Re: RE: Can we really block users from installing applications through Group policy?

From: Laura Robinson (larobins_at_verizon.net)
Date: 10/16/04

    To: "Paul Aviles" <paviles@adjoined.com>, "Harlan Carvey" <keydet89@yahoo.com>, <focus-ms@securityfocus.com>
    Date: Sat, 16 Oct 2004 17:44:21 -0400
    
    

    Um, I don't recall Harlan saying that the policy had to be applied to *everyone*.

    Laura
    >
    > From: "Paul Aviles" <paviles@adjoined.com>
    > Date: 2004/10/11 Mon AM 08:57:28 EDT
    > To: "Harlan Carvey" <keydet89@yahoo.com>,
    > <focus-ms@securityfocus.com>
    > CC: "chang zhu" <cyz2000@yahoo.com>
    > Subject: RE: Can we really block users from installing applications through Group policy?
    >
    > Well you cannot ever just release a GPO and expect to fit everyone. From
    > administrators to developers people will need different access. How do
    > you handle exceptions?
    >
    > -----Original Message-----
    > From: Harlan Carvey [mailto:keydet89@yahoo.com]
    > Sent: Friday, October 08, 2004 5:39 PM
    > To: Paul Aviles; focus-ms@securityfocus.com
    > Cc: chang zhu
    > Subject: RE: Can we really block users from installing applications
    > through Group policy?
    >
    >
    > Paul,
    >
    > > This is very interesting topic. I think this
    > > approach will work, but
    > > will also give you a lot of problems since many
    > > applications including MS ones will need this.
    >
    > Need what? What problems are you referring to?
    >
    > > Additionally, how will you handle exceptions to
    > > the GPO?
    >
    > Well...as an exception.
    >
    > > -----Original Message-----
    > > From: Harlan Carvey [mailto:keydet89@yahoo.com]
    > > Sent: Friday, October 08, 2004 11:12 AM
    > > To: focus-ms@securityfocus.com
    > > Cc: chang zhu
    > > Subject: Re: Can we really block users from
    > > installing applications
    > > through Group policy?
    > >
    > >
    > >
    > >
    > > > The users are not local administrators. We
    > > > configure
    > > > group policy to prevent user installs but it seems
    > > > that it blocks only .msi packages. Users still
    > > can
    > > > install applications through ex. setup.exe...Can
    > > we
    > > > really block users from installing applications
    > > > through Group policy?
    > > >
    > > > Any idea or thoughts on this?
    > >
    > > Sure. Disable access to write to certain
    > > locations of the hard drive. While some
    > > applications
    > > require the ability to write to a temp directory,
    > > most
    > > users shouldn't have write access to the system32
    > > dir...read and execute usually suffice.
    > >
    > > First, though...some background. Do you have a
    > > policy
    > > in place that states that users shall not install
    > > software? If you do, the next step should be to put technical
    > > measures in place to not only prevent it, but monitor it. Monitoring
    > > can be done easily through
    > > freeware and WMI.
    > >
    > > > Plus, if we need to block users from saving .mp3
    > > > file
    > > > on their computers, can we do it through group
    > > > policy?
    > >
    > > Again, the first step should be a security policy.
    > > Next, how do they download the .mp3s? If it's via
    > > file sharing (or rather, pretty much any method
    > > other
    > > than FTP, HTTP, or bringing in a CD), then there is
    > > probably an *installed application* that they're
    > > using. Also, there is very likely an *installed
    > > application* they're using to play the .mp3s, right?
    > >
    > > You won't be able to completely prevent the download
    > > of files to the local hard drive through ACLs...the
    > > users still need some write access to the drive.
    > > However, you *can* monitor this by simply using
    > > 'dir'.
    > > Map a drive (x:\) and type the following command:
    > >
    > > c:\>dir /s x:\*.mp3
    > >
    > > If you want, you can follow this up with the
    > > judicious
    > > use of 'del'.
    > >
    > > Hope that helps,
    > >
    > >
    > > =====
    > > ------------------------------------------
    > > Harlan Carvey, CISSP
    > > "Windows Forensics and Incident Recovery" http://www.windows-ir.com
    > > http://groups.yahoo.com/group/windowsir/
    > >
    > > "Meddle not in the affairs of dragons, for
    > > you are crunchy, and good with ketchup."
    > >
    > > "The simplicity of this game amuses me.
    > > Bring me your finest meats and cheeses."
    > > ------------------------------------------
    > >
    > >
    > >
    >
    >
    > =====
    > ------------------------------------------
    > Harlan Carvey, CISSP
    > "Windows Forensics and Incident Recovery" http://www.windows-ir.com
    > http://groups.yahoo.com/group/windowsir/
    >
    > "Meddle not in the affairs of dragons, for
    > you are crunchy, and good with ketchup."
    >
    > "The simplicity of this game amuses me.
    > Bring me your finest meats and cheeses."
    > ------------------------------------------
    >
    >
    >
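
The thread's suggestion to monitor for user-installed software, sketched as an added example that is not part of any poster's message: it reads the Uninstall registry keys (rather than querying WMI) and reports entries missing from an approved list. The baseline path `C:\SecOps\approved-software.txt` and its one-name-per-line format are assumptions.

```powershell
# Added example, not from the thread. Compares installed-software entries
# against an approved baseline and reports anything unexpected.
$BaselinePath = 'C:\SecOps\approved-software.txt'   # hypothetical path, one DisplayName per line

# Machine-wide (64-bit and 32-bit views) and per-user install registrations.
# HKCU matters here: non-admin users cannot write to HKLM, so per-user
# setup.exe installers register themselves under the user's own hive.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function Get-InstalledSoftware {
    foreach ($key in $uninstallKeys) {
        Get-ItemProperty -Path $key -ErrorAction SilentlyContinue |
            Where-Object { $_.DisplayName } |
            ForEach-Object {
                [pscustomobject]@{
                    Name        = $_.DisplayName.Trim()
                    Version     = $_.DisplayVersion
                    Publisher   = $_.Publisher
                    InstallDate = $_.InstallDate
                    RegistryKey = $_.PSPath -replace '^[^:]+::', ''
                }
            }
    }
}

# Load the approved list; with no baseline, every entry is reported.
$approved = @()
if (Test-Path $BaselinePath) {
    $approved = Get-Content $BaselinePath |
        ForEach-Object { $_.Trim() } |
        Where-Object { $_ }
} else {
    Write-Warning "Baseline $BaselinePath not found; reporting all entries."
}

# -notcontains is case-insensitive, so name casing differences do not matter.
$unexpected = Get-InstalledSoftware |
    Where-Object { $approved -notcontains $_.Name } |
    Sort-Object -Property Name -Unique

$unexpected | Format-Table Name, Version, Publisher, RegistryKey -AutoSize
```

Run in a user's session, the HKCU key covers only that user. Programs that are simply copied to disk without registering an uninstall entry will not appear, which is why the file-system ACLs discussed in the thread still matter.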
