[gptalk] Re: Restricting only Software Installations

  • From: "Darren Mar-Elia" <darren@xxxxxxxxxx>
  • To: <gptalk@xxxxxxxxxxxxx>
  • Date: Wed, 23 Aug 2006 16:08:56 -0700

Basically, SRP has two general modes. The default mode is to allow
everything to run and then you create a "blacklist" of disallowed apps using
the 4 types of rules that come with the policy. This is not very secure
since who knows what may end up running that you did not account for in your
blacklist. The other mode is to set the default policy to disallow
everything and then you create rules that only allow the things that you
know you want to run (i.e. business apps, etc.). This is a good article on
how SRP works:
http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/rstrplcy.mspx
 
 

  _____  

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Jason A. Varley
Sent: Wednesday, August 23, 2006 4:04 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Restricting only Software Installations



Thank you for the feedback. Can you tell me a little more about the white
list? That sounds like what I am after.

 

Thanks Darren!

 

Jason

 

  _____  

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Darren Mar-Elia
Sent: Wednesday, August 23, 2006 5:01 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Restricting only Software Installations

 

You can prohibit per user installs of MSI packages using the policy at
computer config\admin templates\windows components\windows
installer\prohibit user installs. Since this is per computer, you would
need to apply it at the computer of the user(s) you want to restrict.
Alternatively, if you really needed to button things down, you could set up
a Software Restriction Policy "white list" where only a known set of
applications and setup packages are allowed to run. This would guarantee
that *nothing* runs outside of what you know about. Of course, all this gets
harder if your users are local admin on their workstations.

 

Darren

 

  _____  

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Jason A. Varley
Sent: Wednesday, August 23, 2006 2:20 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Restricting only Software Installations

This may have a simple answer but I can't think of it at the moment.

 

How can I restrict only a user's ability to install software?

 

I know some policies and user groups would probably encompass this
restriction but I was wondering how to do just the one restriction of
installing software.

 

 

Is this possible??

 

 

Thanks for the help!

 

Jason
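
An added example, not part of the original thread or Microsoft's own tooling: a PowerShell check of which of the two SRP modes described above a machine is in, read from the computer-level SRP policy key, together with its path rules. The function names Get-SrpMode and Get-SrpPathRule are hypothetical, and the script assumes SRP is applied per computer (HKLM) rather than per user.

```powershell
# Added example: report the SRP default level and path rules on this machine.
# Assumption: SRP is configured per computer, so the policy lives under HKLM.
$SrpRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

function Get-SrpMode {
    param([string]$Root = $SrpRoot)
    if (-not (Test-Path -LiteralPath $Root)) {
        return [pscustomobject]@{ Mode = 'NotConfigured'; DefaultLevel = $null; AdminsExempt = $null }
    }
    $key     = Get-Item -LiteralPath $Root
    $default = $key.GetValue('DefaultLevel')   # 0 = Disallowed, 262144 (0x40000) = Unrestricted
    $mode = if ($null -eq $default) { 'Unknown (no DefaultLevel value)' }
        elseif ($default -eq 0)      { 'White list (default Disallowed)' }
        elseif ($default -eq 262144) { 'Blacklist (default Unrestricted)' }
        else                         { 'Other level' }
    [pscustomobject]@{
        Mode         = $mode
        DefaultLevel = $default
        # PolicyScope 1 = policy applies to all users except local administrators
        AdminsExempt = ($key.GetValue('PolicyScope') -eq 1)
    }
}

function Get-SrpPathRule {
    param([string]$Root = $SrpRoot)
    # Path rules are stored under <level>\Paths\{GUID}; only path rules are listed here.
    foreach ($level in 0, 262144) {
        $dir = Join-Path $Root "$level\Paths"
        if (-not (Test-Path -LiteralPath $dir)) { continue }
        foreach ($rule in Get-ChildItem -LiteralPath $dir) {
            [pscustomobject]@{
                Level       = if ($level -eq 0) { 'Disallowed' } else { 'Unrestricted' }
                Path        = $rule.GetValue('ItemData')
                Description = $rule.GetValue('Description')
            }
        }
    }
}

$mode = Get-SrpMode
$mode | Format-List
Get-SrpPathRule | Format-Table -AutoSize -Wrap
if ($mode.DefaultLevel -eq 262144) {
    Write-Warning 'Default level is Unrestricted: anything not matched by a Disallowed rule will run.'
}
```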

 
