RE: Can we really block users from installing applications through Group policy?

From: Paul Aviles (paviles_at_adjoined.com)
Date: 10/08/04

  • Next message: vic brown: "Re: Can we really block users from installing applications through Group policy?" 
    Date: Fri, 8 Oct 2004 13:23:06 -0400
To: "Harlan Carvey" <keydet89@yahoo.com>, <focus-ms@securityfocus.com>

    This is very interesting topic. I think this approach will work, but
    will also give you a lot of problems since many applications including
    MS ones will need this. Additionally, how will you handle exceptions to
    the GPO?

    -----Original Message-----
    From: Harlan Carvey [mailto:keydet89@yahoo.com]
    Sent: Friday, October 08, 2004 11:12 AM
    To: focus-ms@securityfocus.com
    Cc: chang zhu
    Subject: Re: Can we really block users from installing applications
    through Group policy?

    > The users are not local administrators. We
    > configure
    > group policy to prevent user installs but it seems
    > that it blocks only .msi packages. Users still can
    > install applications through ex. setup.exe...Can we
    > really block users from installing applications
    > through Group policy?
    >
    > Any idea or thoughts on this?

    Sure. Disable access to the write to certain
    locations of the hard drive. While some applications
    require the ability to write to a temp directory, most
    users shouldn't have write access to the system32
    dir...read and execute usually suffice.

    First, though...some background. Do you have a policy
    in place that states that users shall not install
    software? If you do, the next step should be to put
    technical measures in place to not only prevent it,
    but monitor it. Monitoring can be done easily through
    freeware and WMI.

    > Plus, if we need to block users from saving .mp3
    > file
    > on their computers, can we do it through group
    > policy?

    Again, the first step should be a security policy.
    Next, how do they download the .mp3s? If it's via
    file sharing (or rather, pretty much any method other
    than FTP, HTTP, or bringing in a CD), then there is
    probably an *installed application* that they're
    using. Also, there is very likely an *installed
    application* they're using to play the .mp3s, right?

    You won't be able to completely prevent the download
    of files to the local hard drive through ACLs...the
    users still need some write access to the drive.
    However, you *can* monitor this by simply using 'dir'.
     Map a drive (x:\) and type the following command:

    c:\>dir /s x:\*.mp3

    If you want, you can follow this up with the judicious
    use of 'del'.

    Hope that helps,

    =====
    ------------------------------------------
    Harlan Carvey, CISSP
    "Windows Forensics and Incident Recovery" http://www.windows-ir.com
    http://groups.yahoo.com/group/windowsir/

    "Meddle not in the affairs of dragons, for
    you are crunchy, and good with ketchup."

    "The simplicity of this game amuses me.
    Bring me your finest meats and cheeses."
    ------------------------------------------

    ------------------------------------------------------------------------ 

    ---
------------------------------------------------------------------------
---
---------------------------------------------------------------------------
---------------------------------------------------------------------------
  • Next message: vic brown: "Re: Can we really block users from installing applications through Group policy?"

    Relevant Pages

    • RE: Can we really block users from installing applications through Group policy?
      ... > applications including MS ones will need this. ... >> group policy to prevent user installs but it seems ... >> really block users from installing applications ... > "Meddle not in the affairs of dragons, ...
      (Focus-Microsoft)
    • Re: I WANT MY FP2000 BACK-Fr Alex
      ... > However you needed to have Norton disabled when you installed ... > In general any anti-virus application should be disabled when installing ... > Thomas A. Rowe ... >>>> What other applications do I have. ...
      (microsoft.public.frontpage.client)
    • Re: Whats the Deal with IE8
      ... What third-party firewall? ... applications running in the background when you installed and/or ... I generally follow the same procedure when installing major upgrades. ... 13- Disable your security software. ...
      (microsoft.public.windowsupdate)
    • Re: Group policy problem: can not assign or publish applications to us
      ... What I would try is to create a new Group Policy with the Software ... HOWEVER i can assign applications to computers. ... > either assign or publish applications through GPO to users it fails. ... The Group Policy client-side extension Software Installation ...
      (microsoft.public.windows.group_policy)
    • RE: Deploying Application
      ... had been trying to use the add applications wizard but that didnt' work, ... (running the the SBS 03 server I am also trying to deploy apps from). ... there something stupid I could be doing in my group policy that would prevent ... you name this new group policy object as Test. ...
      (microsoft.public.windows.server.sbs)