Installation

Guest

How would I set up an AD group policy to restrict users from installing
programs? My goal is to prevent users from installing spyware.
 
My approach was to use the following to restrict running *.msi, msiexec.exe,
setup.exe and install.exe, and disable Windows Installer. But I think this
will not be very effective on spyware, since spyware usually doesn't carry names
like setup or install.

User Config\Administrative Templates\System\Don't run specified Windows
applications

"Prevents Windows from running the programs you specify in this setting. If
you enable this setting, users cannot run programs that you add to the list
of disallowed applications. This setting only prevents users from running
programs that are started by the Windows Explorer process. It does not
prevent users from running programs, such as Task Manager, that are started
by the system process or by other processes. Also, if you permit users to
gain access to the command prompt, Cmd.exe, this setting does not prevent
them from starting programs in the command window that they are not permitted
to start by using Windows Explorer. Note: To create a list of disallowed
applications, click Show, click Add, and then enter the application
executable name (e.g., Winword.exe, Poledit.exe, Powerpnt.exe)."

Comp Config\Administrative Templates\Windows Components\Windows
Installer\Disable Windows Installer

"Disables or restricts the use of Windows Installer. This setting can
prevent users from installing software on their systems or permit users to
install only those programs offered by a system administrator. If you enable
this setting, you can use the options in the Disable Windows Installer box to
establish an installation setting. -- The Never option indicates Windows
Installer is fully enabled. Users can install and upgrade software. This is
the default behavior for Windows Installer on Windows 2000 Professional and
Windows XP Professional when the policy is not configured. -- The For
non-managed apps only option permits users to install only those programs
that a system administrator assigns (offers on the desktop) or publishes
(adds them to Add or Remove Programs). This is the default behavior of
Windows Installer on Windows Server 2003 family when the policy is not
configured. -- The Always option indicates that Windows Installer is
disabled. This setting affects Windows Installer only. It does not prevent
users from using other methods to install and upgrade programs."

BR,
Denis
 
1. You could remove their ability to install software - like Denis
pointed out

2. A lot of spyware comes in the form of IE BHOs. You can disable -
"Enable 3rd party Browser Extensions" from IE - Tools - Options

3. You can lock down the Internet zone to not allow any apps from
being run from there

4. Evaluate how many users need IE/Internet Web Access

5. Consider Mozilla/Firefox as an alternate Web Browser if all/most
users need Web Browsing access

--
+----------------------------------+
I reply at the news groups only on weekends. If you need to contact
me, I'm available on MSN Messenger at heygautam at hotmail
Thanks
Gautam Anand
+----------------------------------+
| How would I set up an AD group policy to restrict users from installing
| programs? My goal is to prevent users from installing spyware.
 
Or there's option 6 that nobody mentioned yet... don't give the users
admin/power user rights to the workstation, and they won't be able to
install anything.... at least I don't think they should.

Ken
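
A way to check on a workstation which of the controls mentioned in this thread are actually in effect (an added example, not code from any poster). It assumes Windows PowerShell 5.1 or later and the standard registry values that back the two quoted policies; the function name `Get-InstallRestrictionAudit` is hypothetical.

```powershell
# Added example: audit the install-restriction settings discussed in this thread.
function Get-InstallRestrictionAudit {
    # "Disable Windows Installer" (Computer Configuration) is stored as DisableMSI.
    $msiKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer'
    $msi     = (Get-ItemProperty -Path $msiKey -Name DisableMSI -ErrorAction SilentlyContinue).DisableMSI
    $meaning = @{ 0 = 'Never'; 1 = 'For non-managed apps only'; 2 = 'Always' }
    $msiState = if ($null -eq $msi) { 'Not configured (OS default applies)' }
                else { $meaning[[int]$msi] }

    # "Don't run specified Windows applications" (User Configuration) is stored as
    # DisallowRun = 1 plus a DisallowRun subkey holding the executable names.
    $expKey  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    $enabled = (Get-ItemProperty -Path $expKey -Name DisallowRun -ErrorAction SilentlyContinue).DisallowRun
    $blocked = @()
    if ($enabled -eq 1 -and (Test-Path "$expKey\DisallowRun")) {
        $key     = Get-Item "$expKey\DisallowRun"
        $blocked = @($key.GetValueNames() | ForEach-Object { $key.GetValue($_) })
    }

    # Membership of the two local groups named in the last reply, looked up by
    # well-known SID so the check also works on localized Windows builds.
    $admins = @(Get-LocalGroupMember -SID 'S-1-5-32-544' -ErrorAction SilentlyContinue |
                Select-Object -ExpandProperty Name)
    $power  = @(Get-LocalGroupMember -SID 'S-1-5-32-547' -ErrorAction SilentlyContinue |
                Select-Object -ExpandProperty Name)

    [pscustomobject]@{
        Computer            = $env:COMPUTERNAME
        CurrentUser         = "$env:USERDOMAIN\$env:USERNAME"
        DisableMSI          = $msiState
        DisallowRunEnabled  = ($enabled -eq 1)
        # Name-based list only: per the policy text it applies to programs
        # started by Windows Explorer and matches on executable name.
        DisallowRunNames    = $blocked -join ', '
        LocalAdministrators = $admins -join ', '
        PowerUsers          = $power -join ', '
    }
}

Get-InstallRestrictionAudit | Format-List
```

Run it in the session of the user being checked, since the DisallowRun list is read from that user's HKCU hive.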
 