Deny user software installations

Greg

I've done some searching but haven't found anything that
works the way I want it to.

How do I deny access to ANY software installations for
users of a group or OU? (either one, whichever works best)

I was able to block access to ADD/Remove progs and the
Windows Installer via Group Policy, but I was still able
to run an install from Winamp as it doesn't use the
Windows installer. So how do I block stuff like that?
 
Mvmelle

Make the users "local user" on their PCs.
The users don't have registry write access to install software.
 
Greg

That would work, except I need to do a specific DENY to a
group. I have several users that, in order to use the
accounting applications, must be local administrators.
So, if I could DENY access specifically, it would
override their access. Right?

What is it in the Local Users group that is denied? I
could just create a domain group and set it accordingly.
 
Dmitry Korolyov

Greg,

I understand that your users have administrative privileges on their local
computers because they have to use some apps. But there is another
solution - to find out what exactly they need, what kind of access and
where to, in order to run these applications.

There's a wonderful website, www.sysinternals.com. Download ntfilemon and
ntregmon tools from there, run them both (catching only access denied
messages), and then run your application under a regular user account. After
some monitoring, you should be able to find all file system and registry
paths where users need write access to, and document the settings. The next
step is to create a custom group policy which will grant required access to
the file system and registry paths to some domain group. Finally, you
include users working with your app into that group, and apply the group
policy object you created so it affects the desktops where these users work
and the application is installed.

Most "bad" apps need only write access to ODBC settings in HKLM registry
hive, or write access to some configuration files in program files or
system32 directory. By spending some time on access monitoring and creating
custom policies, you will be able to create more secure desktops without
affecting users' productivity and functionality.
 
Greg

Dmitry,

Thanks for the insight. I appreciate it. I will do as you
suggested, and I actually have used that app before. The
only problem I have is that our CFO will frown upon us for
NOT doing as their expensive accounting app tech support
says to do. The vendor telling us to just make people
admins is a cheap way out of doing their job and knowing
what their app is really doing!

Nevertheless, it's still a good plan. And I can figure
out what exactly needs to be set for the apps (the "bad"
apps) and still set up the users as "users" not admins.
Mo-better security!

Thanks!
 
