[THIN] Re: Only allow specified apps.

Yeah, they'll get around it. When you block CMD using policy, it's just a
registry value that gets set. When you run 2000 or 2003's CMD.EXE, it looks
for that registry value and respects its setting. NT's CMD.EXE doesn't look
for the value, so it will always run. Try it yourself.

-----Original Message-----
From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf
Of Robert Barrett
Sent: 5 December 2003 4:27 AM
To: 'thin@xxxxxxxxxxxxx'
Subject: [THIN] Re: Only allow specified apps.


I will look into it further then, especially if it has been found to be that
way, I was going only by the documentation (should know better).  I don't
know if it makes a difference but as you have said we do have the command
prompt blocked entirely and we are only running 2000 or 2003 Ts boxes and XP
SP1 clients (other than CE embedded thin).  Will they still find a way
around that?  I am curious now.  I am still going to try to get Appsec to
work.

  _____  

From: Jeff Durbin [mailto:techlists@xxxxxxxxxxxxx] 
Sent: Wednesday, December 03, 2003 8:02 PM
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: Only allow specified apps.


  I think you'll find that using "Run only" by itself will be inadequate.
All it does is require that an app that's executed from Explorer (and only
from Explorer, not a DOS box) be listed in the "run only" list. So, for
example, let's say that you allow winword.exe. All I have to do is rename my
CMD.EXE to winword.exe, and it will run. (I know, there's a policy setting
that can stop CMD, but that doesn't stop *NT4's CMD*.) Used by itself, it's
pretty pathetic.
  AppSec blocks all apps except the ones listed in it's apps list, and those
apps don't have to be on the TS itself. I've allowed apps on a network share
using AppSec. The beauty of it is that it will only allow the apps *at the
specified path* run. Therefore, you allow only Winword.exe in your "run
only" list. Then, you tell AppSec that non-admins can run c:\program
files\Microsoft Office\Office10\winword.exe. With that combination, Winword,
at the specified location, is the only app that a non-admin will run. 
  I promise you that if you use "run only" by itself, you'll still have the
problem. Add AppSec and you'll solve it.
 
JD

-----Original Message-----
From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf
Of Robert Barrett
Sent: 4 December 2003 11:08 AM
To: 'thin@xxxxxxxxxxxxx'
Subject: [THIN] Re: Only allow specified apps.


Thanks.  I have it running using "Run only...", not sure what I was doing
wrong the first time but it works now.  I decided against Appsec because it
apparently requires that the app being blocked reside on the TS box, most of
these kids run games and stuff from their home directory.

  _____  

From: Jeff Durbin [mailto:techlists@xxxxxxxxxxxxx] 
Sent: Wednesday, December 03, 2003 12:04 PM
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: Only allow specified apps.


I've used "Run only allowed windows apps" and AppSec many times. This
combination can give you true control over what apps a user can run. Be
aware that the list of apps referenced in the URL is not required. For
example, USRLOGON.CMD isn't required for USRLOGON.CMD to run during login.
Also, when you first run AppSec, it has a list of apps already loaded. I
normally delete them all and start adding only the application executables
that I need. I normally add CTXLOAD.EXE as well, but that's only because it
was required to fix a failure of the clipboard mapping mechanism the first
time I tried using AppSec. Of course, you have to add the names of any
executables referenced during login, but that would only be if you were
using Kix or VB login scripts, for example.
 
Jeff Durbin

-----Original Message-----
From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf
Of Jim Kenzig http://thethin.net
Sent: 2 December 2003 5:10 AM
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: Only allow specified apps.


By the way when using appsec use the dos name for specifying file location
if you have problems. 
Jim
 

-----Original Message-----
From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx]On Behalf
Of Jim Kenzig http://thethin.net
Sent: Monday, December 01, 2003 11:06 AM
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: Only allow specified apps.


Use appsec.exe  and see http://thethin.net/archive3.cfm?id=81940 for a list.
 
Jim Kenzig
http://thethin.net
http://spamguerilla.com
http://www.kenzig.com
http://ondemandaccess.com
http://worldofasp.com
 

-----Original Message-----
From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx]On Behalf
Of Robert Barrett
Sent: Monday, December 01, 2003 10:51 AM
To: 'thin@xxxxxxxxxxxxx'
Subject: [THIN] Only allow specified apps.



Hello all, 

I am an admin in a school division and anyone else can attest to that comes
with a whole bunch of users (high school) playing all sorts of games trying
to congest the network to the point of choking.  Anyway enough griping, has
anyone gotten the GPO setting that only allows certain Windows exe's to run
working?  I am trying to only allow them to run what is necessary to run for
educational purposes, I can make the list myself (of course if someone has a
basic list to start I'd take it :-)).  If not a GPO does anyone have any
other ideas as to how to do this?  TIA

Robert Barrett MCSE, CCA, A+ 
Enterprise Administrator 
Fort Vermilion School Division 
 <http://www.fvsd.ab.ca> http://www.fvsd.ab.ca 
robertb@xxxxxxxxxx  

Other related posts: