Prevent executables from running on mapped network drives


  1. Posts : 19
    Windows 7 Professional 64Bit
       #1

    Prevent executables from running on mapped network drives


    Hi!

    In our company, we are using Windows 7 and my goal is to prevent users (also administrators) of specific workstations from running executables which are located on mapped network drives (servers).

    I tried different things (e.g. Software Restriction Policies or AppLocker => in both cases I tried the UNC address as well as the drive letter to set up the rules) but nothing worked.

    I would really appreciate any suggestions.

    Kind regards,
    Rickson1982


  2. Posts : 1,800
    Windows 7 Pro x64 SP1
       #2

    Rickson1982 said:
    Hi!

    In our company, we are using Windows 7 and my goal is to prevent users (also administrators) of specific workstations from running executables which are located on mapped network drives (servers).

    I tried different things (e.g. Software Restriction Policies or AppLocker => in both cases I tried the UNC address as well as the drive letter to set up the rules) but nothing worked.

    I would really appreciate any suggestions.

    Kind regards,
    Rickson1982
    Rickson1982, welcome to the Windows 7 forum.

    As mapped drives are just another letter in the drive listing, I don't believe that you can prevent users, especially administrators, from running programs that reside on the mapped drive. If you could, then all they would have to do would be to copy the executable to their local drive and run it from there.

    Removing administrators' rights is a tricky wicket because you might not be able to reverse changes.

    You could go to the server where the maps are located and change the permissions on each of the executables.

    Outside of that, I am not sure why you want to do this. Take them off the share if that's a problem.

    Rich


  3. Posts : 881
    Windows 7 Ultimate x64
       #3

    You should move the executables inside a different folder, then change the permissions so they cannot even view the content of the folder.

    Remember that AppLocker won't work unless the service is started on the client machine; the default is set to manual. Once it's tested and working correctly is the only time to change it to automatic.

    Forgot the service
    Application Identity service (AppIDSvc)


  4. Posts : 19
    Windows 7 Professional 64Bit
    Thread Starter
       #4

    Hi all!
    Thank you a lot for your responses.

    @richnrockville:
    "If you could then all they would have to do would be to copy the executable to their local drive and run it from there."
    This is exactly what I want to achieve. Users (also administrators) should not be able to run any executable on the network drive.
    If they have to, they must copy it to the local drive.
    I also do not care if the administrators could turn off any feature that restricts them not to run executables on the mapped network drive.
    I simply trust them that they will not do it.

    @parman:
    "You should move the executables inside a different folder then change the permissions so they cannot even view the content of the folder."
    This is not possible in our use case. However, I will try your hint with activating the AppLocker service.

    Kind regards,
    Rickson1982


  5. Posts : 881
    Windows 7 Ultimate x64
       #5

    What kind of AppLocker policy are you trying to create? If the files are digitally signed you should consider using a publisher type.


  6. Posts : 19
    Windows 7 Professional 64Bit
    Thread Starter
       #6

    Hello parman!

    I would like to create a permission which denies running executables for any user by defining a specific path.

    The path should be the letter of the mapped network drive (e.g. K:\) or the corresponding UNC address. I do not really know what to use...

    However, it is important that this condition works recursively, meaning that all subfolders which may also contain executables should be processed, too.

    Setting up a condition by means of the publisher is not possible because I do not know it a priori. I want to block any executable regardless of its publisher.

    Kind regards
    Rickson 1982


  7. Posts : 881
    Windows 7 Ultimate x64
       #7

    What happens when the user moves the file... then they can run the .exe. That's the downfall of using a path rule.


  8. Posts : 19
    Windows 7 Professional 64Bit
    Thread Starter
       #8

    Hi parman!

    As long as the user moves the file and runs it from the local hard disc it is not a problem.

    Basically speaking: I do not want to prevent users from running executables. I only want to forbid running executables on mapped network drives.


  9. Posts : 881
    Windows 7 Ultimate x64
       #9

    Okay, well then I guess path would be fine for you. I don't remember exactly if there are any recursive options when setting it up but I can look into it if you want. It has been a while since I worked with it.

    -edit-

    I wonder if you can use the * metacharacter inside the network path. I would also use the corresponding UNC address.
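    The path-rule approach discussed in posts #6 to #9, written out as an added example (not code from any poster in this thread): an AppLocker policy that allows executables everywhere and denies them under a UNC share, loaded in audit mode first. The share name and sample file are hypothetical placeholders, and it assumes a Windows edition on which AppLocker is enforced (on Windows 7, Enterprise or Ultimate).

```powershell
# Added example. Placeholder values: replace with the UNC root behind the mapped drive.
$ShareRoot  = '\\fileserver.example\share'               # hypothetical share
$SampleExe  = Join-Path $ShareRoot 'tools\setup.exe'      # hypothetical existing file
$PolicyFile = Join-Path $env:TEMP 'deny-network-exe.xml'

Import-Module AppLocker

# Once a rule collection contains any rule, everything not explicitly allowed is
# blocked, so the deny rule is paired with an allow-all rule. Deny wins over allow.
# The trailing \* makes the deny rule cover every subfolder of the share.
# S-1-1-0 is Everyone, which includes administrators.
$xml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
    <FilePathRule Id="$([guid]::NewGuid())" Name="Allow all paths" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="Deny executables on share" Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions><FilePathCondition Path="$ShareRoot\*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"@
Set-Content -Path $PolicyFile -Value $xml -Encoding UTF8

# Rules are only evaluated while the Application Identity service is running.
if ((Get-Service -Name AppIDSvc).Status -ne 'Running') {
    Start-Service -Name AppIDSvc
}

# Dry run: ask AppLocker what it would decide for a file on the share.
if (Test-Path $SampleExe) {
    Test-AppLockerPolicy -XmlPolicy $PolicyFile -Path $SampleExe -User Everyone |
        Format-List FilePath, PolicyDecision, MatchingRule
}

# Merge into the local policy. With AuditOnly nothing is blocked yet.
Set-AppLockerPolicy -XmlPolicy $PolicyFile -Merge

# Event 8003 = "would have been blocked" (audit), 8004 = blocked (enforced).
Get-WinEvent -LogName 'Microsoft-Windows-AppLocker/EXE and DLL' -ErrorAction SilentlyContinue |
    Where-Object { $_.Id -eq 8003 -or $_.Id -eq 8004 } |
    Select-Object -First 20 TimeCreated, Id, Message
```

    After the audit events show only the intended files, change EnforcementMode to Enabled and apply the policy again.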


  10. Posts : 19
    Windows 7 Professional 64Bit
    Thread Starter
       #10

    Hi parman!

    You would do me a great favour because I have never worked in that field.

    I will possibly go back to that problem on next Thursday.
    Then I can try to realize our ideas.

    Kind regards
    Rickson1982


 