Re: RE: Can we really block users from installing applications through Group policy?

From: Laura Robinson (larobins_at_verizon.net)
Date: 10/28/04

    To: Joshua Feek <jfeek@yahoo.com.au>, Paul Aviles <paviles@adjoined.com>, Harlan Carvey <keydet89@yahoo.com>, <focus-ms@securityfocus.com>
    Date: Thu, 28 Oct 2004 12:29:30 -0400
    
    

    Related to my other response, if you are referring to the following Group Policy path:

    Computer Configuration\Windows Settings\Security Settings\Software Restriction Policies

    then you are talking about the exact group policy settings that I discussed and that you dismissed as irrelevant. I understand that you're suggesting signing the .msi files and disallowing unsigned MSI installation, but I think you're missing my point, which was that that is only one way to use software restriction policies to achieve the goal in question. I'm not sure we're following each other's chains of thought here...

    Laura
    >
    > From: Joshua Feek <jfeek@yahoo.com.au>
    > Date: 2004/10/27 Wed PM 08:57:06 EDT
    > To: Laura Robinson <larobins@verizon.net>, Paul Aviles <paviles@adjoined.com>,
    > Harlan Carvey <keydet89@yahoo.com>, focus-ms@securityfocus.com
    > CC: chang zhu <cyz2000@yahoo.com>
    > Subject: Re: RE: Can we really block users from installing applications through Group policy?
    >
    > When you repackage your applications into a new
    > certified msi package, you specify the cert to be
    > used to digitally sign the application. Wise and most
    > of the others have this capability.
    >
    > Under software restriction GPO additional rules, new
    > certificate rule, you add the reference to the cert you
    > used for the applications packaged above.
    >
    > --- Laura Robinson <larobins@verizon.net> wrote:
    > > Could you please identify the GPO setting in
    > > question? Thanks.
    > >
    > > Laura
    > > >
    > > > From: Joshua Feek <jfeek@yahoo.com.au>
    > > > Date: 2004/10/25 Mon PM 11:05:12 EDT
    > > > To: Laura Robinson <larobins@verizon.net>,
    > > > Paul Aviles <paviles@adjoined.com>,
    > > > Harlan Carvey <keydet89@yahoo.com>, focus-ms@securityfocus.com
    > > > CC: chang zhu <cyz2000@yahoo.com>
    > > > Subject: Re: RE: Can we really block users from installing applications through Group policy?
    > > >
    > > > This is not related to software restriction but a
    > > > method that can be used via group policy to restrict
    > > > the applications that can be installed, software
    > > > restriction only stops the application being launched.
    > > >
    > > > Within a GPO you can specify that only a cert
    > > > certified application can be installed and then
    > > > specify the trusted cert provider. By enforcing this a
    > > > user cannot install unauthorised applications.
    > > >
    > > > The original question was how to stop users from
    > > > installing apps via a gpo method. This fits the bill
    > > > and works very well, except you have to repackage
    > > > applications to msi format (or anything else) so that
    > > > you can sign the installation with your cert.
    > > >
    > > >
    > > > --- Laura Robinson <larobins@verizon.net> wrote:
    > > > > While your reply actually seems to be in response to
    > > > > something other than the message to which it is
    > > > > attached, I did want to comment on a couple of
    > > > > items. First, implementing software restriction
    > > > > policies does not require one to repackage all
    > > > > applications into signed .msi packages- it depends
    > > > > on which of the four methods of restriction you
    > > > > implement. Second, you are only mentioning one way
    > > > > to implement software restriction policies- there
    > > > > are numerous ways of going about it. It's not quite
    > > > > as facile as the description below indicates.
    > > > >
    > > > > Laura
    > > > > >
    > > > > > From: Joshua Feek <jfeek@yahoo.com.au>
    > > > > > Date: 2004/10/18 Mon PM 09:13:01 EDT
    > > > > > To: Laura Robinson <larobins@verizon.net>, Paul Aviles <paviles@adjoined.com>,
    > > > > > Harlan Carvey <keydet89@yahoo.com>, focus-ms@securityfocus.com
    > > > > > CC: chang zhu <cyz2000@yahoo.com>
    > > > > > Subject: Re: RE: Can we really block users from installing applications through Group policy?
    > > > > >
    > > > > > Of course you can though it requires you to package
    > > > > > all applications into MSI format and certify using a
    > > > > > PKI cert. You then config a GPO to only allow apps
    > > > > > that are certified by your cert to be installed. This
    > > > > > will stop dead every other application installation.
    > > > > > You can of course include other certs from vendors to
    > > > > > minimise this repackage requirement
    > > > > >
    > > > > > --- Laura Robinson <larobins@verizon.net> wrote:
    > > > > > > Um, I don't recall Harlan saying that the policy had
    > > > > > > to be applied to *everyone*.
    > > > > > >
    > > > > > > Laura

    ---------------------------------------------------------------------------
    ---------------------------------------------------------------------------
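
    A pre-deployment check for the signed-.msi approach discussed in this thread, as an added example that is not part of any participant's message: it lists which packages in a folder carry a valid Authenticode signature from an approved signing certificate and which would not match a certificate rule for that cert. The function name, the share path and the thumbprint placeholder are assumptions.

```powershell
# Added example (not from the thread): audit .msi packages against a list of
# approved signing-certificate thumbprints before relying on a certificate rule.
function Test-MsiSigner {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]   $Path,              # folder holding the packages (assumption)
        [Parameter(Mandatory)] [string[]] $AllowedThumbprint  # thumbprints of approved signing certs
    )

    # Normalise thumbprints copied from the certificate UI (spaces, mixed case).
    $allowed = @($AllowedThumbprint | ForEach-Object { ($_ -replace '\s', '').ToUpperInvariant() })

    Get-ChildItem -Path $Path -Filter *.msi -File -Recurse | ForEach-Object {
        $sig    = Get-AuthenticodeSignature -FilePath $_.FullName
        $signer = $sig.SignerCertificate

        if ($sig.Status -eq 'NotSigned') {
            # Repackaging step was skipped for this file.
            $verdict = 'Unsigned'
        }
        elseif ($sig.Status -ne 'Valid') {
            # Signed, but the hash or chain does not verify (tampered, expired, untrusted root).
            $verdict = "BadSignature($($sig.Status))"
        }
        elseif ($allowed -contains $signer.Thumbprint) {
            $verdict = 'Approved'
        }
        else {
            # Valid signature from a cert that is not on the approved list,
            # e.g. a vendor cert that has not been added yet.
            $verdict = 'SignedByOther'
        }

        [pscustomobject]@{
            File       = $_.FullName
            Verdict    = $verdict
            Signer     = if ($signer) { $signer.Subject }    else { $null }
            Thumbprint = if ($signer) { $signer.Thumbprint } else { $null }
        }
    }
}

# Usage (path and thumbprint are placeholders, not values from the thread):
# Test-MsiSigner -Path '\\fileserver\packages' -AllowedThumbprint '<THUMBPRINT-OF-SIGNING-CERT>' |
#     Where-Object Verdict -ne 'Approved'
```

    Anything reported as Unsigned or SignedByOther still needs repackaging, or its vendor certificate added, before a certificate-based allow list will accept it.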

