Re: Can I use Group Policy to deny software installation?

From: Steven L Umbach (n9rou_at_n0-spam-for-me-comcast.net)
Date: 06/03/05

  • Next message: Steven L Umbach: "Re: Group policy to disable network hyperlinks in Word"
    Date: Fri, 3 Jun 2005 10:56:14 -0500
    
    

    Doh!! Thank goodness that filemon and so many other invaluable tools from
    SysInternals are free! Thanks Uncle Roger. --- Steve

    "Roger Abell" <mvpNOSpam@asu.edu> wrote in message
    news:OozYTp%23ZFHA.2884@tk2msftngp13.phx.gbl...
    > Yes indeed filemon is a valued tool when one starts down this
    > rather lengthy and involved road of using a software restriction
    > whitelisting.
    >
    > But the main reason I wanted to post a follow-up is to clarify
    > that the good folks at sysinternals make filemon available as
    > a free (not fee) utility (you owe me one now Steve, but mine
    > are more frequent and easily noticed :-)
    >
    > --
    > Roger
    >
    > "Steven L Umbach" <n9rou@nospam-comcast.net> wrote in message
    > news:eJh2S36ZFHA.3132@TK2MSFTNGP09.phx.gbl...
    >> For those that want to do such the fee utility filemon from SysInternals can
    >> help greatly in tracking down what is being denied during the tweaking
    >> process. Also white listing can be worked around in that if a user copies or
    >> renames a file to be the name of a white listed file then the file can be
    >> executed assuming the user has execute permissions. But that is about the
    >> best you can do with Windows 2000. --- Steve
    >>
    >>
    >> "Julian Dragut" <julianmd@groups.com> wrote in message
    >> news:qWFne.40909$tt5.21445@edtnps90...
    >> > Correct,
    >> >
    >> > In AD's GPO you have the option to restrict what software should be run.
    >> > There's a very long (time consuming) and trial-and-error path, but it seems
    >> > to be your choice given your case.
    >> >
    >> > As Roger said, restrict all but what you need for normal operations.
    >> >
    >> > Julian
    >> >
    >> > "Roger Abell" <mvpNOSpam@asu.edu> wrote in message
    >> > news:upQDSXmZFHA.1152@tk2msftngp13.phx.gbl...
    >> >> In general the answer is, I believe, going to be no, there is no way.
    >> >> This is because there is no one or few "choke points" through which
    >> >> all "installs" must pass. For example, preventing the code behind a
    >> >> msi install will have no impact on an exe install that does not use
    >> >> the Windows installer technology. In the worst case, some software
    >> >> requires only to be run, hence may be "installed" merely by copying it
    >> >> onto the disk. You could start down the path of stopping this and
    >> >> that form of install, but you would never reach complete coverage.
    >> >> There is a specification for user installable applications which when
    >> >> installed by a limited user will install for use by that user. There is
    >> >> a specification for drag-and-drop install. Etc.
    >> >>
    >> >> You may need to look at positive software restriction (whitelisting)
    >> >> instead of negative (blacklisting), that is, to look at denying all
    >> >> except for the specifically allowed.
    >> >>
    >> >> --
    >> >> Roger Abell
    >> >> Microsoft MVP (Windows Security)
    >> >> MCSE (W2k3,W2k,Nt4) MCDBA
    >> >> "B. Meincke" <garyallan@highschool.ca> wrote in message
    >> >> news:2501FC78-C838-44BC-ACC4-CB9B3CADDB5A@microsoft.com...
    >> >> > I have done some research and found (and implemented...thank you again,
    >> >> > Steven) ways to deny student users under our domain to launch certain
    >> >> > installed software, but is there some way (a domain-level group policy,
    >> >> > perhaps) that I can keep them from downloading/installing certain programs
    >> >> > in the first place?
    >> >> >
    >> >> > Also, how might this impact their ability to use key drives under Windows
    >> >> > 2000/2K?
    >> >> >
    >> >> > Thank you in advance for any insight in this matter.
    >> >> > --
    >> >> > BJM
    >> >> > ACE Assistant
    >> >> > Gary Allan High School
    >> >>
    >> >>
    >> >
    >> >
    >>
    >>
    >
    >
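
Added example, not part of the thread and not any poster's code: the weakness Steve describes in a file-name allowlist, next to a content-hash rule that closes it, plus an audit that lists files passing the name rule with unapproved content. The file name `winword.exe`, the directory layout and all helper names are constructed for illustration.

```python
import hashlib
import os
import tempfile

def sha256_of(path):
    """Hash file contents in chunks so large binaries are handled."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def allowed_by_name(path, allowed_names):
    """Name-only rule: trusts whatever the file is called."""
    return os.path.basename(path).lower() in allowed_names

def allowed_by_hash(path, allowed_hashes):
    """Content rule: trusts only bytes that were explicitly approved."""
    return sha256_of(path) in allowed_hashes

def audit(paths, allowed_names, allowed_hashes):
    """Return files that pass the name rule but whose content was never approved."""
    return sorted(p for p in paths
                  if allowed_by_name(p, allowed_names)
                  and not allowed_by_hash(p, allowed_hashes))

def demo():
    """Constructed sample: one approved binary and one unapproved file with the same name."""
    root = tempfile.mkdtemp()
    approved = os.path.join(root, "apps", "winword.exe")
    renamed = os.path.join(root, "profile", "winword.exe")
    for p, data in ((approved, b"approved build"), (renamed, b"something else")):
        os.makedirs(os.path.dirname(p))
        with open(p, "wb") as f:
            f.write(data)
    names = {"winword.exe"}           # hypothetical name allowlist
    hashes = {sha256_of(approved)}    # hash recorded from the approved copy
    return approved, renamed, names, hashes

if __name__ == "__main__":
    approved, renamed, names, hashes = demo()
    for p in audit([approved, renamed], names, hashes):
        print("name rule allows unapproved content:", p)
```
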

