[gptalk] Re: Opinion on my Software Restriction Policy
- From: "Darren Mar-Elia" <darren@xxxxxxxxxx>
- To: <gptalk@xxxxxxxxxxxxx>
- Date: Wed, 11 Jun 2008 05:58:15 -0700
Pankaj-
Its nearly impossible to prevent any kind of software installation, simply
because software can be installed anywhere on the file system and its
impossible to prevent writes to every location on the local file system.
However, there are a series of things you can do to make it very difficult for
users to either install or execute unwanted code. Part of that is using
Software Restriction Policy-based whitelists (i.e. disallow all code as the
default rule and then allow only the apps below). Part of it is using other
measures including:
--Making sure users are not members of the local Administrators or Power Users
groups
--Removing the ability for MSI packages to install outside of managed apps
(i.e. those deployed via GP) by enabling the policy at Computer
Configuration\Admin. Templates\Windows Components\Windows Installer\Disable
Windows Installer
Again, I think it’s a combination of several steps that you will need to
perform to ensure that only the code you want is executed.
Sincerely,
Darren
From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Pankaj Bhakta
Sent: Tuesday, June 10, 2008 10:47 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Opinion on my Software Restriction Policy
Hi,
We are having a Win 2003 AD based Domain and users running Win XP SP2.
The following applications are installed by our IT department on every
workstation
* MS Office 2003 Pro
* IE and Firefox
* Win Zip
* Adobe Reader
* Sonic Record Now Plus - for burning CD/DVDs
* Cyberlink PowerDVD
I want to setup a Software Restriction Policy to achieve the following:
a) Do not permit Users to install any software
b) All the above mentioned applications to run smoothly
On a test domain I have setup a SRP as following ( User Configuration ):
Default Security Level - Disallowed
Enforcement Properties
- All software files except libraries (such as DLLs)
- All users except Local Administrators
Designate File Types
-Removed the .LNK from the Designated File Types
Path rules
The 4 default rules kept intact.
Added the following
%userprofile%\Start Menu\Programs
%allusersprofile%\Start Menu\Programs
%temp%
%windir%
\\myserver\netlogon\*.bat - running login scripts
\\myserver\netlogon\*.vbs - running login scripts
Although I removed the .LNK from the Designated File Types but the shortcuts on
the desktop did not seem to work so added the following path rule.
%allusersprofile%\desktop\*.lnk
%userprofile%\desktop\*.lnk
Everything seems to be working as I wanted. All my applications that are
already installed are working fine. The applications that have desktop
shortcuts are working fine.
Also tested and found that the users cannot install any application.
To me things seems to work alright but I would still request your valued
opinion & suggestion before I apply the policy on production domain.
Cheers,
Pankajb
Other related posts:
