I was wondering if anyone could point me in the right direction on how to block specific exe files from executing on XP machines in a domain environment.

I have active directory setup and working so that is a possible tool.

I know how to block the exe by name but then people can just change the name of the file and launch it again.

Is there any way to block specific exes no matter what the user changes the filename to?

Thanks!

Dan

4 Answers

What you are looking for is Software Restriction Policies. If you want to block a specific application you would create a hash rule. However, you shouldn't.

There will always be another thing you want to block, or an updated version of the old thing. It's far better to disallow everything except what you want to allow on the machine. At that point you are only maintaining what you have added for software.

Jim B

You can create a Hash rule in Software Restriction Policies in Group Policy to restrict the program, regardless of its name. My recommendation would be to create a new GPO for this rather than modifying an existing GPO (such as the Default Domain Policy), and to test the impact on a select computer and/or user before rolling it out enterprise-wide.

http://technet.microsoft.com/en-us/library/bb457006.aspx

EDIT

In response to Jim B's answer: It's much more manageable long term to use his approach of whitelisting applications that can run, rather than blacklisting applications that can't run. Taking a blacklist approach means you're always going to be evaluating whether or not there are new versions of the blacklisted applications, whether or not you're aware of the applications users are trying to install, etc., etc.

joeqwerty

I would seriously recommend that you have a look at TrustNoExe. It doesn't exactly match the requirement, as it is a solution that blacklists everything and you have to whitelist individual .exe files yourself, but the internal way this problem is being solved is very nice and it's pretty safe.

0xC0000022L
  • Not for nothing, but Group Policy has this capability, and is pretty robust. No third party components required. – joeqwerty Jun 06 '12 at 19:25

From your default domain group policy you need to go here:

User configuration -> Policies -> Windows Settings -> Security Settings -> Software Restriction Policies -> Additional Rules

Then you create a new policy based on the exe's hash.

Apply the changes and force an update on each computer: gpupdate /force

Reference: http://techsultan.com/deny-specific-application-in-active-directory-gpo/
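An added PowerShell example (my own, not code from any poster in this thread) that illustrates two points made above: the hash rule described by joeqwerty and the last answer matches the file's content, so renaming the exe does not evade it, while a new version of the same program gets a new hash, which is exactly why Jim B argues for a default-deny whitelist instead of a blacklist. The second half reads the local Software Restriction Policies state. Assumptions not taken from the thread: Get-FileHash needs PowerShell 4 or later, so run this from an admin workstation rather than on the XP clients themselves; the registry location HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers, its DefaultLevel values (0 = Disallowed, 0x40000 = Unrestricted) and the per-level Hashes subkeys are from my knowledge of SRP, and user-scope policies such as the one in the last answer land under HKCU rather than HKLM.

```powershell
# Added example, not from the thread. Shows why hash rules beat name rules,
# why blacklist hash rules go stale, and how to read the local SRP posture.
# Assumptions: PowerShell 4+ for Get-FileHash; SRP registry layout and
# DefaultLevel values (0 = Disallowed, 0x40000 = Unrestricted) are from
# general SRP knowledge, not from this page.

# --- Part 1: a hash rule survives a rename but not a new version -----------
$work = Join-Path $env:TEMP "srp-demo"
New-Item -ItemType Directory -Path $work -Force | Out-Null

# Constructed sample "program": the bytes only need to be stable for hashing.
$original = Join-Path $work "tool.exe"
[IO.File]::WriteAllBytes($original, [byte[]](1..64))

# Same content under a different name (what a user does to dodge a name rule).
$renamed = Join-Path $work "calc.exe"
Copy-Item -Path $original -Destination $renamed -Force

# A "new version": one extra byte, so the content (and hash) changes.
$updated = Join-Path $work "tool-v2.exe"
[IO.File]::WriteAllBytes($updated, [byte[]](1..65))

$hashes = @{}
foreach ($file in $original, $renamed, $updated) {
    $hashes[$file] = (Get-FileHash -Path $file -Algorithm SHA256).Hash
    "{0,-12} {1}" -f (Split-Path $file -Leaf), $hashes[$file]
}
if ($hashes[$original] -eq $hashes[$renamed]) {
    "Rename: hash unchanged, so a hash rule still matches the renamed copy."
}
if ($hashes[$original] -ne $hashes[$updated]) {
    "New version: hash differs, so a blacklist hash rule no longer matches it."
}

# --- Part 2: audit the machine-scope SRP posture ----------------------------
$safer = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
if (Test-Path $safer) {
    $level = (Get-ItemProperty -Path $safer -Name DefaultLevel -ErrorAction SilentlyContinue).DefaultLevel
    switch ($level) {
        0       { "DefaultLevel: Disallowed (whitelist posture: only listed software runs)" }
        0x40000 { "DefaultLevel: Unrestricted (blacklist posture: rules can only block)" }
        default { "DefaultLevel: $level (not set or another level)" }
    }
    # Rules are grouped by the level they assign (0 = Disallowed, 262144 =
    # Unrestricted) and then by type; count the hash rules in each group.
    foreach ($assigned in 0, 262144) {
        $hashKey = Join-Path $safer "$assigned\Hashes"
        if (Test-Path $hashKey) {
            $count = (Get-ChildItem -Path $hashKey).Count
            "Hash rules assigning level $assigned : $count"
        }
    }
} else {
    "No machine-scope Software Restriction Policies found; check HKCU for user-scope policies."
}

Remove-Item -Path $work -Recurse -Force
```

Run it once before and once after applying the GPO and a gpupdate /force to confirm the rule count and DefaultLevel changed on a test machine, which is the kind of check joeqwerty suggests doing on a select computer before a wider rollout.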