[THIN] Re: Only allow specified apps.

  • From: "Monahan, Thomas" <Thomas.Monahan@xxxxxxxxxxx>
  • To: "'thin@xxxxxxxxxxxxx'" <thin@xxxxxxxxxxxxx>
  • Date: Fri, 5 Dec 2003 11:41:56 -0000

It runs (if you check the process, it is there); however, the user doesn't
see a thing as it is hidden. So they couldn't interact with the command
prompt. They would have to batch file all the commands they wanted to run, I
would say.

Regards,
Thomas

> -----Original Message-----
> From: Jeff Durbin [SMTP:techlists@xxxxxxxxxxxxx]
> Sent: 04 December 2003 19:32
> To:   thin@xxxxxxxxxxxxx
> Subject:      [THIN] Re: Only allow specified apps.
> 
> Yeah, they'll get around it. When you block CMD using policy, it's just a
> registry value that gets set. When you run 2000 or 2003's CMD.EXE, it
> looks for that registry value and respects its setting. NT's CMD.EXE
> doesn't look for the value, so it will always run. Try it yourself.
> 
>       -----Original Message-----
>       From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx]
> On Behalf Of Robert Barrett
>       Sent: 5 December 2003 4:27 AM
>       To: 'thin@xxxxxxxxxxxxx'
>       Subject: [THIN] Re: Only allow specified apps.
>       
>       
>       I will look into it further then, especially if it has been found to
> be that way, I was going only by the documentation (should know better).
> I don't know if it makes a difference but as you have said we do have the
> command prompt blocked entirely and we are only running 2000 or 2003 TS
> boxes and XP SP1 clients (other than CE embedded thin).  Will they still
> find a way around that?  I am curious now.  I am still going to try to get
> Appsec to work.
> 
>   _____  
> 
>       From: Jeff Durbin [mailto:techlists@xxxxxxxxxxxxx] 
>       Sent: Wednesday, December 03, 2003 8:02 PM
>       To: thin@xxxxxxxxxxxxx
>       Subject: [THIN] Re: Only allow specified apps.
>       
>       
>         I think you'll find that using "Run only" by itself will be
> inadequate. All it does is require that an app that's executed from
> Explorer (and only from Explorer, not a DOS box) be listed in the "run
> only" list. So, for example, let's say that you allow winword.exe. All I
> have to do is rename my CMD.EXE to winword.exe, and it will run. (I know,
> there's a policy setting that can stop CMD, but that doesn't stop *NT4's
> CMD*.) Used by itself, it's pretty pathetic.
>         AppSec blocks all apps except the ones listed in its apps list,
> and those apps don't have to be on the TS itself. I've allowed apps on a
> network share using AppSec. The beauty of it is that it will only allow
> the apps *at the specified path* to run. Therefore, you allow only
> Winword.exe in your "run only" list. Then, you tell AppSec that non-admins
> can run c:\program files\Microsoft Office\Office10\winword.exe. With that
> combination, Winword, at the specified location, is the only app that a
> non-admin will run. 
>         I promise you that if you use "run only" by itself, you'll still
> have the problem. Add AppSec and you'll solve it.
>        
>       JD
> 
>               -----Original Message-----
>               From: thin-bounce@xxxxxxxxxxxxx
> [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Robert Barrett
>               Sent: 4 December 2003 11:08 AM
>               To: 'thin@xxxxxxxxxxxxx'
>               Subject: [THIN] Re: Only allow specified apps.
>               
>               
>               Thanks.  I have it running using "Run only...", not sure
> what I was doing wrong the first time but it works now.  I decided against
> Appsec because it apparently requires that the app being blocked reside on
> the TS box, most of these kids run games and stuff from their home
> directory.
> 
>   _____  
> 
>               From: Jeff Durbin [mailto:techlists@xxxxxxxxxxxxx] 
>               Sent: Wednesday, December 03, 2003 12:04 PM
>               To: thin@xxxxxxxxxxxxx
>               Subject: [THIN] Re: Only allow specified apps.
>               
>               
>               I've used "Run only allowed windows apps" and AppSec many
> times. This combination can give you true control over what apps a user
> can run. Be aware that the list of apps referenced in the URL is not
> required. For example, USRLOGON.CMD isn't required for USRLOGON.CMD to run
> during login. Also, when you first run AppSec, it has a list of apps
> already loaded. I normally delete them all and start adding only the
> application executables that I need. I normally add CTXLOAD.EXE as well,
> but that's only because it was required to fix a failure of the clipboard
> mapping mechanism the first time I tried using AppSec. Of course, you have
> to add the names of any executables referenced during login, but that
> would only be if you were using Kix or VB login scripts, for example.
>                
>               Jeff Durbin
> 
>                       -----Original Message-----
>                       From: thin-bounce@xxxxxxxxxxxxx
> [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Kenzig
> http://thethin.net
>                       Sent: 2 December 2003 5:10 AM
>                       To: thin@xxxxxxxxxxxxx
>                       Subject: [THIN] Re: Only allow specified apps.
>                       
>                       
>                       By the way when using appsec use the dos name for
> specifying file location if you have problems. 
>                       Jim
>                        
> 
>                       -----Original Message-----
>                       From: thin-bounce@xxxxxxxxxxxxx
> [mailto:thin-bounce@xxxxxxxxxxxxx]On Behalf Of Jim Kenzig
> http://thethin.net
>                       Sent: Monday, December 01, 2003 11:06 AM
>                       To: thin@xxxxxxxxxxxxx
>                       Subject: [THIN] Re: Only allow specified apps.
>                       
>                       
>                       Use appsec.exe  and see
> <http://thethin.net/archive3.cfm?id=81940> for a list.
>                        
>                       Jim Kenzig
>                       <http://thethin.net>
>                       <http://spamguerilla.com>
>                       <http://www.kenzig.com>
>                       <http://ondemandaccess.com>
>                       <http://worldofasp.com>
>                        
> 
>                       -----Original Message-----
>                       From: thin-bounce@xxxxxxxxxxxxx
> [mailto:thin-bounce@xxxxxxxxxxxxx]On Behalf Of Robert Barrett
>                       Sent: Monday, December 01, 2003 10:51 AM
>                       To: 'thin@xxxxxxxxxxxxx'
>                       Subject: [THIN] Only allow specified apps.
>                       
>                       
> 
>                       Hello all, 
> 
>                       I am an admin in a school division and, as anyone else
> can attest, that comes with a whole bunch of users (high school) playing
> all sorts of games trying to congest the network to the point of choking.
> Anyway enough griping, has anyone gotten the GPO setting that only allows
> certain Windows exe's to run working?  I am trying to only allow them to
> run what is necessary to run for educational purposes, I can make the list
> myself (of course if someone has a basic list to start I'd take it :-)).
> If not a GPO does anyone have any other ideas as to how to do this?  TIA
> 
>                       Robert Barrett MCSE, CCA, A+ 
>                       Enterprise Administrator 
>                       Fort Vermilion School Division 
>                       <http://www.fvsd.ab.ca> 
>                       robertb@xxxxxxxxxx  
> 
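
An added illustration, not part of the original thread and not AppSec's or Group Policy's own logic: a small model of the two controls discussed above, a name-only "run only" list and a full-path list, applied to constructed launch records to flag executables that satisfy the name list but are not at the approved path. The function names, the `H:\` home-drive paths and the sample launches are assumptions made for the example.

```python
import ntpath

# Constructed policy for illustration: the "run only" name list and the
# full-path list described in the thread.
RUN_ONLY_NAMES = {"winword.exe"}
APPSEC_PATHS = {r"c:\program files\Microsoft Office\Office10\winword.exe"}

def _norm(path):
    # Windows paths are case-insensitive; also collapse ".." and "/" forms.
    return ntpath.normcase(ntpath.normpath(path))

def name_allowed(image_path, names=RUN_ONLY_NAMES):
    """Name-only check: looks at the file name, ignores where it lives."""
    return ntpath.basename(_norm(image_path)) in {n.lower() for n in names}

def path_allowed(image_path, paths=APPSEC_PATHS):
    """Path check: the full normalized path must match an approved entry."""
    return _norm(image_path) in {_norm(p) for p in paths}

def audit(launches):
    """Classify each (user, image_path) launch under both controls."""
    report = []
    for user, image in launches:
        by_name, by_path = name_allowed(image), path_allowed(image)
        if by_name and by_path:
            verdict = "allowed"
        elif by_name:
            # Passes the name list but is not at the approved location:
            # the renamed-executable case raised in the thread.
            verdict = "name-only match"
        else:
            verdict = "blocked"
        report.append((user, image, verdict))
    return report

# Constructed sample launches (not real log data).
SAMPLE = [
    ("student1", r"C:\Program Files\Microsoft Office\Office10\WINWORD.EXE"),
    ("student2", r"H:\games\winword.exe"),
    ("student3", r"H:\games\doom.exe"),
    ("student4",
     r"c:\program files\Microsoft Office\Office10\..\..\..\temp\winword.exe"),
]

if __name__ == "__main__":
    for row in audit(SAMPLE):
        print(row)
```

Rows reported as "name-only match" are the ones a name list alone would let through and a path list would stop.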

