How can I stop .exe's being run from removable media, such as USB drives?

I have an issue with users running .exe's from removable storage such as Memory Sticks and SD cards.

I am trying to set up blocking of exe's being run from all removable storage to combat this; however, under the Group Policy settings under "User Configuration > Windows Settings > Security Settings > Software Restriction Policies > Additional Rules" you can create a "path" variable. I would like to use a system variable for all removable storage but do not know if there is one that works. Do I have to go through and create a blocklist for all potential drive letters that could be assigned to removable media (E:\ through to about L:\) or is there one that actually works? I've found %~dp0 which, apparently, only works for for loops, if statements and batch parameters.

If there are other, better, or more reliable measures please let me know.

Oh, I've looked at AppLocker but our DC is running Server 2008 and I believe that AppLocker is part of Windows 7 and 2008 R2. As mentioned in the comments to the answer below I don't think Server 2008 has the "Deny Execute Access" setting, so are there any other options?


Solution 1:

You can stop execution of software on removable devices via a GPO. The setting is under Computer > Administrative Templates > System > Removable Storage Access > Removable Disks: Deny Execute Access


Edit:

Do you have access to a Server 2008 R2 System? If so, you could create the policy setting, back it up to disk and transfer it to your Server 2008 System and import the policy back. This won't give you the ability to modify the policy, but you should be able to see the settings as Extra Registry Settings and it should work fine on your Windows 7 clients.

If it helps, I've just created a backup of such a policy, and have put it up on Dropbox for you to download. The usual use at your own risk, etc. applies.
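The question above asks whether every possible removable drive letter has to be listed in a Software Restriction Policies path rule, and this answer points at the "Removable Disks: Deny Execute Access" policy instead. The following audit script is an added example, not code from the question or from either answer, that checks a Windows 7 client for both controls: it enumerates the removable drives actually present (so no variable covering "all removable storage" is needed), reads the registry value the Deny Execute Access policy writes, and lists the SRP "Disallowed" path rules to see which drive letters they cover. The registry paths, the Removable Disks class GUID and the `Deny_Execute` value name are assumptions taken from the standard policy definitions; confirm them against your own domain's ADMX files and SRP layout before relying on the result.

```powershell
# Added audit example (not part of the original thread). Registry locations below are
# assumptions drawn from the standard Windows policy definitions; verify them locally.

# Value written by "Removable Disks: Deny Execute Access" (Computer Configuration).
$DenyExecKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'

# SRP path rules: CodeIdentifiers\0 holds the "Disallowed" security level,
# one GUID-named subkey per rule, with the path pattern in the ItemData value.
$SrpDisallowedPaths = @(
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths',  # Computer Configuration rules
    'HKCU:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths'   # User Configuration rules
)

function Get-RemovableDriveLetters {
    # DriveType 2 = removable disk (USB sticks, SD card readers); fixed,
    # network and optical drives are excluded by the filter.
    Get-WmiObject -Class Win32_LogicalDisk -Filter 'DriveType = 2' |
        ForEach-Object { $_.DeviceID }   # e.g. "E:"
}

function Test-DenyExecutePolicy {
    # $true when the Removable Disks policy is applied (Deny_Execute = 1).
    $item = Get-ItemProperty -Path $DenyExecKey -Name 'Deny_Execute' -ErrorAction SilentlyContinue
    return ($null -ne $item -and $item.Deny_Execute -eq 1)
}

function Get-SrpDisallowedPathRules {
    # Collects the path pattern of every Disallowed rule from both scopes.
    foreach ($base in $SrpDisallowedPaths) {
        if (Test-Path $base) {
            Get-ChildItem -Path $base | ForEach-Object {
                (Get-ItemProperty -Path $_.PSPath).ItemData
            }
        }
    }
}

function Test-DriveCoveredBySrp {
    param([string]$DriveLetter, [string[]]$Rules)
    # A rule written as "E:\" or "E:\*" covers drive E:; compare case-insensitively.
    foreach ($rule in $Rules) {
        if ($rule -and $rule.TrimEnd('\', '*').ToUpper() -eq $DriveLetter.ToUpper()) {
            return $true
        }
    }
    return $false
}

# --- Report: one line per removable drive currently attached ---
$denyExec = Test-DenyExecutePolicy
$rules    = @(Get-SrpDisallowedPathRules)
Write-Host ("Deny Execute Access policy applied: {0}" -f $denyExec)
foreach ($drive in Get-RemovableDriveLetters) {
    $covered = Test-DriveCoveredBySrp -DriveLetter $drive -Rules $rules
    $status  = if ($denyExec -or $covered) { 'blocked' } else { 'NOT blocked' }
    Write-Host ("{0} (removable) -> execution {1}" -f $drive, $status)
}
```

Run it in an elevated Windows PowerShell session on a client after `gpupdate /force`, with a test USB stick attached; a drive reported as "NOT blocked" means neither control applies to that letter, which is exactly the gap the question worries about when relying on per-letter SRP rules. Because the SRP rules live in both the computer and user hives, the script reads both so a rule created under User Configuration, as in the question, is counted.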

Solution 2:

Some corporate anti-virus products (e.g. McAfee, Sophos, Symantec) include this function as something that can be enabled corporately. Maybe your corporate anti-virus solution has this as a feature.