I view SRP more as a tool to define and limit acceptable behavior, which
just so happens as a nice side effect to help keep malware from running. If
you can't keep it from getting installed on the computer, then a
well-crafted role-based SRP that uses an allow list will block the malware
from executing. My favorite is to have multiple SRPs that reflect various
user role classifications, but all of them are of the allow-list variety:
enumerate the applications that are allowed, and block everything else.
I know, this will have the same effect: stopping Solitaire (if Solitaire isn't
on the list). However, in the case below, Mike is asking about how to block
a specific program. Solitaire is not really the problem here: it's merely the
symptom. A symptom of utter disdain for the organization. Look at what Mike
wrote: "I know I can remove the program but it is easy to reinstall."
Presumably employees here would do just that, and actively circumvent a
policy. And if Mike successfully thwarts all attempts at running Solitaire,
people will just play some other game. It is impossible to block all the bad
stuff: you'll never know it all.
These are not the kind of employees to keep around. The more time I spend
thinking about the human side of security, the more I'm becoming a believer
in managerial enforcement of policy, whatever such enforcement might
involve.
Steve Riley
(e-mail address removed)
Why do you consider this a non-technical problem, Steve? There is a
section in the Group Policy Editor that specifically allows an Administrator
to prohibit specific applications.
--
Doug Knox, MS-MVP Windows Media Center\Windows Powered Smart Display
Win 95/98/Me/XP Tweaks and Fixes
http://www.dougknox.com
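
The thread contrasts an allow-list SRP with blocking one named program. As an added example (not code from either poster), this read-only PowerShell audit reports which mode a machine-level SRP is in and lists its path rules. It assumes the policy was deployed through Group Policy; the user-writable pattern is a heuristic chosen for this example.

```powershell
# Added example: read-only audit of the machine-level SRP stored by Group Policy.
$root = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$Disallowed   = 0         # security level: Disallowed
$Unrestricted = 0x40000   # security level: Unrestricted (subkey name 262144)

# Heuristic chosen for this example: locations a standard user can usually write to.
$userWritable = '%USERPROFILE%|%APPDATA%|%LOCALAPPDATA%|%TEMP%|%TMP%|\\Users\\|\\Temp(\\|$)'

function Get-SrpPathRule {
    param([string]$Root, [int]$Level)
    $key = Join-Path $Root "$Level\Paths"
    if (-not (Test-Path $key)) { return }
    foreach ($rule in Get-ChildItem $key) {
        # Read ItemData unexpanded so %VARIABLES% appear as the administrator wrote them.
        $raw = $rule.GetValue('ItemData', '', 'DoNotExpandEnvironmentNames')
        [pscustomobject]@{
            Level        = if ($Level -eq $Unrestricted) { 'Unrestricted' } else { 'Disallowed' }
            Path         = $raw
            UserWritable = [bool]($raw -match $userWritable)
        }
    }
}

if (-not (Test-Path $root)) {
    'No machine-level SRP configured: nothing restricts what may run.'
    return
}

$default = (Get-ItemProperty $root).DefaultLevel
if ($default -eq $Disallowed) {
    'Default level is Disallowed: allow-list mode, only what the rules permit may run.'
} else {
    'Default level is not Disallowed: block-list mode, anything not listed still runs.'
}

# Path rules from both levels; hash and zone rules are not covered here.
$rules = @(Get-SrpPathRule $root $Unrestricted) + @(Get-SrpPathRule $root $Disallowed)
$rules | Format-Table -AutoSize

# An allow rule over a user-writable folder lets users drop in and run their own programs.
$rules | Where-Object { $_.Level -eq 'Unrestricted' -and $_.UserWritable } | ForEach-Object {
    "Review: allow rule covers a user-writable location: $($_.Path)"
}
```

In block-list mode, a Disallowed rule for one game is the only thing stopping it, which is the "easy to reinstall" situation the thread describes.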