Securing USB Thumb Drives using Software Restriction Policies   
Find out how to use software restriction policies to restrict the use of USB thumbdrives on public access computers.
© 2004 Kenji D'Aguiar


By Kenji D’Aguiar
Applications Administrator
Brevard County Libraries

Requirements       
A stand-alone Windows XP workstation (I have not tested this yet with SP2) and the PAC security tool version 2. It's highly recommended you read Microsoft's "Windows XP Security Guide", specifically Chapter 6.

Creating a new Software Restriction Policy

1)  Under the Administrator profile, go to the RUN command window and enter secpol.msc

2)  In the Local Security Settings window, select Software Restriction Policies. You'll notice in the right pane that no policies are defined yet.

3)  To create a policy, select Action from the toolbar, then select Create New Policies.

4)  Once a policy is created, you’ll notice 5 new objects in the right pane:

  • A Security Levels folder
  • An Additional Rules folder
  • An Enforcement DWORD value
  • A Designated File Types DWORD value
  • A Trusted Publisher DWORD value

Tip: I would highly recommend reading Microsoft's whitepaper on Software Restriction Policies for Stand-Alones to understand the concepts of these policies.

5)  Select the Additional Rules Folder, right click and select New Path Rule.

6)  A New Path Rule window appears. Enter the path of the drive or folder you'd like to enforce restrictions on. After entering a path, make sure the Security level option is set to Disallowed.

As an example, here are the Path Rules created for one of our workstation models. In this case the CD drives are disabled in the BIOS, so the next logical drive letter available to a USB thumbdrive is D. Just in case a patron tries to be clever and plugs in two USB thumbdrives at once, both ports are covered (drive letters D and E). The A: drive has the same restriction in place. We also included the C:\Profiles\All path, which prevents a user from dragging an executable to the Desktop or the My Documents folder and running it from there. Since the PAC tool creates a temporary profile under the Documents and Settings directory when a profile is loaded, you need to include that temporary folder in the list as well; for this to work, the C:\Documents and Settings\All path is included in the disallowed list.

Note: If you have other profiles such as children, Spanish, bigprint, etc., just create new Path Rules for them. Remember to also create Path Rules for their temporary profile folders, as mentioned above.

7)  Once the Paths are entered, the next thing to do is to set the enforcement properties. There are two options:

  • Apply Software Restriction Policies to the following: All software files except libraries (such as DLLs) and All Software.
  • Apply Software Restriction Policies to the following users:  All users except local Administrators

With the first option, I highly recommend you leave it as All software files except libraries. If you select All software files instead, the thumbdrives will NOT be recognized and installed. That may be what you want if you intend to disable access to USB thumbdrives altogether.

The second option is straightforward: restrict everyone except local administrators, or else you'll be locked out too!

8)  Next we go to the Designated File Types value. Here we can specify which file extensions to restrict; this window lets you add or delete file extensions as you need.

Tip: If you recall, one of the additional rules we created was for the folder C:\Profiles\All. One of the extensions listed in the default Designated File Types window is .LNK (shortcuts). You will need to remove this extension, or else none of the shortcuts on your Desktop or Start Menu will work. Another that can be removed is .URL. Some people carry a folder of IE Favorites on their thumbdrives; removing .URL permits them to open their favorite URLs.
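Before you deploy the policy it is worth proving that the Disallowed Path Rules actually fire. The batch file below is an added example, not part of the original article: it copies hostname.exe (a harmless command-line tool) into each restricted location from step 6 and tries to run it; TARGETS is assumed to match the article's rules and should be edited for your own workstation model.

```batch
@echo off
rem Added example, not from the original article: confirm that the Disallowed
rem Path Rules really stop a program before you deploy the policy. The script
rem copies hostname.exe, a harmless command-line tool, into each restricted
rem location and tries to run it; if the tool runs it prints the computer name,
rem if the rule fires it does not. Run it from a NON-administrator test account:
rem the article's enforcement setting exempts local Administrators, so a run as
rem Administrator proves nothing. TARGETS lists the article's paths; edit it to
rem match the Path Rules on your own workstation model.
setlocal
set TARGETS="D:\" "E:\" "A:\" "C:\Profiles\All" "C:\Documents and Settings\All"
set PROBE=%SystemRoot%\system32\hostname.exe
set OUT=%TEMP%\srptest.out

for %%T in (%TARGETS%) do call :probe "%%~T"
echo.
echo For each BLOCKED line, Event Viewer's Application log should now hold an
echo entry from source "Software Restriction Policies" naming srptest.exe.
exit /b 0

:probe
if not exist "%~1\" (
    echo SKIP     %~1  drive or folder not present
    goto :eof
)
copy /y "%PROBE%" "%~1\srptest.exe" >nul 2>&1
if errorlevel 1 (
    echo SKIP     %~1  could not write a test file there
    goto :eof
)
rem Run the copy and look for the computer name in its output. A launch that
rem SRP refuses produces no name, so findstr fails and we report BLOCKED.
"%~1\srptest.exe" > "%OUT%" 2>&1
findstr /i /c:"%COMPUTERNAME%" "%OUT%" >nul
if errorlevel 1 (
    echo BLOCKED  %~1
) else (
    echo OPEN     %~1  the rule is NOT enforced here
)
del /q "%~1\srptest.exe" "%OUT%" >nul 2>&1
goto :eof
```

An OPEN line means the path is not covered by a rule (or the policy has not been applied yet); a SKIP for A: or E: is normal when no media or second drive is present.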

Hardening Windows

Considering that Path Rules only restrict executables from running in particular paths, there is a possibility that a patron with good knowledge of Windows can bypass these rules by running the application from another location. Knowing this, it helps to secure access to the C:\ directory and all its subfolders. One way to do this is to use the System Policy Editor (Poledit) to hide access to your C: drive. Depending on how your organization has set up these policies in the System Policy Editor, there may be areas where a patron still has access to your C: drive even with those policies in effect. For example, you can go to the Start menu, then to All Programs, and double-click the Accessories folder. An Explorer window pops up, and from there a file can easily be cut and pasted into that folder and run unrestricted. The same holds true for any other directory you can browse to.

One easy way to avoid this is by hiding all the folder and subfolders in C: Drive. Here is how it's done:

  • In Administrator mode, make sure Show Hidden Files and Folders is enabled in the View tab of Folder Options in Explorer.

  • Next, in Explorer, go to the C:\Profiles\All path and hide all folders except Cookies (for some reason the Cookies folder can't be hidden).
    Note:
    There will be some folders that you won't be able to hide; that's OK, just skip them.

  • To hide several folders at a time, press CTRL and click all the folders you want to select, then right-click the selection, go to Properties and tick the Hidden attribute checkbox. Press OK.
    Important!  A Confirm Attribute Changes window appears. DO NOT select "Apply the changes to the selected items, subfolders and files." If you do, all the files under the specified folders will be hidden, and we only want to hide the folders and subfolders, not the files. Select "Apply changes to the selected items only."

Once you have hidden the folders in the C:\Profiles\All path, you may continue with the rest of the folders and subfolders on your C: drive. It can be tedious work at first, but it is well worth the effort.
Note: If the computer you are securing has more than one drive, you may hide the folders and subfolders on those drives as well. Also consider, if you are securing thumbdrives on a PC that has multiple logical drives, that you need to restrict the correct drive letter that will be assigned to the thumbdrive. For example, our organization has some Gates-granted PCs with multiple hard drives; there we restricted the next logical drive letters available, in this case drives G: and H:.
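The folder-hiding pass can be scripted instead of clicked through. The batch file below is an added example, not part of the original article; it assumes the article's C:\Profiles\All as the default root and sets the Hidden attribute on folders and subfolders only, leaving files untouched, just as the "selected items only" choice does.

```batch
@echo off
rem Added example, not from the original article: put the Hidden attribute on
rem every folder and subfolder below a profile path while leaving the files
rem inside them alone, which is exactly what the manual "Apply changes to the
rem selected items only" step does. Defaults to the article's C:\Profiles\All;
rem pass another root as the first argument for other profiles or drives.
rem Hiding only deters browsing in Explorer, it is not an access control, so
rem the Path Rules stay in place alongside it.
setlocal
set "ROOT=%~1"
if "%ROOT%"=="" set "ROOT=C:\Profiles\All"
if not exist "%ROOT%\" (
    echo Folder not found: %ROOT%
    exit /b 1
)
rem dir /b /s /ad prints one full path per line for directories only, so no
rem file ever reaches attrib. Folders that refuse the attribute, such as the
rem Cookies folder the article mentions, print an error and are simply skipped.
for /f "delims=" %%D in ('dir /b /s /ad "%ROOT%"') do attrib +h "%%D"
echo.
echo Folders under %ROOT% still visible after the run, if any:
dir /b /s /a:d-h "%ROOT%" 2>nul
endlocal
```

Run it once per profile root (for example `hidefolders.cmd "C:\Documents and Settings\All"`) and the closing listing tells you which folders, if any, still need attention.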

Deploying Software Restriction Policies to stand-alone workstations

Since the majority of public access computers use the PAC security tool, we know that these PCs are not in an NT domain, much less an AD domain. So how do you deploy these settings to your stand-alone PCs? There's a simple trick to this; here's how it's done:

  • In Explorer, go to the Windows or WINNT directory, then to System32, and look for the folder GroupPolicy.
  • Copy this folder to each remote PC's windows\system32 directory and overwrite the existing one. That's it!

UPDATE - Copying the whole GroupPolicy folder is not necessary; instead you may copy over just the following items inside the GroupPolicy directory: the gpt.ini file and the Machine folder.

If you have several of these PCs, you can use scripts or batch files to automate this task. You can also copy the folder to the target computer by way of its administrative share through your Explorer window. It is possible to overwrite the GroupPolicy folder remotely even while a patron is logged in at the time. Once the modified GroupPolicy folder is in place, the policies will take effect after a reboot.
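One way to script that push over the administrative shares, as an added example that is not part of the original article: it copies only gpt.ini and the Machine folder, as the update above allows, to every host named in a constructed hosts.txt, and uses the ADMIN$ share so the remote system root can be either \Windows or \WINNT.

```batch
@echo off
rem Added example, not from the original article: push the local policy
rem (GroupPolicy\gpt.ini and the GroupPolicy\Machine folder, the two items the
rem article's update says are sufficient) to every stand-alone PC named in
rem hosts.txt, a constructed list with one hostname per line and # comments.
rem The ADMIN$ share maps to the remote system root, so the same path works
rem whether that PC has \Windows or \WINNT. Run it as an account that is a
rem local administrator on each target; each target still needs a reboot.
setlocal
set SRC=%SystemRoot%\system32\GroupPolicy
set LIST=hosts.txt
set LOG=srp-deploy.log

if not exist "%SRC%\gpt.ini" (
    echo No local policy at %SRC% - create it with secpol.msc first.
    exit /b 1
)
echo Deployment %DATE% %TIME% > "%LOG%"
for /f "usebackq eol=# delims=" %%H in ("%LIST%") do call :push %%H
type "%LOG%"
exit /b 0

:push
set DEST=\\%1\ADMIN$\system32\GroupPolicy
rem /h copies hidden files, /y overwrites silently, /e takes subfolders,
rem /i treats a missing destination as a folder rather than asking.
xcopy "%SRC%\gpt.ini" "%DEST%\" /h /y >nul 2>&1
if errorlevel 1 goto :fail
xcopy "%SRC%\Machine" "%DEST%\Machine\" /e /h /y /i >nul 2>&1
if errorlevel 1 goto :fail
echo OK      %1  (reboot to apply) >> "%LOG%"
goto :eof
:fail
echo FAILED  %1  (check that ADMIN$ is reachable and you are a local admin) >> "%LOG%"
goto :eof
```

The log lists every host as OK or FAILED so that a machine that was switched off or unreachable at deployment time is not silently left with the old policy.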

Another way to deploy these settings is with Microsoft's SMS Server, or by creating a new Ghost image of a PC with the policies in effect.

So there you have it: a free and effective way of securing USB thumbdrives using Windows Local Security Settings. By the way, if you have come across this page and do not have the PAC tool, and are not using your PC for public access, you can still use software restriction policies. You will have to configure them differently, but they will work. Administrators in an AD domain environment can use GPOs to do the same job, and the deployment side is much easier compared with stand-alones.
I hope I have not missed anything in these instructions and that this serves as an easy step-by-step guide. A detailed illustrated version of this guide may also be found Here. If you have any questions, feel free to email.

Kenji D'Aguiar
dcft2001@yahoo.com

Creative Commons License
This work is licensed under a Creative Commons License.
