Jake said:
Hello everyone
We are in the process of migrating from NT 4.0 server to
Win2k server and I was hoping there was some way to stop
our users from installing 3rd Party software. I know in
Group Policy I can stop the "Windows Installer" from
working, but can you stop other software installs?
Thanks in advance,
Jake
Man, this is a tough nut to crack.
I don't know of any single "cure all" to this problem, but I think there are
a few options.
First, what rights do the users have on their machines? If they haven't
been given elevated local rights on the computer they're using, they won't
be able to install software. This holds true for most software, although
I've seen a few applications that were able to be installed by
non-privledged users. This approach can lead to problems running certain
applications, although you can get around some of these problems by applying
the compatws.inf security template.
Another thing you can do is restrict access to drives. Create an OU with
the users you wish to restrict & lock down access to the floppy & CD-ROM
drives. This can cut down on problems if people bring things from home.
If you're like me, my greatest problem came from people downloading junk on
the Internet. In active directory, you can set a policy to prevent file
downloads. Obviously, if they don't download it, they won't install it.
This leads to other problems, though, as it blocks *all* file downloads -
exe or pdf, it doesn't matter. If you choose to do this, be ready to do a
lot of downloading for your users, or spend time setting up "trusted sites".
I think a more eloquent solution to blocking downloads is to set up a
transparent caching proxy server (say Squid) and allow it to filter based on
file extension.
Those are my observations, take them for what they're worth.
Good luck.
