Well you cannot ever just release a GPO and expect to fit everyone. From
administrators to developers people will need different access. How do
you handle exceptiions?
-----Original Message-----
From: Harlan Carvey [mailto:keydet89 (at) yahoo (dot) com [email concealed]]
Sent: Friday, October 08, 2004 5:39 PM
To: Paul Aviles; focus-ms (at) securityfocus (dot) com [email concealed]
Cc: chang zhu
Subject: RE: Can we really block users from installing applications
through Group policy?
Paul,
> This is very interesting topic. I think this
> approach will work, but
> will also give you a lot of problems since many
> applications including MS ones will need this.
Need what? What problems are you referring to?
> Additionally, how will you handle exceptions to
> the GPO?
Well...as an exception.
> -----Original Message-----
> From: Harlan Carvey [mailto:keydet89 (at) yahoo (dot) com [email concealed]]
> Sent: Friday, October 08, 2004 11:12 AM
> To: focus-ms (at) securityfocus (dot) com [email concealed]
> Cc: chang zhu
> Subject: Re: Can we really block users from
> installing applications
> through Group policy?
>
>
>
>
> > The users are not local administrators. We
> > configure
> > group policy to prevent user installs but it seems
> > that it blocks only .msi packages. Users still
> can
> > install applications through ex. setup.exe...Can
> we
> > really block users from installing applications
> > through Group policy?
> >
> > Any idea or thoughts on this?
>
> Sure. Disable access to the write to certain
> locations of the hard drive. While some
> applications
> require the ability to write to a temp directory,
> most
> users shouldn't have write access to the system32
> dir...read and execute usually suffice.
>
> First, though...some background. Do you have a
> policy
> in place that states that users shall not install
> software? If you do, the next step should be to put technical
> measures in place to not only prevent it, but monitor it. Monitoring
> can be done easily through
> freeware and WMI.
>
> > Plus, if we need to block users from saving .mp3
> > file
> > on their computers, can we do it through group
> > policy?
>
> Again, the first step should be a security policy.
> Next, how do they download the .mp3s? If it's via
> file sharing (or rather, pretty much any method
> other
> than FTP, HTTP, or bringing in a CD), then there is
> probably an *installed application* that they're
> using. Also, there is very likely an *installed
> application* they're using to play the .mp3s, right?
>
> You won't be able to completely prevent the download
> of files to the local hard drive through ACLs...the
> users still need some write access to the drive.
> However, you *can* monitor this by simply using
> 'dir'.
> Map a drive (x:\) and type the following command:
>
> c:\>dir /s x:\*.mp3
>
> If you want, you can follow this up with the
> judicious
> use of 'del'.
>
> Hope that helps,
>
>
> =====
> ------------------------------------------
> Harlan Carvey, CISSP
> "Windows Forensics and Incident Recovery" http://www.windows-ir.com
> http://groups.yahoo.com/group/windowsir/
>
> "Meddle not in the affairs of dragons, for
> you are crunchy, and good with ketchup."
>
> "The simplicity of this game amuses me.
> Bring me your finest meats and cheeses."
> ------------------------------------------
>
>
------------------------------------------------------------------------
administrators to developers people will need different access. How do
you handle exceptiions?
-----Original Message-----
From: Harlan Carvey [mailto:keydet89 (at) yahoo (dot) com [email concealed]]
Sent: Friday, October 08, 2004 5:39 PM
To: Paul Aviles; focus-ms (at) securityfocus (dot) com [email concealed]
Cc: chang zhu
Subject: RE: Can we really block users from installing applications
through Group policy?
Paul,
> This is very interesting topic. I think this
> approach will work, but
> will also give you a lot of problems since many
> applications including MS ones will need this.
Need what? What problems are you referring to?
> Additionally, how will you handle exceptions to
> the GPO?
Well...as an exception.
> -----Original Message-----
> From: Harlan Carvey [mailto:keydet89 (at) yahoo (dot) com [email concealed]]
> Sent: Friday, October 08, 2004 11:12 AM
> To: focus-ms (at) securityfocus (dot) com [email concealed]
> Cc: chang zhu
> Subject: Re: Can we really block users from
> installing applications
> through Group policy?
>
>
>
>
> > The users are not local administrators. We
> > configure
> > group policy to prevent user installs but it seems
> > that it blocks only .msi packages. Users still
> can
> > install applications through ex. setup.exe...Can
> we
> > really block users from installing applications
> > through Group policy?
> >
> > Any idea or thoughts on this?
>
> Sure. Disable access to the write to certain
> locations of the hard drive. While some
> applications
> require the ability to write to a temp directory,
> most
> users shouldn't have write access to the system32
> dir...read and execute usually suffice.
>
> First, though...some background. Do you have a
> policy
> in place that states that users shall not install
> software? If you do, the next step should be to put technical
> measures in place to not only prevent it, but monitor it. Monitoring
> can be done easily through
> freeware and WMI.
>
> > Plus, if we need to block users from saving .mp3
> > file
> > on their computers, can we do it through group
> > policy?
>
> Again, the first step should be a security policy.
> Next, how do they download the .mp3s? If it's via
> file sharing (or rather, pretty much any method
> other
> than FTP, HTTP, or bringing in a CD), then there is
> probably an *installed application* that they're
> using. Also, there is very likely an *installed
> application* they're using to play the .mp3s, right?
>
> You won't be able to completely prevent the download
> of files to the local hard drive through ACLs...the
> users still need some write access to the drive.
> However, you *can* monitor this by simply using
> 'dir'.
> Map a drive (x:\) and type the following command:
>
> c:\>dir /s x:\*.mp3
>
> If you want, you can follow this up with the
> judicious
> use of 'del'.
>
> Hope that helps,
>
>
> =====
> ------------------------------------------
> Harlan Carvey, CISSP
> "Windows Forensics and Incident Recovery" http://www.windows-ir.com
> http://groups.yahoo.com/group/windowsir/
>
> "Meddle not in the affairs of dragons, for
> you are crunchy, and good with ketchup."
>
> "The simplicity of this game amuses me.
> Bring me your finest meats and cheeses."
> ------------------------------------------
>
>
------------------------------------------------------------------------
> ---
>
------------------------------------------------------------------------
> ---
>
>
=====
------------------------------------------
Harlan Carvey, CISSP
"Windows Forensics and Incident Recovery" http://www.windows-ir.com
http://groups.yahoo.com/group/windowsir/
"Meddle not in the affairs of dragons, for
you are crunchy, and good with ketchup."
"The simplicity of this game amuses me.
Bring me your finest meats and cheeses."
------------------------------------------
------------------------------------------------------------------------
---
------------------------------------------------------------------------
---
------------------------------------------------------------------------
---
------------------------------------------------------------------------
---
[ reply ]