Windows - Software restriction policy to block exe files in all subdirectories
As per Microsoft's guidance on GPO Software Restriction:
http://technet.microsoft.com/en-us/library/bb457006.aspx
Path Rules
A path rule can specify a folder or fully qualified path to a program. When a path rule specifies a folder, it matches any program contained in that folder and any programs contained in subfolders. Both local and UNC paths are supported.
Using Environment Variables in Path Rules.
A path rule can use environment variables. Since path rules are evaluated in the client environment, the ability to use environment variables (for example, %WINDIR%) allows a rule to adapt to a particular user's environment.
Important: Environment variables are not protected by access control lists (ACL). If users can start a command prompt they can redefine an environment variable to a path of their choosing.
Using Wildcards in Path Rules.
A path rule can incorporate the '?' and '*' wildcards, allowing rules such as "*.vbs" to match all Visual Basic® Script files. Some examples:
•"\\DC-??\login$" matches \\DC-01\login$, \\DC-02\login$
•"*\Windows" matches C:\Windows, D:\Windows, E:\Windows
•"c:\win*" matches c:\winnt, c:\windows, c:\windir
So since a user can just redefine where %APPDATA% points to, consider using the APPDATA environment variable in your path rule, instead of the actual fully-qualified file system path.
More documentation:
The following examples show instances of applying environment variables to a path rule:
• “%UserProfile%” matches C:\Documents and Settings\User and all subfolders under this directory.
• “%ProgramFiles%\Application” matches C:\Program Files\Application and all subfolders under this directory.
Just tested this. Even when using %APPDATA% instead of a direct system path, unless you make a rule for each subfolder level (*, *\*, *\*\*, and so on, for however deep you want it to go), Windows stops enforcing once you go past the depth you defined.
I tested this by putting a self-contained auto clicker into the AppData\Roaming directory, then added a folder and moved the exe deeper into the file structure. After going past 3 levels deep, as defined in the Local Security Policy, Windows allowed the auto clicker to run.
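As an added example (not code from the thread or from Microsoft), the script below does two things that follow from the quoted path-rule documentation and from the depth observation in the last comment: it generates a ladder of Disallowed wildcard rules for a root such as %APPDATA% (one rule per folder depth, because '*' does not span a backslash), and it models the matching so you can see which of your rules would cover a given file before you roll the policy out. The registry layout (CodeIdentifiers\0\Paths\{GUID} with ItemData, SaferFlags and Description values) is assumed to be the one the Local Security Policy snap-in writes for Disallowed path rules; the matching model (expand environment variables, '*' matches a run of non-backslash characters, '?' matches one) is my reading of the quoted documentation, not a call into the SRP engine. Function names and the sample file paths are my own.

```powershell
# Added example, not part of the original thread.
# ASSUMPTION: Disallowed path rules live under this key as {GUID} subkeys holding
# ItemData (REG_EXPAND_SZ), SaferFlags (DWORD 0) and Description (REG_SZ).
# Confirm against an existing rule on your host before writing anything.
$SrpDisallowedPaths = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths'

function Get-SrpDepthRules {
    # Returns one wildcard rule per folder depth, e.g. for -MaxDepth 2:
    #   %APPDATA%\*.exe   %APPDATA%\*\*.exe   %APPDATA%\*\*\*.exe
    # Each extra "\*" segment is needed because '*' stops at a backslash.
    param(
        [Parameter(Mandatory)][string]$Root,        # e.g. '%APPDATA%'
        [string[]]$Extensions = @('exe'),
        [int]$MaxDepth = 4
    )
    foreach ($depth in 0..$MaxDepth) {
        $mid = '\*' * $depth
        foreach ($ext in $Extensions) {
            "$Root$mid\*.$ext"
        }
    }
}

function Add-SrpDisallowedPathRule {
    # Writes one Disallowed path rule. Run elevated; use -WhatIf to preview.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Rule,
        [string]$Description = 'Added by Get-SrpDepthRules example'
    )
    $key = Join-Path $SrpDisallowedPaths ('{' + [guid]::NewGuid().ToString() + '}')
    if ($PSCmdlet.ShouldProcess($key, "Create Disallowed path rule '$Rule'")) {
        New-Item -Path $key -Force | Out-Null
        # REG_EXPAND_SZ so %APPDATA% is expanded on the client when the rule is evaluated
        New-ItemProperty -Path $key -Name ItemData    -PropertyType ExpandString -Value $Rule        -Force | Out-Null
        New-ItemProperty -Path $key -Name SaferFlags  -PropertyType DWord        -Value 0            -Force | Out-Null
        New-ItemProperty -Path $key -Name Description -PropertyType String       -Value $Description -Force | Out-Null
    }
    return $key
}

function Test-SrpRuleCoverage {
    # Model of path-rule matching (my reading of the quoted docs, not the SRP engine):
    # environment variables are expanded, '*' matches any run of characters without a
    # backslash, '?' matches a single non-backslash character. Returns the first rule
    # that covers the file, or $null when no rule does.
    param(
        [Parameter(Mandatory)][string[]]$Rules,
        [Parameter(Mandatory)][string]$FilePath
    )
    $target = [Environment]::ExpandEnvironmentVariables($FilePath)
    foreach ($rule in $Rules) {
        $expanded = [Environment]::ExpandEnvironmentVariables($rule)
        # Escape the rule as a literal, then turn the escaped wildcards back into regex
        $pattern = '^' + ([regex]::Escape($expanded) -replace '\\\*', '[^\\]*' -replace '\\\?', '[^\\]') + '$'
        if ($target -match $pattern) { return $rule }   # -match is case-insensitive, like NTFS paths
    }
    return $null
}

# --- Demonstration -----------------------------------------------------------
$rules = Get-SrpDepthRules -Root '%APPDATA%' -Extensions 'exe' -MaxDepth 3
$rules | ForEach-Object { Add-SrpDisallowedPathRule -Rule $_ -WhatIf }   # drop -WhatIf to write

# Constructed paths mirroring the test in the thread: 3 folders deep is covered, 4 is not.
foreach ($file in '%APPDATA%\a\b\c\clicker.exe', '%APPDATA%\a\b\c\d\clicker.exe') {
    $hit = Test-SrpRuleCoverage -Rules $rules -FilePath $file
    if ($hit) { "$file -> blocked by $hit" } else { "$file -> NOT COVERED by any rule" }
}
```

Two caveats that the quoted documentation already implies. First, a plain folder rule (ItemData set to %APPDATA% with no wildcard) matches the folder and every subfolder, so the depth ladder is only needed when you want to restrict particular extensions with wildcards rather than everything in the tree. Second, the "Important" note above applies to every rule generated here: because %APPDATA% is expanded in the client environment, a user who can open a command prompt and redefine it is evaluating a different rule than the one you wrote, so pair these rules with a default level of Disallowed rather than relying on them as a deny list over an Unrestricted default. After writing, open secpol.msc and confirm the rules appear under Software Restriction Policies > Additional Rules before trusting them.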