/ Sign-up
Your question

Group policy - block flash install

  • Facebook
  • Networking
Last response: in Networking
May 6, 2009 3:11:06 AM

Sorry if I posted this in the wrong Category - couldn't really find one that fit :wahoo: 

Very recently the organization has allowed users access to FaceBook and MySpace because these tools are more and more being used by companies to get their name out there for free. They are great online collaboration tools for people, communities and organizations to come together.

Anyone that's used FaceBook knows that they have a ton of "apps" and it prompts you to "Allow" the install of these apps before proceeding.
A user in our organization allowed an app to install and then became infected by the koobface worm which is picked up from FaceBook and MySpace.
Yes our anti-virus saw it recognized it by why it allowed it through is another story for another day...
We have since blocked access to FaceBook and MySpace.

Today we noticed that users were installing Yammer desktop client on their desktops without prior authorization. This is installed via Flash as well.

The users are "Power Users" on the machines and I would like to block these Flash downloads via Group Policy.
Is anyone else running into the same problem with Flash installs even if they aren't administrators?
Has anyone else blocked Flash installs via Group Policy and can provide some insight?
Any other ideas on how to block/prevent this from occurring again?

Thank you all so very much for taking your time to read this and thank you in advance for any feedback.

More about : group policy block flash install

May 6, 2009 3:45:13 PM

Group policy might be your easiest bet. Although do these users need to be able to install software on their own or does the organization provide them the software?

You can run gpedit.msc, expand computer configurations and administrative
templates, click on windows installer, in the right hand pane you will see
prohibit installs double click and enable it. If you are running a domain
the must be done on the domain controller.

Otherwise you can create a proxy server and have all users IE browsers point to this server when going out to the Internet. Then just filter out site/apps that you do not want them to have access to.
May 6, 2009 9:59:31 PM

That's the whole thing on this is that the users do NOT have the ability to install software so they are forced to come to us if they want / need anything.
These Flash installs are happening without administrator rights so they can install these at will without us knowing.
This is why I am wanting to know the best practice to blocking unsafe Flash installs. If I block all flash installs my call volume will go up dramatically about "how come I can't see this web page", etc.
Surely their must be a way to block these unsafe flash files and I really don't care to block all flash and then add Class IDs of the safe flash installers because that would be a full time job in itself.

Thanks very much for your response Zakkas, I will be exploring the proxy server idea as well.
August 2, 2012 6:18:01 PM

This topic has been closed by Mousemonkey