[gptalk] Re: Opinion on my Software Restriction Policy

  • From: hans straat <hstraat@xxxxxxx>
  • To: <gptalk@xxxxxxxxxxxxx>
  • Date: Wed, 11 Jun 2008 13:03:14 +0000

not to trow in any windows but how do you want to block portable applications 
that don't need installation like firefox portable etc 


From: darren@xxxxxxxxxxxx: gptalk@xxxxxxxxxxxxxxxxxxxx: [gptalk] Re: Opinion on 
my Software Restriction PolicyDate: Wed, 11 Jun 2008 05:58:15 -0700




Pankaj-
Its nearly impossible to prevent any kind of software installation, simply 
because software can be installed anywhere on the file system and its 
impossible to prevent writes to every location on the local file system. 
However, there are a series of things you can do to make it very difficult for 
users to either install or execute unwanted code. Part of that is using 
Software Restriction Policy-based whitelists (i.e. disallow all code as the 
default rule and then allow only the apps below). Part of it is using other 
measures including:
 
--Making sure users are not members of the local Administrators or Power Users 
groups
--Removing the ability for MSI packages to install outside of managed apps 
(i.e. those deployed via GP) by enabling the policy at Computer 
Configuration\Admin. Templates\Windows Components\Windows Installer\Disable 
Windows Installer
 
Again, I think it’s a combination of several steps that you will need to 
perform to ensure that only the code you want is executed.
 
Sincerely,Darren
 
 
 


From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On 
Behalf Of Pankaj BhaktaSent: Tuesday, June 10, 2008 10:47 PMTo: 
gptalk@xxxxxxxxxxxxxxxxxxxx: [gptalk] Opinion on my Software Restriction Policy
 



Hi,
We are having a Win 2003 AD based Domain and users running Win XP SP2.
 
The following applications are installed by our IT department on every 
workstation

MS Office 2003 Pro
IE and Firefox
Win Zip
Adobe Reader
Sonic Record Now Plus - for burning CD/DVDs
Cyberlink PowerDVD
I want to setup a Software Restriction Policy to achieve the following:
 
a) Do not permit Users to install any softwareb) All the above mentioned 
applications to run smoothly
 
 
On a test domain I have setup a SRP as following ( User Configuration ):
 
Default Security Level - Disallowed
Enforcement Properties 
- All software files except libraries (such as DLLs)
- All users except Local Administrators
Designate File Types
-Removed the .LNK from the Designated File Types
 
Path rules
The 4 default rules kept intact.
 
Added the following
 
%userprofile%\Start Menu\Programs%allusersprofile%\Start 
Menu\Programs%temp%%windir%\\myserver\netlogon\*.bat - running login 
scripts\\myserver\netlogon\*.vbs - running login scriptsAlthough I removed the 
.LNK from the Designated File Types but the shortcuts on the desktop did not 
seem to work so added the following path rule.
 
%allusersprofile%\desktop\*.lnk
%userprofile%\desktop\*.lnkEverything seems to be working as I wanted. All my 
applications that are already installed are working fine. The applications that 
have desktop shortcuts are working fine.
Also tested and found that the users cannot install any application. 
 
To me things seems to work alright but I would still request your valued 
opinion & suggestion before I apply the policy on production domain. 
 
Cheers,Pankajb

Other related posts: