Re: Prevent users from installing software

From: Steven L Umbach (n9rou_at_nospam-comcast.net)
Date: 04/29/05

• Next message: Steven L Umbach: "Re: Event Error Logs with Event ID 538 and 540"
• Previous message: Steven L Umbach: "Re: Security Policy Is not opening."
• In reply to: Sandip: "Re: Prevent users from installing software"
• Next in thread: BM: "Re: Prevent users from installing software"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Date: Fri, 29 Apr 2005 13:38:02 -0500

SRP can be configured in a Windows 2000 domain via Group Policy but will
only apply to XP Pro domain computers. --- Steve

"Sandip" <Sandip@discussions.microsoft.com> wrote in message
news:83E61879-51A5-491D-B217-5F695DD94C4B@microsoft.com...
> Hi Steve & Danny,
>
> Steven
>
> I want to say a big thank you for you feedback I will be applying the GP
> security template first to see if this is a soloution that I will be happy
> with, if not I will look into applying SRP. Am I correct in thinking that
> if
> I want to apply SRP, it can be applied on a W2k DC with clients on a
> mixture
> of Windows 2000 and Win Xp SP1 & SP2.
>
> Danny
>
> The reason why users on Windows XP need to be Admin group is due to a in
> house database we use, if a user is on a XP PC the permissions have to be
> changed for certain features to work correctly, if a user is on W2k no
> changes need to be made. I suppose the last resort would be to roll all
> users back to Windows 2000.
>
> Thanks all again and I shall keep you posted, if you have any additional
> info please post it.
>
> Take Care
>
> Sandip
>
>
> "Steven L Umbach" wrote:
>
>> First off it is extremely difficult to restrict an administrator and you
>> should do everything you can including modifying permissions for
>> applications so that they do not need to be an administrator to do such.
>> Having said that you are somewhat in luck. Windows XP Pro has a feature
>> called Software Restriction Policies that can be used to restrict what
>> applications a user can install or run with hash, certificate, and path
>> rules. In high security situations you can start with a default
>> disallowed
>> security level and then create rules for what the user is allowed to run.
>> If
>> you do such keep in mind that desktop shortcuts are considered restricted
>> under SRP.
>>
>> You can manage SRP for computer configuration in a Windows 2000 domain
>> for
>> XP Pro computers. SRP also has an enforcement rule that can apply SRP to
>> local administrators. Note however that local administrators can bypass
>> SRP
>> by booting into safe mode so beware of that. An additional possibility is
>> to
>> use Group Policy user configuration/administrative templates/system and
>> add
>> setup.exe and install.exe to the disallowed Windows applications list
>> though
>> that is not near as effective as SRP. The links below should help. ---
>> Steve
>>
>> http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/rstrplcy.mspx
>> http://www.windowsecurity.com/articles/Windows-XP-Group-Policy-Windows-2000-Domain-Part2.html
>> http://support.microsoft.com/default.aspx?kbid=842933 --- install this
>> patch FIRST on domain controllers.
>>
>> "Sandip" <Sandip@discussions.microsoft.com> wrote in message
>> news:BDDDCBD8-80C9-4B53-8658-655B84C232BA@microsoft.com...
>> > Hi All,
>> >
>> > How can I use the GP on a W2k DC to stop users from installing software
>> > when
>> > the users is part of the local Administrators group?
>> >
>> > I have been able to stop software from being installed which uses the
>> > Windows Installer using the GP setting under :-
>> >
>> > User Config\Admin Templates\ Windows Installer\Disable media source for
>> > any
>> > install (enabled)
>> >
>> > But with other software I have not been able to. The client PC's are
>> > on
>> > Windows XP SP2
>> >
>> > I really need help on this issuse. Thanks for taking time to read and
>> > provide feedback to this problem.
>> >
>> > Thanks
>> >
>> > Sandip
>>
>>
>>

• Next message: Steven L Umbach: "Re: Event Error Logs with Event ID 538 and 540"
• Previous message: Steven L Umbach: "Re: Security Policy Is not opening."
• In reply to: Sandip: "Re: Prevent users from installing software"
• Next in thread: BM: "Re: Prevent users from installing software"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages Re: Prevent users from installing software ... I want to apply SRP, it can be applied on a W2k DC with clients on a mixture ... users back to Windows 2000. ... In high security situations you can start with a default disallowed ... Note however that local administrators can bypass SRP ... (microsoft.public.win2000.security) Re: Why are programs not digitally signed to protect against viruses? ... Correct me if I am wrong Steve, but one can also, for example, use ... Microsoft MVP (Windows Server: Security) ... If you are interested in SRP see the link ... >> google, and symantec searches on it, to try and verify its authenticity. ... (microsoft.public.security) Re: Prevent users from installing software ... if not I will look into applying SRP. ... > users back to Windows 2000. ... >>First off it is extremely difficult to restrict an administrator and you ... Note however that local administrators can bypass SRP ... (microsoft.public.win2000.security) Re: Basisverzeichnis/Homelaufwerk: Anwendungen ohne Erlaubnis starten.... ... das sind nämlich zwei Probleme der SRP) über ... SecureWave meiner Kenntnis nach das sicherste ist. ... Nils Kaczenski - MVP Windows Server ... (microsoft.public.de.german.windows.terminaldienste) Re: Mac advocacy again: Springer changes to Mac ... Steve de Mena wrote: ... Macs are more user friendly than other computers ... It also said they'll be running OS X, Windows Vista and Windows XP on ... (comp.sys.mac.advocacy)

• Security
• UNIX
• Linux
• Coding
• Usenet

• News
• Mailing-Lists
• Newsgroups
• Service
• About
• Privacy
• Search
• Imprint