Re: Deny user software installations
From: Dmitry Korolyov (d__k_at_nospamformorons.mail.ru)
Date: 09/08/03
Date: Tue, 9 Sep 2003 01:24:18 +0400
Greg,
I understand that your users have administrative privileges on their local
computers because they have to use some apps. But there is another
solution - to find out what exactly they need, what kind of access and
where to, in order to run these applications.
There's a wonderful website, www.sysinternals.com. Download the ntfilemon and
ntregmon tools from there, run them both (catching only access denied
messages), and then run your application under a regular user account. After
some monitoring, you should be able to find all file system and registry
paths that users need write access to, and document the settings. The next
step is to create a custom group policy which will grant the required access to
the file system and registry paths to some domain group. Finally, you
include the users working with your app in that group, and apply the group
policy object you created so it affects the desktops where these users work
and the application is installed.
Most "bad" apps need only write access to ODBC settings in the HKLM registry
hive, or write access to some configuration files in the Program Files or
system32 directory. By spending some time on access monitoring and creating
custom policies, you will be able to create more secure desktops without
affecting users' productivity and functionality.
--
Dmitry Korolyov
d__k@nospamformorons.mail.ru
To e-mail me, remove "nospamformorons" from the address.

"Greg" <sysman@techgroupinc.com> wrote in message news:447501c3763d$51841880$a001280a@phx.gbl...
> I've done some searching but haven't found anything that
> works the way I want it to.
>
> How do I deny access to ANY software installations for
> users of a group or OU? (either one, whichever works best)
>
> I was able to block access to ADD/Remove progs and the
> Windows Installer via Group Policy, but I was still able
> to run an install from Winamp as it doesn't use the
> Windows installer. So how do I block stuff like that?
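
The "document the settings" step from the reply above, as an added example that is not part of the original message: it reduces a saved monitor log to the distinct file and registry paths one process was denied, which is the list the custom policy has to cover. The tab-separated column order, the process name `legacyapp.exe` and the sample rows are assumptions constructed for illustration; file and registry rows are merged into one log for brevity.

```python
import csv
import io
from collections import Counter

# Assumed column order of the saved, tab-separated monitor log.
# Adjust COLUMNS to match the export you actually have.
COLUMNS = ["seq", "time", "process", "request", "path", "result", "other"]

# Constructed sample rows (hypothetical application and paths).
SAMPLE_LOG = (
    "1\t10:01:02\tlegacyapp.exe\tOPEN\tC:\\Program Files\\LegacyApp\\app.ini\tACCESS DENIED\t\n"
    "2\t10:01:02\tlegacyapp.exe\tOPEN\tC:\\Program Files\\LegacyApp\\app.ini\tACCESS DENIED\t\n"
    "3\t10:01:03\tlegacyapp.exe\tCreateKey\tHKLM\\SOFTWARE\\ODBC\\ODBC.INI\\LegacyDSN\tACCESS DENIED\t\n"
    "4\t10:01:03\tlegacyapp.exe\tOPEN\tC:\\WINNT\\system32\\legacy.cfg\tSUCCESS\t\n"
    "5\t10:01:04\texplorer.exe\tOPEN\tC:\\pagefile.sys\tACCESS DENIED\t\n"
)

REGISTRY_ROOTS = ("HKLM\\", "HKCU\\", "HKCR\\", "HKU\\")


def denied_paths(log_text, process):
    """Count denied results per path for one process (case-insensitive name)."""
    hits = Counter()
    reader = csv.DictReader(io.StringIO(log_text), fieldnames=COLUMNS,
                            delimiter="\t", quoting=csv.QUOTE_NONE)
    for row in reader:
        # Short or malformed rows yield None for missing columns.
        if (row["process"] or "").lower() != process.lower():
            continue
        if "DENIED" not in (row["result"] or "").upper():
            continue
        hits[row["path"]] += 1
    return hits


def access_report(log_text, process):
    """Return sorted (kind, path, hits) tuples to document for the policy."""
    report = []
    for path, count in denied_paths(log_text, process).items():
        kind = "registry" if path.upper().startswith(REGISTRY_ROOTS) else "file"
        report.append((kind, path, count))
    return sorted(report)


if __name__ == "__main__":
    for kind, path, count in access_report(SAMPLE_LOG, "legacyapp.exe"):
        print(f"{kind:8} {count:3}  {path}")
```

Filtering on the application's own process name keeps denials from unrelated processes out of the list, so the group is granted access only where the application actually needed it.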