Program Install LOCK DOWN for Win 2000 Users

Roger W

Is there a way, using Security Permissions and
GPEDITOR, that we can prevent regular users from being able
to install ANY application? We want to prevent the
installation of ALL programs (from programs from the internet, like
Webshots, Weatherbug, Yahoo Messenger etc., to
programs installed from CDs or floppies).

Is this possible?? (without the use of Active Directory!!!)

Roger W
Network Support
 
The best solution is to upgrade to XP Pro and use Software Restriction Policies which
are very powerful in restricting such via hash, certificate, and path rules. See the
link below for info on that.

http://support.microsoft.com/?kbid=310791

For W2K it is much more difficult but the following can help. Some "applications" may
be a single executable file, which is almost impossible to prevent.

-- Do not give users rights beyond belonging to the default users group.

-- Change NTFS permissions on the root/drive folder to be no more than
read/list/execute for users/everyone, being sure to check advanced NTFS permissions
also.

-- Use Local Group Policy [gpedit.msc] to populate the disallowed Windows
applications list in user configuration/administrative templates/system, keeping in
mind that by default local Group Policy applies to ALL users including administrators,
though there are a couple of workarounds. Be sure to also put command.com, install.exe and
setup.exe in the list and read the full explanation of the policy setting and what it
does. You may also want to disable the command prompt and registry editing while
there, again reading the full explanation.

http://support.microsoft.com/default.aspx?scid=KB;EN-US;Q293655&
http://support.microsoft.com/default.aspx?scid=kb;en-us;323525

-- Consider using IPsec filtering via Local Security Policy or a personal firewall
that can map rules to applications protected via an MD5 hash to prevent users from
using unauthorized internet applications if they do somehow install some.

-- Consider modifying the NTFS permissions on the user's profile folder to prevent
them from creating folders. This would have to be done via NTFS advanced/special
permissions and may interfere with user functionality or may not. The benefit is that
many applications need to create folders during an installation and that may prevent
those installations from succeeding. It did work on a test computer of mine.

-- Users can easily become local administrators with free programs if they can boot
to an alternate device such as cdrom or floppy. Therefore it is recommended that you
allow only booting from the hard drive in CMOS, password protect the CMOS settings, and lock
the computer case to prevent access to the CMOS reset jumper or hard drive removal.
If possible also disable USB in CMOS and use a registry setting or Group Policy to
disable auto run for the cdrom. --- Steve
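
An added example, not part of the original posts: a Python check, meant to be run on an admin workstation over a regedit export of a user's policy keys, that reports which of the Group Policy settings recommended above (disallowed applications list, command prompt, registry editing) are missing. The registry paths and value names are the ones these gpedit.msc settings are known to write, treating a `DisableRegistryTools` value of 1 as "disabled" is an assumption, and the sample export is constructed.

```python
import re

# Constructed sample of a regedit export (not real data): the disallowed list
# lacks install.exe and the command-prompt policy key is absent.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"DisallowRun"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun]
"1"="COMMAND.COM"
"2"="setup.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000001
'''
EXPLORER = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
SYSTEM = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System"
CMD = r"HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System"
REQUIRED = ("command.com", "install.exe", "setup.exe")  # names listed in the post

def parse_reg(text):
    """Return {key_path_lower: {value_name_lower: str | int}} from a .reg export."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None:
            m = re.match(r'"([^"]+)"=(?:dword:([0-9a-fA-F]{8})|"(.*)")$', line)
            if m:
                name, dword, string = m.groups()
                current[name.lower()] = int(dword, 16) if dword else string
    return keys

def audit(text):
    """List the gaps between the export and the settings the post recommends."""
    keys = parse_reg(text)
    get = lambda key, name: keys.get(key.lower(), {}).get(name.lower())
    findings = []
    if get(EXPLORER, "DisallowRun") != 1:
        findings.append("disallowed-applications policy not enabled")
    entries = keys.get((EXPLORER + r"\DisallowRun").lower(), {}).values()
    listed = {str(v).lower() for v in entries}  # file names compare case-insensitively
    findings += [f"{n} missing from disallowed list" for n in REQUIRED if n not in listed]
    if get(CMD, "DisableCMD") not in (1, 2):  # 2 = prompt disabled, batch files allowed
        findings.append("command prompt not disabled")
    if get(SYSTEM, "DisableRegistryTools") != 1:
        findings.append("registry editing not disabled")
    return findings
```

Because local Group Policy on W2K applies to every user, the same check can be run against an administrator's export to confirm a workaround has not left that account restricted.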
 