Active Content CD's

  • Question

  •  

    I tried searching a bit but didn't find anything similar, so here's my issue. We are running SteadyState on a few lab machines in an education environment; occasionally staff wants to use CD's that auto run active content (QuickTime, etc.). My current settings prohibit the CD from running for the user, even after I have enabled it for the administrator. I checked the settings and Autorun is not disabled, but I can't find anything related to active content or scripts being blocked.

     

    Currently, I do have the option of "Only allow programs from Program Files and Windows directories" checked. Is this what is blocking the CD's from running?


    It seems like if I uncheck this I am opening up the security too much; what's to prevent someone from burning L0phtCrack on a CD and putting it on the autorun.inf? Can anyone with a similar experience give their thoughts on the best way to enable this? Thanks.

    Thursday, November 15, 2007 7:41 PM

Answers

  • Hi Pmj0383,

     

    Please understand that allowing Autorun may not be a good manner to secure the computer (as you may know, some viruses use this feature to affect the system). If most of the CD's are audio or video files, we can install the related players and then suggest users open the CD's manually.

     

    However, if you decide to enable the Autorun feature, here are my suggestions:

     

    Option 1: Uncheck "Only allow programs from Program Files and Windows directories" option to allow programs running from CD.

     

    Option 2: Create an additional rule to allow files running from CD

    ==============

    1. Click Start and then Run.

    2. Type in gpedit.msc and click OK.

    3. Locate: Computer Configuration\Windows Settings\Security Settings\Software Restriction Policies\Security Levels

    4. Double click Disallowed. Click “Set as default” and then click OK.

     

    Note: This security level will prevent all software from running except the rules under “Additional Rules”

     

    5. Locate: Computer Configuration\Windows Settings\Security Settings\Software Restriction Policies\Additional Rules

    6. Right click the blank space and then choose “New Path Rule”.

    7. Input the path of your CD drive. Configure Security Level as Unrestricted and click OK.

     

    Note: “New Path Rule” will allow all programs under the path you specified. If there are only a limited number of CD's (or programs), we can use “New Hash Rule” to allow defined programs.

     

    For more information about Software Restriction Policy, please refer to the following website:

     

    Software Restriction Policy for Windows XP Clients

    http://www.microsoft.com/technet/security/prodtech/windowsxp/secwinxp/xpsgch06.mspx

     

    Best Regards,

     

    Friday, November 16, 2007 7:18 AM
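
    An added example, not part of the original answer: a simplified Python model of how the policy from steps 4 and 7 evaluates a program run from the CD drive, comparing the path rule with the hash rule mentioned in the closing note. The drive letter D:, the SHA-256 digest, the baseline path rules and the sample file contents are assumptions made for the illustration.

```python
import hashlib
from dataclasses import dataclass, field

@dataclass
class Policy:
    """Simplified SRP model: True = Unrestricted, False = Disallowed."""
    default_allow: bool = False                      # Disallowed set as default (step 4)
    path_rules: dict = field(default_factory=dict)   # path prefix -> level
    hash_rules: dict = field(default_factory=dict)   # file digest -> level

def digest(content: bytes) -> str:
    # Assumption: SHA-256 stands in for whatever hash the OS records in a hash rule.
    return hashlib.sha256(content).hexdigest()

def is_allowed(policy: Policy, path: str, content: bytes) -> bool:
    """Hash rules outrank path rules; the most specific path rule wins;
    anything unmatched falls through to the default level."""
    d = digest(content)
    if d in policy.hash_rules:
        return policy.hash_rules[d]
    target = path.lower()
    hits = [p for p in policy.path_rules
            if target.startswith(p.rstrip("\\").lower() + "\\")]
    if hits:
        return policy.path_rules[max(hits, key=len)]
    return policy.default_allow

# Constructed stand-ins for file contents (not real binaries).
COURSEWARE = b"constructed: approved courseware launcher"
UNAPPROVED = b"constructed: program burned onto a disc by a user"

# Assumed baseline: only the Windows and Program Files directories are allowed.
BASE = {r"C:\Windows": True, r"C:\Program Files": True}

# Step 7 as written: a path rule for the CD drive (drive letter D: is assumed).
PATH_POLICY = Policy(path_rules={**BASE, "D:": True})
# The alternative from the note: a hash rule for the one approved launcher.
HASH_POLICY = Policy(path_rules=dict(BASE), hash_rules={digest(COURSEWARE): True})

def compare() -> dict:
    """Evaluate both files, run from the CD drive, under both policies."""
    cases = {"courseware": (r"D:\start.exe", COURSEWARE),
             "unapproved": (r"D:\start.exe", UNAPPROVED)}
    return {(name, label): is_allowed(pol, path, data)
            for label, pol in (("path", PATH_POLICY), ("hash", HASH_POLICY))
            for name, (path, data) in cases.items()}

if __name__ == "__main__":
    for key, allowed in compare().items():
        print(key, "allowed" if allowed else "blocked")
```

    Under the path rule both files run from the disc; under the hash rule only the file whose digest was registered runs, and the same file name with different contents is blocked.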

All replies

  • Very informative, thank you for the information.

     

    Almost all of the CD's in question launch a webpage at first, and then have audio/video files in addition to the content.

     

    I will have to decide what is the best option. Thanks again.

     

    Friday, November 16, 2007 1:43 PM