Prevent executables from running on mapped network drives

Rickson1982
Hi!

In our company, we are using Windows 7 and my goal is to prevent users (also administrators) of specific workstations from running executables which are located on mapped network drives (servers).

I tried different things (e.g. Software Restriction Policies or AppLocker => in both cases I tried the UNC address as well as the drive letter to set up the rules) but nothing worked.

I would really appreciate any suggestions.

Kind regards,
Rickson1982
 

My Computer

OS
Windows 7 Professional 64Bit
Rickson1982, welcome to the windows 7 forum.

As mapped drives are just another letter in the drive listing, I don't believe that you can prevent users, especially administrators from running programs that reside on the mapped drive. If you could then all they would have to do would be to copy the executable to their local drive and run it from there.

Removing administrators rights is a tricky wicket because you might not be able to reverse changes.

You could go to the server where the maps are located and change the permissions on each of the executables.

Outside of that, I am not sure why you want to do this. Take them off the share if that's a problem.

Rich
 

My Computer

Computer type
Laptop
Computer Manufacturer/Model Number
Toshiba Laptop Qosimo X870
OS
Windows 7 Pro x64 SP1
CPU
Intel Core I7
Motherboard
Toshiba Qosmio
Memory
16 Gigs
Graphics Card(s)
NVIDIA GeForce GTX 670M
Monitor(s) Displays
17.7" laptop
Screen Resolution
1600 x 900
Hard Drives
256 Gig SanDisk SSD for C
256 Gig Intel SSD for D
Internet Speed
50/25 FIOS
Antivirus
Vipre (all you can eat for 10 machines)
Browser
IE and FF
Other Info
I have dos 6.22, wfwg 3.11, win98, 2000 and xp VHD's available for testing. MS's Virtual PC works great.
You should move the executables into a different folder, then change the permissions so they cannot even view the content of the folder.

Remember that AppLocker won't work unless the service is started on the client machine; the default is set to manual. Once it's tested and working correctly is the only time to change it to automatic.

Forgot the service
Application Identity service (AppIDSvc)
 

Hi all!
Thank you a lot for your responses.

@richnrockville:
"If you could then all they would have to do would be to copy the executable to their local drive and run it from there."
This is exactly what I want to achieve. Users (also administrators) should not be able to run any executable on the network drive.
If they have to, they must copy it to the local drive.
I also do not care if the administrators could turn off any feature that restricts them from running executables on the mapped network drive.
I simply trust them that they will not do it.

@parman:
"You should move the executables inside a different folder then change the permissions so they cannot even view the content of the folder."
This is not possible in our use case. However, I will try your hint with activating the AppLocker service.

Kind regards,
Rickson1982
 

What kind of AppLocker policy are you trying to create? If the files are digitally signed you should consider using a publisher type.
 

Hello parman!

I would like to create a permission which denies running executables for any user by defining a specific path.

The path should be the letter of the mapped network drive (e.g. K:\) or the corresponding UNC address. I do not really know what to use...

However, it is important that this condition works recursively, meaning that all subfolders which may also contain executables should be processed, too.

Setting up a condition by means of the publisher is not possible because I do not know it a priori. I want to block any executable regardless of its publisher.

Kind regards
Rickson1982
 

What happens when the user moves the file... then they can run the .exe. That's the downfall of using a path rule.
 

Hi parman!

As long as the user moves the file and runs it from the local hard disk it is not a problem.

Basically speaking: I do not want to prevent users from running executables. I only want to forbid running executables on mapped network drives.
 

Okay, well then I guess path would be fine for you. I don't remember exactly if there are any recursive options when setting it up, but I can look into it if you want. It has been a while since I worked with it.

-edit-

I wonder if you can use the * metacharacter inside the network path. I would also use the corresponding UNC address.
 

Hi parman!

You would do me a great favour because I have never worked in that field.

I will possibly go back to that problem on next Thursday.
Then I can try to realize our ideas ;)

Kind regards
Rickson1982
 

Okay, I tested it out and it worked fine.

Look at this for most of the instructions.

How to configure AppLocker Group Policy to prevent software from running - TechNet Articles - United States (English) - TechNet Wiki

When you get to conditions, choose path.

Then select Browse Folders (navigate to your share using the UNC path) and choose Next.

If you don't want any exceptions, choose Next again.

In the Description you can add "Please move files to desktop to run."

Then create. You don't need any of the default rules created.

This will update with the policy update or you can force it to update with the command gpedit /force
 

Hi parman!

Thank you a lot for your effort.

I will follow your steps and I will make sure that the Application Identity service (AppIDSvc) is running.

I will let you know about the results.

Kind regards
Rickson1982
 

Remember that you should not set the service to automatic until you have successfully tested it out. It's pretty straightforward and worked for me the first time, so if you have any issues just ask.
 

Hi parman!

Today, I tried out your solution.

It works perfectly for workstations which are on the domain.

However, it does not work for workstations which are not part of the domain (imaged workstations).

Do you have any suggestions how to deal with that problem?

Kind regards
Rickson1982
 

You will have to go into the local group policy for the pc.
 

Hi!

I think this is where I defined the rules.

I defined them here (without success):
Local Group Policy Editor / Computer Configuration / Windows Settings / Security Settings / Application Control Policies / AppLocker

Do you have any other ideas?

Do I need to change something in Local Group Policy Editor / Computer Configuration / Windows Settings / Security Settings / Local Policies?
 

1. Start menu, type gpedit.msc
2. Computer Configuration > Windows Settings > Security Settings > Application Control Policies > AppLocker.

My list and your list match up. It should work fine. Did you run gpedit /force afterwards? Remember that without forcing the update it will only update after a certain period of time.

Last thing: did you remember to start the service? Application Identity service

It will also have to be set up to automatic or it will not work after reboot, but only set it to automatic after it's been tested and working correctly.
 

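The rule-creation steps above (path condition on the UNC share, the "Please move files to desktop to run." description, the Application Identity service, the policy refresh) expressed as a script, so that the same policy can be applied as local policy on the imaged, non-domain workstations discussed in this thread. This is an added example, not code from the thread, from TechNet or from Microsoft. It assumes an elevated PowerShell on the workstation itself; `\\FILESRV01\Tools` and `tool.exe` are constructed placeholders for the share behind the mapped drive and a file on it. The refresh command is `gpupdate /force` (the thread's `gpedit /force`).

```powershell
# Added example (not from the thread): build and apply a local AppLocker
# policy that denies EXE execution from a network share, recursively, for
# every user including administrators; then start the service and verify.
# Assumptions: run elevated; \\FILESRV01\Tools is a constructed placeholder
# for the share that users see as a mapped drive letter.
Import-Module AppLocker

$Share      = '\\FILESRV01\Tools'                  # placeholder UNC path of the mapped drive
$PolicyFile = Join-Path $env:TEMP 'deny-share-exe.xml'

# AppLocker rule IDs must be GUIDs; fresh ones are generated on each run.
$DenyId   = [System.Guid]::NewGuid().ToString()
$AllowPF  = [System.Guid]::NewGuid().ToString()
$AllowWin = [System.Guid]::NewGuid().ToString()

# S-1-1-0 is Everyone. The trailing \* covers every subfolder, which is what
# makes the path condition recursive. Deny rules win over Allow rules, so
# administrators are blocked on the share too. The two Allow rules are kept
# because once a collection contains any rule, AppLocker blocks whatever is
# not explicitly allowed; without them nothing on the workstation would run.
$Xml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="Enabled">
    <FilePathRule Id="$DenyId" Name="Deny executables on $Share"
        Description="Please move files to desktop to run."
        UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions><FilePathCondition Path="$Share\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$AllowPF" Name="Allow Program Files"
        Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$AllowWin" Name="Allow Windows folder"
        Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"@
Set-Content -Path $PolicyFile -Value $Xml -Encoding UTF8

# Dry run: evaluate the policy against an existing file on the share before
# anything is enforced. 'tool.exe' is a placeholder name.
$Sample = Join-Path $Share 'tool.exe'
if (Test-Path $Sample) {
    Test-AppLockerPolicy -XmlPolicy $PolicyFile -Path $Sample -User Everyone |
        Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize
}

# Apply as the local computer's AppLocker policy (no -Ldap, so it lands in
# local policy; no -Merge, so it replaces any existing local AppLocker rules).
Set-AppLockerPolicy -XmlPolicy $PolicyFile

# Nothing is enforced until the Application Identity service (AppIDSvc) runs.
# As the thread advises, leave the startup type on Manual until the rule
# behaves, then make it Automatic so enforcement survives a reboot.
Start-Service -Name AppIDSvc
# Set-Service -Name AppIDSvc -StartupType Automatic   # only after testing

# Refresh Group Policy now rather than waiting for the next refresh interval.
gpupdate /force

# Verify from the log: AppLocker records one event per decision in this
# channel. 8004 = blocked, 8003 = would have been blocked (audit only),
# 8002 = allowed.
Get-WinEvent -LogName 'Microsoft-Windows-AppLocker/EXE and DLL' -MaxEvents 50 |
    Where-Object { $_.Id -eq 8004 -or $_.Id -eq 8003 } |
    Select-Object TimeCreated, Id, Message | Format-List
```

Two checks worth making when a policy like this appears to do nothing: the rules must be evaluated by a running Application Identity service, and AppLocker rules are only enforced on the Windows 7 Enterprise and Ultimate editions (and Windows Server 2008 R2); on Windows 7 Professional they can be authored in the policy editor but are not applied, which is consistent with rules that look correct yet never block. As the thread accepts, a user who copies the file to a local disk can still run it; the rule only covers the share path.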
Hi!

I did all the steps exactly as you mentioned. Without success.

I think there may be some other settings missing...
 

Any way you could get me screenshots of the configuration? I just did it again using a network drive (UNC path) and it worked flawlessly.
 

Hi!

What configuration do you think could be interesting?

I am sure that the configuration of the AppLocker rules is correct.

As I said the workstation does not belong to the domain and has been set up by means of an image. Maybe there are some other security or general settings wrong which are required by AppLocker to function correctly...
 
