Just a quick little question here: I am trying to block exe's and such from running from users' home drives but running into problems. Sure, I can add a hash rule for all the exe's, but this is tedious work. I can add a path rule as "H:*.exe" and this works, but only on the H:\ drive; if the exe is in "H:\SomeFolder2949\" then it isn't blocked. I tried wildcards etc. as "H:**.exe" but this doesn't work... it specifically states in a TechNet article the following:
When a path rule specifies a folder, it matches any program
contained in that folder and any programs contained in subfolders.
and that to me says it will match anything in the folder and subfolders...then it goes on to contradict itself and says...
The administrator must define all directories for launching a
specific application in the path rule. For example, if the
administrator creates a shortcut on the desktop to launch
an application, then in the path rule, the administrator
must also grant the user Read access rights to both the
executable file and the shortcut paths to run the application.
If all the path information necessary for launching the
application in the path rule is not defined, it can trigger
the Software Restricted warning when the user attempts to run
the application.
So I am confused... can I get path rules to match on subfolders or not? If so, how?
Thanks.
If you are running Windows 2008 R2, you can use file screening to prevent the .exe from even being there.
The note from Microsoft about all subfolders only applies if you specify just a folder, for example C:\Users. This blocks all executables in all subfolders.
But as you correctly noted, if you specify C:\Users*.exe to block only files with extension exe, they are only locked in C:\Users, not for example in C:\Users\Tom.
I do not have an answer for this either, sorry. The same question is also here: "Windows - Software restriction policy to block exe files in all subdirectories". Unfortunately the only answer there does not answer the question.
By the way, the other issue regarding LNK files, in the second cite from Microsoft, can be solved by removing LNK files from the list of files that are affected by SRP.
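The behaviour reported in this thread, as an added example that is not part of the original posts and is not Microsoft's matching code: a simplified model you can use to check which home-drive paths a set of Disallowed path rules would cover. The function names, the file-type subset and the `H:\Docs\app.lnk` sample path are assumptions made for illustration; the default level is assumed to be Unrestricted.

```python
import fnmatch
import ntpath

# Constructed subset of SRP "designated file types" (assumption, not the full list).
DESIGNATED_TYPES = {".exe", ".lnk", ".bat", ".cmd", ".msi", ".vbs"}


def rule_matches(rule, path):
    """Model of the matching described in the thread (case-insensitive)."""
    rule, path = rule.lower(), path.lower()
    if "*" in rule or "?" in rule:
        # Wildcard file rule such as H:\*.exe: as reported above, it only
        # matches files directly in the rule's folder, not in subfolders.
        rule_dir, pattern = ntpath.split(rule)
        file_dir, name = ntpath.split(path)
        same_folder = rule_dir.rstrip("\\") == file_dir.rstrip("\\")
        return same_folder and fnmatch.fnmatchcase(name, pattern)
    # Plain folder rule such as C:\Users: covers the folder and all subfolders.
    folder = rule.rstrip("\\") + "\\"
    return path.startswith(folder)


def evaluate(path, disallowed_rules, designated_types=DESIGNATED_TYPES):
    """Return the level this model assigns to a file under Disallowed path rules."""
    ext = ntpath.splitext(path)[1].lower()
    if ext not in designated_types:
        return "not checked"  # file type is outside the policy's scope
    if any(rule_matches(rule, path) for rule in disallowed_rules):
        return "Disallowed"
    return "Unrestricted"  # assumed default security level


if __name__ == "__main__":
    samples = [r"H:\tool.exe", r"H:\SomeFolder2949\tool.exe", r"H:\Docs\app.lnk"]
    for rules in ([r"H:\*.exe"], ["H:\\"]):
        for sample in samples:
            print(rules, sample, "->", evaluate(sample, rules))
```

With the folder rule, shortcuts on the drive are caught as well, which is why the last answer suggests removing LNK from the affected file types.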