

How can I prevent users from installing any software

Posted on 2003-02-23
Medium Priority
Last Modified: 2013-12-04
How can I prevent users from installing any software on their computers? I want to prevent any software installation even if it doesn’t update the registry. Also, I want to prevent all users from running any exe file not installed by an Administrator.
Can you help me please?
Thank you

Question by:nilehawk

Expert Comment

ID: 8002754
Set up a domain policy for all workstations; it is very easy to set up, and a lot easier if you are running ADS.

Expert Comment

ID: 8002812
Greetings nilehawk,

The first thing to realize is that you cannot secure Windows 2000 systems that are installed on FAT file systems, so be sure to use NTFS and limit access to running programs from another (FAT) partition or drive, including removable media drives.

Go to:

(This is also contained in the Help files on a W2K Pro workstation.)

Select the Index tab, navigate to Security / Default settings / Default security settings.

In the right pane select the "users" settings. This will give you an overview of the default settings.

Navigate to Related Topics in the workstation help files, or Predefined Security Templates on the web page, and look at the procedures for installing the Compatible Workstation / Server security template to further control access by users. (compatws.inf)

Author Comment

ID: 8002839
I am using NTFS. I know that I can set up a domain policy, but which policy? Is there a built-in policy in Windows 2000 that needs to be activated, or do I have to create this policy?
If I have to create this policy, then how do I do this?
Thank you


Expert Comment

ID: 8003661
FAT or NTFS can be restricted, by putting users in the "user" group and not in the Admin or power users groups. I have touched on this many times, here are the previous posts. NTFS is great, but I think you'll find that groups will speed up the process. Locking the registry is also a good option, and there are tons of built-in security functions, go to start>run and type:
under local policies you'll see auditing, and security settings. The ADM files will help you out tremendously.
Here are the links from previous posts:

The EXE thing, that will be tough, you'll have to find every exe, and make sure that the exe's you do want run are in a folder with the proper NTFS perms... What you can do, is lock the machine down real nice, and remove any exe's that you don't want them to access. Also without privileges, they won't be able to do much, and if you can stay pretty current with your updates and patches, then you won't have much to worry about. After SP in 2k, it's pretty hard to get your privileges escalated, not impossible, but tough. The guest accounts don't have rights to do snit;)

Author Comment

ID: 8006603
I want to use the user group because it is easier and faster, as NEOsporinc said.
Also, I locked the registry, but there are some exe and some setup files that don’t update the registry.
NEO, I didn’t understand what you said about "The EXE thing ... you do want run are in a folder with the proper NTFS perms".
What do you want me to do?
Thank you

Expert Comment

ID: 8008152
With group policies you can keep people from running specific file names such as setup.exe.  There is a User Policy under Administrative Templates - System called "Don't run specified Windows Applications."  You can enable this and add common installation exe's such as setup, install, etc.  Beware this policy is only looking for the string, so if the users are smart they can copy programs to their temp directory, rename the installer and run.  But at least it's a start.
As far as the EXE that only admins install, that's possible, but you'd better be ready to sit down and go through each exe on the system to determine what permissions are needed to run.  Also, users have to have some kind of read/write permission somewhere on their local disk, so how are you going to stop them in those locations?  These are the questions that have been trying admins' souls for years!!

Expert Comment

ID: 8042711
I had the same problem and I fixed it simply by disabling the installer service.

Author Comment

ID: 8051098
Hi geoff_h,
All you have done is disabling the Microsoft installer service!!
Good idea, but is this working for all software? What about the updates [I mean an updated version of the software sent remotely to the user, not a new installation]? From where can I disable this service?

Accepted Solution

trywaredk earned 1200 total points
ID: 8621615
Here's what to do:

As NEOSPORIN told you, the users must only be member of the local users group, thus not being able to install programs.

Builtin and predefined groups in Windows 2000 Pro

Tell your users, not to download or install anything, because you are auditing, what they are doing:

Enabling Windows Security Auditing
a. In the right pane, double-click the policy that you want to enable or disable. Choose Audit object access (successful)

Setting, Viewing, Changing, or Removing Windows File or Folder Auditing:
a. Choose the root of drive C:
b. Choose Reset auditing entries on all child objects ...
c. Choose Add
d. In the Name box, choose domain users.
e. Choose This folder, subfolders and files
f. Choose Traverse Folder / Execute file (successful)
g. Don't choose Apply these auditing entries to objects

How to Archive a Windows Security Log:
a. Don't  - use EventComb (number 3 below)
b. Look for event id 560
c. If you choose to save, then save as *.txt - then you can search for .exe

Security Guide Scripts Download:
With EventComb from Microsoft you can view all your event logs from one machine. The program allows you to scan your network and bring in all events that match certain criteria, e.g. type = error, event ID, etc. The tool is part of the software included in Security Operations Guide for Windows 2000.

4. Install every program yourself - maybe using a system management tool.

Many Regards
Jorgen Malmgren

:o) Your brain is like a parachute. It works best when it's open
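
The log search described in the answer above (save the Security log as text, look for event ID 560, search for .exe), as an added example that is not part of the original post. The tab-delimited column order, the list of admin-only install directories and the sample rows are assumptions constructed for illustration.

```python
import csv
import io
import re
from collections import Counter

# Constructed sample rows. Assumed tab-delimited columns:
# Date, Time, Source, Type, Category, Event ID, User, Computer, Description
SAMPLE_EXPORT = "\n".join([
    "2/24/2003\t9:14:02 AM\tSecurity\tSuccess Audit\tObject Access\t560\tCORP\\jdoe\tWS01\t"
    "Object Open: Object Name: C:\\Documents and Settings\\jdoe\\Desktop\\setup.exe Accesses: Execute/Traverse",
    "2/24/2003\t9:15:40 AM\tSecurity\tSuccess Audit\tObject Access\t560\tCORP\\jdoe\tWS01\t"
    "Object Open: Object Name: C:\\WINNT\\system32\\notepad.exe Accesses: Execute/Traverse",
    "2/24/2003\t9:20:11 AM\tSecurity\tSuccess Audit\tLogon/Logoff\t528\tCORP\\asmith\tWS02\t"
    "Successful Logon: User Name: asmith",
    "2/24/2003\t9:31:05 AM\tSecurity\tSuccess Audit\tObject Access\t560\tCORP\\asmith\tWS02\t"
    "Object Open: Object Name: C:\\Temp\\tool.exe Accesses: Execute/Traverse",
    "2/24/2003\t9:33:47 AM\tSecurity\tSuccess Audit\tObject Access\t560\tCORP\\asmith\tWS02\t"
    "Object Open: Object Name: C:\\Documents and Settings\\asmith\\notes.txt Accesses: ReadData",
])

# Assumption: only administrators can write to these directories.
ADMIN_INSTALLED = ("c:\\winnt\\", "c:\\program files\\")
OBJECT_NAME = re.compile(r"Object Name:\s*(.+?\.exe)(?=\s|$)", re.IGNORECASE)

def find_unapproved_exe_events(export_text, approved=ADMIN_INSTALLED):
    """Return event 560 rows whose object is an .exe outside the approved directories."""
    hits = []
    reader = csv.reader(io.StringIO(export_text), delimiter="\t", quoting=csv.QUOTE_NONE)
    for row in reader:
        if len(row) < 9 or row[5].strip() != "560":
            continue  # not an object-access audit event
        match = OBJECT_NAME.search(row[8])
        if not match:
            continue  # audited object is not an .exe
        path = match.group(1).strip()
        if path.lower().startswith(approved):
            continue  # executable lives where only an admin could have put it
        hits.append({"date": row[0], "time": row[1], "user": row[6],
                     "computer": row[7], "path": path})
    return hits

def count_by_user(hits):
    """Summarise flagged executions per account for follow-up."""
    return Counter(hit["user"] for hit in hits)
```

Matching on the directory rather than the file name means a renamed installer in a user-writable folder is still reported.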

Author Comment

ID: 8627432
Thank you Jorgen for your answer

Expert Comment

ID: 8631189
:o) Glad I could help you - thank you for the accepted answer points

Maybe you should consider if NEOSPORIN should have assisted answer points (number 1 of my 4 answers).
