Re: Prevent users/admin from installing softwares.

On 2007-02-27 Rocky wrote:
> Actually this is for my client with a small network that requires not
> to install anything from the client station.They are frequently
> infected by worm/Trojan viruses because most of them had admin rights.

Have them use normal user accounts for day-to-day work. If some software
refuses to run with LUA the steps described in [1] may help.

> A limited user accounts can also install a softwares by changing the
> directory location like C:\.

Changing the default permissions on C:\ has been a Best Practice for
years. Even Microsoft themselves suggested it in one of their security
bulletins [2]. I usually grant full access to administrators and SYSTEM,
and read access to authenticated users. The only software that caused
any trouble with this setup is the Corel Graphics Suite, which had to be
configured to not use C:\ for the Bitmap Tile Manager's swap.

> So if there's no way to restrict this on registry/gpedit would just
> recommend to get a 3rd party software.

Third party software won't help you either. It is simply not possible to
restrict local admins without revoking their admin privileges.

[1] http://www.planetcobalt.net/sdb/submission.shtml
[2] www.microsoft.com/technet/security/bulletin/ms02-064.mspx

Regards
Ansgar Wiechers
-- 
"All vulnerabilities deserve a public fear period prior to patches
becoming available."
--Jason Coombs on Bugtraq