Group Policy 1

[Igore65]

I am pretty sure that programs can be restricted more tightly than just using the app name in the Group Policy. I thought that there was a way of creating a Hash of the Application .exe such that the user cannot circumvent the Policy by changing the name. Has anyone tried this?

 

[gmail2]

Hi,

I haven't tried this, but yes, it's possible to also allow/prohibit applications based on the file hash. This has the advantage of working regardless of where the .exe is (so even if users move the file, it'll still be blocked). However, from what I've heard, the disadvantae is that sometimes updates can change the file hash. So if you want to do it this way I guess you'd need to do testing before rolling out your updates.

Hope this helps

Irish Poetry - Karen O'Connor
Get your Irish Poetry Published
Garten und Landschaftsbau

 

[Igore65]

Hi Gmail2

I am familiar with the shortcomings of the updates changing the basic hash and invalidating the block, but the question I have is where and how is the hash created and then associated with the GPO?

 

[baronne]

there is a third party free app you can get which blocks exe's etc. from running... I for the life of me don't know what it's called.. sorry!!
We actually use the FSRM on windows server 2003 R2 to block exe's on the file servers and we hide the C drive, disable access to command prompt... etc.

:: baronne
------------------
"lekker, shot bru

 

[Igore65]

We have users that are bringing in Skype on USB sticks... I know that I can block the .exe by name, but I wanted to use teh additional step of using the Hash of the .exe to block, but for ht elife of me I cannot remember where that hash gets created... Anyone know how to create that hash of a program and associate it with a GPO?

 

[jchoponis]

I have a howto video about it - check out

http://www.mantonrangers.org/PublishedVideos/gpo hash rule.wmv