Saturday, November 12, 2005

Software Restrictions

I've never used Software Restriction Policies in Windows before. They were introduced with Windows XP and Windows Server 2003.

I have used the Group Policy "User Configuration/Administrative Templates/System/Run only allowed Windows applications" before. The problem with this policy is that it only works from Explorer. What if you don't want users to have access to Explorer? What if you need users to have access to Cmd or Task Manager, both of which can launch programs regardless of this policy?

Well, the answer is Software Restriction Policies. With enforcement set to apply to all users except local administrators, you can set the policy's default security level to Disallowed. No program will run unless you have a rule that allows it.

Now, the default rules are OK for starters: they allow most software under %ProgramFiles% and %SystemRoot% to run. But for my application, I did not want any program to run without a specific rule.

So I disallowed all the default rules and started logging on. I watched the Event Viewer for policy violations until I found all the programs that needed to be allowed:

Name,Type,Security Level
%Temp%\getpaths.cmd,Path,Unrestricted
C:\WINDOWS\Application Compatibility Scripts\acregl.exe,Path,Unrestricted
C:\WINDOWS\Application Compatibility Scripts\end.cmd,Path,Unrestricted
C:\WINDOWS\Application Compatibility Scripts\rootdrv.cmd,Path,Unrestricted
C:\WINDOWS\Application Compatibility Scripts\setpaths.cmd,Path,Unrestricted
C:\WINDOWS\system32\notepad.exe,Path,Unrestricted
C:\WINDOWS\system32\userinit.exe,Path,Unrestricted
C:\WINDOWS\system32\usrlogon.cmd,Path,Unrestricted

This policy let users run Notepad on the Terminal Server cluster, as I outlined in my last post, but nothing else.
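To show how the rule list above decides whether a launch is allowed, here is an added Python model of the policy (example code, not from the post): default level Disallowed, the post's path rules, and the most specific matching path winning. The %Temp% value and the sample launches are constructed.

```python
import ntpath
import re

# Path rules copied from the post's exported list (Name,Type,Security Level).
RULES_CSV = r"""Name,Type,Security Level
%Temp%\getpaths.cmd,Path,Unrestricted
C:\WINDOWS\Application Compatibility Scripts\acregl.exe,Path,Unrestricted
C:\WINDOWS\Application Compatibility Scripts\end.cmd,Path,Unrestricted
C:\WINDOWS\Application Compatibility Scripts\rootdrv.cmd,Path,Unrestricted
C:\WINDOWS\Application Compatibility Scripts\setpaths.cmd,Path,Unrestricted
C:\WINDOWS\system32\notepad.exe,Path,Unrestricted
C:\WINDOWS\system32\userinit.exe,Path,Unrestricted
C:\WINDOWS\system32\usrlogon.cmd,Path,Unrestricted"""

# Constructed environment for one logged-on user; %Temp% really comes from
# the user's profile, so the rule expands differently per session.
ENV = {"temp": r"C:\Documents and Settings\alice\Local Settings\Temp"}
DEFAULT_LEVEL = "Disallowed"   # the post sets the default level to Disallowed


def normalize(path, env=ENV):
    """Expand %VAR% (case-insensitive) and fold case/separators for comparison."""
    expanded = re.sub(r"%([^%]+)%", lambda m: env.get(m.group(1).lower(), m.group(0)), path)
    return ntpath.normpath(expanded).lower()


def load_rules(csv_text=RULES_CSV):
    """Parse the exported rule list into (normalized path, level) pairs."""
    rules = []
    for line in csv_text.splitlines()[1:]:        # skip the header row
        name, kind, level = line.rsplit(",", 2)
        if kind == "Path":
            rules.append((normalize(name), level))
    return rules


def evaluate(program, rules=None, default=DEFAULT_LEVEL):
    """Return the level SRP applies to `program`: a path rule matches the exact
    file or anything below a folder of that name, the most specific (longest)
    matching rule wins, and with no match the default level applies.
    Wildcard, hash and certificate rules are not modelled (the post uses none)."""
    target = normalize(program)
    best = None
    for rule_path, level in rules or load_rules():
        if target == rule_path or target.startswith(rule_path + "\\"):
            if best is None or len(rule_path) > len(best[0]):
                best = (rule_path, level)
    return best[1] if best else default


def blocked(launches, rules=None):
    """Mimic the Event Viewer review: the launches this policy would refuse."""
    return [p for p in launches if evaluate(p, rules) == "Disallowed"]
```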

For more information, check out this link:

Using Software Restriction Policies to Protect Against Unauthorized Software
