0
Is there any option beyond separating administrator and standard users to prevent the installation of user-space programs (such as Spotify, using portable software, etc.)?
We have a set of predefined software for our users and there is no need to even execute .exe files to install something or run portable software.
Is there any way of preventing this to keep the user account clean and prevent possible malicious software from being run in the first place?
Prototype700
Posted 2019-10-30T14:45:53.130
Reputation: 131
There may be a setting in the Group Policy editor>Run>gpedit.msc – Moab – 2019-10-30T15:03:43.677
1"We have a set of predefined software for our users and there is no need to even execute .exe files to install something or run portable software." - You can only allow specific executables with a group policy, but if done the incorrect way, would prevent Administrators from performing required functions. – Ramhound – 2019-10-30T15:08:10.900
1https://blog.brankovucinec.com/2014/10/24/use-software-restriction-policies-to-block-viruses-and-malware/ – Moab – 2019-10-30T15:10:57.710
1
should also be set>>>>https://www.thewindowsclub.com/how-to-prevent-users-from-installing-programs-in-windows-7
– Moab – 2019-10-30T15:11:20.423What kind of installations? Using standard user accounts, only the Administrator account can install software. This affects only Windows Installer and does not prevent using other methods. – harrymc – 2019-10-30T15:13:16.270
Unfortunately exe's are used to run many programs in Windows, so you cannot block them system wide, all you can do is mitigate their use as mention in my comments with links above – Moab – 2019-10-30T15:15:35.990
@Moab: We will try the group policy/path rule solution. Our users can only logically execute binary files from one partition, if we are able to prevent it on this specific location, it should disable them from running downloaded .exe-files. Do you happen to know if there are any ways around this by renaming the files and executing them manually somehow? Together with disabling msiexec for the user, this could become a comprehensively secured environment. Do you want to rework your comment into an answer, in case this is a solution to the issue? – Prototype700 – 2019-11-18T13:37:09.207
@Moab: I tried your suggested links and they have the potential to solve the issue in this case, unfortunately, I have been unable to set the path recursively, so a user only has to create a subfolder to circumvent them in this case. If this weren't the case, they would be perfect. I opened a second question to solve this issue, if you have a solution, please join in: https://superuser.com/questions/1503500/how-to-include-subfolders-in-a-windows-path
– Prototype700 – 2019-11-19T21:26:59.837