How To: Disable Windows games via GPO and Software Restriction Policies

It seems some users on my network have been enjoying 'Internet Spades' a little too much, so we needed an easy way to disable these applications from a central management location.

My environment: Windows AD 2003 with XP SP2 workstations.

Thou shalt not tempt me with Solitaire!

Of course, the first thought is to uninstall the games, but disabling them is the better course of action: an uninstalled game comes straight back the moment someone brings a copy in on a USB drive, whereas a restriction policy blocks that copy too.

Nah, why not be mean and tempt them with the game icon...?

So, with that, I jumped head-first into the world of Software Restriction Policies!

Here's a quick blurb from Microsoft about Software Restriction Policies:
Administrators can use software restriction policies to allow software to run. By using a software restriction policy, an administrator can prevent unwanted programs from running. This includes viruses and Trojan horse software, or other software that is known to cause problems.
In this case, my software that "is known to cause problems" is the set of games that came with Windows.

Software Restriction Policies give you four kinds of rule for controlling which programs may run:
  • Certificates
  • Hash
  • Internet Zone
  • Path
More info about each of these rules, again from Microsoft:
  • Hash - With a Hash rule, the administrator lists the program file to be blocked or explicitly permitted. It is hashed, resulting in a cryptographic fingerprint that remains the same regardless of the file name or location. You can use this method to prevent a particular version of a program from running, or to prevent a program from running no matter where it is located.
  • Certificate - You can build Certificate rules by providing a code-signing software publisher certificate. Like Hash rules, Certificate rules apply no matter where the program file is located or what it is named.
  • Path - Path rules apply to all programs that run from the specified local or network path, or from subfolders that are in the path.
  • Internet Zone - You can use Internet Zone rules to apply software restriction policy rules based on the Microsoft Internet Explorer security zone in which the program is run. Currently, these rules apply only to Microsoft Windows Installer packages that are run from the zone. Internet Zone rules do not apply to programs that are downloaded by Internet Explorer.
For my purposes, I'm going to stick with the Hash rule. This way, no matter where the program is located on the PC or what it is renamed to, it still will not run. The caveat is that a hash rule matches one exact set of bytes: a different build of the same game (another service pack, a hotfix, a copy someone patched by hand) has a different hash and sails past the rule, so you need one rule per version you expect to see. You could combine hash rules with path rules to catch the files wherever they normally live, but this is tedious to set up.

First step is to open the Group Policy Management Console (GPMC). If you don't see it on your workstation, you may need to install Adminpak.msi from the i386 folder of the Server CD; this installs the administrative snap-ins and the DLLs they depend on.

Note: You may need to get the updated Group Policy Management Console w/SP1 from Microsoft as well. This is a slightly more polished version of the console.

Once you have the console open, expand 'Group Policy Management'> 'Forest: xxxx' (where "xxxx" is your forest's name)> 'Domains'> your domain. Right-click 'Group Policy Objects'> 'New'.

When prompted, give your new policy a name (mine is "Test").

A decision has to be made... Apply to users or computers?

You can choose whether this policy applies to user objects or to computer objects. If you want it to apply to both, define the settings under both 'User Configuration' and 'Computer Configuration' (you can do this in the same policy).

Creating the rule

I need to apply this to my user objects, so right-click the new GPO> 'Edit' and, when the Group Policy Object Editor comes up, expand 'User Configuration'> 'Windows Settings'> 'Security Settings'.

If this is a brand-new policy, you should see the message:
"No Software Restriction Policies Defined. This group policy has no software restriction policies defined already on it. You can define such policies, but they will override policies defined by parent objects. To define software restriction policies, in the Action menu click Create New Policies."
Right-click 'Software Restriction Policies'> 'Create New Policies'.

In the right-hand pane (or below 'Security Settings' in the left pane), double click 'Additional Rules'.

When the list of rules appears - there should be four registry path rules already defined, which keep %SystemRoot% and Program Files 'Unrestricted' so Windows itself keeps working; leave them alone - right-click in the right-hand pane, and click 'New Hash Rule'.


You will see a 'New Hash Rule' dialog box appear.

This box lets you browse for the file in question (on your own system or across the network). Once you've selected the file, its hash is calculated and the 'File information' box is filled in automatically from the file's version details. If the file carries no such information, you can enter it manually.

Below this, you can set the Security level to 'Disallowed' or 'Unrestricted'. 'Unrestricted' is what you want if you have set the policy's default level to 'Disallowed' and are creating exceptions for the programs that are allowed to run.

Finally, in the Description field, you can enter whatever text you like.

When you hit 'OK', the rule will be applied to this GPO.

Apply the GPO to an OU

Your final step is to apply this GPO to an OU that contains user objects, by right-clicking the OU in question> 'Link an existing GPO'. Once the GPO is linked, workstations pick it up at the next background refresh (by default every 90 minutes, plus a random offset of up to 30 minutes) or at the next logon, and the programs you specified will be disallowed.

If you want to speed up the Group Policy update on a particular computer, run 'gpupdate /force' on the computer in question.

Not sure if the policy is applying correctly? Run 'gpresult' on the box (add '/v' for the individual settings) to get a detailed report of the policies applied to the logged-in user and to the computer.

So, now, when your user attempts to run a restricted program, they will see a message like the following:

"Windows cannot open the program because it has been prevented by a software restriction policy. For more information, open Event Viewer or contact your system administrator."
Each blocked launch is also logged in the Application event log on the workstation (source: Software Restriction Policies), which is the quickest way to confirm the rule, rather than something else, is what stopped the program. If some people are still able to run FreeCell and friends, their copy is probably a different build than the one you hashed; create an additional rule from their executable, since a hash rule only matches the exact version it was made from.
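The version mismatch above is easy to diagnose from the client side, because the rules that reached a workstation are stored in the registry (user-configuration rules under HKCU, computer-configuration rules under HKLM, beneath SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers, with a subkey per security level: 0 for Disallowed, 262144 for Unrestricted). The following PowerShell script is an added example, not part of the original post: it enumerates the hash rules that were delivered and checks whether the game executables on this box actually match one of them. It assumes the XP/2003-era rule format (an MD5 digest in ItemData with HashAlg 32771, plus the file size in ItemSize; newer Windows versions also write SHA-256 rules with HashAlg 32780) and, as a constructed default, the three classic games in %SystemRoot%\system32.

```powershell
# Added example (not from the original post): list the Software Restriction Policy
# hash rules present on this machine/user and check which local executables they cover.
# Assumptions: rules live under <hive>:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\<level>\Hashes,
# ItemData holds an MD5 (HashAlg 32771) or SHA-256 (HashAlg 32780) digest, ItemSize the file size.
param(
    # Constructed default: the games shipped with XP; pass your own list with -Paths.
    [string[]]$Paths = @("$env:SystemRoot\system32\freecell.exe",
                         "$env:SystemRoot\system32\sol.exe",
                         "$env:SystemRoot\system32\spider.exe")
)

# Level subkeys: 0 = Disallowed, 262144 (0x40000) = Unrestricted.
$levelNames = @{ 0 = 'Disallowed'; 262144 = 'Unrestricted' }

function Get-SrpHashRules {
    $rules = @()
    foreach ($hive in @('HKCU', 'HKLM')) {       # user-config GPO -> HKCU, computer-config -> HKLM
        $base = "${hive}:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers"
        if (-not (Test-Path $base)) { continue }
        foreach ($level in $levelNames.Keys) {
            $hashKey = Join-Path $base "$level\Hashes"
            if (-not (Test-Path $hashKey)) { continue }
            foreach ($sub in Get-ChildItem $hashKey) {
                $p = Get-ItemProperty $sub.PSPath
                if ($null -eq $p.ItemData) { continue }
                $rules += New-Object PSObject -Property @{
                    Hive    = $hive
                    Level   = $levelNames[$level]
                    HashAlg = [int]$p.HashAlg         # 32771 = MD5, 32780 = SHA-256
                    Digest  = ([System.BitConverter]::ToString([byte[]]$p.ItemData)).Replace('-', '')
                    Size    = [int64]$p.ItemSize
                    Name    = $p.FriendlyName
                    RuleId  = $sub.PSChildName
                }
            }
        }
    }
    return $rules
}

function Get-FileDigest([string]$Path, [int]$HashAlg) {
    # Hash the file with the same algorithm the rule was written with.
    $algo = if ($HashAlg -eq 32780) { [System.Security.Cryptography.SHA256]::Create() }
            else                    { [System.Security.Cryptography.MD5]::Create() }
    $stream = [System.IO.File]::OpenRead($Path)
    try   { return ([System.BitConverter]::ToString($algo.ComputeHash($stream))).Replace('-', '') }
    finally { $stream.Close() }
}

$rules = Get-SrpHashRules
"{0} hash rule(s) found under HKCU/HKLM Safer policy." -f $rules.Count

foreach ($path in $Paths) {
    if (-not (Test-Path $path)) { "{0}: not present on this machine" -f $path; continue }
    $size = (Get-Item $path).Length
    $hit  = $null
    foreach ($r in $rules) {
        # A rule matches only if both the recorded size and the digest agree,
        # so a different build of the same game never matches.
        if ($r.Size -eq $size -and (Get-FileDigest $path $r.HashAlg) -eq $r.Digest) { $hit = $r; break }
    }
    if ($hit) {
        "{0}: matched {1} rule '{2}' ({3})" -f $path, $hit.Level, $hit.Name, $hit.Hive
    } else {
        "{0}: no hash rule matches (MD5 {1}); the policy probably targets a different version" -f $path, (Get-FileDigest $path 32771)
    }
}
```

Run it as the affected user (so the HKCU rules are the ones delivered to them) right after 'gpupdate /force'. A file reported as "no hash rule matches" is exactly the case where you need to go back and hash that user's copy of the executable; a file reported as matched but still launching points at an enforcement setting rather than at the rule itself.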

4 comments:

Anonymous said...

fantastic!

very easy and helpful.

Thanks

maximillian_x said...

You're welcome...glad it helped you out!

Jason said...

Most Excellent walkthrough. Worked perfectly!

Anonymous said...

...and how would one reverse this from a non-admin point of view??
