I'm using Windows 8 Pro. I'm trying to create a very limited Windows account. The account will only have:
- Remote Desktop Access
- Shell replaced by our own in-house application
- Access to the one FTP client (currently FileZilla) that our in-house application will launch for them (sends log-in info on command line)

I do not want them to be able to run any other applications. I've disabled task manager and replaced the shell, so the only way they can currently run other applications is from inside FileZilla, since it allows you to "open" an EXE (runs it) or other files that open other apps.
I tried Group Policy Editor, and from what I can tell all that does is not allow an admin user to run apps, but has no effect on non-admin users. I've seen HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun, but I need a white-list, not black, and also I think that only works for processes that Explorer starts, not other apps like FileZilla.

I'd like the blacklist to use the full path of the EXE also, not just the name, since users will have FTP ability and the ability to rename files (nothing in the system or Program Files folders though, since this is a limited account).

I also tried going to the root of the C drive and adding a "Deny execute/traverse" permission at the file system level, but I get tons of errors about access denied on lots of folders like c:\windows and even stuff under c:\users. I then started to go to each sub-folder and add that permission, but it was taking forever and I was still getting lots of access denied errors (I was doing this from an admin account).
Update -- with the accepted answer, plus the info I found here, I got what I needed.
1. Start the MMC (Microsoft Management Console). Type mmc into the Start menu search box or command prompt window, or you may use the "Run…" feature.
2. Select File and choose Add/Remove Snap-in… from the drop-down menu.
3. The Add or Remove Snap-ins dialog box will appear. On the left-hand pane, highlight Group Policy Object Editor and click Add >.
4. The Select Group Policy Object dialog box will now appear. Click the Browse… button. Switch to the Users tab and select Non-Administrators in the list. Click OK.
5. The Group Policy Object should now display "Local Computer\Non-Administrators". Click Finish.
Once I was able to set policies for the one user, using the above steps, I just had to go to "Admin Templates->System->Run only specified Windows applications". I had already tried that, but was missing the part about how to edit policies for only one user, not "admin users only" (which seems like a weird default to me).
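The "Run only specified Windows applications" policy from the last step is stored in the restricted user's registry hive as an allow-list. The PowerShell below is an added example, not code from the original post or from Microsoft's documentation: it writes that list and reads it back so an administrator can verify what the user is actually permitted to launch. It assumes the key layout HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\RestrictRun (the allow-list sibling of the DisallowRun key mentioned above, with values named "1", "2", ... holding executable file names), and the two executable names in the list are constructed placeholders.

```powershell
# Added example (not from the original post): write the "Run only specified Windows
# applications" allow-list into the current user's hive and read it back.
# Assumed layout: RestrictRun = 1 (DWORD) under the Explorer policy key, plus a
# RestrictRun subkey whose values "1", "2", ... name the permitted executables.
# Run this in the restricted user's own session so HKCU is that user's hive.
$policyKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$listKey   = Join-Path $policyKey 'RestrictRun'

# Constructed sample allow-list: replace with the real in-house shell and FTP client.
# The policy matches on the executable's file name only, not its full path.
$allowed = @('inhouse-shell.exe', 'filezilla.exe')

function Set-RestrictRunList {
    param([string[]]$Executables)
    New-Item -Path $listKey -Force | Out-Null
    # Remove any previous entries so the key reflects exactly the list passed in.
    (Get-Item $listKey).Property | ForEach-Object {
        Remove-ItemProperty -Path $listKey -Name $_
    }
    $i = 1
    foreach ($exe in $Executables) {
        New-ItemProperty -Path $listKey -Name ([string]$i) -Value $exe `
            -PropertyType String -Force | Out-Null
        $i++
    }
    # Turn the policy on; without this DWORD the list is ignored.
    New-ItemProperty -Path $policyKey -Name 'RestrictRun' -Value 1 `
        -PropertyType DWord -Force | Out-Null
}

function Get-RestrictRunList {
    # Returns the permitted executables in numeric value order, or nothing if unset.
    if (-not (Test-Path $listKey)) { return @() }
    $item = Get-Item $listKey
    $item.Property | Sort-Object { [int]$_ } | ForEach-Object { $item.GetValue($_) }
}

Set-RestrictRunList -Executables $allowed
Get-RestrictRunList
```

Two points worth checking after applying it: the policy's own description states that it only restricts programs started by the Windows Explorer process, so a shell replacement (as in this question) or any other launcher must be accounted for separately, and because matching is by file name alone, the list should be reviewed against the file-rename ability the question mentions.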
Software restriction policies. http://technet.microsoft.com/en-us/library/hh994606.aspx – Zoredache – 2013-09-13T00:13:00.807

Thanks for the link. I'm not using a domain, but towards the top of the page it says "Beginning with Windows Server 2008 R2 and Windows 7, Windows AppLocker can be used instead of or in concert with SRP for a portion of your application control strategy." -- so I'm looking into that also now. – eselk – 2013-09-13T15:50:02.783

AppLocker is Win8 Enterprise only, so after about an hour of getting it set up (all the setup is there, even the service), I find out that isn't an option on Win8 Pro. – eselk – 2013-09-13T17:04:25.833