block portable firefox via group policy?

Yeah, already considered that. A user with half a brain could either rename the .exe, move it to a different location or use a different version of the software, i.e. update it.

Also, we'd have to do it for Firefox, Opera and all the other browsers out there.

I think we need to block it on the firewall, i.e. block it on port 80. Have no other network admins that administer networks with strict web filters encountered this before?
 
You have a configuration issue if an application can access the Internet without going through the proxy.
 
We use Sophos application control which prevents this problem. I guess you could do it with a basic firewall application rule in Windows that blocks all applications on port 80 apart from IE. Although I've never tried to do a block-all-apps rule with Windows Firewall.

If you restricted it with a proxy a user could still enter the proxy into the Firefox Portable, unless that was prevented somehow.

I hate locking down usb as it causes a support headache and it can be unmanageable.
 
We set a proxy group policy for all users and lockout IE internet options so users are forced to go through the proxy (Sophos WS100).

It works fine if you force users to use IE. Obviously users can't install applications so I thought this was an OK idea, until portable apps appeared...

What do you suggest? There's probably something on the WS100 that I can configure but I don't have much experience with them.
 
> You have a configuration issue if an application can access the Internet without going through the proxy.

It's not as bad as it sounds. Users are connecting to a pretty locked down terminal server via Igel thin clients. Locking down USB is the main issue here.
 
Simplest way is either WCCP or, even more simply, only allow NAT from specific IP addresses. What's doing the NAT on your network?
 
DRZ <3

I'm not sure how that'd work. All clients need to be allowed to access the web, but it must be via the Sophos WS100's white list.
 
What's the best way of doing that? Obviously I only want to deny traffic to a specific OU and not the whole network.

I'm using server 2008 R2.

I'm presuming something like a Sonicwall would be perfect for this but it's not the cheapest option.
 
How about blocking all exes from USB sticks? Can do that with a software restriction policy GPO if the memory sticks always map to the same drive letter.
 
> How about blocking all exes from USB sticks? Can do that with a software restriction policy GPO if the memory sticks always map to the same drive letter.

I can see a policy that will prevent execution of files on removable storage, is that the one you mean?

What's stopping the user copying the exe to his/her desktop and running it from there?
 
> What's the best way of doing that? Obviously I only want to deny traffic to a specific OU and not the whole network.
>
> I'm using server 2008 R2.
>
> I'm presuming something like a Sonicwall would be perfect for this but it's not the cheapest option.

I have NEVER heard anyone use the words "sonicwall" and "perfect" without some form of negation in between. I can't wait to throw ours in a skip.

Can't you segregate the people you want to block off onto a separate subnet and block that?

> I can see a policy that will prevent execution of files on removable storage, is that the one you mean?
>
> What's stopping the user copying the exe to his/her desktop and running it from there?

Just block USB mass storage full stop?
 
We have a sonicwall TZ215 (I think?) in the office and it's great from what I've seen, but we have a hard time selling them to clients:p

Blocking USB ports would be nice, and it'd make an example of the people that try and abuse the system I guess, but there are genuine users who need USB.
 
I believe that you can prevent the execution of programs using Software Restriction Policies to whitelist [as per Ev0's post #18 below] predefined folders using a path rule e.g. Program Files, Program Files (x86) and Windows.

Those folders require Admin rights to modify or add files and folders in there, so this could be seen as an effective method of locking down any untrusted application.

I've never done this, I'm just recalling some stuff from memory.
 
> Yeah, already considered that. A user with half a brain could either rename the .exe, move it to a different location or use a different version of the software, i.e. update it.

You're making the mistake here of using SRP to blacklist apps ;)

Do it the other way: deny everything except authorised apps (whitelisting).

If set up properly, software restriction policies can be very effective.
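To make the blacklist-versus-whitelist point concrete, here is an added toy model of how SRP path rules are evaluated (most specific matching rule wins, default level otherwise); it is not code from this thread or from Microsoft, and the environment paths and launch attempts are constructed for illustration.

```python
# Toy model of Software Restriction Policy (SRP) path-rule evaluation, used to
# compare blacklisting one exe name with default-deny whitelisting of folders.
# Constructed example: rule sets, paths and env values below are illustrative.
from fnmatch import fnmatch
from typing import List, Optional, Tuple

DISALLOWED, UNRESTRICTED = "Disallowed", "Unrestricted"
# Assumed environment values for the simulated host (not read from a real machine).
ENV = {"%PROGRAMFILES%": r"C:\Program Files", "%WINDIR%": r"C:\Windows"}


def expand(pattern: str) -> str:
    """Expand the simulated environment variables and normalise case."""
    for var, value in ENV.items():
        pattern = pattern.replace(var, value)
    return pattern.lower()


def srp_level(path: str, rules: List[Tuple[str, str]], default: str) -> str:
    """Return the level SRP would apply to `path`: the longest (most specific)
    matching path rule wins; with no match the default level applies."""
    path = path.lower()
    best: Optional[Tuple[str, str]] = None
    for pattern, level in rules:
        pat = expand(pattern)
        # A rule matches a file by wildcard, or a folder by prefix.
        if fnmatch(path, pat) or path.startswith(pat.rstrip("\\") + "\\"):
            if best is None or len(pat) > len(best[0]):
                best = (pat, level)
    return best[1] if best else default


# Blacklist, as first tried in the thread: only the known exe name is denied.
BLACKLIST = [(r"*\FirefoxPortable.exe", DISALLOWED)]
# Whitelist: default Disallowed, allow the admin-only folders, and re-deny the
# user-writable Windows\Temp folder (the more specific rule overrides %WINDIR%).
WHITELIST = [
    (r"%PROGRAMFILES%", UNRESTRICTED),
    (r"%WINDIR%", UNRESTRICTED),
    (r"%WINDIR%\Temp", DISALLOWED),
]


def evaluate(path: str) -> Tuple[str, str]:
    """(blacklist result, whitelist result) for one launch attempt."""
    return (srp_level(path, BLACKLIST, UNRESTRICTED),
            srp_level(path, WHITELIST, DISALLOWED))


if __name__ == "__main__":
    for p in [r"E:\FirefoxPortable.exe", r"E:\ff.exe",
              r"C:\Users\bob\Desktop\FirefoxPortable.exe", r"C:\Windows\Temp\ff.exe",
              r"C:\Program Files\Internet Explorer\iexplore.exe"]:
        print(p, evaluate(p))
```

Renaming or moving the exe defeats the blacklist but not the whitelist, and the explicit Windows\Temp rule shows why user-writable subfolders of whitelisted trees need their own Disallowed entry.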
 