darkevilent Posted June 26, 2007 Share Posted June 26, 2007 hi i am a system admin for a large high school in Australia and i am trying to find a way to block exes files that students bring to school on there usb drives does any one know a way to stop them from running on the computers i have placed on programs restrictions and they have bypassed it by simply change the name of the program. could any one help me?? thanks Adrian Quote Link to comment Share on other sites More sharing options...
GonZor Posted June 26, 2007 Share Posted June 26, 2007 You could setup a policy to block programs running unless they are in a certain location, eg block all programs that aren't located in the "C:Program Files" folder, or create a list of programs on your computers and and deny all exes from running unless their hash matches one in the list. The first way is easily bypassed if students are smart enough to realise, The later becomes an issue when you have a programming class that need to make exes. Someone may be able to build on this, to over come the problems. Quote Link to comment Share on other sites More sharing options...
VaKo Posted June 26, 2007 Share Posted June 26, 2007 Look at a program called USB Lock. Quote Link to comment Share on other sites More sharing options...
F8Junkie Posted June 26, 2007 Share Posted June 26, 2007 Yes, I'd also recommend Group Policies if you're running a Windows environment. Or Local Security Policies might work better. You can find these in the Administrative Tools Folder in the control panel. Or if you don't want students using USB devices at all, there is always the old fill the port with hot glue trick. Quote Link to comment Share on other sites More sharing options...
darkevilent Posted June 26, 2007 Author Share Posted June 26, 2007 i was think about only allowing for programs that are is the "C:Program Files" but there are 5 class of computer programing and they make exe files and there are lost of students that bring there school work on there usb's to print it off at school. Quote Link to comment Share on other sites More sharing options...
VaKo Posted June 27, 2007 Share Posted June 27, 2007 That is a problem, if you don't know which exe's you want to allow you can't opt for a form of white listing. You could look at blacklisting certain applications but since you have people making exe's on the systems they can just tweak the source or code there own nasty apps to avoid the black list. So look at a product called Deepfreeze. While it won't stop them running anything they want (ie the exe's they make), it will allow you to rule out things like sniffers or viruses being resident in the systems if you schedule a daily reboot for the students workstations. Then make it clear to everyone that *anything* not kept in there network storage and/or usb disks will be lost. http://en.wikipedia.org/wiki/Deep_Freeze_(software) http://www.faronics.com/html/deepfreeze.asp Ultimately though, if you cannot control exactly what they run you will always have the risk of comprised systems on your network but with this method you would be able to limit the scope of damage significantly and mitigate the risk of unscheduled downtime. Quote Link to comment Share on other sites More sharing options...
GonZor Posted June 27, 2007 Share Posted June 27, 2007 So look at a product called Deepfreeze. Another option would be HDGuard, I am from Australia and several schools I know use this. i was think about only allowing for programs that are is the "C:Program Files" but there are 5 class of computer programing and they make exe files and there are lost of students that bring there school work on there usb's to print it off at school. Is there a need for them to make executables? If they are learning something like visual basic the don't need to make the executable they can test their program through the debug mode and I'm sure the teachers don't need an exe to mark they would need to look at the source code. I would definately make a list of programs you don't want run and add the hash to the black listed programs through group policy. School kids tend to find fad games all the time, they play it for a month then find something better so it may be an idea if all the schools in your region do something similar and create a combined list of black listed games. This would keep an up to date list of all the current games and will slow the kids down. Quote Link to comment Share on other sites More sharing options...
F8Junkie Posted June 29, 2007 Share Posted June 29, 2007 Deepfreeze. Ahhhh, that brings back some memories for me. Good program to keep naive users from accidentally destroying their systems. Contray to what VaKo said,you can set it up with what's called a "thawed" folder were users are able to save data to that wouldn't be destroyed on reboot. Last experience I had with it (5+ years ago, I think?) to proved extremely hard to circumvent. Good program, but I don't think it's exactly what you're looking for, or maybe it is. ::shrug:: Quote Link to comment Share on other sites More sharing options...
mubix Posted June 29, 2007 Share Posted June 29, 2007 How I would do it was to disable all USB ports (via BIOS or G.L.U.E.) and make a network share for the students to store legit computer science projects on. Quote Link to comment Share on other sites More sharing options...
F8Junkie Posted July 2, 2007 Share Posted July 2, 2007 Maybe remove the USB Generic Storage Drivers? Quote Link to comment Share on other sites More sharing options...
natural_orange Posted July 4, 2007 Share Posted July 4, 2007 Thats a really hard problem to stop. Make a program that deletes all the .exe files off of the removable drive when it is inserted? only problem with that is if they rename the file and copy it somewhere else and change the name... you could also just find a handfull of kids that are doing it, give them a month suspension from computer access to make and example out them and then mabey people will be to scared to run there own exes? Quote Link to comment Share on other sites More sharing options...
elmer Posted July 10, 2007 Share Posted July 10, 2007 Make a program that deletes all the .exe files off of the removable drive when it is inserted? NO! DO NOT DO THAT! You will have a freaking ton of people angry at you if you do that. I would be angry if this happened. Quote Link to comment Share on other sites More sharing options...
moonlit Posted July 10, 2007 Share Posted July 10, 2007 You could just write a program to open the exes (open, not run) which would lock the files. Quote Link to comment Share on other sites More sharing options...
Sparda Posted July 10, 2007 Share Posted July 10, 2007 You could just write a program to open the exes (open, not run) which would lock the files. associate the exe extension with notepad? :P Quote Link to comment Share on other sites More sharing options...
F8Junkie Posted July 11, 2007 Share Posted July 11, 2007 You could just write a program to open the exes (open, not run) which would lock the files. associate the exe extension with notepad? :P Wouldn't that cause notepad to try and open notepad with notepad that would try and open notepad with notepad ....... Quote Link to comment Share on other sites More sharing options...
Anthrax Posted July 23, 2007 Share Posted July 23, 2007 i think if you did that windows would try and run in notepad. lol Quote Link to comment Share on other sites More sharing options...
moonlit Posted July 23, 2007 Share Posted July 23, 2007 Not "notepad exenamehere.exe", I meant write a small app to do it, it's rather easy, I might do it later if I get bored. Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.