Can I use Group Policy to deny software installation?

Guest

I have done some research and found (and implemented... thank you again,
Steven) ways to deny student users under our domain to launch certain
installed software, but is there some way (a domain-level group policy,
perhaps) that I can keep them from downloading/installing certain programs in the
first place?

Also, how might this impact their ability to use key drives under Windows
2000/2K?

Thank you in advance for any insight in this matter.
 
Julian Dragut

Remove the administrator rights for the user, and use ISA to filter the
downloads.
GFI offers a download ISA custom application as well.

Julian Dragut
 
Roger Abell

In general the answer is, I believe, going to be no, there is no way.
This is because there is no one or few "choke points" through which
all "installs" must pass. For example, preventing the code behind an
msi install will have no impact on an exe install that does not use the
Windows installer technology. In the worst case, some software
requires only to be run, hence may be "installed" merely by copying it
onto the disk. You could start down the path of stopping this and
that form of install, but you would never reach complete coverage.
There is a specification for user installable applications which when
installed by a limited user will install for use by that user. There is
a specification for drag-and-drop install. Etc.

You may need to look at positive software restriction (whitelisting)
instead of negative (blacklisting), that is, to look at denying all except
for the specifically allowed.
 
Guest

Julian Dragut said:
Remove the administrator rights for the user, and use ISA to filter the
downloads.
GFI offers a download ISA custom application as well.

Thank you for your reply Julian.

I'm sorry for my "acronignorance," so to speak, but when you say ISA, do you
mean Microsoft Internet Security and Acceleration firewall? If so, I'm afraid
our budget would not allow for it. I was hoping there was a solution from
within our current software configuration.
 
Guest

Julian Dragut said:
Remove the administrator rights for the user

....and

I can assure you, our students do not have admin rights in the first place.
This is what makes their ability to install and run such things as Winamp
such a curiosity to me!
 
Julian Dragut

Correct,

In AD's GPO you have the option to restrict what software should be run.
There's a very long (time-consuming) and trial-and-error path, but it seems
to be your choice given your case.

As Roger said, restrict all but what you need for normal operations.

Julian

Roger Abell said:
In general the answer is, I believe, going to be no, there is no way.
This is because there is no one or few "choke points" through which
all "installs" must pass. For example, preventing the code behind an
msi install will have no impact on an exe install that does not use the
Windows installer technology. In the worst case, some software
requires only to be run, hence may be "installed" merely by copying it
onto the disk. You could start down the path of stopping this and
that form of install, but you would never reach complete coverage.
There is a specification for user installable applications which when
installed by a limited user will install for use by that user. There is
a specification for drag-and-drop install. Etc.

You may need to look at positive software restriction (whitelisting)
instead of negative (blacklisting), that is, to look at denying all except
for the specifically allowed.
 
Steven L Umbach

For those that want to do such, the fee utility filemon from SysInternals can
help greatly in tracking down what is being denied during the tweaking
process. Also white listing can be worked around in that if a user copies or
renames a file to be the name of a white listed file then the file can be
executed assuming the user has execute permissions. But that is about the
best you can do with Windows 2000. --- Steve


Julian Dragut said:
Correct,

In AD's GPO you have the option to restrict what software should be run.
There's a very long (time-consuming) and trial-and-error path, but it seems
to be your choice given your case.

As Roger said, restrict all but what you need for normal operations.

Julian
 
Steven L Umbach

Beyond my previous suggestions you can also use Group Policy to
modify/enforce Web Content Zone restrictions such as for the internet zone
to prevent users from downloading files via Internet Explorer. You could
also add sites to the trusted Web Content Zones if you want exceptions to
the rule. I have also played around with giving a user account deny for
execute permission for "files only" via special permissions to their user
profile folder and the all users shared documents folder and subfolders. By
default those are the only folders a regular user can write to and would
probably be where they are trying to copy files to run or install an
application. For me this has worked but is something that needs to be fully
tested before implementing to make sure that everything that works for a
user that should. If users are able to write to folders other than that I
would take a serious look as to why that is. --- Steve
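
An audit sketch for the two points made in this thread (a file copied or renamed to a whitelisted name still runs, and the profile folders are where regular users can write), added here as an example and not code from any poster: it walks a folder, recognises Windows executables by their MZ/PE header rather than by name, and reports those whose SHA-256 is not on an approved list. The folder layout, file names and approved list are constructed sample data.

```python
import hashlib
import os
import tempfile

def is_pe(path):
    """True if the file has an MZ header whose e_lfanew field points at a PE signature."""
    try:
        with open(path, "rb") as f:
            head = f.read(64)
            if len(head) < 64 or head[:2] != b"MZ":
                return False
            f.seek(int.from_bytes(head[60:64], "little"))  # e_lfanew
            return f.read(4) == b"PE\0\0"
    except OSError:
        return False  # unreadable files are skipped, not reported

def sha256(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def audit(root, approved_hashes):
    """Return sorted paths (relative to root) of PE files whose hash is not approved."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if is_pe(full) and sha256(full) not in approved_hashes:
                findings.append(os.path.relpath(full, root))
    return sorted(findings)

def make_pe(path, payload):
    """Write a constructed stub carrying only the MZ/PE signatures (not a runnable program)."""
    header = b"MZ" + b"\0" * 58 + (64).to_bytes(4, "little")
    with open(path, "wb") as f:
        f.write(header + b"PE\0\0" + payload)

def demo():
    # Constructed sample tree standing in for a user-writable profile folder.
    with tempfile.TemporaryDirectory() as root:
        docs = os.path.join(root, "My Documents")
        os.makedirs(docs)
        make_pe(os.path.join(root, "approved.exe"), b"approved tool")
        make_pe(os.path.join(docs, "approved.exe"), b"media player")  # whitelisted name, other content
        make_pe(os.path.join(docs, "notes.txt"), b"media player")     # executable behind a .txt name
        with open(os.path.join(docs, "essay.doc"), "w") as f:
            f.write("plain text, not an executable")
        approved = {sha256(os.path.join(root, "approved.exe"))}
        return audit(root, approved)

if __name__ == "__main__":
    print(demo())
```

Both files under "My Documents" are reported even though one carries the approved file's name, because the check keys on content rather than on the name a user can choose.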
 
Roger Abell

Yes indeed filemon is a valued tool when one starts down this
rather lengthy and involved road of using a software restriction
whitelisting.

But the main reason I wanted to post a follow-up is to clarify
that the good folks at sysinternals make filemon available as
a free (not fee) utility (you owe me one now Steve, but mine
are more frequent and easily noticed :)
 
Steven L Umbach

Doh!! Thank goodness that filemon and so many other invaluable tools from
SysInternals are free! Thanks Uncle Roger. --- Steve
 
