Sign in with
Sign up | Sign in
Your question

Power User Security - Lock Down App Installs

Last response: in Windows 2000/NT
Share
December 9, 2004 10:53:12 AM

Archived from groups: microsoft.public.win2000.security (More info?)

There are many appliacations in my environment that require users to be
members of the "Power Users" group.

How can I lock down these users so that they cannot install unapproved
software?
December 9, 2004 11:48:25 PM

Archived from groups: microsoft.public.win2000.security (More info?)

"Nick" <Nick@discussions.microsoft.com> wrote in message
news:381B28E0-3911-4159-B222-DDA2B24DC5E3@microsoft.com...
> There are many appliacations in my environment that require users to be
> members of the "Power Users" group.
>
> How can I lock down these users so that they cannot install unapproved
> software?

Nick

one possible solution is to trace where these apps read/write by means of
filemon/regmon (www.sysinternals.com), change the ACLs and then remove the
users from the Power Users group. One disadvantage of this solution is that
you will basically have to open the ACLs to everyone.

Another solution, not free, is our own product which allows you to manage
privileges on a per-application basis.

cheers,

Marco
www.neovalens.com
Anonymous
a b 8 Security
December 11, 2004 2:40:26 AM

Archived from groups: microsoft.public.win2000.security (More info?)

If you can not modify the application permissions to run as a regular user
which usually are permissions to the application folder, registry key in
local machine, and/or all users profile then your options are to use
Software Restriction Policies on XP Pro computers only or to look at the
Group Policy options under user configuration/administrative
templates/system for do not run these Windows applications or run only these
Windows applications. It can help to add install.exe and setup.exe to the
disallowed Windows applications list. Another option is a strict computer
user policy with stated consequences. --- Steve


"Nick" <Nick@discussions.microsoft.com> wrote in message
news:381B28E0-3911-4159-B222-DDA2B24DC5E3@microsoft.com...
> There are many appliacations in my environment that require users to be
> members of the "Power Users" group.
>
> How can I lock down these users so that they cannot install unapproved
> software?
Related resources
!