How can we prevent students from installing software on PCs? Is there somewhere in the GPO that will allow us to restrict this?
Thanks
If you are using Windows XP you can pretty much get quite granular control over which applications your users can install and run (but with 2000 and pre-2000 machines it is more difficult).
If you need more information on how to do this, and no-one else replies before I get home from work, I can help.
Good luck!
Paul
Hi kingswood,
I would be grateful for any help you can offer. To explain the problem a little more clearly, we want the students to be able to install their USB pen drive without restrictions, but not able to install software or run .exe files that are not already installed, e.g. doom95.exe on their pen drive or local area. More important is the restriction of software. We are running a mixture of 2000 and XP clients on Server 2003, if that's any help.
Hey.
Here goes: you can restrict software for specific users (never tried that myself) or for all users on a specific machine. You can find the templates for controlling software access in:
Computer Configuration > Windows Settings > Security Settings > Software Restriction Policies.
Right click the node and choose "New Software Restriction Policy"
I usually tie the GPO for software restriction to an OU where computer accounts are stored that I want to have the policy apply to. Generally it will depend on your restriction policy as to how you will handle the whole affair. There's the: "Allow everything to run except specified items" outlook, and this lets users run everything you haven't locked down freely. You could enter your doom.exe file etc here and make sure that users can't run that specified application/tool/utility.
There is also the "don't allow applications of a certain type to run" thinking, and here you can stop all files of a type (say all .VBS files) but you can at the same time tell XP to allow VBS files that are signed digitally from your department to run (that way you can still get the flexibility of a script but stop users from executing them).
There is also a "full lockdown" philosophy. The "disallowed" option is selected in the GPO rather than "unrestricted", and so nothing is allowed to run except the OS and items you explicitly name. It's heavy handed, high octane stuff- and can get you into trouble fast!
You can find out lots of ways of restricting software too- there is the "hash" method whereby even if a user renames doom.exe to gloom.exe the file still won't execute (there are ways around this though). There's a "path rule" where you can specify to restrict applications based on where they are on the hard drive; there's certificate rules (don't know that much about this type); and zone rules- you're probably familiar with these in IE. You could find out about these methods by searching Google etc.
Phew!
I typed this quickly, so accept my apologies if there are errors in there. In any case, use the ADM template path given above and poke around. Do you have a copy of the 2000/2003 Server resource kit? If so there is an excellent book in there about Group Policies. I would also recommend "Group Policy, Profiles, and Intellimirror" by Jeremy Moskowitz which has taught me pretty much all I needed to know as far as GPOs are concerned.
If you get stuck- shout and I'll see if I can help!
Paul
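The three approaches and the hash and path rules described in the post above, as a simplified model (an added example, not part of the original thread). The `Policy` class, the `evaluate` function, the sample paths and the byte strings are all constructed for illustration; SHA-256 stands in for the rule hash, and certificate and zone rules are left out.

```python
import hashlib
from dataclasses import dataclass, field

@dataclass
class Policy:
    default_level: str                               # "Unrestricted" or "Disallowed"
    hash_rules: dict = field(default_factory=dict)   # file digest -> level
    path_rules: dict = field(default_factory=dict)   # path prefix -> level

def digest(content: bytes) -> str:
    # SHA-256 is a stand-in for whatever hash the real policy engine stores.
    return hashlib.sha256(content).hexdigest()

def evaluate(policy: Policy, path: str, content: bytes) -> str:
    """Return the level applied to one launch attempt (simplified model)."""
    # 1. A hash rule follows the file's bytes, so renaming or moving changes nothing.
    level = policy.hash_rules.get(digest(content))
    if level is not None:
        return level
    # 2. Path rules: the longest (most specific) matching prefix wins.
    norm = path.lower().replace("/", "\\")
    hits = [p for p in policy.path_rules if norm.startswith(p.lower())]
    if hits:
        return policy.path_rules[max(hits, key=len)]
    # 3. No rule matched: the default security level decides.
    return policy.default_level

# Constructed sample data: stand-in bytes for two programs on a pen drive.
DOOM = b"constructed bytes standing in for doom95.exe"
OTHER = b"constructed bytes standing in for some other game"

# "Allow everything except specified items": default Unrestricted plus a hash rule.
BLOCK_LISTED = Policy("Unrestricted", hash_rules={digest(DOOM): "Disallowed"})

# "Full lockdown": default Disallowed, with path rules for the OS and installed apps.
LOCKDOWN = Policy("Disallowed", path_rules={
    "C:\\Windows\\": "Unrestricted",
    "C:\\Program Files\\": "Unrestricted",
})

if __name__ == "__main__":
    for name, pol in (("block-list", BLOCK_LISTED), ("lockdown", LOCKDOWN)):
        print(name)
        for path, data in (("E:\\doom95.exe", DOOM), ("E:\\gloom.exe", DOOM),
                           ("E:\\other.exe", OTHER),
                           ("C:\\Program Files\\Office\\winword.exe", b"word")):
            print(f"  {path:40} {evaluate(pol, path, data)}")
```

The block-list policy lets the unlisted program on E:\ run, while the lockdown policy stops it without needing a rule for it.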
Is this a question about preventing users installing software (easy) or preventing them running executable content from a removable disk (or other location) that does not require an install (hard)?

The latter.
This is still a problem for us. We use the "software restriction policies" mentioned above, but it's a never-ending process. Stopping the "Windows Installer" helps, but it would be nice to stop the other installers from running, there only appears to be 4/5 of them. I don't know if it's possible to, for instance, stop the "InstallShield" installer from running. That would be a major breakthrough I think.
We've tackled the problem of kids installing software using GPO, pretty much exactly how kingswood describes above. All 'approved software' is installed when windows starts up using remote installation.
It's extremely effective.
So, do you basically "Deny *.exe" apart from the following - winword.exe, etc, etc.?
That's how I have it on the old 98 policy setup [just out of interest] - deny all except....
But like Paul [kingswood] says, the shit will hit the fan pretty quick like that without testing it first.
I haven't tried this with XP & the AD / GP system but I imagine the effect is the same. Those damn HP scanner drivers were a big prob on 98 - so many dependent exes to add to the exclusion list that it was really difficult, though it should be easier in the GP setup.
What Paul describes sounds good although I haven't had to use software retention yet tho oddly - think I've adjusted some other settings lol
Cheers
N.
Yes, the fan being hit was the reason I haven't even bothered testing out the "deny all except" way of doing things. Is anyone here doing that in an AD XP network?
Hi,
Found this thread searching for "Group Policies".
We are looking at AD/Group Policies as an alternative to our Winsuite 2000 installation. As Winsuite controls what can and can't be run and prevents installs, downloads & installs and installs from floppy or USB drive etc, we need to be confident that any alternative will be at least as effective and easy to set up. From the posts in this thread, it looks as if it is difficult to cover all bases effectively without considerable setting up. We have in excess of 100 apps on the Winsuite menu system and don't really want to start again from scratch. Are we right in considering a change away from Winsuite? Advice, views, opinions, please.
Thanks

All Winsuite does is put a nice shiny front on GPO's. Anything that Winsuite can do AD can do.
It looks like the new Microsoft XP Shared Computer Toolkit free add-on may solve all these problems. It's got some great features, but the one that jumps out is the ability to 'lock' your computer's C: drive so that any changes made are lost during the next reboot. Setting it up will take time though as you need to re-partition your system drive so that you can devote 10% to a special partition. If it truly works as Microsoft describe then this should really mean the end of viruses and spyware.
When I last looked at the Shared Computer Toolkit, I thought the same, but further down it says (or said) that it wasn't recommended for use with a large network (or words to that effect) and that most of this could be achieved with AD.
beeswax