+ Post New Thread
Page 1 of 2 12 LastLast
Results 1 to 15 of 28
Windows Thread, Restrict software installation in Technical; How can we prevent students from installing software on PC's. Is there somewhere in the GPO that will alow us ...
  1. #1

    Join Date
    Jul 2005
    Location
    51°44’45.75”N 2°13’57.28”W With 182ft Elevation
    Posts
    35
    Thank Post
    0
    Thanked 0 Times in 0 Posts
    Rep Power
    0

    Restrict software installation

    How can we prevent students from installing software on PC's. Is there somewhere in the GPO that will alow us to restrict this.

    Thanks

  2. #2

    Join Date
    Jul 2005
    Location
    Corby
    Posts
    1,056
    Thank Post
    12
    Thanked 20 Times in 18 Posts
    Rep Power
    24

    Re: Restrict software installation

    If you are using Windows XP you can pretty much get quite granular control over which applications your users can install and run (but with 2000 and pre-2000 machines it is more difficult).

    If you need more information on how to do this, and no-one else replies before I get home from work, I can help.

    Good luck!

    Paul

  3. #3

    Join Date
    Jul 2005
    Location
    51°44’45.75”N 2°13’57.28”W With 182ft Elevation
    Posts
    35
    Thank Post
    0
    Thanked 0 Times in 0 Posts
    Rep Power
    0

    Re: Restrict software installation

    Hi kingswood,
    I would be greatful for any help you can offer. To explain the problem a little more clearly we want the students to be able to install their usb pen drive with out restricts, but not able to install software or run .exe that are not already install eg. doom95.exe on their pen drive or local area. More important it the restriction of software. We are running a mixture of 2000 and xp clients on server2003 if thats any help.

  4. #4

    Join Date
    Jul 2005
    Location
    Corby
    Posts
    1,056
    Thank Post
    12
    Thanked 20 Times in 18 Posts
    Rep Power
    24

    Re: Restrict software installation

    Hey.

    Here goes: you can restrict software for specific users (never tried that myself) or for all users on a specific machine. You can find the templates for controlling software access in:

    Computer Configuration > Windows Settings > Security Settings > Software Restriction Policies.

    Right click the node and choose "New Software Restriction Policy"

    I usually tie the GPO for software restriction to an OU where computer accounts are stored that I want to have the policy apply to. Generally it will depend on your restriction policy as to how you will handle the whole affair. There's the: "Allow everything to run except specified items" outlook, and this lets users run everything you haven't locked down freely. You could enter your doom.exe file etc here and make sure that users can't run that specified application/tool/utility.

    There is also the "don't allow applications of a certain type to run" thinking, and here you can stop all files of a type (say all .VBS files) but you can at the same time tell XP to allow VBS files that are signed digitally from your department to run (that way you can still get the flexibility of a script but stop users from executing them).

    There is also a "full lockdown" philosophy. The "disallowed" option is selected in the GPO rather than "unrestricted", and so nothing is allowed to run except the OS and items you explicitly name. It's heavy handed, high octane stuff- and can get you into trouble fast!

    You can find out lots of ways of restricting software too- there is the "hash" method whereby even if a user ranames doom.exe to gloom.exe the file still won't execute (there are ways around this though). There's a "path rule" where you can specify to restrict applications based on where they are on the hard drive; there's certificate rules (don't know that much about these type); and zone rules- you're probably familiar with these in IE. You could find out about these methods by searching Google etc.

    Phew!

    I type this quickly, so accept my apologies if there are errors in there. IN any case, use the ADM template path given above and poke around. Do you have a copy of the 2000/2003 Server resource kit? If so there is an excellent book in there about Group Policies. I would also recommend "Group Policy, Profiles, and Intellimirror" by Jeremy Moskowitz which has taught me pretty much all I needed to know as far as GPOs are concerned.

    If you get stuck- shout and I'll see if I can help!

    Paul

  5. #5

    Join Date
    Oct 2005
    Location
    Kent and London
    Posts
    13
    Thank Post
    0
    Thanked 0 Times in 0 Posts
    Rep Power
    0

    Re: Restrict software installation

    Is this a question about preventing users installing sofware (easy) or preventing them running executable content from a removable disk (or other location) that does not require an install (hard)?

  6. #6

    Ric_'s Avatar
    Join Date
    Jun 2005
    Location
    London
    Posts
    7,590
    Thank Post
    109
    Thanked 762 Times in 593 Posts
    Rep Power
    180

    Re: Restrict software installation

    Quote Originally Posted by Westbrooke
    Is this a question about preventing users installing sofware (easy) or preventing them running executable content from a removable disk (or other location) that does not require an install (hard)?
    The latter.

  7. #7
    eejit's Avatar
    Join Date
    Jun 2005
    Location
    Ireland
    Posts
    606
    Thank Post
    52
    Thanked 12 Times in 12 Posts
    Rep Power
    22

    Re: Restrict software installation

    This is still a problem for us. We use the "software restriction policies" mentioned above, but it's a never-ending process. Stopping the "Windows Installer" helps, but it would be nice to stop the other installers from running, there only appears to be 4/5 of them. I don't know if it's possible to, for instance, stop the "InstallShield" installer from running. That would be a major breakthrough I think.

