Re: Can I use Group Policy to deny software installation?
From: Steven L Umbach (n9rou_at_nospam-comcast.net)
Date: 06/02/05
- Next message: Steven L Umbach: "Re: Can I use Group Policy to deny software installation?"
- Previous message: Julian Dragut: "Re: Can I use Group Policy to deny software installation?"
- In reply to: Julian Dragut: "Re: Can I use Group Policy to deny software installation?"
- Next in thread: Roger Abell: "Re: Can I use Group Policy to deny software installation?"
- Reply: Roger Abell: "Re: Can I use Group Policy to deny software installation?"
Date: Thu, 2 Jun 2005 15:02:33 -0500
For those that want to do such, the free utility filemon from SysInternals can
help greatly in tracking down what is being denied during the tweaking
process. Also, white listing can be worked around in that if a user copies or
renames a file to be the name of a white listed file, then the file can be
executed, assuming the user has execute permissions. But that is about the
best you can do with Windows 2000.
--- Steve
"Julian Dragut" <julianmd@groups.com> wrote in message
news:qWFne.40909$tt5.21445@edtnps90...
> Correct,
>
> In AD's GPO you have the option to restrict what software should be run.
> There's a very long (time consuming) and trial-and-error path, but it seems
> to be your choice given your case.
>
> As Roger said, restrict all but what you need for normal operations.
>
> Julian
>
> "Roger Abell" <mvpNOSpam@asu.edu> wrote in message
> news:upQDSXmZFHA.1152@tk2msftngp13.phx.gbl...
>> In general the answer is, I believe, going to be no, there is no way.
>> This is because there is no one or few "choke points" through which
>> all "installs" must pass. For example, preventing the code behind an
>> msi install will have no impact on an exe install that does not use the
>> Windows installer technology. In the worst case, some software
>> requires only to be run, hence may be "installed" merely by copying it
>> onto the disk. You could start down the path of stopping this and
>> that form of install, but you would never reach complete coverage.
>> There is a specification for user installable applications which, when
>> installed by a limited user, will install for use by that user. There is
>> a specification for drag-and-drop install. Etc.
>>
>> You may need to look at positive software restriction (whitelisting)
>> instead of negative (blacklisting), that is, to look at denying all
>> except for the specifically allowed.
>>
>> --
>> Roger Abell
>> Microsoft MVP (Windows Security)
>> MCSE (W2k3,W2k,Nt4) MCDBA
>> "B. Meincke" <garyallan@highschool.ca> wrote in message
>> news:2501FC78-C838-44BC-ACC4-CB9B3CADDB5A@microsoft.com...
>> > I have done some research and found (and implemented...thank you again,
>> > Steven) ways to deny student users under our domain to launch certain
>> > installed software, but is there some way (a domain-level group policy,
>> > perhaps) that I can keep them downloading/installing certain programs
>> > in the first place?
>> >
>> > Also, how might this impact their ability to use key drives under
>> > Windows 2000/2K?
>> >
>> > Thank you in advance for any insight in this matter.
>> > --
>> > BJM
>> > ACE Assistant
>> > Gary Allan High School
>>
>>
>
>
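The renaming weakness described in the message above, as an added example that is not part of the original thread: a name-only allowlist accepts an unapproved file once it is copied under an approved name, while an allowlist keyed on the file's content hash does not. The hash-keyed check, the function names, the file names and the file contents are all assumptions constructed for illustration; the thread itself does not discuss hash matching.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_of(path):
    """Hex SHA-256 of a file's contents."""
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()


def allowed_by_name(path, allowed_names):
    """Name-only allowlist: looks at the file name and nothing else."""
    return Path(path).name.lower() in allowed_names


def allowed_by_hash(path, allowed_hashes):
    """Content allowlist: the decision ignores the file's name and location."""
    return sha256_of(path) in allowed_hashes


def demo():
    """Build constructed sample files and return (by_name, by_hash) for each."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        approved = tmp / "approved" / "notepad.exe"
        approved.parent.mkdir()
        approved.write_bytes(b"constructed bytes standing in for the approved program")

        unapproved = tmp / "downloads" / "game.exe"
        unapproved.parent.mkdir()
        unapproved.write_bytes(b"constructed bytes standing in for an unapproved program")

        # The copy keeps the unapproved content but takes the approved name.
        renamed = tmp / "downloads" / "notepad.exe"
        shutil.copyfile(unapproved, renamed)

        names = {"notepad.exe"}
        hashes = {sha256_of(approved)}
        files = {"approved": approved, "unapproved": unapproved, "renamed": renamed}
        return {label: (allowed_by_name(p, names), allowed_by_hash(p, hashes))
                for label, p in files.items()}


if __name__ == "__main__":
    for label, (by_name, by_hash) in demo().items():
        print(f"{label:10s} allowed by name: {by_name!s:5}  allowed by hash: {by_hash}")
```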