Re: run only allowed windows applications

From: Andrew Mitchell (amitchell_at_removecasey.vic.gov.au)
Date: 02/11/05 

Date: Fri, 11 Feb 2005 05:21:14 -0800

=?Utf-8?B?RmFicnVzc2lv?= <Fabrussio@discussions.microsoft.com> said

> I work in a school where security is always a problem. all our computers
> are w2k.
> The problem at the moment is students are bringing in regedit.exe on
> disk and running it, then importing .reg files that get around security
> set by GPO. If I did use 'run only allowed win apps' and they rename
> their regedit.exe to winword.exe (which will be allowed of course, will
> it still work for them?) Any ideas of other 3rd party software that can
> get round these kind of problems. We can not upgrade to XP.
>

You can still use software restriction policies to do this on Windows 2000.
I have done this on the computers of some troublesome users I have.

I don't have the details in front of me but IIRC it was something like:
-Make sure drives are formatted NTFS
-Make sure users do not have write or update access to c:\windows or c:
\program files.
-Use a GPO to prevent access to and hide the C drive from Explorer.
-Set a default software restriction policy to disallow all applications.
-Set another policy to allow .lnk and .url files to run from "c:\documents
and settings" (this allows shortcuts to run from the users profiles -
Desktop, Start menu etc.)
-Create another policy to allow any executable to run from C:\Windows and
subdirectories and "C:\Program Files" and subdirectories. As you have made
sure the users can't save anything here you are pretty safe.

When the users open Explorer they will only see their floppy drive, 'My
Documents", and their CD-ROM (if they have one). They will not be able to
run executables of any name from any of these locations and will not have
permission to copy them to c:\windows or c:\program files to run them from
there.
They can copy them to their desktops but, as they can only run shortcuts
from there, they still won't run.

You should also look at the policy to prevent Registry Editing tools
running. It won't stop all such tools but it will work with Regedit (even
if renamed) and TweakUI. 

-- 
Andy.

Relevant Pages

  • Local Group Policy - Novell mapped drives problem
    ... file name length of Novell mapped drives. ... Policy, all drive mappings done via server- ...
    (microsoft.public.windowsxp.security_admin)
  • RE: How to disable all floppy drives on the network
    ... How to disable all floppy drives on the network ... If you can disable the "Floppy Disk" driver through a policy, ... Note that disabling the floppy driver doesn't prevent people from sticking ...
    (Focus-Microsoft)
  • Re: Mapped F Drive - group policy update problem
    ... again the drives maps correctly. ... users save work locally(not our policy) and on the network. ... If this setting is disabled or not configured (Windows 2000 Server Family ... set to map in the user properties of ...
    (microsoft.public.windows.server.active_directory)
  • RE: How to disable all floppy drives on the network
    ... If you can disable the "Floppy Disk" driver through a policy, ... The "Hide these specified drives" user policy is also quite useful ... Note that disabling the floppy driver doesn't prevent people from sticking ...
    (Focus-Microsoft)
  • Re: XP in an NT Domain Issue - policy problems and drive mapping issues
    ... 1.)In NT I created a blank policy withing Policy Editor and saved this ... XP looks for policies to my new directory. ... Now I can make whatever changes are needed to get my drives to ... > on ?Primary Domain Controller'. ...
    (microsoft.public.windowsxp.help_and_support)