Q

How can we restrict user installs but still allow certain programs to write files to the registry or

How do I restrict a user from installing programs on their Windows 2000 computer without restricting programs installed that require writing files to the registry or system directory?
Program installation is always a toughie. Ideally, we'd like to make sure users can't install programs that are not allowed on our systems. There are two issues here, one of which you've pointed out.

But first, we need to think, what is a program? It's any executable. As such, it's pretty hard to prevent installation of all programs (i.e., if the user has write access he can copy an executable to the hard drive).

You can, however, restrict installation of other types of executables. For example, you can control the installation of programs that use the Windows Installer. Settings abound in group policy. To find them, open the GPO for the desired OU or domain, or even for a local computer, and expand the User and Computer Administrative Template containers. In each, you'll find a subfolder called Windows ComponentsWindows Installer. Several settings can be applied. (Remember that these only affect programs installed using Windows Installer, if another installation program is used these settings do not apply.) Here are some settings that may fulfill your needs:

  • "Always install with elevated privileges": if this setting is enabled, the program can be installed even if it requires the ability to write to the registry or file system where the user has no permissions. The installer will run under system privileges. To make this program work, you must configure it both in the computer and user administrative template settings. If it is not enabled, or not configured in both, the privileges of the user running the installation program will be used, and as you no doubt have experienced, the installation will fail.

  • Please be aware that this setting can become a security risk, as sophisticated users can use it to obtain elevated, privileged access. (See Warnings in the Explain tab on the setting choice.)

  • Finally, if you know exactly where the installation program needs to write, you could modify ACLs on these areas to allow the user account to write to them. However, note that this would allow them to write there at any time, while the other solution above only allows it when using the Windows Installer.

Remember that no solution is perfect and you may want to add some auditing to ensure users are not taking advantage of your solution and to look for malicious code, some periodic cleanup that removes unauthorized code and some user education to promote buy-in to your security policies. While you're not going to convince all employees to do the right thing (by not doing the wrong thing), I've often found that most people want to do what's best, and for the rest? Well, you get to tell them what will happen if security policy is not followed.
This was first published in October 2002
This Content Component encountered an error

Pro+

Features

Enjoy the benefits of Pro+ membership, learn more and join.

Have a question for an expert?

Please add a title for your question

Get answers from a TechTarget expert on whatever's puzzling you.

You will be able to add details on the next page.

0 comments

Oldest 

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

-ADS BY GOOGLE

SearchVirtualDesktop

SearchWindowsServer

SearchExchange

Close