Standalone backup agent for Microsoft Windows servers and workstations (formerly Veeam Endpoint Backup FREE)
csnow123
Novice
Posts: 5
Liked: never
Joined: Dec 16, 2014 7:50 pm

Install blocked by group policy

Post by csnow123 »

Have group policy to block most .exe from executing in temp locations. Think CryptoLocker.

Access to C:\Users\xxx\AppData\Local\Temp\Temp1_Veeam.Endpoint.Backup.8.0.0.1822.BETA.zip\EndPoint.8.0.0.1822.exe has been restricted by your Administrator by location with policy rule {431c1074-5bc6-4045-a8e4-50ddb52c0719} placed on path C:\Users\xxx\AppData\Local\Temp\*.zip\*.exe.

Should recode so that it doesn't use that path.
Dima P.
Product Manager
Posts: 14720
Liked: 1705 times
Joined: Feb 04, 2013 2:07 pm
Full Name: Dmitry Popov
Location: Prague

Re: Install blocked by group policy

Post by Dima P. »

Hello csnow123,
From my experience, it is common for software to use C:\Users\xxx\AppData\Local\Temp\ as a temporary location while self-unpacking. Could you please say whether it is a default group policy, or whether deploying such a policy is considered to be a best practice? Thank you.

Re: Install blocked by group policy

Post by csnow123 »

I used the GPO provided in this article and links
http://community.spiceworks.com/topic/3 ... it-updated

Not sure I would consider it a best practice (yet) and it does cause issues, notably acrobat flash and join.me.

But it's another measure of security to keep programs from being installed or run. Most PC users have just local rights but can still run from the various temp directories. Easier to do this than whitelist all programs.

I would prefer that exe's that need to unpack do so in the directory they are run from.

Separate GPO, looks like this:

Software Restriction Policies/Additional Rules
Path Rules
%AppData%\*.exe
Security Level Disallowed
Description Disables ability for executables(exe files) from running under AppData folder
Date last modified 10/7/2013 10:01:19 AM

%AppData%\*\*.exe
Security Level Disallowed
Description Disables ability for executables(exe files) from running under AppData\<Vendor>\ folder
Date last modified 10/7/2013 10:02:46 AM

%localAppData%\*.exe
Security Level Disallowed
Description
Date last modified 10/7/2013 10:12:09 AM

%localAppData%\*\*.exe
Security Level Disallowed
Description
Date last modified 10/7/2013 10:13:06 AM

%Temp%\*.zip\*.exe
Security Level Disallowed
Description Block executables run from archive attachments opened using Windows built-in Zip support.
Date last modified 10/17/2013 4:58:50 PM

%Temp%\7z*\*.exe
Security Level Disallowed
Description Block executables run from archive attachments opened with 7zip
Date last modified 10/17/2013 4:57:52 PM
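
An offline check of which of the path rules listed above would match a given executable path, added here as an example and not part of the original post. It assumes `*` stays within one path component and uses a constructed environment for the profile `xxx`; actual SRP matching on Windows may differ.

```python
import re

# Path rules as listed in the GPO report above.
RULES = [
    r"%AppData%\*.exe",
    r"%AppData%\*\*.exe",
    r"%localAppData%\*.exe",
    r"%localAppData%\*\*.exe",
    r"%Temp%\*.zip\*.exe",
    r"%Temp%\7z*\*.exe",
]

# Constructed environment for the profile "xxx" seen in the error message.
ENV = {
    "appdata": r"C:\Users\xxx\AppData\Roaming",
    "localappdata": r"C:\Users\xxx\AppData\Local",
    "temp": r"C:\Users\xxx\AppData\Local\Temp",
}

def expand(rule, env=ENV):
    """Replace %VAR% with its value; variable names are case-insensitive."""
    return re.sub(r"%([^%\\]+)%",
                  lambda m: env.get(m.group(1).lower(), m.group(0)), rule)

def rule_regex(rule, env=ENV):
    """Compile a rule into a case-insensitive regex over the full path.

    Assumption: '*' and '?' never cross a backslash, so each wildcard
    stays inside one path component.
    """
    escaped = re.escape(expand(rule, env))
    escaped = escaped.replace(r"\*", r"[^\\]*").replace(r"\?", r"[^\\]")
    return re.compile(escaped + r"\Z", re.IGNORECASE)

def blocking_rules(exe_path, rules=RULES, env=ENV):
    """Return every rule whose pattern matches exe_path."""
    path = exe_path.replace("/", "\\")
    return [r for r in rules if rule_regex(r, env).match(path)]

if __name__ == "__main__":
    blocked = (r"C:\Users\xxx\AppData\Local\Temp"
               r"\Temp1_Veeam.Endpoint.Backup.8.0.0.1822.BETA.zip"
               r"\EndPoint.8.0.0.1822.exe")
    print(blocking_rules(blocked))
```

Running candidate installer paths through `blocking_rules` before rollout shows which rule, if any, would stop them, for example a self-extractor that unpacks directly into `%Temp%` falls under the `%localAppData%\*\*.exe` rule rather than the zip rule.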
ITP-Stan
Expert
Posts: 214
Liked: 61 times
Joined: Feb 18, 2013 10:45 am
Full Name: Stan G

Re: Install blocked by group policy

Post by ITP-Stan »

You would prefer if each program used its own TEMP directory inside its current path?
That would be hell to clean up, so no, I don't agree on this one.

Re: Install blocked by group policy

Post by Dima P. »

csnow123,
Thanks for the details! I agree with Stan - it’s just easier to manage one folder via software permissions than to have a separate temp folder for every piece of software (and again manage all of them, but separately).