Well you cannot ever just release a GPO and expect to fit everyone. From
administrators to developers people will need different access. How do
you handle exceptiions?
-----Original Message-----
From: Harlan Carvey [mailto:keydet89@yahoo.com]
Sent: Friday, October 08, 2004 5:39 PM
To: Paul Aviles; focus-ms@securityfocus.com
Cc: chang zhu
Subject: RE: Can we really block users from installing applications
through Group policy?
Paul,
This is very interesting topic. I think this
approach will work, but
will also give you a lot of problems since many
applications including MS ones will need this.
Need what? What problems are you referring to?
Additionally, how will you handle exceptions to
the GPO?
Well...as an exception.
-----Original Message-----
From: Harlan Carvey [mailto:keydet89@yahoo.com]
Sent: Friday, October 08, 2004 11:12 AM
To: focus-ms@securityfocus.com
Cc: chang zhu
Subject: Re: Can we really block users from
installing applications
through Group policy?
The users are not local administrators. We
configure
group policy to prevent user installs but it seems
that it blocks only .msi packages. Users still
can
install applications through ex. setup.exe...Can
we
really block users from installing applications
through Group policy?
Any idea or thoughts on this?
Sure. Disable access to the write to certain
locations of the hard drive. While some
applications
require the ability to write to a temp directory,
most
users shouldn't have write access to the system32
dir...read and execute usually suffice.
First, though...some background. Do you have a
policy
in place that states that users shall not install
software? If you do, the next step should be to put technical
measures in place to not only prevent it, but monitor it. Monitoring
can be done easily through
freeware and WMI.
Plus, if we need to block users from saving .mp3
file
on their computers, can we do it through group
policy?
Again, the first step should be a security policy.
Next, how do they download the .mp3s? If it's via
file sharing (or rather, pretty much any method
other
than FTP, HTTP, or bringing in a CD), then there is
probably an *installed application* that they're
using. Also, there is very likely an *installed
application* they're using to play the .mp3s, right?
You won't be able to completely prevent the download
of files to the local hard drive through ACLs...the
users still need some write access to the drive.
However, you *can* monitor this by simply using
'dir'.
Map a drive (x:\) and type the following command:
c:\>dir /s x:\*.mp3
If you want, you can follow this up with the
judicious
use of 'del'.
Hope that helps,
=====
------------------------------------------
Harlan Carvey, CISSP
"Windows Forensics and Incident Recovery" http://www.windows-ir.com
http://groups.yahoo.com/group/windowsir/
"Meddle not in the affairs of dragons, for
you are crunchy, and good with ketchup."
"The simplicity of this game amuses me.
Bring me your finest meats and cheeses."
------------------------------------------
------------------------------------------------------------------------
---
------------------------------------------------------------------------
---
=====
------------------------------------------
Harlan Carvey, CISSP
"Windows Forensics and Incident Recovery" http://www.windows-ir.com
http://groups.yahoo.com/group/windowsir/
"Meddle not in the affairs of dragons, for
you are crunchy, and good with ketchup."
"The simplicity of this game amuses me.
Bring me your finest meats and cheeses."
------------------------------------------
------------------------------------------------------------------------
---
------------------------------------------------------------------------
---
---------------------------------------------------------------------------
---------------------------------------------------------------------------
