RE: How to block users from installing other apps
From: Shackleford, Dave (znz1_at_cdc.gov)
Date: 06/26/03
- Previous message: Laura A. Robinson: "RE: How to block users from installing other apps"
- Maybe in reply to: Jane Han: "How to block users from installing other apps"
- Next in thread: Wallace.Nathan: "RE: How to block users from installing other apps"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: 'Jane Han' <janehan22@yahoo.com>, focus-ms@securityfocus.com Date: Wed, 25 Jun 2003 21:48:50 -0400
Hi Jane-
Having your users as Local Admin is definitely a security issue going
forward. You can definitely use GP to push out some local restrictions if
they are logging into the domain, but if they log in to the local machine
they can still do anything they want, which is an issue. You can disable IE,
but that leads to disgruntled employees, which will make them want to do
more harm, in my experience. Your best bet is to either:
1) Create an OU with Admin privileges that is set to last for 24 hours.
Attach a GPO to this OU that is very restrictive in terms of extraneous
tasks/options available to the user. Then allow them to log in to the
domain, put their user objects in this OU temporarily, and the next time
they log in they will be in this group for a limited time. They can install
the apps, but the next time they log in, they will be kicked back out into
the normal User group. This is not altogether secure.
2) Only allow specific apps to be run. In Group Policy, go to
Domain Policy-->User Configuration-->Admin. Templates-->System-->"Run only
allowed Windows Applications". Then allow this to be run from a shared
location, or something similar.
If you only need Admin privileges to install the app, that isn't SO bad, but
to run it every time? You are really better off changing that 'feature'.
Hope this helps.
--Dave
> -----Original Message-----
> From: Jane Han [mailto:janehan22@yahoo.com]
> Sent: Wednesday, June 25, 2003 15:22
> To: focus-ms@securityfocus.com
> Subject: How to block users from installing other apps
>
> Due to several customized inhouse applications, the
> users need to be local aministrator to lauch the
> applications. Since most users are local
> admin, they can download and install applications such
> as games, AOL instant messages...from internet.
>
> Is it possible to block users from installing
> applications through Group Policy in this case? or
> disable internet explorer?
>
> Any solutions or suggestions?
>
>
> Thanks in advance,
> Jane
>
>
> __________________________________
> Do you Yahoo!?
> SBC Yahoo! DSL - Now only $29.95 per month!
> http://sbc.yahoo.com
>
> --------------------------------------------------------------------------
> ---
> --------------------------------------------------------------------------
> ----
----------------------------------------------------------------------------
-
----------------------------------------------------------------------------
-- ----------------------------------------------------------------------------- ------------------------------------------------------------------------------
- Previous message: Laura A. Robinson: "RE: How to block users from installing other apps"
- Maybe in reply to: Jane Han: "How to block users from installing other apps"
- Next in thread: Wallace.Nathan: "RE: How to block users from installing other apps"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
