I want to prevent people from installing software on their PC's using WS2008. I've read something and it said i should change security level under software restriction policies. But when i set it from unrestricted to basic, some of the programs on my users PC's don't work anymore. How to make exceptions for those programs to work?
3 Answers
There are technological measures you can take to make it more difficult for users to install software on their Windows PC's (which I will mention at the end). However, this is a disciplinary issue, not a technical one, and is probably better dealt with through policies and disciplinary processes - since some clever person will always find a way to skirt your restrictions - unless they perceive a significant consequence to their actions.
I am guessing you are the IT admin for a company. I would make the business case to management that users installing unauthorised software on machines is not just a technical problem but a legal and financial risk - and have them put disciplinary measures in place. Then just do occasional audits and if unauthorised software is found, begin disciplinary proceedings - verbal warning, written warning, etc. Once there is enough pain associated with skirting the policies, people will stop the behavior by themselves.
On Windows XP it can be extremely difficult to tweak software to run as a restricted user rather than an administrative one - Windows Vista and 7 have made some progress in this regard, so upgrading the PCs will help. One of the best ways to tell what permissions you need to grant is to run a tool like Process Monitor, which will show you exactly what a program is trying to access and failing due to rights issues, and you can grant rights.
This can be very tedious, so I will also recommend some other less admin intensive ways to make it harder to install unauthorised software - though these methods will significantly annoy users, and can hamper normal operation occasionally, which is why disciplinary methods are preferred:
- Disable access to USB drives
- Remove Optical drives from PCs - all software will have to come from the network or USB
- Block download of executable and .ZIP (and other archive formats) on the web proxy server
- Block executables and archives on your mail server
- Use Software Restriction Policies (as per your question) Simpler tutorial here
- 453
- 2
- 7
-
Disciplinary measures will be hard to implement and from the methods you suggested i can only use the last one. All other are essential to our work. Thanks again for the answer. – sotir1984 Sep 01 '11 at 09:22
-
1Glad it was of some assistance. I agree the disciplinary approach is more difficult up front. However the long term benefits might just be worth that difficulty. – Bork Blatt Sep 01 '11 at 09:29
@BorkBlatt's answer is pretty good with covering several of the bases. If you wanted to go for an all out prevention solution, there are applications like Deep Freeze. You configure the machine how you want it to be configured, "freeze" it, and no matter what is altered the machine reverts to the "frozen" state at reboot.
In other words you can delete the Windows subdirectory and when you reboot the directory reappears.
This brings its own management overhead, though. You need to use the management tools to create a maintenance window (assuming Windows Updates will work reliably for you), although with Windows 7's new way of installing certain things at reboot we've found this to be a bad idea. Otherwise you need to update the systems by hand. Antiviruses are tricky if you insist on running them on client machines since updated signatures are wiped at reboot, but on the other hand any infections in the system are wiped at reboot as well.
Your users could use either a "thaw space" (another drive letter on the local drive) or network mapped drive for persistent storage if you use DF, and their roaming profile will (or should) keep their desktop/application settings. Basically the only applications they could install would be to their local profile or a mapped drive but changes that rely on sticking files into any Windows directory can be erased at startup. If they insist on installing software they'll find themselves re-installing it each time, usually, so it's just not worth it.
Oh, and with Deep Freeze, you'll need to disable the Active Directory setting that changes the workstation ID's periodically. Otherwise your workstations "fall off" the domain.
I'd also suggest reviewing what your users really need access to. Use the principle of least authority - if they don't need any access above ordinary user, don't give it to them. Don't let people run as administrator. Use the Sysinternals suite of tools to grant minimal privileges to particular subdirectories when programs complain about not being able to read/write to a particular registry key or directory.
Whitelisting allowed executables is more drastic than Deep Freeze, in my opinion, unless you rarely, if ever, change what programs you're running. There are programs like LanSweeper that will watch your network and give you lists of what software is registered as installed, so you can audit software that way.
- 31,092
- 9
- 65
- 87
-
Thanks Bart. But i wanna restrict my users using only Active Directory/ Widows Server 2008 Software restriction policy. – sotir1984 Sep 01 '11 at 12:47
-
1Then you may find the information you're looking for here: http://technet.microsoft.com/en-us/library/bb457006.aspx – Bart Silverstrim Sep 01 '11 at 13:20
Should come in step
- Discplinary / company ict policy
- normal user access login only (windows)
- disable usb drive / optical drive. (most banks & big corporation do)
- disable exe & zip download in http proxy & email server.
most important is no. 1
in my company, every new staff will undergo ICT induction first. they will learn in there, what can & can't.
- 21
- 1