run only allowed windows applications

Guest
Archived from groups: microsoft.public.win2000.group_policy

I am interested in enabling the 'run only allowed apps' policy.
How do I go about finding all the .exe's that are necessary?

Is there somewhere a list of required .exe's for office2003, IE6,
Macromedia, HP printers etc?

Thanks
 
Guest

If you happen to have any XP Pro computers, look into using Software
Restriction Policies instead. It can be difficult to track down all the
files involved. I don't know of the list you request but you can use the
free filemon utility from SysInternals which monitors file use in real time.
The logs will be huge but you should be able to spot the .exe files that are
used. Don't forget files for Windows Updates and antivirus software. ---
Steve

http://www.sysinternals.com/ntw2k/source/filemon.shtml

"Fabrussio" <Fabrussio@discussions.microsoft.com> wrote in message
news:4A2BBD1A-E4F7-4CD7-AEBF-A4528D0319CA@microsoft.com...
>I am interested in enabling the 'run only allowed apps' policy.
> How do I go about finding all the .exe's that are necessary?
>
> Is there somewhere a list of required .exe's for office2003, IE6,
> Macromedia, HP printers etc?
>
> Thanks
 
Guest

I work in a school where security is always a problem. All our computers are
w2k.
The problem at the moment is students are bringing in regedit.exe on disk
and running it, then importing .reg files that get around security set by GPO.
If I did use 'run only allowed win apps' and they rename their regedit.exe
to winword.exe (which will be allowed of course), will it still work for them?
Any ideas of other 3rd party software that can get round these kinds of
problems? We cannot upgrade to XP.

Thanks

"Steven L Umbach" wrote:

> If you happen to have any XP Pro computers, look into using Software
> Restriction Policies instead. It can be difficult to track down all the
> files involved. I don't know of the list you request but you can use the
> free filemon utility from SysInternals which monitors file use in real time.
> The logs will be huge but you should be able to spot the .exe files that are
> used. Don't forget files for Windows Updates and antivirus software. ---
> Steve
>
> http://www.sysinternals.com/ntw2k/source/filemon.shtml
>
> "Fabrussio" <Fabrussio@discussions.microsoft.com> wrote in message
> news:4A2BBD1A-E4F7-4CD7-AEBF-A4528D0319CA@microsoft.com...
> >I am interested in enabling the 'run only allowed apps' policy.
> > How do I go about finding all the .exe's that are necessary?
> >
> > Is there somewhere a list of required .exe's for office2003, IE6,
> > Macromedia, HP printers etc?
> >
> > Thanks
>
>
>
 
Guest

"Fabrussio" <Fabrussio@discussions.microsoft.com> said

> I work in a school where security is always a problem. all our computers
> are w2k.
> The problem at the moment is students are bringing in regedit.exe on
> disk and running it, then importing .reg files that get around security
> set by GPO. If I did use 'run only allowed win apps' and they rename
> their regedit.exe to winword.exe (which will be allowed of course, will
> it still work for them?) Any ideas of other 3rd party software that can
> get round these kind of problems. We can not upgrade to XP.
>

You can still use software restriction policies to do this on Windows 2000.
I have done this on the computers of some troublesome users I have.

I don't have the details in front of me but IIRC it was something like:
-Make sure drives are formatted NTFS
-Make sure users do not have write or update access to c:\windows or
c:\program files.
-Use a GPO to prevent access to and hide the C drive from Explorer.
-Set a default software restriction policy to disallow all applications.
-Set another policy to allow .lnk and .url files to run from "c:\documents
and settings" (this allows shortcuts to run from the users profiles -
Desktop, Start menu etc.)
-Create another policy to allow any executable to run from C:\Windows and
subdirectories and "C:\Program Files" and subdirectories. As you have made
sure the users can't save anything here you are pretty safe.

When the users open Explorer they will only see their floppy drive, 'My
Documents', and their CD-ROM (if they have one). They will not be able to
run executables of any name from any of these locations and will not have
permission to copy them to c:\windows or c:\program files to run them from
there.
They can copy them to their desktops but, as they can only run shortcuts
from there, they still won't run.

You should also look at the policy to prevent Registry Editing tools
running. It won't stop all such tools but it will work with Regedit (even
if renamed) and TweakUI.

--

Andy.
 
Guest

Hi Andrew.

Your advice is right on but unless you know something I don't about Windows
2000 [entirely possible] Software Restriction Policies are not available for
it. --- Steve


"Andrew Mitchell" <amitchell@removecasey.vic.gov.au> wrote in message
news:Xns95FB3DFBE61FAA12F32EDB83F@207.46.248.16...
> "Fabrussio" <Fabrussio@discussions.microsoft.com> said
>
>> I work in a school where security is always a problem. all our computers
>> are w2k.
>> The problem at the moment is students are bringing in regedit.exe on
>> disk and running it, then importing .reg files that get around security
>> set by GPO. If I did use 'run only allowed win apps' and they rename
>> their regedit.exe to winword.exe (which will be allowed of course, will
>> it still work for them?) Any ideas of other 3rd party software that can
>> get round these kind of problems. We can not upgrade to XP.
>>
>
> You can still use software restriction policies to do this on Windows
> 2000.
> I have done this on the computers of some troublesome users I have.
>
> I don't have the details in front of me but IIRC it was something like:
> -Make sure drives are formatted NTFS
> -Make sure users do not have write or update access to c:\windows or
> c:\program files.
> -Use a GPO to prevent access to and hide the C drive from Explorer.
> -Set a default software restriction policy to disallow all applications.
> -Set another policy to allow .lnk and .url files to run from "c:\documents
> and settings" (this allows shortcuts to run from the users profiles -
> Desktop, Start menu etc.)
> -Create another policy to allow any executable to run from C:\Windows and
> subdirectories and "C:\Program Files" and subdirectories. As you have made
> sure the users can't save anything here you are pretty safe.
>
> When the users open Explorer they will only see their floppy drive, 'My
> Documents', and their CD-ROM (if they have one). They will not be able to
> run executables of any name from any of these locations and will not have
> permission to copy them to c:\windows or c:\program files to run them from
> there.
> They can copy them to their desktops but, as they can only run shortcuts
> from there, they still won't run.
>
> You should also look at the policy to prevent Registry Editing tools
> running. It won't stop all such tools but it will work with Regedit (even
> if renamed) and TweakUI.
>
> --
>
> Andy.
 
Guest

"Steven L Umbach" <n9rou@n0-spam-for-me-comcast.net> said

> Hi Andrew.
>
> Your advice is right on but unless you know something I don't about
> Windows 2000 [entirely possible] Software Restriction Policies are not
> available for it.

Hmmm. Looks like you are correct.
I could have sworn they were there (in a cut down form) in W2k.

The other thing you could do (if you have some programming skills) is to
write a small dll that implements a system wide hook. Trap all calls to the
WinExec or CreateProcess API's and check the lpCmdLine parameter to see that
they are executing applications in allowed locations. The permitted locations
could be set using a custom GPO template. If they are not running from
allowed locations don't pass the message on to Windows and the app will never
run.

I suspect the WindowsXP software restriction policy is doing a more complex
version of this.

--

Andy.
 
Guest

Thanks for all your thoughts...unfortunately we are almost entirely win2000,
a win2003 server upgrade is imminent but our workstations are simply not up
to an XP upgrade, and our budget (school) is simply not up to buying new
hardware!

As all machines work on a simple build, a very straightforward setting to
allow all .exe files in C:\winnt\* (and \\server\apps$\*) but nowhere else
would do the trick....I have no programming experience......are there no
downloads\addins\tweaks that are possible?

Thanks again

"Andrew Mitchell" wrote:

> "Steven L Umbach" <n9rou@n0-spam-for-me-comcast.net> said
>
> > Hi Andrew.
> >
> > Your advice is right on but unless you know something I don't about
> > Windows 2000 [entirely possible] Software Restriction Policies are not
> > available for it.
>
> Hmmm. Looks like you are correct.
> I could have sworn they were there (in a cut down form) in W2k.
>
> The other thing you could do (if you have some programming skills) is to
> write a small dll that implements a system wide hook. Trap all calls to the
> WinExec or CreateProcess API's and check the lpCmdLine parameter to see that
> they are executing applications in allowed locations. The permitted locations
> could be set using a custom GPO template. If they are not running from
> allowed locations don't pass the message on to Windows and the app will never
> run.
>
> I suspect the WindowsXP software restriction policy is doing a more complex
> version of this.
>
> --
>
> Andy.
>
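
The location check Andy describes for a process-creation hook, applied to the two roots Fabrussio names (C:\winnt and \\server\apps$), as an added example that is not code from any poster in this thread. It is portable C in which a lexical `normalize()` stands in for Windows path canonicalisation; the function names and test paths are illustrative assumptions.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Allowed roots from the thread; the trailing '\' stops c:\winnt_evil\ matching. */
static const char *ALLOWED[] = { "c:\\winnt\\", "\\\\server\\apps$\\" };

/* Lexical stand-in for Win32 canonicalisation (assumption: a real hook would
   ask Windows for the full long path). Lower-cases, unifies separators, drops
   doubled separators, resolves "." and "..". -1 on overflow or ".." past root. */
static int normalize(const char *in, char *out, size_t cap) {
    size_t n = 0, i, len;
    while (*in) {
        len = strcspn(in, "\\/");                 /* length of next segment */
        if (len == 2 && in[0] == '.' && in[1] == '.') {
            if (n > 0) n--;                       /* step over trailing '\' */
            while (n > 0 && out[n - 1] != '\\') n--;
            if (n == 0) return -1;                /* climbed past the root */
        } else if (!(len == 1 && in[0] == '.') && (len > 0 || n < 2)) {
            if (n + len + 2 > cap) return -1;
            for (i = 0; i < len; i++) out[n++] = (char)tolower((unsigned char)in[i]);
            if (in[len]) out[n++] = '\\';
        }
        in += len + (in[len] != '\0');
    }
    out[n] = '\0';
    return 0;
}

/* Returns 1 if the program at the start of a command line sits under an
   allowed root, else 0. The file name itself is never consulted. */
int is_allowed(const char *cmdline) {
    char exe[260], norm[262];
    size_t i, len;
    if (*cmdline == '"') len = strcspn(++cmdline, "\"");
    else len = strcspn(cmdline, " \t");  /* simplification for unquoted paths */
    if (len == 0 || len >= sizeof exe) return 0;
    memcpy(exe, cmdline, len);
    exe[len] = '\0';
    if (normalize(exe, norm, sizeof norm) != 0) return 0;   /* fail closed */
    for (i = 0; i < sizeof ALLOWED / sizeof *ALLOWED; i++)
        if (strncmp(norm, ALLOWED[i], strlen(ALLOWED[i])) == 0) return 1;
    return 0;
}

int main(void) {
    printf("%d %d\n", is_allowed("A:\\winword.exe"),
           is_allowed("C:\\WINNT\\system32\\notepad.exe"));
    return 0;
}
```

Because the decision rests on location alone, it only holds if users cannot write anywhere under the allowed roots, which is the NTFS permission step in Andy's earlier list.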
 
Guest

Hi,

>I work in a school where security is always a problem. all our
>computers are w2k. The problem at the moment is students are bringing
>in regedit.exe on disk and running it, then importing .reg files that
>get around security set by GPO. If I did use 'run only allowed
>win apps' and they rename their regedit.exe to winword.exe
>(which will be allowed of course, will it still work for them?) Any
>ideas of other 3rd party software that can get round these kind of
>problems. We can not upgrade to XP.
>Thanks

Make sure you enable the Group Policy User Config - Admin
Templates - System - Prevent access to Registry Editing Tools - Enabled

This will give them the error "Registry Editing has been disabled by
your Administrator" when they try to run Regedit (or any renamed form
of it). I have tested it and it works.

The other idea is to set Mandatory Profiles. By default users only
have write access to the HKCurrent User setting. However, with
Mandatory Profiles any changes are deleted on Logoff. My website
talks about how to do that: http://www.sd61.bc.ca/windows2000

Also, check out my Group Policy settings. They are pretty restrictive.
http://www.sd61.bc.ca/windows2000/downloads/grouppolicysettings.doc

Cheers,

Lara
