Use gpedit.msc (Group Policy) to prevent files from being executed in certain directories.
First of all:
Run > enter gpedit.msc > Computer Configuration > Windows Settings > Security Settings > Software Restriction Policies (if nothing is listed under it, right-click to create a policy) > Additional Rules > right-click > New Path Rule.
As shown in the figure:
This way, no .exe, .bat or .com file in the D:\wwwroot directory can be executed, no matter what privileges you have. Even SYSTEM is unable to execute them.
This greatly improves security against the use of exploits (exp) to elevate privileges.
Here's a further thought. As you all know, C:\windows\temp is a temporary folder. Basically all users can write to it, and it does not need execute permission.
So we can add a rule for it here as well, so that C:\windows\temp has no execute permission. The method is the same as above.
Principle: a software restriction policy stops programs from running from these directories, which increases security.
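
To confirm that the rules took effect, the following PowerShell script (an added example, not part of the original post) reads the registry location where Windows stores Software Restriction Policy rules and reports whether a Disallowed path rule covers each directory. The function names are hypothetical helpers; the two directories are the ones named above.

```powershell
# Added example: audit Software Restriction Policy path rules from the registry.
$base    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$targets = 'D:\wwwroot', 'C:\windows\temp'   # the two directories named in the text

# Hypothetical helper: list every path rule with its security level.
function Get-SrpPathRule {
    param([string]$Base)
    foreach ($level in 0, 262144) {          # 0 = Disallowed, 262144 = Unrestricted
        $key = Join-Path $Base "$level\Paths"
        if (-not (Test-Path $key)) { continue }
        foreach ($rule in Get-ChildItem $key) {
            $path = $rule.GetValue('ItemData')   # environment variables are expanded
            if (-not $path) { continue }
            [pscustomobject]@{
                Level = if ($level -eq 0) { 'Disallowed' } else { 'Unrestricted' }
                Path  = ([string]$path).TrimEnd('\')
            }
        }
    }
}

# Hypothetical helper: true if a Disallowed rule names the target or a parent folder.
# Wildcard rules are not evaluated here.
function Test-Covered {
    param([string]$Target, $Rules)
    $t = $Target.TrimEnd('\')
    $hit = $Rules | Where-Object {
        $_.Level -eq 'Disallowed' -and
        ($t -ieq $_.Path -or
         $t.StartsWith($_.Path + '\', [StringComparison]::OrdinalIgnoreCase))
    }
    [bool]$hit
}

if (-not (Test-Path $base)) {
    Write-Warning 'No Software Restriction Policy is configured on this machine.'
    return
}
$policy = Get-ItemProperty $base
$rules  = @(Get-SrpPathRule -Base $base)

# TransparentEnabled: 0 = not enforced, 1 = all files except DLLs, 2 = all files.
# PolicyScope: 0 = all users, 1 = all users except local administrators.
"Enforcement (TransparentEnabled): $($policy.TransparentEnabled)"
"Scope (PolicyScope):              $($policy.PolicyScope)"
"Designated file types:            $($policy.ExecutableTypes -join ', ')"
foreach ($t in $targets) {
    '{0,-18} covered by a Disallowed rule: {1}' -f $t, (Test-Covered $t $rules)
}
$rules | Where-Object Level -eq 'Unrestricted' | Format-Table -AutoSize
```

Run it from an elevated prompt after `gpupdate /force`; any Unrestricted rule listed at the end that points inside one of the target directories is an exception worth reviewing.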