
AD and Group Policy question

Status
Not open for further replies.

Hankejp

MIS
Nov 15, 2001
72
US
Hey all,

Here's the situation: I have roughly 60 computers in my library that we would like to be pretty much locked down. By that I mean no software installation or modifying the desktop, etc. The problem I'm having is how to stop users from installing messenger programs like Yahoo or MSN. I looked in Group Policy, but couldn't find anything. Does anyone know if I missed something or have another idea? We were using a program called Deep Freeze, but this is too time-consuming if I have to make a change.

Thanks ahead of time....
 
In Group Policies: User -> Admin Templates -> System there is a policy titled "Don't Run Specified Windows Applications." I link that to an OU and specify "msmsgs.exe" as an executable to prevent. That works great in my shop. Specify each of the executable names for Yahoo, Trillian, MSN and common IRC clients and that should take care of most things. On the other hand, why do the users have admin rights on the local systems? They shouldn't be able to install ANYTHING.

ShackDaddy
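
An added example, not part of the original posts: a read-only PowerShell check that the "Don't Run Specified Windows Applications" policy described above has actually reached a user's session and covers the executables you meant to block. It assumes the policy's documented registry location under HKCU; `example-messenger.exe` is a constructed placeholder, not a name from this thread.

```powershell
# Added example: audit the "Don't run specified Windows applications" policy
# for the currently logged-on user. Read-only; it changes nothing.
$explorerKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$listKey     = Join-Path $explorerKey 'DisallowRun'

# Executables the policy is expected to block. msmsgs.exe comes from the post;
# the second entry is a constructed placeholder to be replaced with real names.
$expected = @('msmsgs.exe', 'example-messenger.exe')

function Get-DisallowRunList {
    # The policy stores each blocked executable as a numbered string value
    # ("1", "2", ...) under the DisallowRun subkey.
    if (-not (Test-Path $listKey)) { return }
    $key = Get-Item -Path $listKey
    $key.GetValueNames() | ForEach-Object { $key.GetValue($_) } | Where-Object { $_ }
}

function Test-DisallowRunEnabled {
    # The list is only enforced when the DisallowRun DWORD under Explorer is 1.
    if (-not (Test-Path $explorerKey)) { return $false }
    $props = Get-ItemProperty -Path $explorerKey -Name DisallowRun -ErrorAction SilentlyContinue
    return ($null -ne $props -and $props.DisallowRun -eq 1)
}

$enabled = Test-DisallowRunEnabled
$blocked = @(Get-DisallowRunList)

# -notcontains compares case-insensitively, matching how file names behave on Windows.
$missing = @($expected | Where-Object { $blocked -notcontains $_ })

[pscustomobject]@{
    User          = "$env:USERDOMAIN\$env:USERNAME"
    PolicyEnabled = $enabled
    BlockedCount  = $blocked.Count
    Blocked       = ($blocked -join ', ')
    MissingFromGP = ($missing -join ', ')
} | Format-List

if (-not $enabled) {
    Write-Warning 'DisallowRun is not enabled for this user; check that the GPO is linked to the OU holding the user account.'
} elseif ($missing.Count -gt 0) {
    Write-Warning "Policy is enabled but does not list: $($missing -join ', ')"
}
```

Because this is a User Configuration policy, run the check in the session of one of the restricted library accounts rather than as the administrator who edited the GPO.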
 
It is a common misconception that users require admin rights on a PC in order to install applications. It simply doesn't work that way. Power Users can also install most applications. There are even some applications that can be installed with only User privileges.

What truly determines whether an application can be installed is how the application installs. Does it write to the registry? Does it write to other system areas? Does it need to create new directories? Those are the things that determine what an application needs to be installed, not whether a user has admin rights.

There are some programs that only need to be copied to a system, i.e., they'd run just fine with the executable sitting on the desktop (or in My Documents, for that matter). Others may need to create a directory, but that directory could be placed anywhere, not just in C:\Program Files.

I have noticed a trend where fewer and fewer applets need any sort of administrative rights to install. At my company I have specifically had problems with Hotbar, Abacast, and numerous other applications getting installed on our systems even without admin rights. Usually it is the spyware/adware/scumware that requires the lowest level of privileges to be installed. I imagine that is mainly because the goal is to generate revenue by getting them installed on as many systems as possible, even those that would normally be restricted.

The worst part of all of this is that even today, most non-MS applications STILL will not run without at least Power User privileges, and there are still many that require admin rights. The situation is even worse when you start getting into vertical market applications.
 
Oh yeah, to answer your question, there's not much you can do. I run Windows 2000 servers and Windows XP workstations, and short of getting third-party software to specify a list of executable files that are permitted to be executed (blocking everything else), there's nothing I can do. I hear that Windows 2003 Server has better GPO settings for software restrictions that will lock things down, but I haven't tested it yet.

You might look at APPSEC.EXE from the Windows 2000 Server Resource Kit. It might work for general use, but it was designed for use on Terminal Servers. I decided not to bother.
 