  8. #8

    Join Date
    Nov 2005
    Location
    Preston, Lancs
    Posts
    43
    Thank Post
    0
    Thanked 0 Times in 0 Posts
    Rep Power
    0

    Re: Restrict software installation

    We've tackled the problem of kids installing software using GPO, pretty much exactly how kingswood describes above. All 'approved software' is installed when windows starts up using remote installation.
    It's extremely effective.

  9. #9
    eejit's Avatar
    Join Date
    Jun 2005
    Location
    Ireland
    Posts
    606
    Thank Post
    52
    Thanked 12 Times in 12 Posts
    Rep Power
    22

    Re: Restrict software installation

    So, do you basically "Deny *.exe" apart from the following - winword.exe, etc, etc.?

  10. #10
    tarquel's Avatar
    Join Date
    Jun 2005
    Location
    Powys, Mid-Wales, UK
    Posts
    1,740
    Thank Post
    13
    Thanked 44 Times in 34 Posts
    Rep Power
    29

    Re: Restrict software installation

    thats how i have it on the old 98 policy setup [just out of interest] - deny all except....

    but like Paul [kingswood] says, the shit will hit the fan pretty quick like that without testing it first.

    I havent tried this with XP & the AD / GP system but i imagine the effect is the same. Those damn hp scaner drivers were a big prob on 98 - so many dependant exe's to add to the exclusion list that it was really difficult, though it should be easier in the GP setup

    What Paul decribes sounds good although I havent had to use software retension yet tho oddly - think i've adjusted some oher settings lol

    Cheers
    N.

  11. #11
    eejit's Avatar
    Join Date
    Jun 2005
    Location
    Ireland
    Posts
    606
    Thank Post
    52
    Thanked 12 Times in 12 Posts
    Rep Power
    22

    Re: Restrict software installation

    Yes, the fan being hit was the reason I haven't even bothered testing out the "deny all except" way of doing things. Is anyone one here doing that in an AD XP network?

  12. #12
    secman's Avatar
    Join Date
    Nov 2005
    Location
    Romford, Essex
    Posts
    107
    Thank Post
    0
    Thanked 2 Times in 2 Posts
    Rep Power
    18

    Re: Restrict software installation

    Hi,

    Found this thread searching for "Group Policies".

    We are looking at AD/Group Policies as an alternative to our Winsuite 2000 installation. As Winsuite controls what can and can't be run and prevents installs, downloads & installs and installs from floppy or USB drive etc, we need to be confident that any alternative will be at least as effective and easy to set up. From the posts in this thread, it looks as if it is difficult to cover all bases effectively without considerable setting up. We have in excess of 100 apps on the Winsuite menu system and don't really want to start again from scratch. Are we right in consering a change away from Winsuite? Advice, views, opinions, please.

    Thanks

  13. #13

    Dos_Box's Avatar
    Join Date
    Jun 2005
    Location
    Preston, Lancashire
    Posts
    9,855
    Thank Post
    583
    Thanked 2,162 Times in 987 Posts
    Blog Entries
    23
    Rep Power
    627

    Re: Restrict software installation

    All Winsuite does is put a nice shiny front on GPO's. Anything that Winsuite can do AD can do.

  14. #14
    eejit's Avatar
    Join Date
    Jun 2005
    Location
    Ireland
    Posts
    606
    Thank Post
    52
    Thanked 12 Times in 12 Posts
    Rep Power
    22

    Re: Restrict software installation

    It looks like the new Microsoft XP Shared Computer Toolkit free add-on may solve all these problems. It's got some great features, but the one that jumps out is the ability to 'lock' your computer's C: drive so that any changes made are lost during the next reboot. Setting it up will take time though as you need to re-partition your systemdrive so that you can devote 10% to a special partition. If it truely works as Microsoft describe then this should really mean the end of viruses and spyware.

  15. #15

    beeswax's Avatar
    Join Date
    Jul 2005
    Location
    England
    Posts
    2,285
    Thank Post
    285
    Thanked 225 Times in 153 Posts
    Rep Power
    131

    Re: Restrict software installation

    when I last looked at the shared computer toolkit, I thought the same, but further down the it says (or said) that it wasn't recommended for use with a large network (or words to that effect) and that most of this could be achieved with AD.
    beeswax

SHARE:
+ Post New Thread
Page 1 of 2 12 LastLast

Similar Threads

  1. Restrict Logon
    By DSapseid in forum Wireless Networks
    Replies: 7
    Last Post: 28th March 2007, 10:30 AM
  2. Replies: 15
    Last Post: 1st December 2006, 02:13 PM
  3. Software Installation Policies - random issue
    By CM786 in forum Wireless Networks
    Replies: 4
    Last Post: 2nd October 2006, 02:12 PM
  4. Restrict filetypes
    By Gatt in forum How do you do....it?
    Replies: 21
    Last Post: 22nd September 2006, 11:28 AM
  5. Replies: 3
    Last Post: 8th September 2006, 07:49 AM

Thread Information

Users Browsing this Thread

There are currently 1 users browsing this thread. (0 members and 1 guests)

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •