Could you please identify the GPO setting in question? Thanks.
Laura
From: Joshua Feek <jfeek@yahoo.com.au>
Date: 2004/10/25 Mon PM 11:05:12 EDT
To: Laura Robinson <larobins@verizon.net>,
Paul Aviles <paviles@adjoined.com>,
Harlan Carvey <keydet89@yahoo.com>, focus-ms@securityfocus.com
CC: chang zhu <cyz2000@yahoo.com>
Subject: Re: RE: Can we really block users from installing applications
through Group policy?
This is not related to software restriction but a
method that can be used via group policy to restrict
the applications that can be installed, software
restriction only stops the application being launched.
Within a GPO you can specify that only a cert
certified applciation can be installed and then
specify the trusted cert provider. By enforcing this a
user cannot install unauthorised applications.
The original question was how to stop users from
installing apps via a gpo method. This fits the bill
and works very well, except you have to repackage
applications to msi format (or anything else) so that
you can sign the installation with your cert.
--- Laura Robinson <larobins@verizon.net> wrote:
While your reply actually seems to be in response to
something other than the message to which it is
attached, I did want to comment on a couple of
items. First, implementing software restriction
policies does not require one to repackage all
applications into signed .msi packages- it depends
on which of the four methods of restriction you
implement. Second, you are only mentioning one way
to implement software restriction policies- there
are numerous ways of going about it. It's not quite
as facile as the description below indicates.
Laura
From: Joshua Feek <jfeek@yahoo.com.au>
Date: 2004/10/18 Mon PM 09:13:01 EDT
To: Laura Robinson <larobins@verizon.net>, Paul
Aviles <paviles@adjoined.com>,
Harlan Carvey <keydet89@yahoo.com>,
focus-ms@securityfocus.com
CC: chang zhu <cyz2000@yahoo.com>
Subject: Re: RE: Can we really block users from
installing applications through Group policy?
Of course you can though it requires you to
package
all applications into MSI format and certify using
a
PKI cert. You then config a GPO to only allow apps
that are certified by your cert to be installed.
This
will stop dead every other application
installation.
You can of course include other certs from verdors
to
minimise this repackage requirement
--- Laura Robinson <larobins@verizon.net> wrote:
Um, I don't recall Harlan saying that the policy
had
to be applied to *everyone*.
Laura
___________________________________________________________ALL-NEW
Yahoo! Messenger - all new features - even more fun!
http://uk.messenger.yahoo.com
___________________________________________________________ALL-NEW Yahoo!
Messenger - all new features - even more fun! http://uk.messenger.yahoo.com
---------------------------------------------------------------------------
---------------------------------------------------------------------------
---------------------------------------------------------------------------
---------------------------------------------------------------------------
