Software Restriction Policies - Question

[Emiliano G. Estevez]

Hi,

I like to build a software restriction policy that prevents all users from
running software like ie (Kazaa; Soulseek, and other applications) but
because this applications can be installed in any drive in any folder I can
build a proper path, because if the users install the app in a folder
different than the one I enter the application will run anyway. Any comments
about this will be appreciate.

Best Regards,

 

[Andrew Mitchell]

Hi,

I like to build a software restriction policy that prevents all users
from running software like ie (Kazaa; Soulseek, and other applications)
but because this applications can be installed in any drive in any
folder I can build a proper path, because if the users install the app
in a folder different than the one I enter the application will run
anyway. Any comments about this will be appreciate.

Software restrictions by themselved (in Windows 2000) will not achieve this
but when combined with proper NTFS permissions it can be done.

1. Install all 'approved' applications into the 'program files' directory,
then set permissions on this directory so that users cannot create
directories or files here (or in subdirectories)
2. Create your software restriction policies as follows:
Default policy - Deny
Windows directory and subdirectories - Unrestricted
Program files directory - Unrestricted
*.lnk *.pif and *.url - Unrestricted

This means that even if users copy an executable to another location, it
won't run. Shortcuts will work fine though.

You will probably need to fine tune the software restriction policy but you
should get the general idea.

 

[Ken B]

Also if the users are not local admins on the computers, they will not be
able to install said software.

I haven't looked at the software restriction policies yet, but heard it was
possible to just list programs of an unacceptable name to run. For
instance, could you just enter "setup.exe" as an 'unacceptable name' ?

Also... I was under the impression that software restriction policies could
only be applied to XP machines (2000 will ignore)? I may have just misread,
and it's supposed to read "(in Windows 2000 Server)"... I read it as Pro.

HTH

Ken

 

[Andrew Mitchell]

Also if the users are not local admins on the computers, they will not
be able to install said software.

I haven't looked at the software restriction policies yet, but heard it
was possible to just list programs of an unacceptable name to run. For
instance, could you just enter "setup.exe" as an 'unacceptable name' ?

That's correct but on Windows 2000 clients the user can just rename the file
and it will run.
Windows XP clients allow you to specify a hash value, so renaming the file
won't get around the restriction as the hash doesn't change.

Also... I was under the impression that software restriction policies
could only be applied to XP machines (2000 will ignore)?

AFAIK Windows 2000 will only ignore the hash restrictions.