Q

Preventing users from installing software

I need a better way of preventing users from installing software than simply setting permissions to folders. We are running Win2000.

To prevent the installation of software is not an easy thing. In Windows 2000 and XP, an ordinary user cannot install software that runs as a service or has components that do so. However, much software consists of executables and libraries, or is downloadable as Java scripts or applets, or VB scripts. If a user has hard drive space where they can write files, it is impossible to prevent them from ever installing some form of software.

However, that said, there are things you can do to make it harder to 'run' unauthorized software. Some of that is permission setting on registry keys and folders. Sorry, but that's a key protective action. You can also use Group Policy to list only the applications that can run (I know, that's a toughie). You can use Terminal Server in application mode and associate software with user groups and specifically identify which software runs when they log on. You can use Group Policy to prevent them from running certain system features, and thus prevent them from, say, installing drivers, accessing command lines, adding items to the start menu, adding shortcuts to the desktop, etc. You then must ensure that apps they need to run are listed on their start menu. Another possibility is allowing only 'signed' applications to run (use Group Policy), but then you must ensure that all applications you wish to run are properly signed.

What I am saying here is that you can restrict users and lock them down pretty well with Group Policy. You must also do things such as stop autorun, and perhaps block use of CD-ROM drives and floppy drives. You will need to spend some time configuring IE to prevent the running of scripts that may install programs and use of Java and ActiveX.

This is beginning to sound like a lot of work, yes? However, once done, it can be applied network wide using Group Policy.

Do test your work before deploying.

Editor's Note: Additional resources can be found in our Group Policy Best Web Links.

This was first published in August 2002
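
As an added example (not part of the original answer), the "test your work" step can be partly automated by exporting a test user's policy keys with regedit and checking them for the gaps the answer warns about. The registry values checked here (`RestrictRun`, `NoDriveTypeAutoRun`, `DisableCMD`) are the ones the corresponding user-level Group Policy settings write; the sample export is constructed, and the function names `parse_reg` and `audit` are hypothetical.

```python
import re

# Registry keys that hold the user-level policy values for allowed
# applications, Autoplay and command prompt access (paths lower-cased).
EXPLORER = r"hkey_current_user\software\microsoft\windows\currentversion\policies\explorer"
SYSTEM = r"hkey_current_user\software\policies\microsoft\windows\system"

# Constructed sample: regedit text export of one test user's policy keys.
SAMPLE_REG = r'''REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"RestrictRun"=dword:00000001
"NoDriveTypeAutoRun"=dword:00000095

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\RestrictRun]
"1"="winword.exe"
"2"="excel.exe"
"3"="cmd.exe"
'''

def parse_reg(text):
    """Parse a regedit export into {key: {value_name: int or str}}, lower-cased."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        m = re.match(r'"([^"]*)"=(dword:([0-9a-fA-F]{1,8})|"(.*)")$', line)
        if m and current is not None:
            current[m.group(1).lower()] = int(m.group(3), 16) if m.group(3) else m.group(4).lower()
    return keys

def audit(text):
    """Return a list of lockdown gaps found in the exported policy keys."""
    keys = parse_reg(text)
    explorer, system = keys.get(EXPLORER, {}), keys.get(SYSTEM, {})
    allowed = set(keys.get(EXPLORER + r"\restrictrun", {}).values())
    gaps = []
    if explorer.get("restrictrun") != 1:
        gaps.append("application allowlist not enforced")
    # The allowlist only covers programs started from Explorer, so a permitted
    # command interpreter lets the user start anything else from it.
    for shell in sorted(allowed & {"cmd.exe", "command.com"}):
        gaps.append("allowlist permits " + shell)
    if explorer.get("nodrivetypeautorun") != 0xFF:  # 0xFF = off for all drive types
        gaps.append("autorun not disabled on all drive types")
    if system.get("disablecmd") not in (1, 2):  # 1 or 2 = prompt disabled
        gaps.append("command prompt not disabled")
    return gaps

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_REG)))
```

The check covers only the per-user (HKEY_CURRENT_USER) values in the export; folder and registry permissions, signed-application rules and IE settings need their own tests.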
