Install blocked by group policy

Backup agent for Microsoft Windows servers and workstations (formerly Veeam Endpoint Backup FREE)

by csnow123 » Tue Dec 16, 2014 7:52 pm

Have group policy to block most .exe from executing in temp locations. Think CryptoLocker.

Access to C:\Users\xxx\AppData\Local\Temp\Temp1_Veeam.Endpoint.Backup.8.0.0.1822.BETA.zip\EndPoint.8.0.0.1822.exe has been restricted by your Administrator by location with policy rule {431c1074-5bc6-4045-a8e4-50ddb52c0719} placed on path C:\Users\xxx\AppData\Local\Temp\*.zip\*.exe.

Should recode so that it doesn't use that path.
csnow123
Novice
 

Re: Install blocked by group policy

by Dima P. » Tue Dec 16, 2014 8:04 pm

Hello csnow123,
From my experience, it is common for software to use C:\Users\xxx\AppData\Local\Temp\ as a temporary location while performing self-unpacking. Could you please clarify whether this is a default group policy, or whether deploying such a policy is considered to be a best practice? Thank you.
Dima P.
Veeam Software
 
Location: SPb
Full Name: Dmitry Popov

Re: Install blocked by group policy

by csnow123 » Mon Dec 22, 2014 2:00 pm

I used the gpo provided in this article and links
http://community.spiceworks.com/topic/3 ... it-updated

Not sure I would consider it a best practice (yet) and it does cause issues, notably acrobat flash and join.me.

But, it's another measure of security to keep programs from being installed or run. Most pc users have just local rights but can still run from the various temp directories. Easier to do this than whitelist all programs.

I would prefer that exe's that need to unpack do so in the directory they are run from.

Separate GPO, looks like this:

Software Restriction Policies/Additional Rules
Path Rules

%AppData%\*.exe
Security Level: Disallowed
Description: Disables ability for executables(exe files) from running under AppData folder
Date last modified: 10/7/2013 10:01:19 AM

%AppData%\*\*.exe
Security Level: Disallowed
Description: Disables ability for executables(exe files) from running under AppData\<Vendor>\ folder
Date last modified: 10/7/2013 10:02:46 AM

%localAppData%\*.exe
Security Level: Disallowed
Description:
Date last modified: 10/7/2013 10:12:09 AM

%localAppData%\*\*.exe
Security Level: Disallowed
Description:
Date last modified: 10/7/2013 10:13:06 AM

%Temp%\*.zip\*.exe
Security Level: Disallowed
Description: Block executables run from archive attachments opened using Windows built-in Zip support.
Date last modified: 10/17/2013 4:58:50 PM

%Temp%\7z*\*.exe
Security Level: Disallowed
Description: Block executables run from archive attachments opened with 7zip
Date last modified: 10/17/2013 4:57:52 PM
csnow123
Novice
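
To see which launch paths the path rules listed in the post above would stop before rolling such a GPO out, the following sketch evaluates paths against them. It is an added example, not part of the original post and not Veeam's or the linked article's code. It assumes `*` and `?` do not cross a backslash (as the rule descriptions imply), writes the zip rule with `%Temp%`, and uses constructed profile paths for the user xxx.

```python
import re

# Path rules from the GPO report in the post (all "Disallowed").
RULES = [
    r"%AppData%\*.exe",
    r"%AppData%\*\*.exe",
    r"%localAppData%\*.exe",
    r"%localAppData%\*\*.exe",
    r"%Temp%\*.zip\*.exe",
    r"%Temp%\7z*\*.exe",
]

# Assumed per-user values for user "xxx" (constructed, not read from a real host).
ENV = {
    "appdata": r"C:\Users\xxx\AppData\Roaming",
    "localappdata": r"C:\Users\xxx\AppData\Local",
    "temp": r"C:\Users\xxx\AppData\Local\Temp",
}

def rule_to_regex(rule, env=ENV):
    """Expand %VAR% and translate wildcards; assumes '*' and '?' stop at a backslash."""
    expanded = re.sub(r"%([^%]+)%", lambda m: env[m.group(1).lower()], rule)
    parts = []
    for ch in expanded:
        if ch == "*":
            parts.append(r"[^\\]*")
        elif ch == "?":
            parts.append(r"[^\\]")
        else:
            parts.append(re.escape(ch))
    return re.compile("".join(parts), re.IGNORECASE)

def blocking_rules(path, rules=RULES, env=ENV):
    """Return every rule whose pattern matches the full executable path."""
    return [r for r in rules if rule_to_regex(r, env).fullmatch(path)]

if __name__ == "__main__":
    samples = [  # first path is from the error message; the others are constructed
        r"C:\Users\xxx\AppData\Local\Temp\Temp1_Veeam.Endpoint.Backup.8.0.0.1822.BETA.zip\EndPoint.8.0.0.1822.exe",
        r"C:\Users\xxx\AppData\Local\Temp\setup.exe",
        r"C:\Program Files\Example\app.exe",
    ]
    for p in samples:
        print(p, "->", blocking_rules(p) or "not matched by any rule")
```

Running the same check over a software inventory's known install and unpack paths shows which legitimate installers will need an exception before the policy is enforced.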
 

Re: Install blocked by group policy

by ITP-Stan » Mon Dec 22, 2014 4:14 pm

You would prefer if each program uses its own TEMP directory inside their current path?
That would be hell to clean up, so no, I don't agree on this one.
ITP-Stan
Veeam ProPartner
 
Full Name: Stan (IF-IT4U)

Re: Install blocked by group policy

by Dima P. » Tue Dec 23, 2014 12:12 am

csnow123,
Thanks for the details! I agree with Stan - it's just easier to manage one folder via software permissions than to have a separate temp folder for every piece of software (and again manage all of them, but separately).
Dima P.
Veeam Software
 

