Jump to content

how to block remote exe files


darkevilent
 Share

Recommended Posts

hi i am a system admin for a large high school in Australia and i am trying to find a way to block exes files that students bring to school on there usb drives does any one know a way to stop them from running on the computers i have placed on programs restrictions and they have bypassed it by simply change the name of the program.  could any one help me??

thanks

Adrian

Link to comment
Share on other sites

You could setup a policy to block programs running unless they are in a certain location, eg block all programs that aren't located in the "C:Program Files" folder, or create a list of programs on your computers and and deny all exes from running unless their hash matches one in the list. The first way is easily bypassed if students are smart enough to realise, The later becomes an issue when you have a programming class that need to make exes. Someone may be able to build on this, to over come the problems.

Link to comment
Share on other sites

Yes, I'd also recommend Group Policies if you're running a Windows environment.  Or Local Security Policies might work better.

You can find these in the Administrative Tools Folder in the control panel.

Or if you don't want students using USB devices at all, there is always the old fill the port with hot glue trick.

Link to comment
Share on other sites

i was think about only allowing for programs that are is the "C:Program Files" but there are 5 class of computer programing and they make exe files and there are lost of students that bring there school work on there usb's to print it off at school.

Link to comment
Share on other sites

That is a problem, if you don't know which exe's you want to allow you can't opt for a form of white listing. You could look at blacklisting certain applications but since you have people making exe's on the systems they can just tweak the source or code there own nasty apps to avoid the black list. So look at a product called Deepfreeze. While it won't stop them running anything they want (ie the exe's they make), it will allow you to rule out things like sniffers or viruses being resident in the systems if you schedule a daily reboot for the students workstations. Then make it clear to everyone that *anything* not kept in there network storage and/or usb disks will be lost.

http://en.wikipedia.org/wiki/Deep_Freeze_(software)

http://www.faronics.com/html/deepfreeze.asp

Ultimately though, if you cannot control exactly what they run you will always have the risk of comprised systems on your network but with this method you would be able to limit the scope of damage significantly and mitigate the risk of unscheduled downtime.

Link to comment
Share on other sites

So look at a product called Deepfreeze.

Another option would be HDGuard, I am from Australia and several schools I know use this.

i was think about only allowing for programs that are is the "C:Program Files" but there are 5 class of computer programing and they make exe files and there are lost of students that bring there school work on there usb's to print it off at school.

Is there a need for them to make executables? If they are learning something like visual basic the don't need to make the executable they can test their program through the debug mode and I'm sure the teachers don't need an exe to mark they would need to look at the source code.

I would definately make a list of programs you don't want run and add the hash to the black listed programs through group policy. School kids tend to find fad games all the time, they play it for a month then find something better so it may be an idea if all the schools in your region do something similar and create a combined list of black listed games. This would keep an up to date list of all the current games and will slow the kids down.

Link to comment
Share on other sites

Deepfreeze.  Ahhhh, that brings back some memories for me.

Good program to keep naive users from accidentally destroying their systems.  Contray to what VaKo said,you can set it up with what's called a "thawed" folder were users are able to save data to that wouldn't be destroyed on reboot.

Last experience I had with it (5+ years ago, I think?) to proved extremely hard to circumvent.  Good program, but I don't think it's exactly what you're looking for, or maybe it is.  ::shrug::

Link to comment
Share on other sites

Thats a really hard problem to stop. 

Make a program that deletes all the .exe files off of the removable drive when it is inserted?

only problem with that is if they rename the file and copy it somewhere else and change the name...

you could also just find a handfull of kids that are doing it, give them a month suspension from computer access to make and example out them and then mabey people will be to scared to run there own exes?

Link to comment
Share on other sites

Make a program that deletes all the .exe files off of the removable drive when it is inserted?

NO! DO NOT DO THAT! You will have a freaking ton of people angry at you if you do that. I would be angry if this happened.

Link to comment
Share on other sites

You could just write a program to open the exes (open, not run) which would lock the files.

associate the exe extension with notepad? :P

Wouldn't that cause notepad to try and open notepad with notepad that would try and open notepad with notepad .......

Link to comment
Share on other sites

  • 2 weeks later...

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...