
Prevent Third Party Installations


Asin


Is there a way to restrict users from installing anything but still allow for things like Windows Update and SAV to search for and install updates in the background?

I was thinking some sort of group permissions and then Run As command. But I don't think that that's going to work. I have a feeling that Group Policy Objects would work, but I'm not too familiar with those.

I'm trying to help out a friend who is now working at my previous position. I no longer have the resources for virtual or actual testing. So, I may need an explanation or two on how to do things.

Any help is greatly appreciated.



Hi,

If we're talking stand-alone/workgroup PCs here, then just make your local user accounts members of the "users" group - and not Administrators.

Using automatic updates will still install updates if configured correctly, and LiveUpdate should still look after SAV.

Members of the "Users" group can't usually install much software/make serious changes to the OS.

If these machines are on a domain then the same applies - though you will want to move domain users into "users" and not "power users" or "Administrators".

Group policy could be useful for configuring automatic updates if you have a domain setup and lots of PCs.

Good luck,

Andy

Edited by Fencer128

As far as I know, it's just one laptop that's causing trouble.

It's a horribly set up IT environment where everyone is running with Administrative privileges. But that's beside the point. The supervisor wants this one laptop to be essentially crippled. Things like LimeWire should not be able to be installed.

It is on a domain, but since it's a laptop for a remote user, they may or may not be connected to the domain (physically) when they log in. So the settings need to be local.

Can you please tell me how I can still let Windows Update through properly under Limited User accounts? From what I hear, my friend isn't able to get this to work properly.

Oh, another thing that I vaguely remember from working there. Limited User accounts also screw over the ability to use Outlook among other things properly despite the fact that the PST file is in that user's local settings folder under that specific domain.

Edited by Asin

If these machines are on a domain then the same applies - though you will want to move domain users into "users" and not "power users" or "Administrators".

Power Users won't be able to install any software either, from my experience--they will be able to add equipment requiring drivers, such as printers, but only if the drivers have already been installed by a member of the Administrators group.


Note that if the software doesn't need to write to HKLM or HKCR keys, even regular users can install them (because regular users do need write access to the HKCU portion of the registry). It's better to have software restrictions and run restrictions policies in group policy set - users can install the app, but they won't be able to run them when the .exe matches a restriction policy (and they'll get a message stating such as well).


Note that if the software doesn't need to write to HKLM or HKCR keys, even regular users can install them (because regular users do need write access to the HKCU portion of the registry). It's better to have software restrictions and run restrictions policies in group policy set - users can install the app, but they won't be able to run them when the .exe matches a restriction policy (and they'll get a message stating such as well).

That sounds a little closer to what my friend needs, but it also sounds like he'll need to make some sort of list or filtering option to make it work.

Are there third party applications that can prevent third party applications? :P


In that situation (horribly configured LAN) I always suggest catching & firing the person involved with such activities. One warning then termination. Fear is better than any security measures you can take when you have nothing to build from.

Also, is disabling the Internet an option? Put in 1.1.1.1 for the gateway & change account to User. Then the laptop can only access the LAN with their IP but not the Internet because the gateway is invalid.

Then install MS Software Update Server & Symantec Command Console and update internally.

Edited by KAndle

It's a remote user that sent in their laptop because it was having trouble with SAP.

I don't think that firing is commonplace with this company. They work with Sales and pretty much everything else.


Power Users won't be able to install any software either, from my experience--they will be able to add equipment requiring drivers, such as printers, but only if the drivers have already been installed by a member of the Administrators group.

Sorry - but that's incorrect. Power Users can install some software (that requires registry changes), and just about any malware can install via Power User as well. User is a lot better, though as someone pointed out already - if you don't need to play with the registry at all there's nothing stopping you running programs still.

If the laptop's only running a couple of applications, you could always use software restriction policies (have a google). They need a little setting up, but you say there's only one laptop affected anyhow.

If you set up automatic updates to "Automatically download recommended updates for my computer and install them ..." it will occur in the background if logged on as a local user and no indication will be given by the PC when doing so.

Hope that helps,

Andy

Edited by Fencer128
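
The local, non-GPO setup suggested in the replies above (plain Users membership plus scheduled Automatic Updates), written out as an added example that is not from any poster in this thread. `CORP\remoteuser` is a placeholder account name and the daily 03:00 install time is an assumed choice; it is meant to be run from an administrator command prompt while the laptop can reach the domain so the account name resolves.

```batch
@echo off
rem Added example, not from the thread. CORP\remoteuser is a placeholder account.
setlocal
set "TARGET=CORP\remoteuser"
set "AUKEY=HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU"

rem 1. Record who currently holds local admin rights (the "before" state).
echo === Administrators before ===
net localgroup Administrators

rem 2. Demote the account: out of Administrators and Power Users, into Users.
rem    A "not a member" or "already a member" error here is harmless.
net localgroup Administrators "%TARGET%" /delete
net localgroup "Power Users" "%TARGET%" /delete
net localgroup Users "%TARGET%" /add

rem 3. Configure Automatic Updates through the local policy key so the
rem    Windows Update service, not the logged-on user, installs patches.
rem    NoAutoUpdate=0        : Automatic Updates enabled
rem    AUOptions=4           : download automatically and install on schedule
rem    ScheduledInstallDay=0 : every day
rem    ScheduledInstallTime=3: 03:00 local time (assumed choice)
reg add "%AUKEY%" /v NoAutoUpdate /t REG_DWORD /d 0 /f
reg add "%AUKEY%" /v AUOptions /t REG_DWORD /d 4 /f
reg add "%AUKEY%" /v ScheduledInstallDay /t REG_DWORD /d 0 /f
reg add "%AUKEY%" /v ScheduledInstallTime /t REG_DWORD /d 3 /f

rem 4. Restart the Automatic Updates service so it re-reads the policy.
net stop wuauserv
net start wuauserv

rem 5. Verify both changes (the "after" state).
echo === Automatic Updates policy ===
reg query "%AUKEY%"
echo === Administrators after ===
net localgroup Administrators
endlocal
```

The group change takes effect the next time the user logs on.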

I'm not aware of any software that restricts software being installed, but software restriction policies work very well on Windows XP (if you're willing to invest the time in configuring it, which I highly recommend in any case). Note that software restrictions policies don't affect Windows 2000 machines, so other more draconian measures may need to be inflicted on the 2000 users :)

For a little more info on Software Restriction Policies in XP via Group Policy, review the following:

http://support.microsoft.com/?kbid=310791

