Blocking Batch Files from operating on the desktop of a roaming profile

    Question

  • Hi,

    Working in a Server 2008 R2 environment, we would like to block the creation and operation of batch files.

    We use roaming profiles and folder redirected home drives and have successfully implemented File Screening using FSRM on the home drives, which works perfectly. However, if I try to use File Screening on the Desktop folder of the remotely stored roaming profile folder it doesn't work.

    The only other way I thought may work would be to use a GPO with Software Restriction Policies and a Path Rule to attempt to stop them running and/or being created on the users' desktops.

    What is best practice for this?

    Tuesday, October 22, 2013 1:57 PM

Answers

  • We use folder redirection with FSRM file screens. This includes the Desktop and it works quite well. What sort of problems are you getting with the roaming profiles? The major difference, I guess, is that with folder redirection the file will be subject to the FSRM screen as soon as you try to create it, whereas with roaming profiles the file is created locally and then uploaded to your profile share later on?

    Maybe a combination of the two would help:

    http://www.grouppolicy.biz/2010/08/best-practice-roaming-profiles-and-folder-redirection-a-k-a-user-virtualization/
    http://technet.microsoft.com/en-us/library/hh848267.aspx

    The other thing is that FSRM screens will only come into effect on a write to the file as far as I know. So if the bat or cmd file already exists the screen may not block a read to it.

    You may want to look into AppLocker rather than Software Restriction Policies to block execution of the scripts if you have the right client OSes; it brings a lot more flexibility to the party: http://technet.microsoft.com/en-us/library/ee619725(v=ws.10).aspx#BKMK_FileTypes

    I hope this helps,
    Mark

    • Marked as answer by AGarrett86 Thursday, October 31, 2013 2:25 PM
    Tuesday, October 29, 2013 8:52 AM
  • Hi,

    1. FSRM would break Roaming Profile uploading

    2. Agree with Mark. AppLocker is able to do the trick. Deny the path of CMD.exe.

    Regards, Brian


    • Edited by Brian Re - MSFT Thursday, October 31, 2013 2:31 AM
    • Marked as answer by AGarrett86 Thursday, October 31, 2013 2:25 PM
    Thursday, October 31, 2013 2:31 AM
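    Putting Mark's and Brian's suggestions together, the following PowerShell is an added example that is not part of this thread and not Microsoft's own code: it builds an AppLocker Script rule collection (the collection that covers .bat and .cmd files, which a rule on cmd.exe alone does not), denies those files on user Desktops both locally and on the profile share, and applies the policy in AuditOnly mode first so the effect can be checked in the AppLocker event log before enforcing. The share path \\FILESERVER\Profiles$ and the sample file name are placeholders, and the wildcard path syntax should be confirmed with Test-AppLockerPolicy on your own clients before enforcement.

```powershell
# Added example, not from the thread. Requires Windows 7 Enterprise/Ultimate or
# Server 2008 R2+ and the AppLocker PowerShell module that ships with them.
Import-Module AppLocker

$profileShare = '\\FILESERVER\Profiles$'             # placeholder: your profile share
$policyPath   = Join-Path $env:TEMP 'DenyDesktopBatch.xml'

# Emit one AppLocker FilePathRule element. SID S-1-1-0 is "Everyone".
function New-PathRuleXml {
    param(
        [string]$Name,
        [string]$Path,
        [ValidateSet('Allow','Deny')][string]$Action,
        [string]$Sid = 'S-1-1-0'
    )
    $id = [guid]::NewGuid().ToString()
@"
    <FilePathRule Id="$id" Name="$Name" Description="" UserOrGroupSid="$Sid" Action="$Action">
      <Conditions>
        <FilePathCondition Path="$Path" />
      </Conditions>
    </FilePathRule>
"@
}

$rules = @(
    # Once a collection contains any rule, everything not explicitly allowed is
    # blocked, so keep allow rules for the system locations scripts legitimately
    # run from (mirrors AppLocker's default Script rules). Add your logon-script
    # share here if you have one.
    New-PathRuleXml -Name 'Allow scripts in Windows'       -Path '%WINDIR%\*'       -Action Allow
    New-PathRuleXml -Name 'Allow scripts in Program Files' -Path '%PROGRAMFILES%\*' -Action Allow

    # Explicit deny rules always win over allow rules, so these keep holding even
    # if a broader allow (e.g. the whole profile share) is added later.
    New-PathRuleXml -Name 'Deny .bat on local Desktop' -Path '%OSDRIVE%\Users\*\Desktop\*.bat' -Action Deny
    New-PathRuleXml -Name 'Deny .cmd on local Desktop' -Path '%OSDRIVE%\Users\*\Desktop\*.cmd' -Action Deny
    New-PathRuleXml -Name 'Deny .bat on profile share' -Path "$profileShare\*\Desktop\*.bat"   -Action Deny
    New-PathRuleXml -Name 'Deny .cmd on profile share' -Path "$profileShare\*\Desktop\*.cmd"   -Action Deny
)

# AuditOnly writes "would have been blocked" events (ID 8006 in the
# AppLocker/MSI and Script log) without stopping anything; switch to
# "Enabled" once the log shows only the files you intend to block (ID 8007).
$policyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Script" EnforcementMode="AuditOnly">
$($rules -join "`n")
  </RuleCollection>
</AppLockerPolicy>
"@
Set-Content -Path $policyPath -Value $policyXml -Encoding UTF8

# Dry run: a constructed test file on this account's own Desktop should report Denied.
$sample = Join-Path $env:USERPROFILE 'Desktop\applocker-test.bat'   # placeholder name
Set-Content -Path $sample -Value '@echo off'
Test-AppLockerPolicy -XmlPolicy $policyPath -Path $sample -User Everyone

# AppLocker only enforces while the Application Identity service is running.
Set-Service -Name AppIDSvc -StartupType Automatic
Start-Service -Name AppIDSvc

# Apply to the local policy; for a domain GPO pass -Ldap "LDAP://<dc>/<gpo DN>" instead.
Set-AppLockerPolicy -XmlPolicy $policyPath
```

    The deny rules are deliberately listed alongside system allow rules rather than on their own: without any allow rules every script on the client would be blocked, and without the deny rules a later, broader allow rule would silently re-enable batch files on the Desktop. Run the policy in AuditOnly mode for a few days and review the Script log before switching EnforcementMode to Enabled.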

All replies

  • A creative idea. Seems ok... why not simply test it in a virtual environment?

    Howtodo

    Friday, October 25, 2013 4:30 PM
  • Hi,

    Thank you for posting your issue in the forum.

    I am trying to involve someone familiar with this topic to further look at this issue. There might be some time delay. Appreciate your patience.

    Thank you for your understanding and support.

    Best Regards,

    Justin Gu

    Tuesday, October 29, 2013 8:30 AM
  • Hi Justin,

    Thanks for your reply, that's perfect, I'll look forward to your reply. Any ideas on how to block the creation and running of batch files on the desktop of a roaming profile would be greatly appreciated.

    We already block the use of CMD via GPO; however, that doesn't block any batch file that doesn't start cmd.

    Tuesday, October 29, 2013 8:58 AM
  • Hi Mark,

    Thanks for your reply. The problem we are getting is that once the screen is applied it just doesn't do anything.

    I've tried it on the top level of the roaming profile as well as just the Desktop sub folder, and I've also tried the passive approach, and it doesn't even log anything in the event log to say it's been created or tried to be used.

    I've applied the same screen on the home drive, which uses folder redirection, and it works perfectly.

    Thanks for the links, I'll take a look at AppLocker too.

    Tuesday, October 29, 2013 9:13 AM
  • Hi Brian,

    Thanks for your thoughts on this. I thought it was impossible to do it using FSRM and you and Mark have confirmed this.

    I think AppLocker is the way forward as you suggest.

    Thanks all for your help.

    • Marked as answer by AGarrett86 Thursday, October 31, 2013 2:25 PM
    • Unmarked as answer by AGarrett86 Thursday, October 31, 2013 2:25 PM
    Thursday, October 31, 2013 2:25 PM