block portable firefox via group policy?

loltim · 11 Mar 2013 at 15:45

how would you guys block portable firefox? it just runs from USB so it's bypassing all IE web proxy's set in group policy.

obviously I could just block all USB ports but is there a better way?

hash rules and path rules in software restrictions would be easy to get round wouldn't they?

http://portableapps.com/support/firefox_portable#installing

loltim · 11 Mar 2013 at 17:25

Yeah already considered that. A user with half a brain could either rename the .exe, move it to a different location or use a different version of the software ie. update it.

Also, we'd have to do it for Firefox, Opera and all the other browsers out there.

I think we need to block it on the firewall. ie. block it on port 80. Have no other network admins that administer networks with strict web filters encountered this before?

loltim · 11 Mar 2013 at 18:27

We set a proxy group policy for all users and lockout IE internet options so users are forced to go through the proxy (Sophos WS100).

It works fine if you force users to use IE. Obviously users can't install applications so I thought this was an OK idea, until portable apps appeared...

What do you suggest? There's probably something on the WS100 that I can configure but I don't have much experience with them.

loltim · 11 Mar 2013 at 18:37

KIA said:
You have a configuration issue if an application can access the Internet without going through the proxy.

It's not as bad as it sounds. Users are connecting to a pretty locked down terminal server via Igel thin clients. Locking down USB is the main issue here.

loltim · 11 Mar 2013 at 20:09

DRZ <3

I'm not sure how that'd work. All clients need to be allowed to access the web, but it must be via the Sophos WS100's white list.

loltim · 11 Mar 2013 at 21:05

What's the best way of doing that? Obviously I only want to deny traffic to a specific OU and not the whole network.

I'm using server 2008 R2.

I'm presuming something like a Sonicwall would be perfect for this but it's not the cheapest option.

loltim · 12 Mar 2013 at 22:44

LinkZ said:
How about blocking all exe's from USB sticks? Can do that with a software restriction policy GPO if the memory sticks always map to the same drive letter.

I can see a policy that will prevent execution of files on removable storage, is that the one you mean?

What's from stopping the user copying the exe to his/her desktop and running from there?

loltim · 12 Mar 2013 at 23:06

We have a sonicwall TZ215 (I think?) in the office and it's great from what I've seen, but we have a hard time selling them to clients

Blocking USB ports would be nice, and it'd make an example of the people that try and abuse the system I guess, but there are genuine users who need USB.