How to make restrictions on extensions in group policies 2008R2?

P

Pavel Semenov2016-06-15 19:15:02

Active Directory

Pavel Semenov, 2016-06-15 19:15:02

All evening. can you please tell me how to prevent running/saving/opening certain extensions on the server 2008R2 through group policies?
It's just that the ransomware has already gotten rid of the viruses (((there is no rescue from them ( so I decided to ban certain extensions as much as possible, so at least some kind of clumsy protection will be for a while.
Thank you!

Reply

Answer the question

In order to leave comments, you need to log in

2 answer(s)

S

satoo, 2016-06-15
@satoo

maybe SRP is best
In a general sense, you take away administrator rights (nothing will help without this) and allow programs to run only in certain directories (% ProgramW6432%,% ProgramFiles%,% windir%). You can also allow the program to run by its checksum (so that the legal one is not replaced with the "left" one in the writable directory).
Because a user without administrator rights cannot write anything there - malware will not end up there. All files that come by mail disguised as pictures but have executable extensions will not run. This will not save you from macro viruses (if anyone else remembers them), but it will help you by 98% against droppers of cryproviruses (and better than any antivirus). It will also help from installing / using "left" and portable software (and all sorts of mailboxes and other programs that do not require administrator rights and are installed in the user's directory)

M

Maxim Zabelin, 2016-06-15
@stecker

From encryptors will not help. Well, they will send you a GPO-allowed pdf with malware, which will be recorded in AppData, by mail, how will it save you? Only defense in depth, in which the white list of applications can be only one of the items.