Software Restriction Policies


Matt Ball

I am running Windows 2000 Advanced Server (SP4) and Windows 2000 Pro (SP4)
clients. I would like to restrict certain programs (i.e. telnet) for one of
my Global Groups.

I understand that in Windows 2003 Server there is a Global Policy setting
(http://support.microsoft.com/default.aspx?kbid=324036) where you can enter
the path of any application you want blocked from use. But that setting is
not in Advanced Server 2000. Does anyone know of a workaround for this?
Can I block an executable for a group somehow?
 
Matt,

2003's new feature for Software Restriction is supposed to solve these
issues... However I am not able to use it in the way I would like, nor has
there been any help forthcoming in the newsgroups to date...

In 2000 however... the only way that I know of is still using the Restrict
Run List... which was available in NT 4 as well... You can set the setting
in Policy, the drawback being it is restricted through the Windows Shell
ONLY... which means if they execute through a command prompt... well they
have full unfettered access... You have to do some trickery to avoid them
running cmd.exe... Take away command prompt so they cannot access command
line interfaces...

Stew Basterash
 
There is no workaround. You can however use Software Restriction Policies on XP Pro
computers in a W2K domain by managing the policy from an XP Pro domain member. For W2K
you will have to rely on NTFS permissions [which is hard as users can usually
copy/execute some programs from their user profile] and populating the disallowed
Windows Program list [or only run allowed programs, which can take quite a bit of
tweaking; read the details list for both settings]. You can see these settings
under user configuration/administrative templates/system. This is not foolproof, as if
a user is able to change a file's name they may still be able to execute it. While
there you should also consider disabling the command prompt and adding command.com to
the disallowed list. Another possibility is to use IPsec filtering policy, which is
machine configuration, to block access to telnet, etc. from all but allowed IP
addresses. --- Steve

http://support.microsoft.com/default.aspx?scid=kb;en-us;323525
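The two Group Policy settings Stew and Steve point at ("Don't run specified Windows applications" / "Run only allowed Windows applications" and "Disable the command prompt") are just per-user registry values that Explorer and cmd.exe consult, and the NTFS deny Steve suggests is a normal ACE on the binary. The script below is an added example, not code from any of the posters; it writes those values for the current user on one machine so you can see exactly what a GPO would push, and adds the NTFS deny. The group name CONTOSO\NoTelnet and the extra file names alongside telnet.exe are placeholders. Run it elevated on the client being tested; in production the HKCU part belongs in a GPO linked to the OU or filtered to the group, not in a script.

```powershell
# Added example (not from the original thread). Shows what the Explorer
# "disallowed applications" policy and "Disable the command prompt" policy write
# to the per-user registry, and puts an NTFS deny ACE on the binary itself.
# Assumptions (placeholders): restricted group 'CONTOSO\NoTelnet'; the blocked
# programs are telnet.exe, tftp.exe and ftp.exe under %SystemRoot%\System32.

$blocked  = @('telnet.exe', 'tftp.exe', 'ftp.exe')   # matched by file name, by Explorer only
$group    = 'CONTOSO\NoTelnet'                       # placeholder group name
$explorer = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$system   = 'HKCU:\Software\Policies\Microsoft\Windows\System'

# 1. "Don't run specified Windows applications"
#    (User Configuration\Administrative Templates\System).
#    Explorer compares the base file name of whatever the user double-clicks or
#    types into Run against the numbered string values under DisallowRun, so a
#    renamed copy, or a launch from an unrestricted cmd.exe, is not stopped.
#    (The allow-list counterpart, "Run only allowed Windows applications", uses
#    RestrictRun = 1 and a RestrictRun subkey with the same numbered layout.)
New-Item -Path "$explorer\DisallowRun" -Force | Out-Null
Set-ItemProperty -Path $explorer -Name 'DisallowRun' -Value 1 -Type DWord
$i = 1
foreach ($exe in $blocked) {
    Set-ItemProperty -Path "$explorer\DisallowRun" -Name "$i" -Value $exe -Type String
    $i++
}

# 2. "Disable the command prompt", so the list above cannot be sidestepped by
#    running the program from cmd.exe. 1 = block cmd.exe and batch files,
#    2 = block the interactive prompt but still allow batch files to run.
New-Item -Path $system -Force | Out-Null
Set-ItemProperty -Path $system -Name 'DisableCMD' -Value 1 -Type DWord

# 3. NTFS deny ACE on the binary for the group. This is enforced by the file
#    system no matter how, or under what name, the file is invoked, but it does
#    not travel with a copy the user makes into their own profile.
$target = Join-Path $env:SystemRoot 'System32\telnet.exe'
$acl    = Get-Acl -Path $target
$rule   = New-Object System.Security.AccessControl.FileSystemAccessRule `
              -ArgumentList $group, 'ReadAndExecute', 'Deny'
$acl.AddAccessRule($rule)
Set-Acl -Path $target -AclObject $acl

# 4. Show what was written: the numbered DisallowRun entries and the new deny ACE.
Get-ItemProperty -Path "$explorer\DisallowRun" |
    Select-Object -Property * -ExcludeProperty PS*
(Get-Acl -Path $target).Access |
    Where-Object { $_.IdentityReference -eq $group -and $_.AccessControlType -eq 'Deny' }
```

To see the weakness Steve describes, copy telnet.exe to the user's profile under another name and launch it: the deny ACE stays on the original file and the Explorer list never sees the new name, which is why on W2K the combination of all three settings is still only a speed bump rather than the name-independent enforcement that Software Restriction Policies give on XP and 2003.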
 
Thanks Stew!


 
Thanks Steve!

 