Run only allowed Windows applications

Archived from groups: microsoft.public.win2000.group_policy

I am interested in enabling the 'run only allowed apps' policy.
How do I go about finding all the .exe's that are necessary?

Is there somewhere a list of required .exe's for office2003, IE6,
Macromedia, HP printers etc?

Thanks
  1.

    If you happen to have any XP Pro computers, look into using Software
    Restriction Policies instead. It can be difficult to track down all the
    files involved. I don't know of the list you request but you can use the
    free filemon utility from SysInternals which monitors file use in real time.
    The logs will be huge but you should be able to spot the .exe files that are
    used. Don't forget files for Windows Updates and antivirus software. ---
    Steve

    http://www.sysinternals.com/ntw2k/source/filemon.shtml

    "Fabrussio" <Fabrussio@discussions.microsoft.com> wrote in message
    news:4A2BBD1A-E4F7-4CD7-AEBF-A4528D0319CA@microsoft.com...
    >I am interested in enabling the 'run only allowed apps' policy.
    > How do I go about finding all the .exe's that are necessary?
    >
    > Is there somewhere a list of required .exe's for office2003, IE6,
    > Macromedia, HP printers etc?
    >
    > Thanks
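    One way to build the list from the machine itself rather than from a vendor list, as an added example that is not part of the thread or of Steve's advice: it enumerates the .exe names under the install roots, drops the tools you are trying to block, and writes the result in the policy's own registry form (HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\RestrictRun, one string value per name, numbered from 1, plus RestrictRun=1 on the parent key). The roots, the blocked-name list and the HKCU target are assumptions; in a domain the GPO writes the same values. The policy matches on the bare file name and is enforced only for launches that go through Explorer, so a copied regedit.exe renamed to a listed name still runs; treat this list as a convenience control, not a boundary.

```powershell
# Added example (not from the thread). Builds the "Run only allowed Windows
# applications" list from the executables actually installed and writes it
# as the policy's registry representation. Roots, blocked names and the HKCU
# target are assumptions for this example.
$Roots   = @("$env:ProgramFiles", "$env:SystemRoot")
$Blocked = @('regedit.exe', 'regedt32.exe', 'cmd.exe', 'mmc.exe')   # never allowlist these by name

function Get-InstalledExeNames {
    param([string[]] $Paths, [string[]] $Exclude = @())
    # The policy matches on the bare file name (e.g. 'winword.exe'), not on
    # the path, so the list is a set of names.
    Get-ChildItem -Path $Paths -Filter *.exe -Recurse -File -ErrorAction SilentlyContinue |
        ForEach-Object { $_.Name.ToLowerInvariant() } |
        Where-Object { $Exclude -notcontains $_ } |
        Sort-Object -Unique
}

function Write-RestrictRunPolicy {
    param(
        [Parameter(Mandatory)] [string[]] $ExeNames,
        [string] $Hive = 'HKCU:'      # per-user policy key; a GPO writes the same values
    )
    $explorer = Join-Path $Hive 'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    $list     = Join-Path $explorer 'RestrictRun'

    # Start from an empty list so names from an earlier run do not linger.
    if (Test-Path $list) { Remove-Item -Path $list -Recurse -Force }
    New-Item -Path $list -Force | Out-Null

    # One REG_SZ per allowed name, named "1", "2", ... as Explorer expects.
    $i = 0
    foreach ($name in $ExeNames) {
        $i++
        New-ItemProperty -Path $list -Name $i -Value $name -PropertyType String -Force | Out-Null
    }
    # RestrictRun = 1 switches enforcement on for launches made through Explorer.
    New-ItemProperty -Path $explorer -Name RestrictRun -Value 1 -PropertyType DWord -Force | Out-Null
    return $i
}

# Stage 1: gather and review. Anything users run from elsewhere (a
# \\server\apps$ share, updaters, antivirus) must be added by name; filemon
# or Process Monitor shows what actually gets launched.
$names  = Get-InstalledExeNames -Paths $Roots -Exclude $Blocked
$review = Join-Path $env:TEMP 'restrictrun-candidates.txt'
$names | Set-Content -Path $review
"Found $($names.Count) names; review $review, then run: Write-RestrictRunPolicy -ExeNames (Get-Content $review)"
```

    Review the candidate file before writing it: everything under %SystemRoot% includes helpers users have no business launching, and the policy cannot tell a genuine winword.exe from a renamed one.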
  2.

    I work in a school where security is always a problem. All our computers are
    W2K.
    The problem at the moment is students are bringing in regedit.exe on disk
    and running it, then importing .reg files that get around security set by GPO.
    If I did use 'run only allowed win apps' and they renamed their regedit.exe
    to winword.exe (which will be allowed, of course), would it still work for them?
    Any ideas of other 3rd party software that can get round these kinds of
    problems? We cannot upgrade to XP.

    Thanks

    "Steven L Umbach" wrote:

    > If you happen to have any XP Pro computers, look into using Software
    > Restriction Policies instead. It can be difficult to track down all the
    > files involved. I don't know of the list you request but you can use the
    > free filemon utility from SysInternals which monitors file use in real time.
    > The logs will be huge but you should be able to spot the .exe files that are
    > used. Don't forget files for Windows Updates and antivirus software. ---
    > Steve
    >
    > http://www.sysinternals.com/ntw2k/source/filemon.shtml
    >
    > "Fabrussio" <Fabrussio@discussions.microsoft.com> wrote in message
    > news:4A2BBD1A-E4F7-4CD7-AEBF-A4528D0319CA@microsoft.com...
    > >I am interested in enabling the 'run only allowed apps' policy.
    > > How do I go about finding all the .exe's that are necessary?
    > >
    > > Is there somewhere a list of required .exe's for office2003, IE6,
    > > Macromedia, HP printers etc?
    > >
    > > Thanks
    >
    >
    >
  3.

    Fabrussio <Fabrussio@discussions.microsoft.com> said

    > I work in a school where security is always a problem. all our computers
    > are w2k.
    > The problem at the moment is students are bringing in regedit.exe on
    > disk and running it, then importing .reg files that get around security
    > set by GPO. If I did use 'run only allowed win apps' and they rename
    > their regedit.exe to winword.exe (which will be allowed of course, will
    > it still work for them?) Any ideas of other 3rd party software that can
    > get round these kind of problems. We can not upgrade to XP.
    >

    You can still use software restriction policies to do this on Windows 2000.
    I have done this on the computers of some troublesome users I have.

    I don't have the details in front of me but IIRC it was something like:
    -Make sure drives are formatted NTFS
    -Make sure users do not have write or update access to c:\windows or c:
    \program files.
    -Use a GPO to prevent access to and hide the C drive from Explorer.
    -Set a default software restriction policy to disallow all applications.
    -Set another policy to allow .lnk and .url files to run from "c:\documents
    and settings" (this allows shortcuts to run from the users profiles -
    Desktop, Start menu etc.)
    -Create another policy to allow any executable to run from C:\Windows and
    subdirectories and "C:\Program Files" and subdirectories. As you have made
    sure the users can't save anything here you are pretty safe.

    When the users open Explorer they will only see their floppy drive, 'My
    Documents', and their CD-ROM (if they have one). They will not be able to
    run executables of any name from any of these locations and will not have
    permission to copy them to c:\windows or c:\program files to run them from
    there.
    They can copy them to their desktops but, as they can only run shortcuts
    from there, they still won't run.

    You should also look at the policy to prevent Registry Editing tools
    running. It won't stop all such tools but it will work with Regedit (even
    if renamed) and TweakUI.

    --

    Andy.
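    The step in the list above that carries the whole scheme is "users do not have write or update access" to the allowed roots: a path rule that allows everything under C:\Windows is only safe if no directory beneath it is writable by ordinary users. That is worth auditing rather than assuming, so here is an added example (not part of Andy's post) that walks the allowed roots and reports directories where ordinary-user principals hold create-file or create-directory rights. The roots and the principal list are assumptions; add your domain user groups.

```powershell
# Added example (not from the thread). Reports directories under the allowed
# roots where an ordinary user can create files or subdirectories. Roots and
# the principal list are assumptions; add your domain user groups.
$Roots = @("$env:SystemRoot", "$env:ProgramFiles")
$UserPrincipals = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users',
                    'NT AUTHORITY\INTERACTIVE')

# Rights that let a user drop an executable: CreateFiles (=WriteData) and
# CreateDirectories (=AppendData). Write, Modify and FullControl include both.
$DropRights = [int][System.Security.AccessControl.FileSystemRights]'CreateFiles, CreateDirectories'
# Some ACEs carry generic rights instead; GENERIC_WRITE and GENERIC_ALL grant the above.
$GenericWriteOrAll = 0x40000000 -bor 0x10000000

function Find-UserWritableDirectories {
    param([string[]] $Paths)
    foreach ($root in $Paths) {
        $dirs = @(Get-Item -LiteralPath $root) +
                @(Get-ChildItem -LiteralPath $root -Directory -Recurse -ErrorAction SilentlyContinue)
        foreach ($dir in $dirs) {
            try { $acl = Get-Acl -LiteralPath $dir.FullName -ErrorAction Stop } catch { continue }
            foreach ($ace in $acl.Access) {
                # Only Allow ACEs for the user principals matter here. A Deny
                # ACE earlier in the DACL could cancel one of these out, so
                # treat hits as candidates to confirm, not as proof.
                if ($ace.AccessControlType -ne 'Allow') { continue }
                if ($UserPrincipals -notcontains $ace.IdentityReference.Value) { continue }
                $rights = [int]$ace.FileSystemRights
                if ((($rights -band $DropRights) -ne 0) -or (($rights -band $GenericWriteOrAll) -ne 0)) {
                    [pscustomobject]@{
                        Path      = $dir.FullName
                        Principal = $ace.IdentityReference.Value
                        Rights    = $ace.FileSystemRights
                        Inherited = $ace.IsInherited
                    }
                }
            }
        }
    }
}

Find-UserWritableDirectories -Paths $Roots | Format-Table -AutoSize
```

    On most builds this turns up at least a few hits (directories such as %SystemRoot%\Temp are typically user-writable), and every hit needs either an ACL change or an explicit disallow rule for that path; otherwise "allow everything under C:\Windows" is a bypass waiting to be found. Note also that with a path rule the genuine C:\Windows\regedit.exe is itself allowed, which is why the registry-tools policy Andy mentions is still needed on top.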
  4.

    Hi Andrew.

    Your advice is right on, but unless you know something I don't about Windows
    2000 [entirely possible], Software Restriction Policies are not available for
    it. --- Steve


    "Andrew Mitchell" <amitchell@removecasey.vic.gov.au> wrote in message
    news:Xns95FB3DFBE61FAA12F32EDB83F@207.46.248.16...
    > Fabrussio <Fabrussio@discussions.microsoft.com> said
    >
    >> I work in a school where security is always a problem. all our computers
    >> are w2k.
    >> The problem at the moment is students are bringing in regedit.exe on
    >> disk and running it, then importing .reg files that get around security
    >> set by GPO. If I did use 'run only allowed win apps' and they rename
    >> their regedit.exe to winword.exe (which will be allowed of course, will
    >> it still work for them?) Any ideas of other 3rd party software that can
    >> get round these kind of problems. We can not upgrade to XP.
    >>
    >
    > You can still use software restriction policies to do this on Windows
    > 2000.
    > I have done this on the computers of some troublesome users I have.
    >
    > I don't have the details in front of me but IIRC it was something like:
    > -Make sure drives are formatted NTFS
    > -Make sure users do not have write or update access to c:\windows or c:
    > \program files.
    > -Use a GPO to prevent access to and hide the C drive from Explorer.
    > -Set a default software restriction policy to disallow all applications.
    > -Set another policy to allow .lnk and .url files to run from "c:\documents
    > and settings" (this allows shortcuts to run from the users profiles -
    > Desktop, Start menu etc.)
    > -Create another policy to allow any executable to run from C:\Windows and
    > subdirectories and "C:\Program Files" and subdirectories. As you have made
    > sure the users can't save anything here you are pretty safe.
    >
    > When the users open Explorer they will only see their floppy drive, 'My
    > Documents", and their CD-ROM (if they have one). They will not be able to
    > run executables of any name from any of these locations and will not have
    > permission to copy them to c:\windows or c:\program files to run them from
    > there.
    > They can copy them to their desktops but, as they can only run shortcuts
    > from there, they still won't run.
    >
    > You should also look at the policy to prevent Registry Editing tools
    > running. It won't stop all such tools but it will work with Regedit (even
    > if renamed) and TweakUI.
    >
    > --
    >
    > Andy.
  5.

    "Steven L Umbach" <n9rou@n0-spam-for-me-comcast.net> said

    > Hi Andrew.
    >
    > Your advice is right on but unless you know something I don't about
    > Windows 2000 [entirely possible] Software Restriction Policies are not
    > available for it.

    Hmmm. Looks like you are correct.
    I could have sworn they were there (in a cut down form) in W2k.

    The other thing you could do (if you have some programming skills) is to
    write a small dll that implements a system wide hook. Trap all calls to the
    WinExec or CreateProcess APIs and check the lpCmdLine parameter to see that
    they are executing applications in allowed locations. The permitted locations
    could be set using a custom GPO template. If they are not running from
    allowed locations don't pass the message on to Windows and the app will never
    run.

    I suspect the WindowsXP software restriction policy is doing a more complex
    version of this.

    --

    Andy.
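    The hard part of that design is not the hook but the decision it makes, so here is that decision as an added standalone function (not code from the thread, and not a hook: it is the check a hook would call, written so the edge cases can be exercised). The allowed roots are assumed from the locations named later in the thread; the input is the raw command-line string as lpCmdLine would carry it.

```powershell
# Added example (not from the thread). The allowed-location decision a
# CreateProcess/WinExec hook would make, written as a plain function so the
# edge cases can be exercised. Allowed roots are assumed from the thread.
$AllowedRoots = @('C:\WINNT', '\\server\apps$')

function Get-CommandLineImage {
    param([string] $CommandLine)
    # lpCmdLine begins with the image, quoted when the path contains spaces.
    $cl = $CommandLine.TrimStart()
    if ($cl.StartsWith('"')) {
        $end = $cl.IndexOf('"', 1)
        if ($end -lt 0) { return $null }           # unterminated quote
        return $cl.Substring(1, $end - 1)
    }
    # Unquoted: take the first token. CreateProcess itself would also try
    # "C:\Program Files\x.exe" for 'C:\Program Files\x.exe arg'; this
    # simpler parser fails closed on such inputs (see caller).
    return ($cl -split '\s+', 2)[0]
}

function Test-AllowedLocation {
    param([string] $CommandLine, [string[]] $Roots = $AllowedRoots)
    $image = Get-CommandLineImage -CommandLine $CommandLine
    if ([string]::IsNullOrEmpty($image)) { return $false }
    # Resolve relative paths, '..' and 8.3 short names (C:\PROGRA~1\...) to
    # the real long path. Comparing the raw string lets all three through.
    try { $full = (Get-Item -LiteralPath $image -ErrorAction Stop).FullName }
    catch { return $false }                         # cannot resolve: fail closed
    foreach ($root in $Roots) {
        # Trailing separator so C:\WINNT matches C:\WINNT\notepad.exe but not
        # C:\WINNTX\evil.exe; case-insensitive like the file system.
        $prefix = $root.TrimEnd('\') + '\'
        if ($full.StartsWith($prefix, [System.StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

# Exercise a few launches (the files must exist for Get-Item to resolve them).
@(
    '"C:\WINNT\notepad.exe" C:\temp\readme.txt',
    'C:\WINNT\system32\..\regedit.exe',
    'A:\winword.exe'
) | ForEach-Object { '{0,-45} allowed={1}' -f $_, (Test-AllowedLocation -CommandLine $_) }
```

    Two caveats a hook author needs. First, CreateProcess takes the image from lpApplicationName when the caller supplies it and passes lpCmdLine to the child untouched, so a check that looks only at lpCmdLine can be steered by the caller; check lpApplicationName first. Second, a hook DLL injected into the user's own processes runs at the user's privilege, and code running as that user can unload it or call the native API directly, so it is a deterrent rather than a boundary. The second sample line also shows why a path rule alone is not enough: the real regedit.exe under C:\WINNT is allowed by it, which is what the registry-tools policy is for.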
  6.

    Thanks for all your thoughts...unfortunately we are almost entirely Win2000;
    a Win2003 server upgrade is imminent, but our workstations are simply not up
    to an XP upgrade, and our budget (school) is simply not up to buying new
    hardware!

    As all machines work on a simple build, a very straightforward setting to
    allow all .exe files in C:\winnt\* (and \\server\apps$\*) but nowhere else
    would do the trick....I have no programming experience......are there no
    downloads/add-ins/tweaks that are possible?

    Thanks again

    "Andrew Mitchell" wrote:

    > "Steven L Umbach" <n9rou@n0-spam-for-me-comcast.net> said
    >
    > > Hi Andrew.
    > >
    > > Your advice is right on but unless you know something I don't about
    > > Windows 2000 [entirely possible] Software Restriction Policies are not
    > > available for it.
    >
    > Hmmm. Looks like you are correct.
    > I could have sworn they were there (in a cut down form) in W2k.
    >
    > The other thing you could do (if you have some programming skills) is to
    > write a small dll that implements a system wide hook. Trap all calls to the
    > WinExec or CreateProcess API's and check the lpCmdLine parameter to see that
    > they are executing applications in allowed locations. The permitted locations
    > could be set using a custom GPO template. If they are not running from
    > allowed locations don't pass the message on to Windows and the app will never
    > run.
    >
    > I suspect the WindowsXP software restriction policy is doing a more complex
    > version of this.
    >
    > --
    >
    > Andy.
    >
  7.

    Hi,

    >I work in a school where security is always a problem. all our
    >computers are w2k. The problem at the moment is students are bringing
    >in regedit.exe on disk and running it, then importing .reg files that
    >get around security set by GPO. If I did use 'run only allowed
    >win apps' and they rename their regedit.exe to winword.exe
    >(which will be allowed of course, will it still work for them?) Any
    >ideas of other 3rd party software that can get round these kind of
    >problems. We can not upgrade to XP.
    >Thanks

    Make sure you enable the Group Policy setting User Configuration - Administrative
    Templates - System - Prevent access to registry editing tools: Enabled

    This will give them the error "Registry Editing has been disabled by
    your Administrator" when they try to run Regedit (or any renamed form
    of it). I have tested it and it works.

    The other idea is to set Mandatory Profiles. By default users only
    have write access to the HKEY_CURRENT_USER settings. However, with
    Mandatory Profiles any changes are deleted on logoff. My website
    talks about how to do that: http://www.sd61.bc.ca/windows2000

    Also, check out my Group Policy settings. They are pretty restrictive.
    http://www.sd61.bc.ca/windows2000/downloads/grouppolicysettings.doc

    Cheers,

    Lara

    --
    Posted using the http://www.windowsforumz.com interface, at author's request
    Topic URL: http://www.windowsforumz.com/Group-Policy-run-allowed-windows-applications-ftopict263189.html