Software restrictions allow for this scenario by restricting the software that can be executed by a user, including installers.
This can be done in two locations, but typically is done in both locations for greater security. The first location is in the computer policy: in Group Policy Management, go to "Computer Configuration -> Windows Settings -> Security Settings -> Software restrictions Policy -> Security Levels" and set the policy to "Disallowed" to be enabled. (Note that you may not have that last section of Security Levels until you right-click Software restrictions Policy and create a software restriction policy.)
Secondly, you do something similar to this in "User Configuration -> Windows Settings -> Security Settings -> Software restrictions Policy -> Security Levels".
Remember, user policies apply to OUs where users are stored and computer policies apply to OUs where computers are stored. There is no benefit to applying a user policy to an OU where only computers reside, unless a child OU contains users.
The hardest part of getting software restrictions right is that by default it restricts EVERYTHING from running outside of the standard OS components. Thankfully, Microsoft gives us these locations and files by default when you create the policy.
There are several ways you can allow applications to run (or not run):
1. Via a Path
2. Via a FileName
3. Via an MD5 hash of the file
Last Wiki Answer Submitted: February 26, 2008 4:25 pm by Jerry Lees (5,320 pts.)
All Answer Wiki Contributors: Jerry Lees (5,320 pts.)
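An added example, not part of the original answer: a PowerShell check to run on a client after Group Policy has refreshed, confirming that the "Disallowed" default level and the path and hash rules actually applied in both the computer and the user scope. It assumes the policy is read from the `Safer\CodeIdentifiers` registry key where Windows stores applied software restriction settings; the function name `Get-SrpSummary` is hypothetical.

```powershell
# Added example. Reads the applied software restriction policy from the registry.
# Assumption: settings live under SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers
# in HKLM (computer policy) and HKCU (user policy).
$levelNames = @{ 0 = 'Disallowed'; 0x20000 = 'Basic User'; 0x40000 = 'Unrestricted' }

function Get-SrpSummary {
    param([Parameter(Mandatory)][ValidateSet('HKLM', 'HKCU')][string]$Hive)

    $root = "${Hive}:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers"
    if (-not (Test-Path $root)) {
        return [pscustomobject]@{ Scope = $Hive; Configured = $false; DefaultLevel = 'not set'; Rules = @() }
    }

    # DefaultLevel is the "Security Levels" choice: 0 means Disallowed.
    $raw = (Get-ItemProperty -Path $root -Name DefaultLevel -ErrorAction SilentlyContinue).DefaultLevel
    $default = if ($null -eq $raw) { 'not set' }
               elseif ($levelNames.ContainsKey([int]$raw)) { $levelNames[[int]$raw] }
               else { "level $raw" }

    # Rules sit in subkeys named after the numeric level they grant, e.g. 0\Paths or 262144\Hashes.
    $rules = foreach ($levelKey in Get-ChildItem $root -ErrorAction SilentlyContinue) {
        $levelId = 0
        if (-not [int]::TryParse($levelKey.PSChildName, [ref]$levelId)) { continue }
        foreach ($kind in 'Paths', 'Hashes') {
            $kindPath = Join-Path $levelKey.PSPath $kind
            if (-not (Test-Path $kindPath)) { continue }
            foreach ($rule in Get-ChildItem $kindPath) {
                $p = Get-ItemProperty $rule.PSPath
                [pscustomobject]@{
                    Level = if ($levelNames.ContainsKey($levelId)) { $levelNames[$levelId] } else { "level $levelId" }
                    Type  = $kind
                    Item  = if ($kind -eq 'Paths') { $p.ItemData } else { $p.FriendlyName }
                }
            }
        }
    }
    [pscustomobject]@{ Scope = $Hive; Configured = $true; DefaultLevel = $default; Rules = @($rules) }
}

foreach ($hive in 'HKLM', 'HKCU') {
    $s = Get-SrpSummary -Hive $hive
    "{0}: configured={1}, default level={2}, rules={3}" -f $s.Scope, $s.Configured, $s.DefaultLevel, $s.Rules.Count
    if ($s.DefaultLevel -ne 'Disallowed') { "  -> default level is not Disallowed in this scope" }
    $s.Rules | Sort-Object Level, Type | Format-Table -AutoSize
}
```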
You can use group policy to restrict users' ability to install and run software as outlined above. For example, you can restrict access to Add/Remove Programs and, if I remember correctly, also use of the Microsoft Installer, but if users do not have privileges to install software in the first place, such as by not being local administrators on their computers, then much of this worry is avoided. If this is not possible, then group policy can definitely be of use in accomplishing these and other tasks.