While this may look like it's working, it shouldn't take long before a user
discovers that all he have to do to circumvent this measure is to rename
the .exe to something else than setup or install.
Although it won't block excutables at this time, the SIDTk module LogProc
was conceived exactly for this purpose. At this time, it will only detect,
and it is based on a time interval check, which means that this tool will
evolve in many ways in the near future, but the idea behind it is that you
define what is permitted to run on the system, hence anything that is not
part of the list gets flagged.
On the plans for future versions wil be trap monitoring for the launch of
executables, and the ability to prevent unwanted programs from executing.
This tool can be downloaded as part of the SIDTk at
http://securit.iquebec.com/.
Hope that helps.
Adam Richard
SécurIT Informatique Inc.
At 11:02 AM 08/10/2004, you wrote:
>One way that we do this is to not allow programs like setup.exe and
>install.exe to run. This is not a perfect solution but keeps 99% of our
>users from installing stuff. To enable and list the programs you don't want
>run go to User Configuration->Administrative Templates->System->Don't allow
>specified Windows applications in group policy editor. I hope this helps.
>
>Eddie
>
>-----Original Message-----
>From: chang zhu [mailto:cyz2000 (at) yahoo (dot) com [email concealed]]
>Sent: Friday, October 08, 2004 8:46 AM
>To: focus-ms (at) securityfocus (dot) com [email concealed]
>Subject: Can we really block users from installing applications through
>Group policy?
>
>Hi, all
>
>The users are not local administrators. We configure
>group policy to prevent user installs but it seems
>that it blocks only .msi packages. Users still can
>install applications through ex. setup.exe...Can we
>really block users from installing applications
>through Group policy?
>
>Any idea or thoughts on this?
>
>Plus, if we need to block users from saving .mp3 file
>on their computers, can we do it through group policy?
>
>we are on windows2000 and XP environment.
>
>Thanks always,
>
>Chang
>
>
>
>
>
>
>_______________________________
>Do you Yahoo!?
>Declare Yourself - Register online to vote today!
>http://vote.yahoo.com
>
>-----------------------------------------------------------------------
----
>-----------------------------------------------------------------------
----
>
>
>
>
>______________________________________________________________________
>This email transmission and any documents, files or previous email
>messages attached to it may contain information that is confidential or
>legally privileged. If you are not the intended recipient or a person
>responsible for delivering this transmission to the intended recipient,
>you are hereby notified that you must not read this transmission and
>that any disclosure, copying, printing, distribution or use of this
>transmission is strictly prohibited. If you have received this transmission
>in error, please immediately notify the sender by telephone or return email
>and delete the original transmission and its attachments without reading
>or saving in any manner.
>
>
>-----------------------------------------------------------------------
----
>-----------------------------------------------------------------------
----
>
>_____________________________________________________________________
>Un mot doux à envoyer? Une sortie ciné à organiser? Faites le en temps
>réel avec MSN Messenger! C'est gratuit! http://ifrance.com/_reloc/m
discovers that all he have to do to circumvent this measure is to rename
the .exe to something else than setup or install.
Although it won't block excutables at this time, the SIDTk module LogProc
was conceived exactly for this purpose. At this time, it will only detect,
and it is based on a time interval check, which means that this tool will
evolve in many ways in the near future, but the idea behind it is that you
define what is permitted to run on the system, hence anything that is not
part of the list gets flagged.
On the plans for future versions wil be trap monitoring for the launch of
executables, and the ability to prevent unwanted programs from executing.
This tool can be downloaded as part of the SIDTk at
http://securit.iquebec.com/.
Hope that helps.
Adam Richard
SécurIT Informatique Inc.
At 11:02 AM 08/10/2004, you wrote:
>One way that we do this is to not allow programs like setup.exe and
>install.exe to run. This is not a perfect solution but keeps 99% of our
>users from installing stuff. To enable and list the programs you don't want
>run go to User Configuration->Administrative Templates->System->Don't allow
>specified Windows applications in group policy editor. I hope this helps.
>
>Eddie
>
>-----Original Message-----
>From: chang zhu [mailto:cyz2000 (at) yahoo (dot) com [email concealed]]
>Sent: Friday, October 08, 2004 8:46 AM
>To: focus-ms (at) securityfocus (dot) com [email concealed]
>Subject: Can we really block users from installing applications through
>Group policy?
>
>Hi, all
>
>The users are not local administrators. We configure
>group policy to prevent user installs but it seems
>that it blocks only .msi packages. Users still can
>install applications through ex. setup.exe...Can we
>really block users from installing applications
>through Group policy?
>
>Any idea or thoughts on this?
>
>Plus, if we need to block users from saving .mp3 file
>on their computers, can we do it through group policy?
>
>we are on windows2000 and XP environment.
>
>Thanks always,
>
>Chang
>
>
>
>
>
>
>_______________________________
>Do you Yahoo!?
>Declare Yourself - Register online to vote today!
>http://vote.yahoo.com
>
>-----------------------------------------------------------------------
----
>-----------------------------------------------------------------------
----
>
>
>
>
>______________________________________________________________________
>This email transmission and any documents, files or previous email
>messages attached to it may contain information that is confidential or
>legally privileged. If you are not the intended recipient or a person
>responsible for delivering this transmission to the intended recipient,
>you are hereby notified that you must not read this transmission and
>that any disclosure, copying, printing, distribution or use of this
>transmission is strictly prohibited. If you have received this transmission
>in error, please immediately notify the sender by telephone or return email
>and delete the original transmission and its attachments without reading
>or saving in any manner.
>
>
>-----------------------------------------------------------------------
----
>-----------------------------------------------------------------------
----
>
>_____________________________________________________________________
>Un mot doux à envoyer? Une sortie ciné à organiser? Faites le en temps
>réel avec MSN Messenger! C'est gratuit! http://ifrance.com/_reloc/m
[ reply ]