to forbid running executables on mapped network drives.

Okay, well then i guess path would be fine for you. I dont remember exactly if there are any recursive options when setting it up but i can look into it if you want. I has been a while since i worked with it.

-edit-

I wonder if you can use the * metacharacter inside the network path. I would also use the corresponding UNC address.

Hi parman!

You would do me a great favour because I have never worked in that field.

I will possibly go back to that problem on next Thursday.
Than I can try to realize our ideas

Kind regards
Rickson1982