Run only allowed Windows applications

Guest

I am interested in enabling the 'run only allowed apps' policy.
How do I go about finding all the .exe's that are necessary?

Is there somewhere a list of required .exe's for office2003, IE6,
Macromedia, HP printers etc?

Thanks
 
Steven L Umbach

If you happen to have any XP Pro computers, look into using Software
Restriction Policies instead. It can be difficult to track down all the
files involved. I don't know of the list you request, but you can use the
free Filemon utility from Sysinternals, which monitors file use in real time.
The logs will be huge, but you should be able to spot the .exe files that are
used. Don't forget files for Windows Updates and antivirus software. ---
Steve

http://www.sysinternals.com/ntw2k/source/filemon.shtml
 
Guest

I work in a school where security is always a problem. All our computers are
W2K.
The problem at the moment is students are bringing in regedit.exe on disk
and running it, then importing .reg files that get around security set by GPO.
If I did use 'run only allowed win apps' and they rename their regedit.exe
to winword.exe (which will be allowed, of course), will it still work for them?
Any ideas of other 3rd-party software that can get round these kinds of
problems? We cannot upgrade to XP.

Thanks
 
Steven L Umbach

Yes, if they rename an unauthorized application to the name of an authorized
application it would work, if they figured that out. I assume you already
disable editing the registry in Group Policy and added regedt32.exe and
regedit.exe to the list of disallowed applications. Boy, when I was in school
in the sixties I would be thrashed within an inch of my life if I did such
behavior, and then I would be thrashed within an inch of my life again when I
got home. I guess times have changed.

See the links below, which may help, as they discuss Group Policy behavior in
that a policy will not be refreshed unless the computer detects that the
policy has changed. You can change that policy and reduce the refresh period,
which by default is 90 minutes. I would change it to at least 20 minutes to
start and maybe to as low as five minutes, and make the change to refresh
registry settings even if policy has not changed. I hope some of this helps,
as I hate it when brats get away with crap like that. Note that the refresh
interval can be changed for both users and computers. If it is user
configuration that they are trying to bypass [most likely], be SURE that you
configure the "user configuration" interval. --- Steve

http://support.microsoft.com/default.aspx?scid=kb;en-us;812541
http://www.microsoft.com/resources/...2003/all/deployguide/en-us/dmebb_gpu_pnwa.asp
http://tinyurl.com/6y6hf -- same link as above shorter.
 
Andrew Mitchell

Fabrussio said:
I work in a school where security is always a problem. All our computers
are W2K.
The problem at the moment is students are bringing in regedit.exe on
disk and running it, then importing .reg files that get around security
set by GPO. If I did use 'run only allowed win apps' and they rename
their regedit.exe to winword.exe (which will be allowed, of course), will
it still work for them? Any ideas of other 3rd-party software that can
get round these kinds of problems? We cannot upgrade to XP.

You can still use software restriction policies to do this on Windows 2000.
I have done this on the computers of some troublesome users I have.

I don't have the details in front of me but IIRC it was something like:
- Make sure drives are formatted NTFS.
- Make sure users do not have write or update access to c:\windows or
c:\program files.
- Use a GPO to prevent access to and hide the C drive from Explorer.
- Set a default software restriction policy to disallow all applications.
- Set another policy to allow .lnk and .url files to run from "c:\documents
and settings" (this allows shortcuts to run from the users' profiles -
Desktop, Start menu etc.).
- Create another policy to allow any executable to run from C:\Windows and
subdirectories and "C:\Program Files" and subdirectories. As you have made
sure the users can't save anything here, you are pretty safe.

When the users open Explorer they will only see their floppy drive, 'My
Documents", and their CD-ROM (if they have one). They will not be able to
run executables of any name from any of these locations and will not have
permission to copy them to c:\windows or c:\program files to run them from
there.
They can copy them to their desktops but, as they can only run shortcuts
from there, they still won't run.

You should also look at the policy to prevent Registry Editing tools
running. It won't stop all such tools but it will work with Regedit (even
if renamed) and TweakUI.
 
Steven L Umbach

Hi Andrew.

Your advice is right on but unless you know something I don't about Windows
2000 [entirely possible] Software Restriction Policies are not available for
it. --- Steve
 
Andrew Mitchell

Steven L Umbach said:
Hi Andrew.

Your advice is right on but unless you know something I don't about
Windows 2000 [entirely possible] Software Restriction Policies are not
available for it.

Hmmm. Looks like you are correct.
I could have sworn they were there (in a cut down form) in W2k.

The other thing you could do (if you have some programming skills) is to
write a small DLL that implements a system-wide hook. Trap all calls to the
WinExec or CreateProcess APIs and check the lpCmdLine parameter to see that
they are executing applications in allowed locations. The permitted locations
could be set using a custom GPO template. If they are not running from
allowed locations, don't pass the message on to Windows and the app will never
run.

I suspect the WindowsXP software restriction policy is doing a more complex
version of this.
 
Guest

Thanks for all your thoughts... unfortunately we are almost entirely Win2000.
A Win2003 server upgrade is imminent, but our workstations are simply not up
to an XP upgrade, and our budget (school) is simply not up to buying new
hardware!

As all machines work on a simple build, a very straightforward setting to
allow all .exe files in C:\winnt\* (and \\server\apps$\*) but nowhere else
would do the trick... I have no programming experience... are there no
downloads\add-ins\tweaks that are possible?

Thanks again

Andrew Mitchell said:
Steven L Umbach said:
Hi Andrew.

Your advice is right on but unless you know something I don't about
Windows 2000 [entirely possible] Software Restriction Policies are not
available for it.

Hmmm. Looks like you are correct.
I could have sworn they were there (in a cut down form) in W2k.

The other thing you could do (if you have some programming skills) is to
write a small DLL that implements a system-wide hook. Trap all calls to the
WinExec or CreateProcess APIs and check the lpCmdLine parameter to see that
they are executing applications in allowed locations. The permitted locations
could be set using a custom GPO template. If they are not running from
allowed locations, don't pass the message on to Windows and the app will never
run.

I suspect the WindowsXP software restriction policy is doing a more complex
version of this.
 
lforbes

Hi,
I work in a school where security is always a problem. All our
computers are W2K. The problem at the moment is students are bringing
in regedit.exe on disk and running it, then importing .reg files that
get around security set by GPO. If I did use 'run only allowed
win apps' and they rename their regedit.exe to winword.exe
(which will be allowed, of course), will it still work for them? Any
ideas of other 3rd-party software that can get round these kinds of
problems? We cannot upgrade to XP.
Thanks

Make sure you enable the Group Policy setting User Configuration - Administrative
Templates - System - Prevent access to registry editing tools - Enabled.

This will give them the error "Registry editing has been disabled by
your administrator" when they try to run Regedit (or any renamed form
of it). I have tested it and it works.

The other idea is to set Mandatory Profiles. By default users only
have write access to HKEY_CURRENT_USER. However, with
Mandatory Profiles any changes are deleted on logoff. My website
talks about how to do that: http://www.sd61.bc.ca/windows2000

Also, check out my Group Policy settings. They are pretty restrictive.
http://www.sd61.bc.ca/windows2000/downloads/grouppolicysettings.doc

Cheers,

Lara
 
