hammermtl Posted April 6, 2005

Hey guys,

I tried searching the forums for a few hours but didn't find anything. I'm starting to use the Group Policy editor in XP Pro (gpedit.msc). I like the option to restrict all software, but I'm having trouble enabling programs. Once I have restricted all software, how can I enable certain programs?

My goal is to do a fresh install on a system using my unattended CD, load all the applications (Office...) and have only those programs which I installed be usable.

Any help with this would be greatly appreciated.

Thanks,
Josh

duomenox Posted April 7, 2005

We tried this at work for a long time and decided the upkeep for this procedure was way too much work.

We invested in a program from Bardon Data Systems called Full Control (http://www.bardon.com). This was a very comprehensive lockdown program that was easy to administrate. Plus, the great thing was that we could get the computer the way we want it, then click on the stability button, and it would scan the computer and build a config that would not allow any other programs to be run until you log in as the FC Admin and do another stability scan.

Instead of using gpedit.msc, make yourself an Admin and make the other accounts Limited (not admin). This will allow you to use NTFS permissions to limit the use of the computer and its programs. This may be easier to configure even though it may take longer to get the initial setup working.

I just wanted to give you some alternatives to look at.

grond Posted April 7, 2005

Hi there,

To add specified applications, go to the following area within GPEDIT.MSC:

User Configuration/System/Run Only Allowed Windows Applications

Click on Enabled, then SHOW, then the ADD button....

Add whichever apps you wish to let the user run.

Grond from Oz

colinbate Posted April 7, 2005

@grond

I have tried your suggestion and can't find

User Configuration/System/Run Only Allowed Windows Applications

User Configuration only has Software Settings (nothing in this section), Windows Settings or Administrative Templates.

grond Posted April 7, 2005

Hi,

My bad, should be:

User Configuration/Administrative Templates/System

then select

Run Only Allowed Windows Applications

on the right panel...

Adios,
Grond from Oz

army20 Posted April 7, 2005

Use DeepFreeze or CleanState. It's a non-restrictive security software that undoes all changes made to a computer at each reboot.

Takeshi Posted April 8, 2005

> My goal is to do a fresh install on a system using my unattended CD, load all the applications (Office...) and have only those programs which I installed be usable.

Sorry, I don't follow the logic. If you only install programs you're going to use and allow, there should be nothing left to restrict!

That aside, any policy in GP on the computer (not joined to a domain) applies to all users.

hammermtl Posted April 8, 2005 (Author)

@Takeshi

When I install this on a system, there's nothing to stop someone from installing other programs such as P2P and filling the computer with spyware and crap. My goal is to stop people from being able to load their own programs and accidentally install anything else.

I've been testing these methods with a simple keylogger to see if it will install on my system, and it never fails. It is always able to install itself from the web and send emails to my account. This is the test I'm using to see if the computer is secure.

Takeshi Posted April 8, 2005

Ah, I see, then your goal really is to stop other people from installing any programs but allowing Windows updates, I suppose?

As to malware from browsing the internet, it's not quite the same category. This one is not too hard to manage.

bandana Posted April 10, 2005

You could try WINROLLBACK. I have used it myself, and it does work - you can even surf without an AV, as everything is restored to what it was when you reboot. You can make changes if you want to by removing the protection temporarily, and you need to know the password to do this, so you have complete control (it says here).

WinRollBack sorts out everything, which might befall a Windows PC during a day. Simply restart your PC – immediately, all unwanted modifications, manipulations, installations and even virus infestation has completely and entirely disappeared. All this is solely based on software; no installation of additional hardware or repartitioning is necessary.

Read more here:
http://www.datapol-technologies.com/dpe/prod/winrollback/index.html

hammermtl Posted April 11, 2005 (Author)

That program seems really good.

One question though. How does it work with saving data files?

albator Posted April 11, 2005

> Use DeepFreeze or CleanState. It's a non-restrictive security software that undoes all changes made to a computer at each reboot.

Using DeepFreeze on your own computer is pointless. This software is to lock a computer from non-sysadmin changes.

To secure XP, disable services, and use a 3rd-party firewall that updates often...

And if it fails, just reclone it with Acronis: only 30-60 on a fast computer, no HD space taken, no software install needed and, most important, no performance downgrade. I hugely recommend a mature solution to your needs.

army20 Posted April 12, 2005

Why get a mature solution for non-mature users?

Marsden Posted April 12, 2005

If you use GPO correctly, your users can only run programs you specify. You can lock that down to a specific version number of the program. You can disable everything else a user might try other than the programs you allow. If you want programs A, B, C to run and nothing else, you can lock it down. No Control Panel, DOS prompt, no IE, nothing but the programs you specify. They won't be able to install anything either.

Do your homework...

hammermtl Posted April 12, 2005 (Author)

@Marsden

If you read the first post you would notice that the Group Policy editor was the topic of this post. I know what it does, but it doesn't seem to work all the time. If I set the GP to allow calc.exe to work, I can then rename any executable file to calc.exe and it will run. It also won't stop people from installing non-MSI-based installers from the web. We are looking for a solution to complement the group policy.
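
Added example, not part of the thread: the renaming problem described in the last post comes from matching on file name alone, and this PowerShell audit contrasts a name rule with a hash rule and flags files that pass only by name. The function names, folder layout and file contents are constructed for the illustration, and Get-FileHash requires PowerShell 4.0 or later.

```powershell
# Added example. Paths and file contents below are constructed placeholders.
function Test-NameAllowed {
    param([string]$Path, [string[]]$AllowedNames)
    # What a name-only rule sees: the leaf file name, nothing else.
    return $AllowedNames -contains (Split-Path -Path $Path -Leaf)
}

function Test-HashAllowed {
    param([string]$Path, [string[]]$AllowedHashes)
    # What a hash rule sees: the file's bytes, whatever the file is called.
    return $AllowedHashes -contains (Get-FileHash -Path $Path -Algorithm SHA256).Hash
}

# Constructed stand-ins: an approved binary, an unrelated file that shares
# its name, and an unrelated file under a different name.
$root     = Join-Path ([IO.Path]::GetTempPath()) ("allowlist-demo-" + [guid]::NewGuid())
$approved = Join-Path (Join-Path $root 'approved')  'calc.exe'
$sameName = Join-Path (Join-Path $root 'downloads') 'calc.exe'
$other    = Join-Path (Join-Path $root 'downloads') 'setup.exe'
foreach ($f in $approved, $sameName, $other) {
    New-Item -ItemType Directory -Path (Split-Path -Path $f) -Force | Out-Null
}
Set-Content -Path $approved -Value 'approved calculator build (placeholder bytes)'
Set-Content -Path $sameName -Value 'unapproved program (placeholder bytes)'
Set-Content -Path $other    -Value 'unapproved program (placeholder bytes)'

# The allowlist: one name, and the hash of the one approved file.
$allowedNames  = @('calc.exe')
$allowedHashes = @((Get-FileHash -Path $approved -Algorithm SHA256).Hash)

# Audit every file; NameOnlyPass marks what a name rule lets through
# but a hash rule would block, which is the case worth alerting on.
$report = Get-ChildItem -Path $root -Recurse -File | ForEach-Object {
    $byName = Test-NameAllowed -Path $_.FullName -AllowedNames $allowedNames
    $byHash = Test-HashAllowed -Path $_.FullName -AllowedHashes $allowedHashes
    [pscustomobject]@{
        File         = $_.FullName.Substring($root.Length + 1)
        NameRule     = $byName
        HashRule     = $byHash
        NameOnlyPass = ($byName -and -not $byHash)
    }
}
$report | Format-Table -AutoSize

Remove-Item -Path $root -Recurse -Force
```

Software Restriction Policies on XP Pro include hash rules, which make the distinction the HashRule column shows.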