1

I teach programming in Visual Studio. We want to run it on a terminal server. The problem is that whenever we compile our programs, the Windows refuses to start the created exe file. (I didn't even know the ability to block all exe files exists. And it is not very funny when we do programming.) A message box is shown, saying that running exe files is blocked by group policy. It applies to both .NET and plain Win32 exe programs. The problem is that our IT administrators say they don't know why does this happen and how to turn the blocking off. Can anybody help?

030
  • 5,731
  • 12
  • 61
  • 107
Al Kepp
  • 111
  • 1
  • 1
  • 5

2 Answers2

2

First off, I hope your terminal server is a virtual machine. Before you continue, make sure you have a clean snapshot of the VM. One of your students will take advantage of the ability to run arbitrary applications and screw up your server. You should revert to the snapshot periodically, and always revert immediately before applying patches or installing or upgrading software. Then take a snapshot after that's done but before anyone can use the server. That way when some hoses your server, all you have to do is revert the snapshot.

There are a couple of ways to restrict programs from running.

  • In group policy, there are two areas to look under Policies -> Windows Settings -> Security Settings: Application Control Policies and Software Restriction Policies.

  • There is also the RestrictRun registry key.

  • And finally, third-party applications can use the registry key Appinit_DLLs.

longneck
  • 22,793
  • 4
  • 50
  • 84
  • I believe in Server 2008 r2 you can be being blocked by either SRP (as @longneck mentioned above) or AppLocker which was introduced in 2008 R2. Ask your IT administrator to check for either of those in Computer policy -> Windows Settings -> Security Settings -> Application Control Policies ; or RSOP with admin privs – Get-HomeByFiveOClock Feb 26 '15 at 14:17
  • If your machine is in a domain, and if you do use VM snapshots (or anything like it) to revert the machine to an earlier state, make sure you disable automatic machine password change... – EliadTech Feb 26 '15 at 14:43
0

All exe files icluding calc.exe, notepad.exe and explorer.exe or just some exe files? There are different approaches to this.

If you're trying to block a single executable that you're familiar with you can disable it from a GPO using the setting: User Configuration/Administrative Templates/System/Don't run specified Windows applications

Another option is to specify only the applications you want to allow Using: User Configuration/Administrative Templates/System/Run only specified Windows applications This one would probably take a lot of work to populate for a system with many applications installed or for a corporate environment.

None of the two mentioned settings takes into account that a user can name their exe file what they want so renaming mydangerousapp.exe to explorer.exe would make it a perfectly legitimate executable.

islam
  • 1
  • Please read the actual question before you try to answer. We program i.e. create new exe files in Visual Studio. And want to run them. – Al Kepp May 22 '18 at 21:08