Re: preventing users from installing unauthorized softwares

From: Andrew Mitchell (amitchell_at_removecasey.vic.gov.au)
Date: 04/24/04


Date: Sat, 24 Apr 2004 10:14:46 -0700


"Aafaq Manzoor" <anonymous@discussions.microsoft.com>
said

> Restricting the access on the firewall may completely stop access even
> to legitimate and production related sites also.

How so? If all clients have their browser configured to use the proxy
server (preferably through a group policy) and only the proxy can access
the internet on port 80 then users can browse the internet via the proxy. If
they require direct access through the firewall for other applications you
only open the ports that the application in question requires.
Other applications that require a direct connection (MSN Messenger etc.)
would be blocked. If they use another application to bypass the proxy, they
would be blocked.
If they leave things alone it will work just fine.

> Startsurf was an example
> to demonstrate what can be possible; the bigger issue is compliance to the
> policy of having no unauthorized software on machines.

If you were using Windows Server 2003 with Windows XP clients you could
prevent them from running the applications even if they renamed them, but
with Windows 2000 that is not an option without using third party products.

You could start by ensuring that users are not local administrators on
their PCs and add msiexec.exe to the deny list. This would stop any
applications that use the Windows installer from being installed (I think -
I haven't tried this).
If the users only need to run a limited number of applications you could
create a default policy of deny all, then just add the applications you
want to allow them to run.

It sounds to me like this is more of a people management problem than a
technical problem. Do you have an official internet access or computer use
policy at your work? Does it cover situations such as this and, if so, have
you notified the users' managers of the breach of policy?

> That is why it is
> rather more important to prevent the installation than breaking the
> functionality of it.

A correctly set up proxy/firewall combination will ensure your security
without reducing legitimate functionality.

-- 
Andy.
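
As an added illustration of the two approaches discussed in the post (not part of the original message, and not how Windows implements its policies): a deny list keyed on file names stops matching once a binary is renamed, while a default-deny allow list keyed on file contents does not. The file names, sample bytes and the use of SHA-256 are assumptions made for this sketch.

```python
import hashlib
import os
import tempfile

def sha256_of(path):
    """Hash the file contents so the identity survives a rename."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def name_denylist_allows(path, denied_names):
    """Default allow: block only binaries whose file name is listed."""
    return os.path.basename(path).lower() not in denied_names

def hash_allowlist_allows(path, allowed_hashes):
    """Default deny: run only binaries whose content hash is approved."""
    return sha256_of(path) in allowed_hashes

def demo():
    """Evaluate both policies on constructed sample files, before and after a rename."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        approved = os.path.join(d, "editor.exe")          # constructed name
        unwanted = os.path.join(d, "toolbar_setup.exe")   # constructed name
        renamed = os.path.join(d, "notes.exe")            # constructed name
        with open(approved, "wb") as f:
            f.write(b"constructed bytes: approved application")
        with open(unwanted, "wb") as f:
            f.write(b"constructed bytes: unauthorized installer")

        denied_names = {"toolbar_setup.exe"}
        allowed_hashes = {sha256_of(approved)}

        results["denylist_original"] = name_denylist_allows(unwanted, denied_names)
        results["allowlist_original"] = hash_allowlist_allows(unwanted, allowed_hashes)

        os.rename(unwanted, renamed)  # the user renames the blocked binary

        results["denylist_renamed"] = name_denylist_allows(renamed, denied_names)
        results["allowlist_renamed"] = hash_allowlist_allows(renamed, allowed_hashes)
        results["allowlist_approved"] = hash_allowlist_allows(approved, allowed_hashes)
    return results

if __name__ == "__main__":
    for check, allowed in demo().items():
        print(f"{check}: {'allowed' if allowed else 'blocked'}")
```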

