Focus on Microsoft
RE: Can we really block users from installing applications through Group policy? Oct 11 2004 12:57PM
Paul Aviles (paviles adjoined com) (1 replies)
Re: Can we really block users from installing applications through Group policy? Oct 12 2004 05:04PM
vic brown (vabrown mailer fsu edu)
Exceptions are handled based on OUs. If the GPO applies to a specific
users' OU, then you make sure that the exceptions are not part of that
OU. This is the reason why a good OU structure is important. Have a
"developers" OU, then a "marketing" OU, etc. A GPO applied to
"marketing" will not affect "developers". If a GPO however applies to
computers, and the same are shared by users of different levels, then
the process becomes a bit more complicated.

Paul Aviles wrote:
> Well you cannot ever just release a GPO and expect to fit everyone. From
> administrators to developers, people will need different access. How do
> you handle exceptions?
>
> -----Original Message-----
> From: Harlan Carvey [mailto:keydet89 (at) yahoo (dot) com]
> Sent: Friday, October 08, 2004 5:39 PM
> To: Paul Aviles; focus-ms (at) securityfocus (dot) com
> Cc: chang zhu
> Subject: RE: Can we really block users from installing applications through Group policy?
>
> Paul,
>
>>This is a very interesting topic. I think this approach will work, but
>>will also give you a lot of problems since many
>>applications including MS ones will need this.
>
> Need what? What problems are you referring to?
>
>>Additionally, how will you handle exceptions to the GPO?
>
> Well...as an exception.
>
>
>>-----Original Message-----
>>From: Harlan Carvey [mailto:keydet89 (at) yahoo (dot) com]
>>Sent: Friday, October 08, 2004 11:12 AM
>>To: focus-ms (at) securityfocus (dot) com
>>Cc: chang zhu
>>Subject: Re: Can we really block users from installing applications through Group policy?
>>
>>>The users are not local administrators. We configure
>>>group policy to prevent user installs but it seems
>>>that it blocks only .msi packages. Users still can
>>>install applications through ex. setup.exe...Can we
>>>really block users from installing applications
>>>through Group policy?
>>>
>>>Any idea or thoughts on this?
>>
>>Sure. Disable write access to certain locations of the
>>hard drive. While some applications require the ability
>>to write to a temp directory, most users shouldn't have
>>write access to the system32 dir...read and execute
>>usually suffice.
>>
>>First, though...some background. Do you have a policy
>>in place that states that users shall not install
>>software? If you do, the next step should be to put technical
>>measures in place to not only prevent it, but monitor it. Monitoring
>>can be done easily through freeware and WMI.
>>
>>>Plus, if we need to block users from saving .mp3 file
>>>on their computers, can we do it through group policy?
>>
>>Again, the first step should be a security policy.
>>Next, how do they download the .mp3s? If it's via
>>file sharing (or rather, pretty much any method other
>>than FTP, HTTP, or bringing in a CD), then there is
>>probably an *installed application* that they're
>>using. Also, there is very likely an *installed
>>application* they're using to play the .mp3s, right?
>>
>>You won't be able to completely prevent the download
>>of files to the local hard drive through ACLs...the
>>users still need some write access to the drive.
>>However, you *can* monitor this by simply using 'dir'.
>>Map a drive (x:\) and type the following command:
>>
>>c:\>dir /s x:\*.mp3
>>
>>If you want, you can follow this up with the judicious
>>use of 'del'.
>>
>>Hope that helps,
>>
>>
>>=====
>>------------------------------------------
>>Harlan Carvey, CISSP
>>"Windows Forensics and Incident Recovery" http://www.windows-ir.com
>>http://groups.yahoo.com/group/windowsir/
>>
>>"Meddle not in the affairs of dragons, for
>>you are crunchy, and good with ketchup."
>>
>>"The simplicity of this game amuses me.
>>Bring me your finest meats and cheeses."
>>------------------------------------------

--
___________ ___________
__/ V ;
@ Vic Brown |
| Comp Supp Spec |
| FSU-Panama |
> vabrown (at) fsu (dot) edu [email concealed] <
| Phone: (507)-314-0367 |
| mailer.fsu.edu/~vabrown |
@__________________________;
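
The OU-scoping point in the reply above, as an added example that is not part of the original thread: a PowerShell check that reports whether a restrictive GPO reaches each OU, so an exception OU can be verified instead of assumed. It assumes the GroupPolicy module (RSAT) is available; the OU paths, the GPO name "Block User Installs" and the function name Test-GpoScope are hypothetical.

```powershell
# Added example: confirm that a restrictive GPO reaches only the OUs it should.
# Requires the GroupPolicy module (RSAT). OU paths and GPO name are hypothetical.
Import-Module GroupPolicy

$restrictiveGpo = 'Block User Installs'           # hypothetical GPO display name
$expected = @{                                    # OU distinguished name -> should the GPO apply?
    'OU=Marketing,DC=example,DC=com'  = $true
    'OU=Developers,DC=example,DC=com' = $false    # the exception OU
}

function Test-GpoScope {
    param(
        [Parameter(Mandatory)] [string]    $GpoName,
        [Parameter(Mandatory)] [hashtable] $ExpectedByOu
    )
    foreach ($ou in $ExpectedByOu.Keys) {
        # InheritedGpoLinks is the resultant list for the OU: links on the OU itself
        # plus links inherited from parent containers.
        $som  = Get-GPInheritance -Target $ou
        $link = $som.InheritedGpoLinks |
                Where-Object { $_.DisplayName -eq $GpoName -and $_.Enabled }

        $applies = [bool]$link
        [pscustomobject]@{
            OU       = $ou
            Applies  = $applies
            Expected = $ExpectedByOu[$ou]
            # Target shows where the link lives; a link on a parent container is a
            # common reason an "exception" OU still receives the policy.
            LinkedAt = ($link | ForEach-Object { $_.Target }) -join '; '
            Enforced = [bool]($link | Where-Object { $_.Enforced })
            Result   = if ($applies -eq $ExpectedByOu[$ou]) { 'OK' } else { 'MISMATCH' }
        }
    }
}

Test-GpoScope -GpoName $restrictiveGpo -ExpectedByOu $expected |
    Format-Table -AutoSize
```

This checks link scope only; security filtering on the GPO can narrow it further, and gpresult /r on a client shows what was finally applied.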

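The ACL advice quoted above (users need read and execute on system32, not write), as an added example that is not part of the original thread: a PowerShell audit that lists allow entries granting write access to broad, non-administrative groups on system directories. The directory list and the function name Get-BroadWriteAce are assumptions; the groups are matched by well-known SID so the check also works on localized systems.

```powershell
# Added example: list ACL entries that let broad, non-admin groups write to
# system directories. The directory list below is an assumption; adjust as needed.
$paths = @("$env:SystemRoot\System32", $env:SystemRoot, $env:ProgramFiles)

# Well-known SIDs: Everyone, Authenticated Users, BUILTIN\Users.
$broadSids = @('S-1-1-0', 'S-1-5-11', 'S-1-5-32-545')

# Bits that allow creating files or subdirectories (Modify and FullControl include them).
$writeBits   = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData'
# ACLs on system directories can also carry raw generic rights.
$genericBits = 0x40000000 -bor 0x10000000          # GENERIC_WRITE, GENERIC_ALL

function Get-BroadWriteAce {
    param(
        [Parameter(Mandatory)] [string[]] $Path,
        [Parameter(Mandatory)] [string[]] $Sid
    )
    foreach ($p in $Path) {
        $acl = Get-Acl -LiteralPath $p
        # Ask for explicit and inherited rules with identities expressed as SIDs.
        $rules = $acl.GetAccessRules($true, $true,
                     [System.Security.Principal.SecurityIdentifier])
        foreach ($ace in $rules) {
            $rights   = [int]$ace.FileSystemRights
            $canWrite = ($rights -band ($writeBits -bor $genericBits)) -ne 0
            if ($ace.AccessControlType -eq 'Allow' -and $canWrite -and
                $Sid -contains $ace.IdentityReference.Value) {
                [pscustomobject]@{
                    Path      = $p
                    Sid       = $ace.IdentityReference.Value
                    Rights    = $ace.FileSystemRights
                    Inherited = $ace.IsInherited
                    # InheritOnly entries apply to children, not to the directory itself.
                    Flags     = "$($ace.InheritanceFlags) / $($ace.PropagationFlags)"
                }
            }
        }
    }
}

Get-BroadWriteAce -Path $paths -Sid $broadSids | Format-Table -AutoSize
```

An empty result means none of the listed groups holds a write-capable allow entry on those directories; it does not cover user-writable locations such as temp directories or profiles, which the quoted message notes users still need.
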