Re: Can we really block users from installing applications through Group policy?

From: Joshua Feek (jfeek_at_yahoo.com.au)
Date: 10/09/04

  • Next message: Jesse Weigert: "RE: Can we really block users from installing applications through Group policy?"
    Date: Sat, 9 Oct 2004 00:50:29 +0100 (BST)
    To: Harlan Carvey <keydet89@yahoo.com>, focus-ms@securityfocus.com
    
    

    Two things I can think of straight away, but they will
    require you to do some work.

    Use a software restriction GPO. It will ensure that
    corporate-approved applications are the only ones that
    can execute, so even if installed by the user they
    cannot launch it. It doesn't solve the problem but
    makes sure that even if installed it provides no use or
    value to the user unless formally requested for
    exemption or addition to the policy.

    Second thing. Use an MSI packaging tool to repackage
    every approved application and in the process use your
    own PKI structure to certify every application. Use
    the GPO setting to ensure your cert is the only
    one trusted for application installation... therefore,
    if it is not signed by your cert, it cannot be installed,
    no matter what level of access the user has to a workstation.
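
An audit for the second suggestion above, added here as an example that is not part of the original message: it reports which repackaged MSIs would pass or fail an "only our certificate is trusted" rule before that rule is enforced. The share path and the thumbprint are placeholders assumed for illustration.

```powershell
# Added example: audit repackaged MSIs against the corporate signing certificate.
# Assumptions (not from the original post): the share path and the thumbprint
# below are placeholders to be replaced with your own values.
param(
    [string]$PackageRoot = '\\fileserver\packages',   # hypothetical package share
    [string[]]$ApprovedThumbprints = @('<CORPORATE-CODE-SIGNING-CERT-THUMBPRINT>')
)

function Test-PackageSignature {
    param(
        [Parameter(Mandatory)] [string]$Path,
        [Parameter(Mandatory)] [string[]]$Approved
    )

    # Authenticode check: 'Valid' means the hash matches and the chain is trusted here.
    $sig   = Get-AuthenticodeSignature -FilePath $Path
    $thumb = $null
    if ($sig.SignerCertificate) { $thumb = $sig.SignerCertificate.Thumbprint }

    if ($sig.Status -eq 'NotSigned') {
        $verdict = 'Unsigned'                       # never went through repackaging
    } elseif ($sig.Status -ne 'Valid') {
        $verdict = "BadSignature: $($sig.Status)"   # tampered file or untrusted chain
    } elseif ($Approved -notcontains $thumb) {
        $verdict = 'SignedByOtherCert'              # valid, but not the corporate cert
    } else {
        $verdict = 'Approved'
    }

    [pscustomobject]@{
        Verdict    = $verdict
        Thumbprint = $thumb
        Path       = $Path
    }
}

# Walk the share and list every package with its verdict, failures included.
Get-ChildItem -Path $PackageRoot -Recurse -File -Filter *.msi |
    ForEach-Object { Test-PackageSignature -Path $_.FullName -Approved $ApprovedThumbprints } |
    Sort-Object Verdict, Path |
    Format-Table -AutoSize
```

Anything not reported as `Approved` either needs repackaging and signing or would stop installing once the policy is applied.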

            
            
                    