Wow, it's been some time since I wrote anything, as I took on a new role. Thought I should pick up my "pen", erm, rather keyboard, and start striking again.
The focal point of today's entry in my tech diary is spurred by a question: can I block the ftp.exe program from running in Windows 7? As we all know, Windows 7 ships with ftp.exe, a command-line FTP client that lives in C:\Windows\System32. Try opening your command prompt and typing "ftp".
While it is running, open Task Manager and you will notice "ftp.exe" among the many processes listed.
FTP on its own is not a secure protocol. It has been around for a very long time and sends credentials and file contents in cleartext. FTPS or SFTP is the preferred way of moving files these days. A good admin will protect sensitive protocols with IPsec, but that is out of scope for this short write-up.
There are several ways to prevent FTP.EXE from being loaded. One of the most primitive is to delete the file. Yup, easy, but not enforceable, because someone can simply copy it back, or run a copy from another folder.
To actually prevent FTP.EXE from running, explore enforcement via Group Policy. It is the most effective way of governing this across the enterprise.
Here are the steps (done locally on a Windows 7 client with gpedit.msc; in a domain you should do this via GPMC on the right domain policy):
- Edit the appropriate GPO and navigate to Computer Configuration -> Windows Settings -> Security Settings -> Software Restriction Policies.
- Create a new Software Restriction Policy if one does not already exist.
- In the Software Restriction Policy, click on Additional Rules.
- Right-click Additional Rules and click New Hash Rule.
- To identify the binary, click Browse and locate "C:\Windows\System32\ftp.exe".
- Under Security level, select Disallowed and click OK.
A hash rule matches this exact binary wherever it is run from, so a copy dropped into another folder is blocked too. The flip side is that a patched ftp.exe (after a service pack or update) has a different hash and would need a new rule.
At this stage the rule has been written to the policy, but it will not take effect until the next Group Policy refresh: reboot, or run the command "gpupdate /force". An ftp.exe that is already running is not terminated; the rule is checked at process creation, so it applies to new launches.
After that, try running ftp again. It should be refused: from a command prompt Windows reports "The system cannot execute the specified program.", and a launch from Explorer shows a dialog saying the program is blocked by Group Policy.
You can use this technique to prevent banned software from running. The flip side also works: set the default security level to Disallowed and add rules for the selected few programs that may run, which turns the policy into a whitelist. Have fun.
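To verify that the rule you just built is the one the machine actually enforces, and to see whether the policy is in blacklist or whitelist mode, here is an added PowerShell check. It is not from the original post; it assumes the registry layout SRP writes under HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers (the DefaultLevel and PolicyScope values, and per-level Hashes\{GUID} subkeys carrying HashAlg and ItemData) and the Application-log source name SoftwareRestrictionPolicies. Hashes are computed with .NET directly so it runs on the PowerShell 2.0 that Windows 7 ships with; run it elevated after "gpupdate /force".

```powershell
# Added example (not code from the original post): audit the SRP hash rule for ftp.exe.
# Assumed: SRP's registry layout under CodeIdentifiers and the event source name below.
$Target  = Join-Path $env:SystemRoot 'System32\ftp.exe'   # binary the hash rule was built from
$SrpRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

# SRP security levels as stored in the registry (Disallowed = 0, Unrestricted = 262144)
$Levels   = @{ 0 = 'Disallowed'; 131072 = 'Basic User'; 262144 = 'Unrestricted' }
# Hash algorithm identifiers SRP stores in HashAlg: CALG_MD5 = 0x8003, CALG_SHA_256 = 0x800C
$HashAlgs = @{ 32771 = 'MD5'; 32780 = 'SHA256' }

function Get-FileHashHex {
    param([string]$Path, [string]$Algorithm)
    # Hash with .NET so this also works on PowerShell 2.0 (no Get-FileHash on Windows 7)
    $algo = [System.Security.Cryptography.HashAlgorithm]::Create($Algorithm)
    $fs = [System.IO.File]::OpenRead($Path)
    try     { $bytes = $algo.ComputeHash($fs) }
    finally { $fs.Close() }
    ($bytes | ForEach-Object { $_.ToString('x2') }) -join ''
}

# 1. Is an SRP defined, is it blacklist (Unrestricted) or whitelist (Disallowed) mode,
#    and does it exempt local administrators (PolicyScope 1)?
if (-not (Test-Path $SrpRoot)) {
    Write-Host 'No Software Restriction Policy is defined on this machine.'
    return
}
$root    = Get-ItemProperty $SrpRoot
$default = $root.DefaultLevel
if ($default -eq $null) { $default = 262144 }   # unset means Unrestricted
Write-Host ('Default security level: {0} ({1})' -f $default, $Levels[[int]$default])
if ($root.PolicyScope -eq 1) {
    Write-Host 'WARNING: enforcement excludes local administrators; they can still run ftp.exe.'
}

# 2. Hash the target file the same two ways SRP does.
$fileHashes = @{
    'MD5'    = Get-FileHashHex $Target 'MD5'
    'SHA256' = Get-FileHashHex $Target 'SHA256'
}
Write-Host ('ftp.exe SHA256: {0}' -f $fileHashes['SHA256'])

# 3. Walk every hash rule under every level and report the ones matching the file on disk.
$matched = $false
foreach ($levelKey in Get-ChildItem $SrpRoot) {
    if ($levelKey.PSChildName -notmatch '^\d+$') { continue }   # only numeric level keys
    $levelName  = $Levels[[int]$levelKey.PSChildName]
    $hashesPath = Join-Path $levelKey.PSPath 'Hashes'
    if (-not (Test-Path $hashesPath)) { continue }
    foreach ($rule in Get-ChildItem $hashesPath) {
        $p        = Get-ItemProperty $rule.PSPath
        $alg      = $HashAlgs[[int]$p.HashAlg]
        $ruleHash = ($p.ItemData | ForEach-Object { $_.ToString('x2') }) -join ''
        if ($alg -and $ruleHash -eq $fileHashes[$alg]) {
            $matched = $true
            Write-Host ('MATCH: {0} rule {1} ("{2}") -> {3}' -f $alg, $rule.PSChildName, $p.Description, $levelName)
        }
    }
}
if (-not $matched) {
    Write-Host 'No hash rule matches the current ftp.exe (an updated binary has a new hash and is not blocked).'
}

# 4. Most recent blocks SRP logged for this file (Application log, source SoftwareRestrictionPolicies).
Get-EventLog -LogName Application -Source SoftwareRestrictionPolicies -Newest 50 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'ftp\.exe' } |
    Select-Object TimeGenerated, EventID, Message |
    Format-Table -AutoSize -Wrap
```

If the script prints a MATCH line whose level is Disallowed, the rule is in place for the binary currently on disk; if it prints no match right after a Windows update, rebuild the hash rule. The PolicyScope warning is the check most people forget: with "All users except local administrators" selected, the admin testing the rule will never see it fire.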
/Dennis
Hi Dennis,
When I implement your instructions on my computer while it is connected to the real network, it works fine. But if I change the connection from the real network to the local network, then I encounter the problem below:
"User policy could not be updated successfully. The following errors were encountered: …"
Do you have any idea what is wrong?
Thanks,
Hien Dang
Hi Hien Dang, you probably fired the command "gpupdate /force" while disconnected from the domain controller? That error is expected if your domain controller is not contactable. However, if you have previously applied it successfully, the policy is still in force.
Dennis
Hi Dennis,
After I connected my laptop to the network, it was able to connect to the Domain Controller. It works fine now.
I have two more questions below, please help:
1. I have two laptops, both Windows 7. I can run the program gpedit.msc on one laptop (HP laptop) but cannot run the program on the other laptop (Samsung laptop). Do you know why?
2. How can I install the GPMC program for Windows 7? Is it free software?
Thanks,
Hien
Hi Hien,
1. Which editions of Windows 7 are you using? Is there an error message on the Samsung unit?
2. GPMC is part of the RSAT tools: http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=7d2f6ad7-656b-4313-a005-4e344e43997d
Dennis
Hello, what is the point if the user can use his own FTP app (a portable one, too)? Isn't it better to block port 21 on his firewall?
Well, the same steps can be used on any program regardless of ports. You could use this method in a few ways:
1. You know the program, but you don't know the port (FTP was just a simple example).
2. A program with multiple ports will need you to manage multiple entries in the firewall.
3. A process that is intelligent enough to detect that the port it uses is blocked, and dynamically open another port to go out. There are close to 65k port numbers on a system.
In such cases, blocking the program is more effective than blocking the port number.
But you have a very valid point too. Thank you.
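As an added illustration of the trade-off discussed in the exchange above (not code from the post or its commenters), here are the two firewall-side alternatives, a port rule and a per-program rule, written as netsh advfirewall commands for Windows Firewall with Advanced Security on Windows 7. Rule names are my own; run elevated.

```powershell
# Added example (not from the original post or comments): firewall alternatives to the SRP rule.
# Rule names are arbitrary (no spaces, so they pass through PowerShell to netsh unchanged).

# (a) Port rule: blocks the FTP control channel for every program, but only on TCP 21.
#     A client pointed at a server listening on another port is not affected.
netsh advfirewall firewall add rule name=BlockFtpPort21Out `
    dir=out action=block protocol=TCP remoteport=21 enable=yes

# (b) Program rule: blocks all traffic from this one binary on any port, but only for this
#     path. A portable copy of ftp.exe in another folder, or any other FTP client, is not matched.
netsh advfirewall firewall add rule name=BlockFtpExeOut `
    dir=out action=block program="$env:SystemRoot\System32\ftp.exe" enable=yes

# Confirm both rules exist and are enabled.
netsh advfirewall firewall show rule name=BlockFtpPort21Out
netsh advfirewall firewall show rule name=BlockFtpExeOut

# Clean-up when done testing:
# netsh advfirewall firewall delete rule name=BlockFtpPort21Out
# netsh advfirewall firewall delete rule name=BlockFtpExeOut
```

Neither rule stops the process from starting, and each can be sidestepped in a different way (another port for the first, another copy of the binary for the second). The SRP hash rule from the post blocks every copy of that exact binary from launching regardless of path or port, which is the distinction the reply above is making; combining a hash rule with a port rule covers both the known client and the stray protocol.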