Users installing programs.

Guest

Users installing programs that they download off the internet is a big security problem on my network. I am trying to stop this from happening. I am specifically trying to stop them from installing Yahoo IM. I have been told that I can use GPO to do this but that is a pretty vague answer. Is there another way? Or can someone explain how I would do this with GPO? Thanks.
 
Laura E. Hunter (MVP)

You'll want to create a "Software Restriction Policy" within a Group Policy
Object in Active Directory. You can either:

* allow all things to run while specifically disallowing certain programs,
or you can take the opposite approach of

* allow -nothing- to run except the things that you specify.

The following KB article:
http://support.microsoft.com/default.aspx?kbid=324036 should give you a good
start in getting this configured on your network.

(All usual caveats regarding the need for testing and your mileage varying
apply.)
 
Steven L Umbach

Unfortunately that is not available for W2K. You can however populate the disallowed
Windows applications list in the user configuration/administrative templates/system
being sure to add install.exe and setup.exe to the list. That of course is not near
as foolproof if a user can change the executable name. Other things to try include making
sure that regular users are not local administrators/power users if at all possible
and possibly look at firewall solutions including blocking unauthorized ports at the
perimeter firewall or possibly installing personal firewalls that have application
rules that are protected by an MD5 hash. --- Steve

http://support.microsoft.com/default.aspx?scid=kb;en-us;323525
 
Laura E. Hunter (MVP)

Which part isn't available in Win2K? The ~/System portion of the GPO
contains entries for both "Run only allowed..." and "Don't run
specified...". As Steven mentions, it's not foolproof since it goes by
filename only, but a casual user isn't likely to be savvy enough to rename
the AIM or Yahoo executable so that they can bypass the restrictions created
by Win2K.

2K3 does a better job of it, and lets you allow/disallow an entire
directory, or filenames based on their hash value. But I've been using the
Win2K stuff for ages, and it's been pretty much foolproof for my fairly
average userbase. As with all things, YMMV.
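
The trade-off discussed above between filename rules and hash rules, as an added example that is not part of the original thread: a Python model of the two matching strategies, not the Windows policy engine itself. The file name `notes.exe`, the sample bytes, and the use of SHA-256 as the hash are assumptions made for illustration.

```python
import hashlib
import os
import tempfile

# Constructed stand-ins for installer binaries; the bytes are arbitrary sample data.
BUILD_1 = b"constructed sample: installer build 1"
BUILD_2 = b"constructed sample: installer build 2"

# Filename rule: the names the thread suggests adding to the disallowed list.
DENY_NAMES = {"setup.exe", "install.exe"}


def sha256_of(path):
    """Hash the file contents in chunks so large binaries are not read at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def blocked_by_name(path, deny_names=DENY_NAMES):
    """Match on the file name only, case-insensitively, ignoring the directory."""
    return os.path.basename(path).lower() in deny_names


def blocked_by_hash(path, deny_hashes):
    """Match on the file contents, whatever the file is called."""
    return sha256_of(path) in deny_hashes


def evaluate():
    """Return {label: (blocked_by_name, blocked_by_hash)} for three sample files."""
    with tempfile.TemporaryDirectory() as d:
        samples = {
            "original": (os.path.join(d, "setup.exe"), BUILD_1),
            "renamed": (os.path.join(d, "notes.exe"), BUILD_1),      # same bytes, new name
            "new_build": (os.path.join(d, "Install.exe"), BUILD_2),  # listed name, new bytes
        }
        for path, data in samples.values():
            with open(path, "wb") as f:
                f.write(data)
        # The hash rule was created from build 1 only.
        deny_hashes = {hashlib.sha256(BUILD_1).hexdigest()}
        return {label: (blocked_by_name(p), blocked_by_hash(p, deny_hashes))
                for label, (p, _) in samples.items()}


if __name__ == "__main__":
    for label, (by_name, by_hash) in evaluate().items():
        print(f"{label:10} name rule: {by_name!s:5}  hash rule: {by_hash}")
```

The hash rule still matches the renamed copy but not the new build, so a hash list has to be refreshed for every version of the program it is meant to stop.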
 
Laura E. Hunter (MVP)

Sorry, haven't had my coffee yet. I just re-read your post and realized
that I answered my own "which part...?" question in my last post. :)

*wanders over to the coffee pot*
 
Steven L Umbach

Heh heh. Yeah I meant the Software Restriction Policies - I should have been
more explicit about that. I am glad taxes are done for another year so I can
start thinking straight again. -- Steve
 
