I maintain a network for a school. My teachers have asked me to block Paint from being available. I have used software restriction policies to do this but it is still available from within WordPad. The students have figured out that if they go up to Insert|Object and then select 'Paintbrush picture' it pulls Paint up within WordPad. I cannot seem to block this. Can anyone help? Thanks in advance.
Did you block it using a HASH or certificate rule (as I would recommend) - or what? Does the process MSPAINT.EXE start up in the background when the users are performing this stunt?
Yes, mspaint.exe does show up as a process when it is opened in this way. I have my settings to Disallow everything and then I go in and allow whatever I need to be allowed. I have even tried to create an extra Disallow rule specifically for mspaint.exe and it didn't seem to make any difference. I have tried both Path and Hash rules.
With the default "deny all" rule enabled MSPAINT.EXE would still be able to run because of the default rules automatically enabled (system path etc.).
But a Disallow with the HASH rule should overwrite such a SRP policy...
http://www.windowsecurity.com/articles/Default-Deny-All-Applications-Part1.html
http://www.windowsecurity.com/articles/Default-Deny-All-Applications-Part2.html
I'm not sure what's going on in your setup and unfortunately I don't have time at the moment to test it out.
Thanks for the reply and I completely understand the lack of time factor. I hardly have time to fix my own problems sometimes, much less figure out someone else's.
What really blows my mind on this is that I actually deleted ALL of the default rules and only put in my own Allow rules.
By any chance, can you tell me if there is a way to uninstall Paint via GP?
Try setting the NTFS permissions to 'Deny' for the student users (leave it available for Admins just in case). This can be done easily in the Computer Configuration\Windows Settings\Security Settings\File System section of the GPO.
I work in an educational environment as well, and for a long term solution to issues like this I would HIGHLY recommend looking into 'License Broker' from http://www.sintegrators.com/. Not only can you save money on software by only buying licenses for the number of users using it at one time instead of every computer, but we also use it to block certain software altogether (you can tell it you have 0 licenses of MSPaint). It really has been one of the best tools we have purchased for the classroom environment.
Ok, the NTFS permissions worked but I would sure like to have a way to do it based on user instead of computer. This will work for now though. Thanks a lot.
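The NTFS 'Deny' suggested in this thread, applied and verified on a single test machine before it goes into the GPO. This is an added example, not code from any poster here; the group name `SCHOOL\Students` is a hypothetical placeholder and the script assumes an elevated PowerShell prompt.

```powershell
# Added example: deny Read & Execute on mspaint.exe for a student group, then verify.
# Assumption: 'SCHOOL\Students' is a hypothetical group name; replace it with your own.
$Target = Join-Path $env:windir 'System32\mspaint.exe'
$Group  = 'SCHOOL\Students'

function Test-DenyExecute {
    param([string]$Path, [string]$Identity)
    # Resolve the group to a SID so the comparison does not depend on name formatting.
    $sid = (New-Object System.Security.Principal.NTAccount($Identity)).Translate(
               [System.Security.Principal.SecurityIdentifier])
    $acl = Get-Acl -Path $Path
    # Look at explicit and inherited ACEs, expressed as SIDs.
    foreach ($ace in $acl.GetAccessRules($true, $true,
                 [System.Security.Principal.SecurityIdentifier])) {
        $isDeny  = $ace.AccessControlType -eq 'Deny'
        $isGroup = $ace.IdentityReference.Value -eq $sid.Value
        $hasExec = $ace.FileSystemRights -band
                   [System.Security.AccessControl.FileSystemRights]::ExecuteFile
        if ($isDeny -and $isGroup -and $hasExec) { return $true }
    }
    return $false
}

if (-not (Test-DenyExecute -Path $Target -Identity $Group)) {
    # Add an explicit Deny ACE; existing Allow entries (e.g. for Admins) are left alone.
    $acl  = Get-Acl -Path $Target
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
                $Group, 'ReadAndExecute', 'Deny')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Target -AclObject $acl
}

# Re-read the ACL from disk and report whether the Deny ACE is really there.
if (Test-DenyExecute -Path $Target -Identity $Group) {
    Write-Output "Deny ReadAndExecute for $Group is present on $Target"
} else {
    Write-Warning "Deny ACE for $Group is NOT present on $Target"
}
```

Because the ACE sits on the executable itself, it applies however the process is started, including the Insert|Object route in WordPad described above. `Set-Acl` fails with an access-denied error if the account running it is not allowed to change the file's permissions.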