Re: Domain Users are able to install applications.
- From: "Lanwench [MVP - Exchange]" <lanwench@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Fri, 22 Feb 2008 09:46:05 -0500
Wobzo <Wobzo@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote:
> I have a network where the newly deployed Workstations were tested
> such that Domain Users were unable to install anything.
> However it has recently happened that one of the so said users
> installed GE (Google earth).
> I found this to be very concerning as this should not have been
> possible. Approximately 6+ months ago, I personally tested the
> ability to install GE as a user and it was not possible.
> They also seemed to be able to install "MySpaceIM". My initial
> thought was how was the user able to enter the keys under
> "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall".
> I think this may be launching the application under "SYSTEM"
> credentials.
> All other local accounts are disabled and users are not members of
> anything other than local users group.
> What else are people able to run under the "SYSTEM" account?
> How can I prevent the users from installing?

To add to the other reply -
You can't prevent limited users from installing software entirely, merely
based on their local group membership. As you've just seen, a lot of apps
don't require special permissions to install ...they don't write to the
restricted areas of the registry & file system.
You should look into group policy options to lock down your desktops if this
is a real concern at your company - software restriction can work well
although it can also be dangerous (play with this in a lab before
deploying). Try posting in microsoft.public.windows.group_policy for more
help.
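
The reply's point, that many installers never write to the restricted areas of the registry, can be checked on a workstation by reading the per-user counterpart of the Uninstall key quoted in the question. The PowerShell below is an added example, not part of the original thread; it assumes the installer registered itself under the user's own `Software\Microsoft\Windows\CurrentVersion\Uninstall` key and that the user's profile hive is loaded (the user is logged on).

```powershell
# Added example: list software registered per user rather than under HKLM.
# Run elevated so that other logged-on users' hives are readable.
$uninstall = 'Software\Microsoft\Windows\CurrentVersion\Uninstall'

# HKEY_USERS has one subkey per loaded profile. Keep only real account SIDs;
# this skips .DEFAULT, the service accounts and the *_Classes hives.
$sids = Get-ChildItem -Path Registry::HKEY_USERS |
    Where-Object { $_.PSChildName -match '^S-1-5-21-[\d-]+$' } |
    Select-Object -ExpandProperty PSChildName

$report = foreach ($sid in $sids) {
    # Resolve the SID to DOMAIN\user; fall back to the raw SID if lookup fails.
    try {
        $account = ([System.Security.Principal.SecurityIdentifier]$sid).Translate(
            [System.Security.Principal.NTAccount]).Value
    } catch {
        $account = $sid
    }

    $key = "Registry::HKEY_USERS\$sid\$uninstall"
    if (-not (Test-Path -Path $key)) { continue }   # nothing registered per user

    Get-ChildItem -Path $key | ForEach-Object {
        $p = Get-ItemProperty -Path $_.PSPath
        [pscustomobject]@{
            Account         = $account
            DisplayName     = $p.DisplayName
            Publisher       = $p.Publisher
            InstallLocation = $p.InstallLocation
            UninstallString = $p.UninstallString
        }
    }
}

# An InstallLocation inside the user's profile means no admin rights were needed.
$report | Sort-Object Account, DisplayName | Format-Table -AutoSize -Wrap
```

Programs that simply copy an executable into the profile without registering an uninstall entry will not appear in this report.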