Indestructible Windows XP


hammermtl

Hey guys

I tried searching the forums for a few hours but didn't find anything.

I'm starting to use the group policy editor in XP Pro (gpedit.msc).

I like the option to restrict all software but I'm having trouble enabling programs.

Once I have restricted all software, how can I enable certain programs?

My goal is to do a fresh install on a system using my unattended CD, load all the applications (Office...) and have only those programs which I installed be usable.

Any help with this would be greatly appreciated

Thanks

Josh



We tried this at work for a long time and decided the upkeep for this procedure was way too much work.

We invested in a program from Bardon Data Systems called Full Control (Http://www.bardon.com). This was a very comprehensive lockdown program that was easy to administrate. Plus the great thing was that we could get the computer the way we want it, then click on the stability button, it would scan the computer and build a config that would not allow any other programs to be run until you log in as the FC Admin and do another stability scan.

Instead of using gpedit.msc, make yourself an Admin and make the other accounts Limited (not admin). This will allow you to use NTFS permissions to limit the use of the computer and its programs. This may be easier to configure even though it may take longer to get the initial setup working.

I just wanted to give you some alternatives to look at.


Hi there,

To add specified applications, go to the following area within GPEDIT.MSC:

User Configuration/System/Run Only Allowed Windows Applications

Click on Enabled, then SHOW, then the ADD button ....

Add whichever apps you wish to let the user run.

Grond from Oz


@grond

I have tried your suggestion and can't find

User Configuration/System/Run Only Allowed Windows Applications

User Configuration only has Software Settings (nothing in this section), Windows Settings or Administrative Templates.


My goal is to do a fresh install on a system using my unattended CD, load all the applications (Office...) and have only those programs which I installed be usable.

Sorry I don't follow the logic. If you only install programs you're going to use and allow, there should be nothing left to restrict!

That aside, any policy in GP on the computer (not joined to a domain) applies to all users.


@Takeshi

When I install this on a system, there's nothing to stop someone from installing other programs such as p2p and filling the computer with spyware and crap.

My goal is to stop people from being able to load their own programs and accidentally install anything else.

I've been testing these methods with a simple keylogger to see if it will install on my system and it never fails. It is always able to install itself from the web and send emails to my account. This is the test I'm using to see if the computer is secure.


Ah, I see, then your goal really is to stop other people from installing any programs but allowing Windows updates, I suppose?

As to malware from browsing the internet it's not quite the same category. This one is not too hard to manage.


You could try WINROLLBACK. I have used it myself, and it does work - you can even surf without an AV, as everything is restored to what it was when you reboot. You can make changes if you want to by removing the protection temporarily, and you need to know the password to do this, so you have complete control (it says here). :rolleyes:

WinRollBack sorts out everything, which might befall a Windows PC during a day. Simply restart your PC – immediately, all unwanted modifications, manipulations, installations and even virus infestation has completely and entirely disappeared. All this is solely based on software; no installation of additional hardware or repartitioning is necessary.

Read more here:

http://www.datapol-technologies.com/dpe/prod/winrollback/index.html


Use DeepFreeze or CleanState. It's non-restrictive security software that undoes all changes made to a computer at each reboot.

Using DeepFreeze on your own computer is pointless. This software is to lock a computer from non-sysadmin changes.

To secure XP, disable services, and use a 3rd-party firewall that updates often...

And if it fails just reclone it with Acronis, only 30-60 on a fast computer, no HD space taken, no software install needed and most important no performance downgrade. I hugely recommend a mature solution to your needs.

:thumbup


If you use GPO correctly, your users can only run programs you specify. You can lock that down to a specific version number of the program. You can disable everything else a user might try other than the programs you allow.

If you want programs A,B,C to run and nothing else; you can lock it down. No Control Panel, DOS prompt, no IE, nothing but the programs you specify. They won't be able to install anything either.

Do your homework...


@Marsden

If you read the first post you would notice that the group policy editor was the topic of this post. I know what it does but it doesn't seem to work all the time.

If I set the GP to allow calc.exe to work I can then rename any executable file to calc.exe and it will run. It also won't stop people from installing non-MSI-based installers from the web. We are looking for a solution to complement the group policy.
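
The difference between an allow rule that checks only the file name (the calc.exe case in the post above) and one pinned to the file's contents, as an added example that is not part of the original thread. The file contents, directory names and helper functions are constructed for illustration; this is not how Windows implements either check.

```python
import hashlib
import os
import tempfile

def sha256_of(path):
    """Hash the file contents in chunks so large binaries are handled."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def allowed_by_name(path, allowed_names):
    """Name-only rule: compares just the file name, case-insensitively."""
    return os.path.basename(path).lower() in allowed_names

def allowed_by_hash(path, allowed_hashes):
    """Content rule: compares the SHA-256 of the file's bytes."""
    return sha256_of(path) in allowed_hashes

def demo():
    """Build constructed stand-in files and evaluate both rule types."""
    with tempfile.TemporaryDirectory() as root:
        approved_dir = os.path.join(root, "approved")
        download_dir = os.path.join(root, "downloads")
        os.makedirs(approved_dir)
        os.makedirs(download_dir)
        approved = os.path.join(approved_dir, "calc.exe")
        renamed = os.path.join(download_dir, "calc.exe")
        with open(approved, "wb") as fh:
            fh.write(b"constructed bytes standing in for the approved program")
        with open(renamed, "wb") as fh:
            fh.write(b"constructed bytes standing in for some other program")
        names = {"calc.exe"}
        hashes = {sha256_of(approved)}  # recorded from the known-good install
        return {
            "name_rule": (allowed_by_name(approved, names),
                          allowed_by_name(renamed, names)),
            "hash_rule": (allowed_by_hash(approved, hashes),
                          allowed_by_hash(renamed, hashes)),
        }

if __name__ == "__main__":
    for rule, (approved_ok, renamed_ok) in demo().items():
        print(f"{rule}: approved={approved_ok} renamed={renamed_ok}")
```

A content hash ties the rule to one exact build of the program, so the recorded hashes have to be refreshed whenever an approved application is patched or upgraded.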
