CSA and Group Policy

jasonsuplita · ‎04-14-2008

Hi,

I have been trying for a while to block users from downloading software and installing it from the internet and from using removeable media onto their machine. I would like to deny this, but still allow us to push software packages through Group Policy. So, far most of this is working, however, I can't get Group Policy to work. I have attached the screen shots of the rules that I have attached to the "installation not detected" rule module. Has anyone been able to get this to work? I figure that I am doing something completely wrong. Just a quick rundown, my â€œGroup Policyâ€ rule allows the MS service (services.exe) to invoke the Software Install applications - Microsoft (msiexe.exe, etc..). â€œMy Block internet downloads and removeable media installation" rule denies any application from running "untrusted content" "download directory executables", "software install applications in download directories" and "temp directory executables". I don't have this rule applying to microsoft installs, SMS, Auto Update, and Mass software deployment applications. Thank you very much everyone for all of your help.

chickman · ‎04-19-2008

Well, I'm kinda interested in what you're trying to accomplish. My first question would be this: Why does everyone have administrative rights to begin with? I can understand if an application requires this access from a business perspective. But, if nothing is required, I'd suggest to lock them down at that point.

CSAMC comes standard with a "removable media" set of rules. Also, keep in mind the syntax you can use for removable media provided by CSA. This is straight from the documentation:

"@removable

This indicates all removable media. That includes, floppies, CDs, zip drives, etc. Note that if you want to indicate all removable media except floppies, for example, you'd have to configure a file set that explicitly excludes floppies from all removable media.

@floppy

This indicates all floppy drives. You can specify particular file paths on floppy media using the following syntax: @floppy:\. Note that @floppy:\ means only the top level files on the floppy media. @floppy or @floppy:\** means all files on the floppy media.

@CD

This indicates all CD ROM drives( including DVD). You can specify particular file paths on CD media using the following syntax: @CD:\. Note that @CD:\ means only the top level files on the media. @CD or @CD:\** means all files on the media.

NOTE: USB connected drives are removable media."

I'm still trying to figure out what you're not able to get working. From what I'm reading, you're able to get the services.exe and msiexe.exe to install applications. Also, it looks like you're able to get the internet based items to not be installed. Are you looking for an application class or set of classes that contain the exe's for SMS, Auto Update.. etc?

jasonsuplita · ‎04-19-2008

The problem is that even though I have created a group policy rule that allows services.exe and msiexe.exe to run, Group Policy still isn't working for some reason. I even have it to the point where I'm logging everything that is being allowed or denied in the rules, and there aren't even any logs telling me that something is being denied. As for why the users have admin rights, this install isn't in our network, it is for one of our clients and for some reason they do not want to change them from having local admin rights, right now.

So, right now what is working: blocking users from downloading software from the internet and installing it, and blocking them from installing software from removeable media.

Not working: Group Policy

Thank you very much for all of your time and help.

chickman · ‎04-19-2008

I got what you're saying now. Did you just clone the "Installation -" rule modules and modify those to include your custom application classes?

edit--

* I do apologize, as we're not currently restricting this at all this way. But, I'm very interested to get this working for you.*

jasonsuplita · ‎04-19-2008

I didn't end up cloning them. I just created a new rule exception for them.

chickman · ‎04-19-2008

I'm trying to figure out how CSA would be blocking GPO pushes. You can view all your denies by going to the group you've placed these clients in. Once you're in there, go to the "Log overrides" and select the "Log deny actions" and attempt what you're looking for. That way you will see what is denying your actions.

chickman · ‎04-19-2008

Ok, you may want to review "Installation - Application Permissions Module" because it appears that the GPO is going to pass your changes through winlogon. It will need to make modifications to the system, registry, API, and so forth. So, my suggestion would be to clone those rules and allow the Microsoft applications access to install and modify, while still denying other applications. This should work in conjunction with your "Deny Internet Downloads" rule.

Let me know what you think.

jasonsuplita · ‎04-19-2008

Thanks, I didn't even think of logging all deny actions for the group. I'm going to try that out on Monday and post back.

chickman · ‎04-19-2008

No problem, I'm interested to see what is stopping the GPO from being pushed to your systems.

jasonsuplita · ‎04-22-2008

Hi Chickman,

I found out that my rules that I created did work. It was my test pc that was being the issue. When I tested with another machine instead, it worked. Thanks and I appreciate all of your help.

chickman · ‎04-23-2008

That is good news!