The best protection of user access control on Windows 7 (32 & 64bit) ?

Discussion in 'other anti-malware software' started by yudigadget, Oct 14, 2012.

Thread Status:
Not open for further replies.
  1. yudigadget

    yudigadget Registered Member

    Joined:
    Dec 30, 2008
    Posts:
    42
    Dear all,
    I have a problem setting up the best user access control on Windows 7 (32 & 64bit). I will implement it on my client's PCs; there are about 30 PCs.
    I would like to:
    - Block users from downloading from the internet / copying from a flash disk / copying from anywhere to the PC, based on file extension (*.exe, *.com, *.msi, *.mpg, *.mp3, etc.)
    - Allow users to access files only from C:\, but with an exclusion for Thunderbird Portable, which is stored in D:\my documents\

    Do you know what the best & low-cost (or maybe free) method is?

    Thanks,
    Yudi
     
  2. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Have a look at the 1806 trick. This will prevent downloads of executables. Add the media files to the high-risk attachments and they will be blocked too. Remove users' permissions on the registry keys controlling these settings. If you are not able to write these scripts yourself, there are a handful of members running an IT service company. I am sure the cost of having such a script written by a freelancer, even at US or euro rates, far exceeds the cost of doing this manually.

    As for external data sources such as USB, there are some freebies controlling access; google CNET for corporate security apps which are free.
     
  3. yudigadget

    yudigadget Registered Member

    Joined:
    Dec 30, 2008
    Posts:
    42
    Hi Kees1958,
    Do you mean the "1806 registry tweak"?
    I found some information at:
    https://www.wilderssecurity.com/archive/index.php/t-261346.html
    https://www.wilderssecurity.com/showthread.php?t=321428
    Is that correct?

    Well, no problem if there is a charge in US or EURO for this script job, but it would be nice if it is not too expensive. Just give me the basic / core script of these security settings, then I will do the rest. I don't know, is about 50 USD too cheap? I would like to pay for the effort, maybe using PayPal; if that is too cheap, just tell me.

    Actually, I've done perfect security settings with EQSecure (learned from Alcyon, EASTER, etc.). AFAIK you have discussed EQSecure too. With EQSecure all employee PCs are very secure, no complaints about viruses anymore. It really saves my life, my time, etc. :)
    But the problem is EQSecure only supports Windows XP. Now life must go on; some new computers are using Windows 7 (x86 & x64), so that has become a nightmare for me.
    Well, these are some of my EQSecure settings:
    <Rule Data0="*" Type="1" />
    <Rule SubType="15" IncludeSub="1" Action="15" Log="0" Ask="0" Data0="*" Type="2">
    <Group Name="Allow" ModeID="1">
    <Rule SubType="15" IncludeSub="1" Action="15" Log="0" Ask="0" ExcludeDirectory="0" Enabled="1" MD5Check="0" MD5Value="" Desc="" Data0="?:\Users\ThunderbirdPortable\*.*" />
    <Rule SubType="15" IncludeSub="1" Action="15" Log="0" Ask="0" ExcludeDirectory="0" Enabled="1" MD5Check="0" MD5Value="" Desc="" Data0="?:\Mozilla Thunderbird\*" />
    <Rule SubType="15" IncludeSub="1" Action="2" Log="13" Ask="0" ExcludeDirectory="0" Enabled="1" MD5Check="0" MD5Value="" Desc="" Data0="%SystemDrive%\*.bat" />
    <Rule SubType="15" IncludeSub="1" Action="2" Log="13" Ask="0" ExcludeDirectory="0" Enabled="1" MD5Check="0" MD5Value="" Desc="" Data0="%SystemDrive%\*.cmd" />
    <Rule SubType="15" IncludeSub="1" Action="2" Log="13" Ask="0" ExcludeDirectory="0" Enabled="1" MD5Check="0" MD5Value="" Desc="" Data0="%SystemDrive%\*.com" />
    <Rule SubType="15" IncludeSub="1" Action="2" Log="13" Ask="0" ExcludeDirectory="0" Enabled="1" MD5Check="0" MD5Value="" Desc="" Data0="%SystemDrive%\*.dll" />
    <Rule SubType="15" IncludeSub="1" Action="2" Log="13" Ask="0" ExcludeDirectory="0" Enabled="1" MD5Check="0" MD5Value="" Desc="" Data0="%SystemDrive%\*.exe" />
    <Rule SubType="15" IncludeSub="1" Action="2" Log="13" Ask="0" ExcludeDirectory="0" Enabled="1" MD5Check="0" MD5Value="" Desc="" Data0="%SystemDrive%\*.js" />
    <Rule SubType="15" IncludeSub="1" Action="2" Log="13" Ask="0" ExcludeDirectory="0" Enabled="1" MD5Check="0" MD5Value="" Desc="" Data0="%WinDir%\system32\*.scr" />
    <Rule SubType="15" IncludeSub="1" Action="2" Log="13" Ask="0" ExcludeDirectory="0" Enabled="1" MD5Check="0" MD5Value="" Desc="" Data0="%SystemDrive%\*.sys" />
    </Group>
    <Group Name="Virus Protection" ModeID="1">
    <Rule SubType="15" IncludeSub="1" Action="0" Log="15" Ask="0" ExcludeDirectory="0" Enabled="1" MD5Check="0" MD5Value="" Desc="" Data0="?:\*.bat" />
    <Rule SubType="15" IncludeSub="1" Action="0" Log="15" Ask="0" ExcludeDirectory="0" Enabled="1" MD5Check="0" MD5Value="" Desc="" Data0="?:\*.cmd" />
    <Rule SubType="15" IncludeSub="1" Action="0" Log="15" Ask="0" ExcludeDirectory="0" Enabled="1" MD5Check="0" MD5Value="" Desc="" Data0="?:\*.com" />
    <Rule SubType="15" IncludeSub="1" Action="0" Log="15" Ask="0" ExcludeDirectory="0" Enabled="1" MD5Check="0" MD5Value="" Desc="" Data0="?:\*.dll" />
    <Rule SubType="15" IncludeSub="1" Action="0" Log="15" Ask="0" ExcludeDirectory="0" Enabled="1" MD5Check="0" MD5Value="" Desc="" Data0="?:\*.exe" />
    <Rule SubType="15" IncludeSub="1" Action="0" Log="15" Ask="0" ExcludeDirectory="0" Enabled="1" MD5Check="0" MD5Value="" Desc="" Data0="?:\*.js" />
    <Rule SubType="15" IncludeSub="1" Action="0" Log="15" Ask="0" ExcludeDirectory="0" Enabled="1" MD5Check="0" MD5Value="" Desc="" Data0="?:\*.ovl" />
    <Rule SubType="15" IncludeSub="1" Action="0" Log="15" Ask="0" ExcludeDirectory="0" Enabled="1" MD5Check="0" MD5Value="" Desc="" Data0="?:\*.pif" />
    <Rule SubType="15" IncludeSub="1" Action="0" Log="15" Ask="0" ExcludeDirectory="0" Enabled="1" MD5Check="0" MD5Value="" Desc="" Data0="?:\*.reg" />
    <Rule SubType="15" IncludeSub="1" Action="0" Log="15" Ask="0" ExcludeDirectory="0" Enabled="1" MD5Check="0" MD5Value="" Desc="" Data0="?:\*.scr" />
    <Rule SubType="15" IncludeSub="1" Action="0" Log="15" Ask="0" ExcludeDirectory="0" Enabled="1" MD5Check="0" MD5Value="" Desc="" Data0="?:\*.sys" />
    <Rule SubType="15" IncludeSub="1" Action="0" Log="15" Ask="0" ExcludeDirectory="0" Enabled="1" MD5Check="0" MD5Value="" Desc="" Data0="?:\*.vb" />
    <Rule SubType="15" IncludeSub="1" Action="0" Log="15" Ask="0" ExcludeDirectory="0" Enabled="1" MD5Check="0" MD5Value="" Desc="" Data0="?:\*.vbe" />
    <Rule SubType="15" IncludeSub="1" Action="0" Log="15" Ask="0" ExcludeDirectory="0" Enabled="1" MD5Check="0" MD5Value="" Desc="" Data0="?:\*.vbs" />
    <Rule SubType="15" IncludeSub="1" Action="0" Log="15" Ask="0" ExcludeDirectory="0" Enabled="1" MD5Check="0" MD5Value="" Desc="" Data0="?:\*.vmx" />
    <Rule SubType="15" IncludeSub="1" Action="0" Log="15" Ask="0" ExcludeDirectory="0" Enabled="1" MD5Check="0" MD5Value="" Desc="" Data0="?:\*.ws" />
    <Rule SubType="15" IncludeSub="1" Action="0" Log="15" Ask="0" ExcludeDirectory="0" Enabled="1" MD5Check="0" MD5Value="" Desc="" Data0="?:\*.wsc" />
    <Rule SubType="15" IncludeSub="0" Action="0" Log="15" Ask="0" ExcludeDirectory="0" Enabled="1" MD5Check="0" MD5Value="" Desc="" Data0="?:\autorun.inf" />
    <Rule SubType="15" IncludeSub="0" Action="2" Log="13" Ask="0" ExcludeDirectory="0" Enabled="1" MD5Check="0" MD5Value="" Desc="" Data0="%WinDir%\system32\drivers\etc\hosts" />
    </Group>
    <Group Name="Multimedia Protection" ModeID="1">
    <Rule SubType="15" IncludeSub="1" Action="0" Log="15" Ask="0" ExcludeDirectory="0" Enabled="1" MD5Check="0" MD5Value="" Desc="" Data0="?:\*.mp3" />
    <Rule SubType="15" IncludeSub="1" Action="0" Log="15" Ask="0" ExcludeDirectory="0" Enabled="1" MD5Check="0" MD5Value="" Desc="" Data0="?:\*.mp4" />
    <Rule SubType="15" IncludeSub="1" Action="0" Log="15" Ask="0" ExcludeDirectory="0" Enabled="1" MD5Check="0" MD5Value="" Desc="" Data0="?:\*.aac" />
    <Rule SubType="15" IncludeSub="1" Action="0" Log="15" Ask="0" ExcludeDirectory="0" Enabled="1" MD5Check="0" MD5Value="" Desc="" Data0="?:\*.mpg" />
    <Rule SubType="15" IncludeSub="1" Action="0" Log="15" Ask="0" ExcludeDirectory="0" Enabled="1" MD5Check="0" MD5Value="" Desc="" Data0="?:\*.3gp" />
    <Rule SubType="15" IncludeSub="1" Action="0" Log="15" Ask="0" ExcludeDirectory="0" Enabled="1" MD5Check="0" MD5Value="" Desc="" Data0="?:\*.avi" />
    </Group>
    </Rule>


    As you can see, I have already listed all potential virus extensions and added some multimedia extensions, because some employees store a lot of MP3s or p*rn films on office PCs :(

    So, can you help me Kees1958? Please.. :)
    Or would you like to share your security settings? I am really willing to pay for your help & effort.. but please, not too expensive hehe :argh: :D
     
  4. yudigadget

    yudigadget Registered Member

    Joined:
    Dec 30, 2008
    Posts:
    42
    Btw Kees1958, about preventing downloads of executables, I think it should be done by a proxy. But sometimes they download a ZIP (compressed archive), so they can still extract the contents and open the files (*.exe, *.mp3, *.3gp, etc.)

    Basically, I will allow read access to some file extensions (*.exe, *.com, *.dll, etc.) on C:\ (system), but deny write access for some file extensions (potentially virus or music or video) to C:\
    Then on drive D:\ I just allow access to Thunderbird Portable.
    Well, I still want to give permission to the antivirus, so the antivirus can check / delete files detected as viruses.

    I don't want to block user access to USB flash drives; they can still use USB flash drives, but I will block all user access to files that are potentially viruses, because I don't trust the antivirus 100%.

    Do you have any solution for this?
     
  5. yudigadget

    yudigadget Registered Member

    Joined:
    Dec 30, 2008
    Posts:
    42
    I don't understand, what is the 1806 Trick?? Some say 1806 Tweak.. what is that? :eek:
     
  6. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    It is a regedit tweak to configure your browser to block file downloads in real time.
     
  7. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Sorry,

    Maybe Mrkvonic or Sully can help you out with the scripts. I have not touched scripting since 1996 :D . Yes, the 1806 is a registry tweak. When you download a zip file at default settings and block dangerous attachments, it will display a message telling you that for your security a few files were not unzipped. When you add jpg, mpg as dangerous extensions in the attachment part of the registry (or GPO) it will not unzip them.

    Regards Kees
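
    The registry tweak described above, as an added example that is not part of the original posts: it sets action 1806 ("Launching applications and unsafe files") to disabled in the Internet zone and writes the Attachment Manager high-risk list. The function names and the extension list are assumptions; both values are per-user (HKCU), so the script runs in the session of the user to be restricted.

```powershell
# Added example (not from the thread). Per-user settings: run as the user to be restricted.
$ZoneKey  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
$AssocKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Associations'

function Set-DownloadLaunchBlock {
    param(
        # Extensions to list as high risk (constructed from the types named in this thread).
        [string[]]$Extensions = @('.exe', '.com', '.msi', '.mpg', '.mp3', '.3gp', '.avi')
    )

    foreach ($key in $ZoneKey, $AssocKey) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    }

    # Zone 3 = Internet. Action 1806: 0 = allow, 1 = prompt, 3 = disable.
    New-ItemProperty -Path $ZoneKey -Name '1806' -PropertyType DWord -Value 3 -Force | Out-Null

    # Attachment Manager inclusion list for high-risk types: one semicolon-separated string.
    $list = ($Extensions | ForEach-Object { $_.ToLower() } | Sort-Object -Unique) -join ';'
    New-ItemProperty -Path $AssocKey -Name 'HighRiskFileTypes' -PropertyType String -Value $list -Force | Out-Null
}

function Test-DownloadLaunchBlock {
    # Read the values back so a deployment script can report drift on each PC.
    $zone  = Get-ItemProperty -Path $ZoneKey  -Name '1806' -ErrorAction SilentlyContinue
    $assoc = Get-ItemProperty -Path $AssocKey -Name 'HighRiskFileTypes' -ErrorAction SilentlyContinue
    New-Object PSObject -Property @{
        LaunchBlocked = ($zone -ne $null -and $zone.'1806' -eq 3)
        HighRiskTypes = if ($assoc) { $assoc.HighRiskFileTypes -split ';' } else { @() }
    }
}

Set-DownloadLaunchBlock
Test-DownloadLaunchBlock | Format-List
```

    Because both values live under HKCU, the user can change them back unless write permission on these keys is removed, as suggested earlier in the thread.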
     
  8. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Have you ever tried using ACLs to limit write access for users? Just right-click on a folder, choose the Security tab, click Advanced and you can change the rights for users. This can also be done with icacls in scripts.

    Regards Kees
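
    A scripted version of the ACL approach with icacls, as an added example that is not part of the original post: users get read-and-execute on a data drive and keep modify rights only where Thunderbird Portable lives. The function names are assumptions and the paths are the ones named in this thread; well-known SIDs are used so the script also works on non-English Windows. Run it elevated, and on a scratch folder first.

```powershell
# Added example (not from the thread). Run from an elevated PowerShell prompt.
$Sid = @{
    System = '*S-1-5-18'       # NT AUTHORITY\SYSTEM (services such as antivirus usually run here)
    Admins = '*S-1-5-32-544'   # BUILTIN\Administrators
    Users  = '*S-1-5-32-545'   # BUILTIN\Users
    Authed = '*S-1-5-11'       # NT AUTHORITY\Authenticated Users
}

function Invoke-Icacls {
    # Run icacls and stop on the first failure instead of leaving a half-applied ACL.
    & icacls.exe @args | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls $args failed with exit code $LASTEXITCODE" }
}

function Set-UserReadOnly {
    param([string]$Root, [string]$WritableSubfolder)

    # State the wanted ACL explicitly first, so nobody is locked out in the next step.
    Invoke-Icacls $Root /grant:r "$($Sid.System):(OI)(CI)F" "$($Sid.Admins):(OI)(CI)F" "$($Sid.Users):(OI)(CI)RX"
    # Then drop inherited entries and any explicit grant to Authenticated Users,
    # which on data volumes often carries modify rights.
    Invoke-Icacls $Root /inheritance:r
    Invoke-Icacls $Root /remove:g $Sid.Authed

    # Exception: users keep modify rights where the mail profile is stored.
    Invoke-Icacls $WritableSubfolder /grant:r "$($Sid.Users):(OI)(CI)M"
}

Set-UserReadOnly -Root 'D:\' -WritableSubfolder 'D:\my documents'

# Print the resulting ACLs for review.
icacls.exe 'D:\'
icacls.exe 'D:\my documents'
```

    NTFS ACLs apply per file or folder, not per file extension, so this covers the write-restriction part of the requirement; blocking by file type is what SRP and the attachment settings are for.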
     
  9. yudigadget

    yudigadget Registered Member

    Joined:
    Dec 30, 2008
    Posts:
    42
    So, what is the best method to implement in my case? The 1806 Registry Trick, SRP or ACL? Do I need a mix of those?
    I already sent a PM to Mrkvonic; he said to implement SRP.. I don't know what the advantages & disadvantages of those things are..

    Would you like to share your experience of which one is best in my case?

    thanks Kees..
     
  10. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Next Tuesday, I will be home again and I will send Sully an e-mail, asking whether he can send his PrettyGoodSecurity V2 with an ini file to you. This will accomplish SRP, ACL and the 1806 (depending on the commands in the ini file).

    Regards Kees
     
  11. yudigadget

    yudigadget Registered Member

    Joined:
    Dec 30, 2008
    Posts:
    42
    Thanks a lot Kees, I need it so much.. really..
    If I need to pay, please let me know, as long as it is according to my needs.

    thank you, i really appreciate it
     
  12. yudigadget

    yudigadget Registered Member

    Joined:
    Dec 30, 2008
    Posts:
    42
    Is PGS (Pretty Good Security) made by Sully? WOW! :argh:
    I can't wait until next Tuesday :D
     
  13. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Yes, it is. :)

    @ Kees1958

    On a side note, I found out that the 1806 trick makes Chromium (I'd say Chrome as well) complain that the browser's profile cannot be opened properly. Because I'm a bit lazy right now :D, I did not check if it's due to me running the Chromium broker process with a low integrity label. But, I may check it later.

    Of course, turning 1806 off will make Chromium behave normally.
     
  14. yudigadget

    yudigadget Registered Member

    Joined:
    Dec 30, 2008
    Posts:
    42
    Hello Kees, have you got the PGS? Would you like to share it with me?

    thanks
     
  15. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Hi,

    I have contacted Sully by e-mail and asked him to contact you also. Maybe you could send him a PM also.

    Rgds
     
  16. yudigadget

    yudigadget Registered Member

    Joined:
    Dec 30, 2008
    Posts:
    42
    Kees, don't you have the PGS software and configuration?
    Would you like to send the software to me?

    thanks..
     
  17. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Sorry no,

    I sent Sully e-mails on work and private address, hope he will respond soon to you.
     
  18. CGuard

    CGuard Registered Member

    Joined:
    Mar 2, 2012
    Posts:
    145
  19. yudigadget

    yudigadget Registered Member

    Joined:
    Dec 30, 2008
    Posts:
    42
    I already tried to download it, but when downloading, PGS was not found..
    But no problem, I already got PGS v1 from skudo12; well, maybe not the latest version, because AFAIK the latest is v1.1.1

    I have some questions:
    1. Is there any sample configuration (*.ini)? Maybe you could send it to my email at yudigadget (at) gmail.com
    I want to start learning about setting up PGS very soon.
    Please.. :)
    2. Is PGS similar to EQSecure, or is PGS just a tool to configure the Windows registry easily?
    3. It looks like, if PGS is similar to EQSecure, it is very easy for the user to disable / exit the software. Is there any way to password-protect the software?
    4. Do I need to set PGS.exe to run on Windows startup?
    5. Does it work stably in Windows 7 32-bit and 64-bit environments?

    thanks a lot for help!

    best regards,
    Yudi
     
  20. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    1. When you have an ini file working, attach it to this post (as text file) and I can help explain it.

    2. It is a tool to give Software Restriction Policies to Home versions (normally only on Pro/Ultimate/Business). You get all the benefits of SRP without hacking the registry by hand.

    4. No, it works as a replacement for gpedit; after a reboot (or entering gpupdate) everything works fine.

    5. You have to ask Sully. I have installed it on Vista x32 and Vista x64. Now running Win7 Ultimate, so using gpedit instead.
     
  21. yudigadget

    yudigadget Registered Member

    Joined:
    Dec 30, 2008
    Posts:
    42
    So SRP is enough if I already use Pro at the office?
     
  22. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    PGS = SRP, nothing more, so when you have Pro, use SRP through gpedit.exe
     