RE: How to block users from installing other apps

alied_at_cimex.com.cu
Date: 06/26/03

    Date: Thu, 26 Jun 2003 14:06:14 -0500
    To: <focus-ms@securityfocus.com>
    
    

    There's also something that happened to me when I tried to switch from a local
    workstation user to a domain user.
    When I tried to keep their settings, I overwrote the domain user's ntuser.dat
    with the old local user's ntuser.dat, and none of the restrictions I had set on
    that OU were applied. If those local admins manage to overwrite the ntuser.dat (e.g.
    by creating a new local user with admin privileges and using it to overwrite the
    ntuser.dat), the policy will not apply.

    I certainly don't know for how long, for I didn't give it the time, but it's
    some way to bypass the domain policies.

    Is there anybody who could explain in detail how domain policies are applied?

    Thanx in advance

    Alied Pérez Martínez
    Network Administrator, Matanzas Branch
    Corporación CIMEX S.A.
    -----Original Message-----
    From: "Shackleford Dave" <znz1@cdc.gov>
    Sent: Wednesday, June 25, 2003 9:49 PM
    To: "'Jane Han'" <janehan22@yahoo.com>; focus-ms@securityfocus.com
    Subject: RE: How to block users from installing other apps

    Hi Jane-

    Having your users as Local Admin is definitely a security issue going
    forward. You can definitely use GP to push out some local restrictions if
    they are logging into the domain, but if they log in to the local machine
    they can still do anything they want, which is an issue. You can disable IE,
    but that leads to disgruntled employees, which will make them want to do
    more harm, in my experience. Your best bet is to either:

    1) Create an OU with Admin privileges that is set to last for 24 hours.
    Attach a GPO to this OU that is very restrictive in terms of extraneous
    tasks/options available to the user. Then allow them to log in to the
    domain, put their user objects in this OU temporarily, and the next time
    they log in they will be in this group for a limited time. They can install
    the apps, but the next time they log in, they will be kicked back out into
    the normal User group. This is not altogether secure.

    2) Only allow specific apps to be run. In Group Policy, go to
    Domain Policy-->User Configuration-->Admin. Templates-->System-->"Run only
    allowed Windows Applications". Then allow this to be run from a shared
    location, or something similar.

    If you only need Admin privileges to install the app, that isn't SO bad, but
    to run it every time? You are really better off changing that 'feature'.

    Hope this helps.

    --Dave

    > -----Original Message-----
    > From: Jane Han [mailto:janehan22@yahoo.com]
    > Sent: Wednesday, June 25, 2003 15:22
    > To: focus-ms@securityfocus.com
    > Subject: How to block users from installing other apps
    >
    > Due to several customized in-house applications, the
    > users need to be local administrator to launch the
    > applications.  Since most users are local
    > admin, they can download and install applications such
    > as games, AOL instant messages...from internet.
    >
    > Is it possible to block users from installing
    > applications through Group Policy in this case?  or
    > disable internet explorer?
    >
    > Any solutions or suggestions?
    >
    >
    > Thanks in advance,
    > Jane
    ------------------------------------------------------------------------------
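
The policy named in option 2 of the quoted reply is a per-user setting, so it is stored in the user's registry hive (ntuser.dat), which is consistent with the restrictions disappearing when that file is replaced. As an added example (not part of the original thread), this PowerShell audit reports which loaded user hives actually carry that policy; the registry path is the standard location for this Explorer policy, the function name `Get-RestrictRunStatus` is hypothetical, and only hives loaded under HKEY_USERS are inspected, so run it elevated while the users are logged on.

```powershell
# Added example: audit loaded user hives for the "run only allowed applications" policy.
# Assumption: standard Explorer policy location inside each user's hive (ntuser.dat).
$PolicyPath = 'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'

function Get-RestrictRunStatus {
    param([Parameter(Mandatory)][string]$Sid)

    $key     = "Registry::HKEY_USERS\$Sid\$PolicyPath"
    $enabled = $false
    $allowed = @()

    if (Test-Path -Path $key) {
        # RestrictRun = 1 switches the allow-list on for this user.
        $props   = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        $enabled = ($props.RestrictRun -eq 1)

        # The allowed executables are string values under the RestrictRun subkey.
        $listKey = "$key\RestrictRun"
        if (Test-Path -Path $listKey) {
            $item    = Get-Item -Path $listKey
            $allowed = @($item.GetValueNames() | ForEach-Object { $item.GetValue($_) })
        }
    }

    # Resolve the SID to an account name; orphaned SIDs stay unresolved.
    try {
        $sidObj  = New-Object System.Security.Principal.SecurityIdentifier($Sid)
        $account = $sidObj.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        $account = '<unresolved>'
    }

    [pscustomobject]@{
        Account       = $account
        Sid           = $Sid
        PolicyEnabled = $enabled
        AllowedApps   = $allowed -join ', '
    }
}

# Real user hives have S-1-5-21-... SIDs; this pattern also skips the *_Classes hives.
$report = Get-ChildItem -Path Registry::HKEY_USERS |
    Where-Object { $_.PSChildName -match '^S-1-5-21-[\d-]+$' } |
    ForEach-Object { Get-RestrictRunStatus -Sid $_.PSChildName }

# Users whose hive lacks the policy are the ones to investigate.
$report | Sort-Object PolicyEnabled | Format-Table -AutoSize
```

A user in the restricted OU who shows `PolicyEnabled` as False has a hive that does not carry the setting, which is the condition described in the message above.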
    
