Step-by-Step Guide

Step 4: The "block the application" approach

Locking down unwanted application installations -- i.e., keeping non-administrators from installing software -- should be a standard policy for any company. It not only keeps chat and P2P software out, but it also prevents users from breaking or overwriting other software you do want.

If you want to allow people to install their own software but don't want to allow IM/P2P applications, use a more targeted approach to stop specific executables from running. If you're using Active Directory in a domain, you can configure a Group Policy to prevent specific applications from running -- a process described in detail in Microsoft Knowledge Base article 323525. This, however, requires that you have the exact name of the executable to block (such as MSMSGS.EXE for MSN Messenger). If someone's using a program that can simply be renamed to something else, this approach won't work, so it may only work with the most obvious programs.

Even better is a hash rule, which works not by blocking an executable by name but by creating a cryptographic hash of the file you want to block. This is far more precise and will withstand the file being renamed, but it will only work on one specific version of any given executable. If an update for the program comes out, you must create a new hash.

To create a hash rule on a given machine:

  1. Type Start | Run | secpol.msc on the machine in question.
  2. Double-click Software Restriction Policies and select Additional Rules. If Software Restriction Policies has not been enabled yet, first create a new policy by following the instructions shown on that page.
  3. Right-click Additional Rules and select New Hash Rule.
  4. Click Browse to find the file you want to create a hash for and select "Disallowed" under Security Level. Fill in the rest of the boxes as needed.
  5. Click OK to close all the forms.

To create a hash rule security policy for a domain or organizational unit rather than a single machine:

  1. Type dsa.msc from Start | Run.
  2. Right-click on the domain or OU to apply the policy to it and select Properties | Group Policy tab | New/Edit.
  3. Drill down to User Configuration | Windows Settings | Security Settings | Software Restriction Policies and continue as above from step three.
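As an added illustration (not code from the article or from Windows), the following Python simulation contrasts the two approaches described above: a rule keyed on the executable's name versus a hash rule keyed on the file's contents. The file contents and names are constructed samples, and SHA-256 is assumed as the hash algorithm for the demonstration; the snap-in computes and stores its own hash.

```python
"""Name rule vs hash rule: why renaming defeats one but not the other."""
import hashlib
from dataclasses import dataclass, field

# Constructed stand-ins for two versions of a messenger executable.
# Real binaries are not needed to show how the two rule types behave.
MESSENGER_V1 = b"MZ\x90\x00 messenger build 6.2 (constructed sample)"
MESSENGER_V2 = b"MZ\x90\x00 messenger build 7.0 (constructed sample)"


def file_hash(content: bytes) -> str:
    """Hash used by the hash rule (SHA-256, assumed for this demo)."""
    return hashlib.sha256(content).hexdigest()


@dataclass
class Policy:
    blocked_names: set = field(default_factory=set)   # name-based rules
    blocked_hashes: set = field(default_factory=set)  # hash rules

    def add_name_rule(self, name: str) -> None:
        # Executable names on Windows are case-insensitive.
        self.blocked_names.add(name.lower())

    def add_hash_rule(self, content: bytes) -> None:
        # The rule records the hash of this exact file version only.
        self.blocked_hashes.add(file_hash(content))

    def decide(self, name: str, content: bytes) -> str:
        """Return 'blocked-by-name', 'blocked-by-hash' or 'allowed'."""
        if name.lower() in self.blocked_names:
            return "blocked-by-name"
        if file_hash(content) in self.blocked_hashes:
            return "blocked-by-hash"
        return "allowed"


def demo() -> dict:
    """Evaluate the three cases the article discusses."""
    policy = Policy()
    policy.add_name_rule("MSMSGS.EXE")
    policy.add_hash_rule(MESSENGER_V1)
    return {
        "original": policy.decide("msmsgs.exe", MESSENGER_V1),
        "renamed": policy.decide("notes.exe", MESSENGER_V1),  # slips past the name rule only
        "updated": policy.decide("notes.exe", MESSENGER_V2),  # new version needs a new hash
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```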

Blocking IM and P2P




  • ABOUT THE AUTHOR:
    Serdar Yegulalp is editor of the Windows Power Users Newsletter. Check it out for the latest advice and musings on the world of Windows network administrators -- and please share your thoughts as well!

    Copyright 2005 TechTarget

    This was first published in January 2006
