Re: Program Install LOCK DOWN for Win 2000 Users

From: Steven L Umbach (n9rou_at_nospam-comcast.net)
Date: 04/21/04


Date: Wed, 21 Apr 2004 15:52:58 GMT

The best solution is to upgrade to XP Pro and use Software Restriction Policies which
are very powerful in restricting such via hash, certificate, and path rules. See the
link below for info on that.

http://support.microsoft.com/?kbid=310791

For W2K it is much more difficult but the following can help. Some "applications" may
be a single executable file, which is almost impossible to prevent.

-- Do not give users rights beyond belonging to the default users group.

-- Change NTFS permissions on the root/drive folder to be no more than
read/list/execute for users/everyone, being sure to check advanced NTFS permissions
also.

-- Use Local Group Policy [gpedit.msc] to populate the disallowed Windows
applications list in user configuration/administrative templates/system, keeping in
mind that by default local Group Policy applies to ALL users including administrators,
though there are a couple of workarounds. Be sure to also put command.com, install.exe and
setup.exe in the list and read the full explanation of the policy setting and what it
does. You may also want to disable the command prompt and registry editing while
there, again reading the full explanation.

http://support.microsoft.com/default.aspx?scid=KB;EN-US;Q293655&
http://support.microsoft.com/default.aspx?scid=kb;en-us;323525

-- Consider using IPsec filtering via Local Security Policy or a personal firewall
that can map rules to applications protected via an MD5 hash to prevent users from
using unauthorized internet applications if they do somehow install some.

-- Consider modifying the NTFS permissions on the user's profile folder to prevent
them from creating folders. This would have to be done via NTFS advanced/special
permissions and may interfere with user functionality or may not. The benefit is that
many applications need to create folders during an installation and that may prevent
those installations from succeeding. It did work on a test computer of mine.

-- Users can easily become local administrators with free programs if they can boot
to an alternate device such as CD-ROM or floppy. Therefore it is recommended that you
allow only booting from the hard drive in CMOS and password protect CMOS settings and lock
the computer case to prevent access to the CMOS reset jumper or hard drive removal.
If possible also disable USB in CMOS and use a registry setting or Group Policy to
disable auto run for the CD-ROM.

--- Steve

"Roger W" <anonymous@discussions.microsoft.com> wrote in message
news:211a01c427a1$28ba4350$a601280a@phx.gbl...
> Is there a way through using Security Permissions, and
> GPEDITOR that we can prevent regular users from being able
> to install ANY Application. We want to prevent the
> installation of ALL programs (be it from the internet like
> Webshots, Weatherbug, Yahoo messenger etc) to trying to
> install programs from CDs or Floppies
>
> Is this possible?? (without the use of Active Directory!!!)
>
> Roger W
> Network Support
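
One way to verify the Group Policy items in the reply above on a given account, as an added example that is not part of the original post: a read-only PowerShell check of the registry values those policy settings write. It assumes Windows PowerShell is available on the machine and that it is run as the restricted user; the function names are illustrative.

```powershell
# Added example (not from the original post): read-only audit of the registry
# values behind the policy settings the post names. Run as the restricted user.
$explorer = 'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$required = 'command.com', 'install.exe', 'setup.exe'   # names given in the post

function Get-PolicyValue([string]$Path, [string]$Name) {
    # Returns $null when the key or value is absent (policy not configured).
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name }
}

function New-Finding([string]$Setting, [bool]$Ok, [string]$Detail) {
    New-Object PSObject -Property @{ Setting = $Setting; Ok = $Ok; Detail = $Detail }
}

# Disallowed applications list: DisallowRun=1 plus a DisallowRun subkey of names.
$listed  = @()
$listKey = Get-Item -Path "HKCU:\$explorer\DisallowRun" -ErrorAction SilentlyContinue
if ($listKey) {
    $listed = @($listKey.GetValueNames() |
        ForEach-Object { ([string]$listKey.GetValue($_)).ToLower() })
}
$missing = @($required | Where-Object { $listed -notcontains $_ })
$enabled = (Get-PolicyValue "HKCU:\$explorer" 'DisallowRun') -eq 1

# Command prompt (1 = also blocks batch files, 2 = batch files still run).
$cmd = Get-PolicyValue 'HKCU:\Software\Policies\Microsoft\Windows\System' 'DisableCMD'

# Registry editing tools.
$reg = Get-PolicyValue 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System' 'DisableRegistryTools'

# Autorun: bit 0x20 of NoDriveTypeAutoRun covers CD-ROM drives; HKLM wins over HKCU.
$auto = Get-PolicyValue "HKLM:\$explorer" 'NoDriveTypeAutoRun'
if ($null -eq $auto) { $auto = Get-PolicyValue "HKCU:\$explorer" 'NoDriveTypeAutoRun' }

$findings = @(
    New-Finding 'Disallowed applications list' ($enabled -and ($missing.Count -eq 0)) "enabled=$enabled; missing: $($missing -join ', ')"
    New-Finding 'Command prompt disabled' (($cmd -eq 1) -or ($cmd -eq 2)) "DisableCMD=$cmd"
    New-Finding 'Registry editing disabled' (($reg -eq 1) -or ($reg -eq 2)) "DisableRegistryTools=$reg"
    New-Finding 'CD-ROM autorun disabled' (($auto -band 0x20) -ne 0) "NoDriveTypeAutoRun=$auto"
)
$findings | Format-Table Setting, Ok, Detail -AutoSize
```

An empty value in the Detail column means the policy is not configured for that account.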


