Restrict software installation
Here goes: you can restrict software for specific users (never tried
that myself) or for all users on a specific machine. You can find the
templates for controlling software access in:
Computer Configuration > Windows Settings > Security Settings > Software Restriction Policies.
Right-click the node and choose "New Software Restriction Policy".
I usually tie the GPO for software restriction to an OU where computer
accounts are stored that I want to have the policy apply to. Generally
it will depend on your restriction policy as to how you will handle the
whole affair. There's the: "Allow everything to run except specified
items" outlook, and this lets users run everything you haven't locked
down freely. You could enter your doom.exe file etc here and make sure
that users can't run that specified application/tool/utility.
There is also the "don't allow applications of a certain type to run"
thinking, and here you can stop all files of a type (say all .VBS files)
but you can at the same time tell XP to allow VBS files that are signed
digitally from your department to run (that way you can still get the
flexibility of a script but stop users from executing them).
There is also a "full lockdown" philosophy. The "disallowed" option is
selected in the GPO rather than "unrestricted", and so nothing is
allowed to run except the OS and items you explicitly name. It's
heavy-handed, high-octane stuff, and can get you into trouble fast!
You can find out lots of ways of restricting software too: there is the
"hash" method whereby even if a user renames doom.exe to gloom.exe the
file still won't execute (there are ways around this though). There's a
"path rule" where you can specify to restrict applications based on
where they are on the hard drive; there are certificate rules (don't know
that much about this type); and zone rules (you're probably familiar
with these in IE). You could find out about these methods by searching
Google etc.
Phew!
I type this quickly, so accept my apologies if there are errors in
there. In any case, use the ADM template path given above and poke
around. Do you have a copy of the 2000/2003 Server resource kit? If so
there is an excellent book in there about Group Policies. I would also
recommend "Group Policy, Profiles, and Intellimirror" by Jeremy
Moskowitz which has taught me pretty much all I needed to know as far as
GPOs are concerned.
If you get stuck, shout and I'll see if I can help!
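
To check which of the rules described above a machine actually received from the GPO, this read-only PowerShell script (an added example, not part of the original post) lists the default security level plus any path and hash rules. It assumes computer-scope SRP settings are stored under the standard `HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers` key and that PowerShell 3.0 or later is available; `Get-SrpSummary` is a hypothetical helper name.

```powershell
# Added example: read-only report of the Software Restriction Policy on this machine.
# Assumption: computer-scope SRP lives under the standard policy key below.
$SrpRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

# Security level ids, which are also the subkey names holding the rules.
$Levels = @{ 0 = 'Disallowed'; 262144 = 'Unrestricted' }

function Get-SrpSummary {
    param([string]$Path = $SrpRoot)

    if (-not (Test-Path $Path)) {
        Write-Warning "No Software Restriction Policy found at $Path"
        return
    }

    # DefaultLevel decides between "allow everything except..." and full lockdown.
    $default = (Get-ItemProperty -Path $Path).DefaultLevel
    $name = if ($null -ne $default) { $Levels[[int]$default] } else { 'not set' }
    [pscustomobject]@{ Kind = 'Default'; Level = $name; Detail = "DefaultLevel=$default"; Description = '' }

    foreach ($id in $Levels.Keys) {
        foreach ($type in 'Paths', 'Hashes') {
            $ruleKey = Join-Path $Path "$id\$type"
            if (-not (Test-Path $ruleKey)) { continue }

            foreach ($rule in Get-ChildItem -Path $ruleKey) {
                $p = Get-ItemProperty -Path $rule.PSPath
                # Path rules store a string; hash rules store the raw hash bytes.
                $detail = if ($type -eq 'Hashes') {
                    ($p.ItemData | ForEach-Object { $_.ToString('x2') }) -join ''
                } else {
                    $p.ItemData
                }
                [pscustomobject]@{
                    Kind        = $type.TrimEnd('s')
                    Level       = $Levels[$id]
                    Detail      = $detail
                    Description = $p.Description
                }
            }
        }
    }
}

Get-SrpSummary | Format-Table -AutoSize
```

Run it from an elevated prompt on a computer in the OU the GPO is linked to, after `gpupdate /force`, to confirm the rules arrived as intended.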