RE: Can we really block users from installing applications through Group policy?

This is when you could use WMI filtering perhaps, or security
restrictions on the GPO itself.

Tim 

-----Original Message-----
From: vic brown [mailto:vabrown@mailer.fsu.edu] 
Sent: Tuesday, October 12, 2004 10:05 AM
To: Paul Aviles; focus-ms@securityfocus.com
Subject: Re: Can we really block users from installing applications
through Group policy?

Exceptions are handled based on OUs.  If the GPO applies to a specific
users' OU, then you make sure that the exceptions are not part of that
OU.  This is the reason why a good OU structure is important.  Have a
"developers" OU, then a "marketing" OU, etc. A GPO applied to
"marketing" will not affect "developers".  If a GPO however applies to
computers, and the same are shared by users of different levels, then
the process becomes a bit more complicated.

Paul Aviles wrote:
> Well you cannot ever just release a GPO and expect to fit everyone. 
> From administrators to developers people will need different access. 
> How do you handle exceptiions?
>
> -----Original Message-----
> From: Harlan Carvey [mailto:keydet89@yahoo.com]
> Sent: Friday, October 08, 2004 5:39 PM
> To: Paul Aviles; focus-ms@securityfocus.com
> Cc: chang zhu
> Subject: RE: Can we really block users from installing applications 
> through Group policy?
>
>
> Paul,
>
>
> > This is very interesting topic. I think this approach will work, but 
> > will also give you a lot of problems since many applications including

> > MS ones will need this.
>
>
> Need what?  What problems are you referring to?
>
>
> > Additionally, how will you handle exceptions to the GPO?
>
>
> Well...as an exception.
>
>
> > -----Original Message-----
> > From: Harlan Carvey [mailto:keydet89@yahoo.com]
> > Sent: Friday, October 08, 2004 11:12 AM
> > To: focus-ms@securityfocus.com
> > Cc: chang zhu
> > Subject: Re: Can we really block users from installing applications 
> > through Group policy?
> >
> >
> >
> >
> >
> > > The users are not local administrators.  We configure group policy to

> > > prevent user installs but it seems that it blocks only .msi packages.

> > > Users still
> >
> > can
> >
> > > install applications through ex. setup.exe...Can
> >
> > we
> >
> > > really block users from installing applications through Group policy?
> > >
> > > Any idea or thoughts on this?
> >
> > Sure.  Disable access to the write to certain locations of the hard 
> > drive.  While some applications require the ability to write to a temp

> > directory, most users shouldn't have write access to the system32 
> > dir...read and execute usually suffice.
> >
> > First, though...some background.  Do you have a policy in place that 
> > states that users shall not install software?  If you do, the next 
> > step should be to put technical measures in place to not only prevent 
> > it, but monitor it.  Monitoring can be done easily through freeware 
> > and WMI.
> >
> >
> > > Plus, if we need to block users from saving .mp3 file on their 
> > > computers, can we do it through group policy?
> >
> > Again, the first step should be a security policy.
> > Next, how do they download the .mp3s?  If it's via file sharing (or 
> > rather, pretty much any method other than FTP, HTTP, or bringing in a 
> > CD), then there is probably an *installed application* that they're 
> > using.  Also, there is very likely an *installed
> > application* they're using to play the .mp3s, right?
> >
> > You won't be able to completely prevent the download of files to the 
> > local hard drive through ACLs...the users still need some write access

> > to the drive.
> > However, you *can* monitor this by simply using 'dir'.
> > Map a drive (x:\) and type the following command:
> >
> > c:\>dir /s x:\*.mp3
> >
> > If you want, you can follow this up with the judicious use of 'del'.
> >
> > Hope that helps,
> >
> >
> > =====
> > ------------------------------------------
> > Harlan Carvey, CISSP
> > "Windows Forensics and Incident Recovery" http://www.windows-ir.com 
> > http://groups.yahoo.com/group/windowsir/
> >
> > "Meddle not in the affairs of dragons, for you are crunchy, and good 
> > with ketchup."
> >
> > "The simplicity of this game amuses me.
> > Bring me your finest meats and cheeses."
> > ------------------------------------------
>
> ----------------------------------------------------------------------
> --
>
> > ---
>
> ----------------------------------------------------------------------
> --
>
> > ---
>
>
>
> =====
> ------------------------------------------
> Harlan Carvey, CISSP
> "Windows Forensics and Incident Recovery" http://www.windows-ir.com 
> http://groups.yahoo.com/group/windowsir/
>
> "Meddle not in the affairs of dragons, for you are crunchy, and good 
> with ketchup."
>
> "The simplicity of this game amuses me. 
> Bring me your finest meats and cheeses."
> ------------------------------------------
>
> ----------------------------------------------------------------------
> --
> ---
> ----------------------------------------------------------------------
> --
> ---
>
>
> ----------------------------------------------------------------------
> -----
> ----------------------------------------------------------------------
> -----

-- 
     ___________ ___________
  __/           V           ;
@  Vic Brown               |
|  Comp Supp Spec          |
|  FSU-Panama              |
  > vabrown@fsu.edu        <
|  Phone: (507)-314-0367   |
|  mailer.fsu.edu/~vabrown |
@__________________________;


------------------------------------------------------------------------
---
------------------------------------------------------------------------
---


---------------------------------------------------------------------------
---------------------------------------------------------------------------