Re: RE: Can we really block users from installing applications through Group policy?

From: Laura Robinson (larobins_at_verizon.net)
Date: 10/27/04

  • Next message: Jef Feltman: "RE: 802.1x Authentication" 
    To: Joshua Feek <jfeek@yahoo.com.au>, Paul Aviles <paviles@adjoined.com>, Harlan Carvey <keydet89@yahoo.com>, <focus-ms@securityfocus.com>
Date: Wed, 27 Oct 2004 17:51:14 -0400

    Could you please identify the GPO setting in question? Thanks.

    Laura
    >
    > From: Joshua Feek <jfeek@yahoo.com.au>
    > Date: 2004/10/25 Mon PM 11:05:12 EDT
    > To: Laura Robinson <larobins@verizon.net>,
    > Paul Aviles <paviles@adjoined.com>,
    > Harlan Carvey <keydet89@yahoo.com>, focus-ms@securityfocus.com
    > CC: chang zhu <cyz2000@yahoo.com>
    > Subject: Re: RE: Can we really block users from installing applications through Group policy?
    >
    > This is not related to software restriction but a
    > method that can be used via group policy to restrict
    > the applications that can be installed, software
    > restriction only stops the application being launched.
    >
    > Within a GPO you can specify that only a cert
    > certified applciation can be installed and then
    > specify the trusted cert provider. By enforcing this a
    > user cannot install unauthorised applications.
    >
    > The original question was how to stop users from
    > installing apps via a gpo method. This fits the bill
    > and works very well, except you have to repackage
    > applications to msi format (or anything else) so that
    > you can sign the installation with your cert.
    >
    >
    > --- Laura Robinson <larobins@verizon.net> wrote:
    > > While your reply actually seems to be in response to
    > > something other than the message to which it is
    > > attached, I did want to comment on a couple of
    > > items. First, implementing software restriction
    > > policies does not require one to repackage all
    > > applications into signed .msi packages- it depends
    > > on which of the four methods of restriction you
    > > implement. Second, you are only mentioning one way
    > > to implement software restriction policies- there
    > > are numerous ways of going about it. It's not quite
    > > as facile as the description below indicates.
    > >
    > > Laura
    > > >
    > > > From: Joshua Feek <jfeek@yahoo.com.au>
    > > > Date: 2004/10/18 Mon PM 09:13:01 EDT
    > > > To: Laura Robinson <larobins@verizon.net>, Paul
    > > Aviles <paviles@adjoined.com>,
    > > > Harlan Carvey <keydet89@yahoo.com>,
    > > focus-ms@securityfocus.com
    > > > CC: chang zhu <cyz2000@yahoo.com>
    > > > Subject: Re: RE: Can we really block users from
    > > installing applications through Group policy?
    > > >
    > > > Of course you can though it requires you to
    > > package
    > > > all applications into MSI format and certify using
    > > a
    > > > PKI cert. You then config a GPO to only allow apps
    > > > that are certified by your cert to be installed.
    > > This
    > > > will stop dead every other application
    > > installation.
    > > > You can of course include other certs from verdors
    > > to
    > > > minimise this repackage requirement
    > > >
    > > > --- Laura Robinson <larobins@verizon.net> wrote:
    > > > > Um, I don't recall Harlan saying that the policy
    > > had
    > > > > to be applied to *everyone*.
    > > > >
    > > > > Laura
    > > > > >
    > > >
    > > >
    > > >
    > > >
    > > >
    > > >
    > > >
    > >
    > ___________________________________________________________ALL-NEW
    > > Yahoo! Messenger - all new features - even more fun!
    > > http://uk.messenger.yahoo.com
    > > >
    > >
    > >
    >
    >
    >
    >
    >
    > ___________________________________________________________ALL-NEW Yahoo! Messenger - all new features - even more fun! http://uk.messenger.yahoo.com
    >
    > ---------------------------------------------------------------------------
    > ---------------------------------------------------------------------------
    >
    >

    ---------------------------------------------------------------------------
    ---------------------------------------------------------------------------

  • Next message: Jef Feltman: "RE: 802.1x Authentication"

    Relevant Pages

    • Re: RE: Can we really block users from installing applications through Group policy?
      ... Within a GPO you can specify that only a cert ... user cannot install unauthorised applications. ... installing apps via a gpo method. ... First, implementing software restriction ...
      (Focus-Microsoft)
    • Re: Designing restrictive GPO
      ... > Software Restriction policies are definetly the way to go. ... > to create a GPO and link it to the container the machines reside in (such ... You can 'disallow' applications from running there. ...
      (microsoft.public.win2000.active_directory)
    • Re: Designing restrictive GPO
      ... Software Restriction policies are definetly the way to go. ... to create a GPO and link it to the container the machines reside in (such as ... You can 'disallow' applications from running there. ...
      (microsoft.public.win2000.active_directory)
    • Re: Blocking Multiple Applications
      ... applications. ... The other GPO are just ignored and the exe's can run. ... Software Restriction Policy is the place, where you should take a look at ...
      (microsoft.public.windows.group_policy)
    • Re: I WANT MY FP2000 BACK-Fr Alex
      ... > However you needed to have Norton disabled when you installed ... > In general any anti-virus application should be disabled when installing ... > Thomas A. Rowe ... >>>> What other applications do I have. ...
      (microsoft.public.frontpage.client)