Problem solve Get help with specific problems with your technologies, process and projects.

Preventing users from installing software

I need a better way of preventing users from installing software than simply setting permissions to folders. We are running Win2000.
To prevent the installation of software is not an easy thing. In Windows 2000 and XP, an ordinary user cannot install software that runs as a service or has components that do so. However, much software consists of executables and libraries, or is downloadable as Java scripts or applets, or VB scripts. If a user has hard drive space where they can write files, it is impossible to prevent them from ever installing some form of software.

However, that said, there are things you can do to make it harder to 'run' unauthorized software. Some of that is permission setting on registry keys and folders. Sorry, but that's a key protective action. You can also use Group Policy to list only the applications that can run (I know, that's a toughie). You can use Terminal Server in application mode and associate software with user groups and specifically identify which software runs when they log on. You can use Group Policy to prevent them from running certain system features, and thus prevent them from say, installing drivers, accessing command lines, adding items to the start menu, adding shortcuts to the desktop, etc. You then must ensure that apps they need to run are listed on their start menu. Another possibility is allowing only 'signed' applications to run (use Group Policy), but then you must ensure that all applications you wish to run are properly signed.

What I am saying here is that you can restrict users and lock them down pretty well with Group Policy. You must also do things such as stop autorun, and perhaps block use of CD-ROM drives and floppy drives. You will need to spend some time configuring IE to prevent the running of scripts that may install programs and use of Java and ActiveX.

This is beginning to sound like a lot of work yes? However, once done, it can be applied network wide using Group Policy.

Do test your work before deploying.

Editor's Note: Additional resources can be found in our Group Policy Best Web Links.

Dig Deeper on Windows 10 security and management

Have a question for an expert?

Please add a title for your question

Get answers from a TechTarget expert on whatever's puzzling you.

You will be able to add details on the next page.

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.