Focus on Microsoft
RE: Can we really block users from installing applications through Group policy? Oct 12 2004 11:04PM
Sullivan Tim P (tim nativemode com)
This is when you could use WMI filtering perhaps, or security
restrictions on the GPO itself.

Tim

-----Original Message-----
From: vic brown [mailto:vabrown (at) mailer.fsu (dot) edu [email concealed]]
Sent: Tuesday, October 12, 2004 10:05 AM
To: Paul Aviles; focus-ms (at) securityfocus (dot) com [email concealed]
Subject: Re: Can we really block users from installing applications
through Group policy?

Exceptions are handled based on OUs. If the GPO applies to a specific
users' OU, then you make sure that the exceptions are not part of that
OU. This is the reason why a good OU structure is important. Have a
"developers" OU, then a "marketing" OU, etc. A GPO applied to
"marketing" will not affect "developers". If a GPO however applies to
computers, and the same are shared by users of different levels, then
the process becomes a bit more complicated.

Paul Aviles wrote:
> Well you cannot ever just release a GPO and expect to fit everyone.
> From administrators to developers people will need different access.
> How do you handle exceptions?
>
> -----Original Message-----
> From: Harlan Carvey [mailto:keydet89 (at) yahoo (dot) com [email concealed]]
> Sent: Friday, October 08, 2004 5:39 PM
> To: Paul Aviles; focus-ms (at) securityfocus (dot) com [email concealed]
> Cc: chang zhu
> Subject: RE: Can we really block users from installing applications
> through Group policy?
>
>
> Paul,
>
>
>>This is a very interesting topic. I think this approach will work, but
>>will also give you a lot of problems since many applications including
>>MS ones will need this.
>
>
> Need what? What problems are you referring to?
>
>
>>Additionally, how will you handle exceptions to the GPO?
>
>
> Well...as an exception.
>
>
>>-----Original Message-----
>>From: Harlan Carvey [mailto:keydet89 (at) yahoo (dot) com [email concealed]]
>>Sent: Friday, October 08, 2004 11:12 AM
>>To: focus-ms (at) securityfocus (dot) com [email concealed]
>>Cc: chang zhu
>>Subject: Re: Can we really block users from installing applications
>>through Group policy?
>>
>>>The users are not local administrators. We configure group policy to
>>>prevent user installs but it seems that it blocks only .msi packages.
>>>Users still can install applications through ex. setup.exe...Can we
>>>really block users from installing applications through Group policy?
>>>
>>>Any idea or thoughts on this?
>>
>>Sure. Disable write access to certain locations of the hard
>>drive. While some applications require the ability to write to a temp
>>directory, most users shouldn't have write access to the system32
>>dir...read and execute usually suffice.
>>
>>First, though...some background. Do you have a policy in place that
>>states that users shall not install software? If you do, the next
>>step should be to put technical measures in place to not only prevent
>>it, but monitor it. Monitoring can be done easily through freeware
>>and WMI.
>>
>>
>>>Plus, if we need to block users from saving .mp3 file on their
>>>computers, can we do it through group policy?
>>
>>Again, the first step should be a security policy.
>>Next, how do they download the .mp3s? If it's via file sharing (or
>>rather, pretty much any method other than FTP, HTTP, or bringing in a
>>CD), then there is probably an *installed application* that they're
>>using. Also, there is very likely an *installed
>>application* they're using to play the .mp3s, right?
>>
>>You won't be able to completely prevent the download of files to the
>>local hard drive through ACLs...the users still need some write access
>>to the drive.
>>However, you *can* monitor this by simply using 'dir'.
>>Map a drive (x:\) and type the following command:
>>
>>c:\>dir /s x:\*.mp3
>>
>>If you want, you can follow this up with the judicious use of 'del'.
>>
>>Hope that helps,
>>
>>
>>=====
>>------------------------------------------
>>Harlan Carvey, CISSP
>>"Windows Forensics and Incident Recovery" http://www.windows-ir.com
>>http://groups.yahoo.com/group/windowsir/
>>
>>"Meddle not in the affairs of dragons, for you are crunchy, and good
>>with ketchup."
>>
>>"The simplicity of this game amuses me.
>>Bring me your finest meats and cheeses."
>>------------------------------------------
>
> =====
> ------------------------------------------
> Harlan Carvey, CISSP
> "Windows Forensics and Incident Recovery" http://www.windows-ir.com
> http://groups.yahoo.com/group/windowsir/
>
> "Meddle not in the affairs of dragons, for you are crunchy, and good
> with ketchup."
>
> "The simplicity of this game amuses me.
> Bring me your finest meats and cheeses."
> ------------------------------------------

--
___________ ___________
__/ V ;
@ Vic Brown |
| Comp Supp Spec |
| FSU-Panama |
> vabrown (at) fsu (dot) edu [email concealed] <
| Phone: (507)-314-0367 |
| mailer.fsu.edu/~vabrown |
@__________________________;
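
Added example (not part of the thread, and not code from any of the posters): a PowerShell version of the 'dir /s x:\*.mp3' sweep that also covers setup.exe-style installers and records each file's owner, so the results can be followed up per user. Find-PolicyFile and the sample tree under the temp directory are hypothetical names constructed for the illustration.

```powershell
# Audit sweep in the spirit of 'dir /s x:\*.mp3' (added example).
# Find-PolicyFile is a hypothetical helper name, not an existing cmdlet.
function Find-PolicyFile {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Root,
        [string[]] $Extension = @('.mp3', '.exe', '.msi')
    )
    Get-ChildItem -LiteralPath $Root -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $Extension -contains $_.Extension.ToLowerInvariant() } |
        ForEach-Object {
            $file  = $_
            # The owner is read from the file's security descriptor; it stays
            # 'unknown' when the auditing account cannot read the ACL.
            $owner = 'unknown'
            try {
                $owner = (Get-Acl -LiteralPath $file.FullName -ErrorAction Stop).Owner
            } catch { }
            [pscustomobject]@{
                Owner     = $owner
                Extension = $file.Extension.ToLowerInvariant()
                SizeKB    = [math]::Round($file.Length / 1KB, 1)
                Modified  = $file.LastWriteTime
                Path      = $file.FullName
            }
        }
}

# Constructed sample tree so the sweep runs offline; in practice -Root
# would be the mapped drive from the thread (x:\).
$root = Join-Path ([IO.Path]::GetTempPath()) 'sweep-demo'
New-Item -ItemType Directory -Path (Join-Path $root 'alice\Music') -Force | Out-Null
New-Item -ItemType Directory -Path (Join-Path $root 'bob\Downloads') -Force | Out-Null
Set-Content -Path (Join-Path $root 'alice\Music\track01.mp3') -Value 'x'
Set-Content -Path (Join-Path $root 'bob\Downloads\setup.exe') -Value 'x'
Set-Content -Path (Join-Path $root 'bob\Downloads\notes.txt') -Value 'x'

$hits = Find-PolicyFile -Root $root
$hits | Sort-Object Owner, Path | Format-Table -AutoSize

# Per-owner totals: the list to follow up on under the written policy.
$hits | Group-Object Owner | Select-Object Name, Count
```

On the constructed tree the sweep reports track01.mp3 and setup.exe and skips notes.txt.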
