RE: How to block users from installing other apps

From: Dennis Bauer (dbauer_at_Mines.EDU)
Date: 07/07/03

  • Next message: Marc Fossi: "SecurityFocus Microsoft Newsletter #144"
    To: "'Sakaba'" <>, "'VNV Jeep'" <>, <>
    Date: Mon, 7 Jul 2003 10:56:58 -0600

    I would like to point out that most users are not savvy enough to know
    how to do this. Also if they are then that would be one person out of
    how many. I know the risks with this and I actually have all the event
    logs from all the machines ported to the servers that I run. I know if
    one has its admin password changed right away and then re-image that
    machine. All the users know that if they have data on that machine and
    they do something of that nature I will rebuild to the last known good
    configuration. (know that I do a backup of their machines every night
    so data loss is not the question.) I have an image after every software
    install that I do. This makes the process a little less painful because
    I have remote client running on all machines in the forest that I run.
    So if they make the change it is noticeable and can be corrected really


    -----Original Message-----
    From: Sakaba []
    Sent: Friday, July 04, 2003 8:15 AM
    To: VNV Jeep;
    Subject: RE: How to block users from installing other apps

    Not that I disagree with what you are saying but I think as a caveat its
    important to note that there are a number of tools that run off a simple
    floppy and allow the user to reboot their machine and change the local
    admin password. Then they simply login as local admin on the machine
    and add their domain account to the local admin group.


    So don't add D-users to the local admin account but don't be surprised
    if your more IT aware users do it themselves.


    -----Original Message-----
    From: VNV Jeep []
    Sent: Friday, July 04, 2003 1:07 AM
    Subject: RE: How to block users from installing other apps

    Jane... I would *HIGHLY* recommend you do not add domain users to the
    local Admin group. Bad bad bad, very bad. I agree with your help desk
    manager... you don't want to do this. Yes, it will only cause damage to
    the local machine, but it could have bigger impacts around your

    What can happen?

    1.) They can download illegal software & install it.
    2.) If you have any software/OS standardization, this will be shot.
    3.) They can run & execute viruses, which have the capability to delete
    system files in the OS (which they normally can't delete but since
    they're admin, anything goes).
    4.) By running viruses/trojans, and being successfully executed, they
    have the capability to traverse the network and hit other
    workstations/servers on the domain.
    5.) They can stop & start services.
    6.) They can uninstall standard software you may have on there.
    7.) They can make network card property changes...

    I could go on & on...

    It's not hard to manipulate permissions for your apps so that these
    users can run under a restricted user account. You don't need
    filemon/regmon to do this. (you might in an extremely rare occasion,
    but have not had to use them yet). What works 99% of the time is this:

    1.) Go into the program files\<appname folder> and give local users
    modify rights.
    2.) Go into the HKLM\software\<appname folder> and do the same.

    That's it.

    Good luck,

    |-----Original Message-----
    |From: Jane Han []
    |Sent: Thursday, July 03, 2003 11:47 AM
    |To: Dennis Bauer;
    |Subject: RE: How to block users from installing other apps
    |Thanks for all help.
    |I downloaded regmon and filemon and going to find
    |which permission need to apply to the reg keys and
    |files level.
    |Currently, I met some resistance from help desk
    |manager, which many changes could be done at users'
    |level if we need to change reg and file permission.
    |he challenged me that the only damage can be caused
    |only at local computer, not at domain.
    |If someone can list all damages that caused by
    |assigning domain users to the local administrators
    |group, I would greatly appreciate it.
    |Thanks in advance,
    |--- Dennis Bauer <dbauer@Mines.EDU> wrote:
    |> Have you tried regmon and filemon to see what you
    |> need to open for users
    |> to be able to run the apps?
    |> -----Original Message-----
    |> From: Jane Han []
    |> Sent: Wednesday, June 25, 2003 2:22 PM
    |> To:
    |> Subject: How to block users from installing other
    |> apps
    |> Due to several customized inhouse applications, the
    |> users need to be local aministrator to lauch the applications. Since

    |> most users are local admin, they can download and install
    |> applications such
    |> as games, AOL instant messages...from internet.
    |> Is it possible to block users from installing
    |> applications through Group Policy in this case? or
    |> disable internet explorer?
    |> Any solutions or suggestions?
    |> Thanks in advance,
    |> Jane
    |> __________________________________
    |> Do you Yahoo!?
    |> SBC Yahoo! DSL - Now only $29.95 per month!
    |> -----
    |> ------
    |Do you Yahoo!?
    |SBC Yahoo! DSL - Now only $29.95 per month!

    Add photos to your e-mail with MSN 8. Get 2 months FREE*.



  • Next message: Marc Fossi: "SecurityFocus Microsoft Newsletter #144"