Software Installation restriction

[Guest]

I heard that starting with windows XP, you can set the software installation
permission so users cannot install any software onto their computers. Is
there a way to do that within a windows 2000 workstation? we have a W2k
environment where servers are W2K, most workstations are W2K and some are XP.

We want to set a group policy where only the IT group can install programs
(running exe, installers, etc). Is there a way to do that?

 

[Florian Frommherz]

Howdy ngan!

I heard that starting with windows XP, you can set the software installation
permission so users cannot install any software onto their computers. Is
there a way to do that within a windows 2000 workstation? we have a W2k
environment where servers are W2K, most workstations are W2K and some are XP.

The easiest way to achieve your goal has nothing got to do with group
policy but with security itself. Users that do not have admin rights at
their machines are not able to install software. If your users have
local admin rights, go and make them ordinary users. You will run into
many other issues and you will never be 100% sure if the settings you
roll out via group policy get disabled by your admin-users.

cheers,

Florian

 

[Guest]

1. So there isn't a way to set that in group policies for W2K? Just XP and
higher?

2. You mentioned turning everyone into ordinary users on the local
computers. What if there is a program that requires a higher permission than
the ordinary users? Can I set a group policy to increase the permission just
for that? Or the max security I can go is the local group policy?

3. also, I assume when you set them as ordinary users, they cannot install
any programs (exe, installer files, etc)?

Thanks,
Ngan

 

[Florian Frommherz]

Howdy ngan!

1. So there isn't a way to set that in group policies for W2K? Just XP and
higher?

It is not possible. Neither in W2k nor Windows XP. Administrators do
have *all* access to the machine. That's why they are admins ;-)

2. You mentioned turning everyone into ordinary users on the local
computers. What if there is a program that requires a higher permission than
the ordinary users? Can I set a group policy to increase the permission just
for that? Or the max security I can go is the local group policy?

You could see if you can run these programs under certain user accounts
with admin-privileges. But that is nothing that I would consider
"secure" - even not more secure than your current situation.

The only possibility that remains to you would be monitoring the files
and registry keys that the program tries to access (read and write) -
and grant the users access to them. Programs for monitoring can be found
across the internet. I always recommend "filemon" and "regmon" from
sysinternals.com .

3. also, I assume when you set them as ordinary users, they cannot install
any programs (exe, installer files, etc)?

Yes, your right. At least no programs that need access to parts of
registry and sensitive party of the filesystem.

cheers,

Florian