Re: Prevent users from installing software

From: Sandip (Sandip_at_discussions.microsoft.com)
Date: 04/29/05

• Next message: Roger Abell: "Re: NT4 and 2000 Trust"
• Previous message: andy smart: "Re: Security Event Log madness."
• In reply to: Steven L Umbach: "Re: Prevent users from installing software"
• Next in thread: andy smart: "Re: Prevent users from installing software"
• Reply: andy smart: "Re: Prevent users from installing software"
• Reply: Steven L Umbach: "Re: Prevent users from installing software"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

---

Date: Fri, 29 Apr 2005 03:34:05 -0700

Hi Steve & Danny,

Steven

I want to say a big thank you for you feedback I will be applying the GP
security template first to see if this is a soloution that I will be happy
with, if not I will look into applying SRP. Am I correct in thinking that if
I want to apply SRP, it can be applied on a W2k DC with clients on a mixture
of Windows 2000 and Win Xp SP1 & SP2.

Danny

The reason why users on Windows XP need to be Admin group is due to a in
house database we use, if a user is on a XP PC the permissions have to be
changed for certain features to work correctly, if a user is on W2k no
changes need to be made. I suppose the last resort would be to roll all
users back to Windows 2000.

Thanks all again and I shall keep you posted, if you have any additional
info please post it.

Take Care

Sandip

"Steven L Umbach" wrote:

> First off it is extremely difficult to restrict an administrator and you
> should do everything you can including modifying permissions for
> applications so that they do not need to be an administrator to do such.
> Having said that you are somewhat in luck. Windows XP Pro has a feature
> called Software Restriction Policies that can be used to restrict what
> applications a user can install or run with hash, certificate, and path
> rules. In high security situations you can start with a default disallowed
> security level and then create rules for what the user is allowed to run. If
> you do such keep in mind that desktop shortcuts are considered restricted
> under SRP.
>
> You can manage SRP for computer configuration in a Windows 2000 domain for
> XP Pro computers. SRP also has an enforcement rule that can apply SRP to
> local administrators. Note however that local administrators can bypass SRP
> by booting into safe mode so beware of that. An additional possibility is to
> use Group Policy user configuration/administrative templates/system and add
> setup.exe and install.exe to the disallowed Windows applications list though
> that is not near as effective as SRP. The links below should help. ---
> Steve
>
> http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/rstrplcy.mspx
> http://www.windowsecurity.com/articles/Windows-XP-Group-Policy-Windows-2000-Domain-Part2.html
> http://support.microsoft.com/default.aspx?kbid=842933 --- install this
> patch FIRST on domain controllers.
>
> "Sandip" <Sandip@discussions.microsoft.com> wrote in message
> news:BDDDCBD8-80C9-4B53-8658-655B84C232BA@microsoft.com...
> > Hi All,
> >
> > How can I use the GP on a W2k DC to stop users from installing software
> > when
> > the users is part of the local Administrators group?
> >
> > I have been able to stop software from being installed which uses the
> > Windows Installer using the GP setting under :-
> >
> > User Config\Admin Templates\ Windows Installer\Disable media source for
> > any
> > install (enabled)
> >
> > But with other software I have not been able to. The client PC's are on
> > Windows XP SP2
> >
> > I really need help on this issuse. Thanks for taking time to read and
> > provide feedback to this problem.
> >
> > Thanks
> >
> > Sandip
>
>
>

---

• Next message: Roger Abell: "Re: NT4 and 2000 Trust"
• Previous message: andy smart: "Re: Security Event Log madness."
• In reply to: Steven L Umbach: "Re: Prevent users from installing software"
• Next in thread: andy smart: "Re: Prevent users from installing software"
• Reply: andy smart: "Re: Prevent users from installing software"
• Reply: Steven L Umbach: "Re: Prevent users from installing software"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

---

Relevant Pages Re: Prevent users from installing software ... if not I will look into applying SRP. ... >> First off it is extremely difficult to restrict an administrator and you ... In high security situations you can start with a default disallowed ... Note however that local administrators can bypass SRP ... (microsoft.public.win2000.security) [NT] Cumulative Security Update for Internet Explorer (MS04-025) ... Get your security news from a reliable source. ... * Microsoft Windows NT Workstation 4.0 Service Pack 6a ... Navigation Method Cross-Domain Vulnerability ... (Securiteam) [NT] Vulnerability in HTML Help Allows Code Execution (MS05-001) ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... Get your security news from a reliable source. ... * Microsoft Windows XP Service Pack 1 and Microsoft Windows XP Service ... (Securiteam) Re: The Myth of the secure Mac ... OEM Windows XP Home goes for a bit under $100. ... >> secure than Home. ... Though this really has nothing to do with security. ... Microsoft counts on third-party developers to provide more ... (comp.sys.mac.advocacy) SecurityFocus Microsoft Newsletter #120 ... Strengthening Network Security: FREE Guide Network security is a ... MICROSOFT VULNERABILITY SUMMARY ... Microsoft Windows File Protection Signed File Replacement... ... PlatinumFTPServer Information Disclosure Vulnerability ... (Focus-Microsoft)

---

We are proud to have Web Hosting and Rack Housing from 9 Net Avenue Deutschland.
(18)