Prevent execution of Windows executables

Solution 1:

You want Software Restriction Policies. This underutilized feature of modern Windows allows the administrator to allow or restrict executables from running based on the path or even based on a cryptographic signature. By the way, you want more than just EXEs. Software Restriction Policies has a list of 30 or 40 additional types of files that you need to restrict, such as CMD and SCR (screen savers). In addition, you can block DLLs.

I would rate its effectiveness as substantially better than anti-virus. Also, it's difficult to educate users about social engineering attacks that modern malware uses, such as getting a user to click on ListenToThisMusic.mp3.exe.
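As an added example (not part of the answer above), the following PowerShell script audits a machine's local Software Restriction Policy settings: the default level, whether DLLs are enforced, whether administrators are exempt, which designated file types are covered, and the configured path and hash rules. It assumes the standard SRP registry location under HKLM and is meant to be run from an elevated PowerShell on the machine being reviewed.

```powershell
# Added example: audit the local Software Restriction Policy configuration.
# Assumes the standard SRP registry location; run elevated on the target machine.
$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
if (-not (Test-Path $base)) { Write-Warning 'No Software Restriction Policy is configured.'; return }

$cfg = Get-ItemProperty -Path $base
$levelNames = @{ 0 = 'Disallowed'; 131072 = 'Basic User'; 262144 = 'Unrestricted' }

# Default level: "Disallowed" is the whitelist posture; anything else lets unknown code run.
Write-Output ("Default security level : {0}" -f $levelNames[[int]$cfg.DefaultLevel])
if ([int]$cfg.DefaultLevel -ne 0) { Write-Warning 'Default level is not Disallowed; unknown executables will run.' }

# Enforcement scope: 1 = all software files except libraries (DLLs), 2 = including DLLs.
switch ([int]$cfg.TransparentEnabled) {
    2       { Write-Output 'Enforcement           : all software files including DLLs' }
    1       { Write-Warning 'DLLs are excluded from enforcement (TransparentEnabled = 1).' }
    default { Write-Warning 'SRP enforcement is disabled (TransparentEnabled = 0).' }
}

# PolicyScope 1 exempts local administrators, which weakens the control considerably.
if ([int]$cfg.PolicyScope -eq 1) { Write-Warning 'Local administrators are exempt from this policy.' }

# Designated file types: confirm the extensions the answer calls out are actually covered.
$types = @($cfg.ExecutableTypes | Where-Object { $_ })
Write-Output ("Designated file types  : {0}" -f $types.Count)
foreach ($ext in 'EXE', 'CMD', 'SCR', 'PIF', 'LNK') {
    if ($types -notcontains $ext) { Write-Warning "Designated file types do not include .$ext" }
}

# Enumerate path and hash rules stored under each security-level subkey.
foreach ($level in 0, 131072, 262144) {
    foreach ($kind in 'Paths', 'Hashes') {
        $ruleKey = Join-Path $base "$level\$kind"
        if (-not (Test-Path $ruleKey)) { continue }
        Get-ChildItem $ruleKey | ForEach-Object {
            $rule = Get-ItemProperty $_.PSPath
            # Path rules store the pattern in ItemData; hash rules store the hash as binary,
            # so the friendly name is the readable identifier for those.
            $item = if ($kind -eq 'Paths') { $rule.ItemData } else { $rule.FriendlyName }
            Write-Output ("  {0,-12} {1,-6} {2}" -f $levelNames[$level], $kind, $item)
        }
    }
}
```

A Disallowed default with TransparentEnabled = 2 and no administrator exemption is the configuration that the answer's "block DLLs too" advice corresponds to; any warning printed above marks a gap in that posture.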

Solution 2:

I'd be careful with this. You won't be able to 100% lock everything down and you will make the machines nearly impossible for users to use. You should look at educating your users and putting process, policy and education in place. You need to find the right BALANCE between restricting actions and end user productivity.

I see a LOT of wasted $$$ in companies where they make users' lives absolute hell just to make things a little bit easier for the support guys.

Solution 3:

You can whitelist using software restriction policies in GPOs but I'm not sure how effective it is. I'd bet a small donut on it working with most non-malicious users in most places but I wouldn't bet my career on it working anywhere and I wouldn't count on it in places where I expected it to come under attack (e.g. educational environment).

You can certainly block code from running from certain devices and areas of the disk with a combination of ACLs and Software Restrictions and that is a useful security tool, but I'd make it a small part of a security policy, not the cornerstone of one.