RE: Can we really block users from installing applications through Group policy?

From: Harlan Carvey (keydet89_at_yahoo.com)
Date: 10/08/04

    Date: Fri, 8 Oct 2004 14:39:17 -0700 (PDT)
    To: Paul Aviles <paviles@adjoined.com>, focus-ms@securityfocus.com
    
    

    Paul,

    > This is a very interesting topic. I think this
    > approach will work, but will also give you a lot of
    > problems since many applications including MS ones
    > will need this.

    Need what? What problems are you referring to?

    > Additionally, how will you handle exceptions to
    > the GPO?

    Well...as an exception.

    > -----Original Message-----
    > From: Harlan Carvey [mailto:keydet89@yahoo.com]
    > Sent: Friday, October 08, 2004 11:12 AM
    > To: focus-ms@securityfocus.com
    > Cc: chang zhu
    > Subject: Re: Can we really block users from installing applications through Group policy?
    >
    >
    >
    >
    > > The users are not local administrators. We configure
    > > group policy to prevent user installs but it seems
    > > that it blocks only .msi packages. Users still can
    > > install applications through ex. setup.exe...Can we
    > > really block users from installing applications
    > > through Group policy?
    > >
    > > Any idea or thoughts on this?
    >
    > Sure. Disable write access to certain locations of the
    > hard drive. While some applications require the ability
    > to write to a temp directory, most users shouldn't have
    > write access to the system32 dir...read and execute
    > usually suffice.
    >
    > First, though...some background. Do you have a policy
    > in place that states that users shall not install
    > software? If you do, the next step should be to put
    > technical measures in place to not only prevent it,
    > but monitor it. Monitoring can be done easily through
    > freeware and WMI.
    >
    > > Plus, if we need to block users from saving .mp3 file
    > > on their computers, can we do it through group
    > > policy?
    >
    > Again, the first step should be a security policy.
    > Next, how do they download the .mp3s? If it's via
    > file sharing (or rather, pretty much any method other
    > than FTP, HTTP, or bringing in a CD), then there is
    > probably an *installed application* that they're
    > using. Also, there is very likely an *installed
    > application* they're using to play the .mp3s, right?
    >
    > You won't be able to completely prevent the download
    > of files to the local hard drive through ACLs...the
    > users still need some write access to the drive.
    > However, you *can* monitor this by simply using 'dir'.
    > Map a drive (x:\) and type the following command:
    >
    > c:\>dir /s x:\*.mp3
    >
    > If you want, you can follow this up with the judicious
    > use of 'del'.
    >
    > Hope that helps,
    >
    >
    > =====
    > ------------------------------------------
    > Harlan Carvey, CISSP
    > "Windows Forensics and Incident Recovery"
    > http://www.windows-ir.com
    > http://groups.yahoo.com/group/windowsir/
    >
    > "Meddle not in the affairs of dragons, for
    > you are crunchy, and good with ketchup."
    >
    > "The simplicity of this game amuses me.
    > Bring me your finest meats and cheeses."
    > ------------------------------------------
    >
    >

    =====
    ------------------------------------------
    Harlan Carvey, CISSP
    "Windows Forensics and Incident Recovery"
    http://www.windows-ir.com
    http://groups.yahoo.com/group/windowsir/

    "Meddle not in the affairs of dragons, for
    you are crunchy, and good with ketchup."

    "The simplicity of this game amuses me.
    Bring me your finest meats and cheeses."
    ------------------------------------------
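
The two measures discussed in this thread, as an added PowerShell example that is not part of the original posts: an audit of which directories grant write access to ordinary users, and the `dir /s x:\*.mp3` sweep turned into a report. The function names, the principal list (English-language Windows names), the audited paths and the report file name are assumptions; `X:\` is the mapped drive from the message.

```powershell
# Added example. Function names, principal list and paths are assumptions.
# Principal names are the English-language defaults; localized systems differ.
$BroadPrincipals = 'BUILTIN\Users', 'Everyone', 'NT AUTHORITY\Authenticated Users'

# WriteData/CreateFiles (0x2) and AppendData/CreateDirectories (0x4), plus the
# raw GENERIC_WRITE (0x40000000) and GENERIC_ALL (0x10000000) access-mask bits.
$WriteMask = 0x2 -bor 0x4 -bor 0x40000000 -bor 0x10000000

function Get-BroadWriteAce {
    # Lists Allow ACEs that let ordinary users create or append files in $Path.
    param([Parameter(Mandatory)][string[]]$Path)
    foreach ($p in $Path) {
        $acl = Get-Acl -LiteralPath $p -ErrorAction Stop
        foreach ($ace in $acl.Access) {
            $isBroad  = $BroadPrincipals -contains $ace.IdentityReference.Value
            $canWrite = ([int]$ace.FileSystemRights -band $WriteMask) -ne 0
            if ($isBroad -and $canWrite -and $ace.AccessControlType -eq 'Allow') {
                [pscustomobject]@{
                    Path      = $p
                    Identity  = $ace.IdentityReference.Value
                    Rights    = $ace.FileSystemRights
                    Inherited = $ace.IsInherited
                }
            }
        }
    }
}

function Find-FileByExtension {
    # Equivalent of "dir /s x:\*.mp3", with size, timestamp and owner per file.
    param([Parameter(Mandatory)][string]$Root, [string]$Filter = '*.mp3')
    Get-ChildItem -LiteralPath $Root -Filter $Filter -Recurse -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $fileAcl = Get-Acl -LiteralPath $_.FullName -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Path     = $_.FullName
                SizeMB   = [math]::Round($_.Length / 1MB, 2)
                Modified = $_.LastWriteTime
                Owner    = $fileAcl.Owner   # empty if the ACL could not be read
            }
        }
}

# Directories where users should have read and execute only.
Get-BroadWriteAce -Path "$env:SystemRoot\System32", $env:ProgramFiles | Format-Table -AutoSize

# Sweep the mapped drive and keep a report instead of scrolling console output.
Find-FileByExtension -Root 'X:\' | Sort-Object SizeMB -Descending |
    Export-Csv -Path .\mp3-report.csv -NoTypeInformation
```

An empty result from `Get-BroadWriteAce` means none of the listed principals can write to the audited directories; the `Owner` column in the report shows which account created each file.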


