Re: How to block users from installing other apps

• Previous message: Matthew Wagenknecht: "RE: How to block users from installing other apps"
• In reply to: afreyman_at_dsw.net: "RE: How to block users from installing other apps"
• Next in thread: Marian Ion (e-licitatie.ro): "Re: How to block users from installing other apps"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Date: Fri, 27 Jun 2003 01:25:58 +0200
To: focus-ms@securityfocus.com

On 2003-06-25 afreyman@dsw.net wrote:
> You have several options, depending on whether you're using Windows
> 2k3 or 2k. You can block the "Add/Remove programs" from the control
> panel or you can block the entire control panel. You can also disable
> IE. With W2k3, there is an available feature to block based on program
> path and an .exe hash. This has been discussed here in terms of
> security, but can also be used to prevent users from installing and
> running apps, if you have a specific list of apps that you want to
> block. Do remember that this feature only works on Windows XP. There
> also additional software restriction rules that you can create in
> order to prevent the user from installing various applications.

All of these suggestions will at best create some sort of "Security by
Obscurity" as long as the users have Local Administrator privileges.

> Another approach would be to NOT make the users local admins and just
> run/install apps with elevated privileges.

No. It's not another approach, it's the *only* approach. Everything else
is completely pointless, since any local administrator can do (and of
course should be able to do) anything he/she pleases on the local
machine.

My 0.02 $CURRENCY

Regards
Ansgar Wiechers

-----------------------------------------------------------------------------
------------------------------------------------------------------------------

• Previous message: Matthew Wagenknecht: "RE: How to block users from installing other apps"
• In reply to: afreyman_at_dsw.net: "RE: How to block users from installing other apps"
• Next in thread: Marian Ion (e-licitatie.ro): "Re: How to block users from installing other apps"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]