?
Solved

How can I prevent user from installing any software

Posted on 2003-02-23
11
Medium Priority
?
775 Views
Last Modified: 2013-12-04
How can I prevent user from installing any software on there computers? I want to prevent any software installation even it doesn’t update the registry. Also I want to prevent all users from running any exe file not installed by an Administrator.
Can you help me please?
 thank you

0
Comment
Question by:nilehawk
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
11 Comments
 
LVL 1

Expert Comment

by:bcastaldo
ID: 8002754
set up a domain policy for all workstations, very easy to setup, alot easier if you are running ADS.
0
 
LVL 1

Expert Comment

by:techtalk
ID: 8002812
Greetings nilehawk,

The first thing to realize is that you cannot secure Windows 2000 systems that are installed on FAT file systems, so be sure to use NTFS and limit access to running programs from another (FAT) partition or drive, including removable media drives.

Got to:
http://www.microsoft.com/windows2000/en/professional/help/

(This is also contained in the Help files on a W2K Pro workstation.)

Select the Index tab, navigate to Security / Default settings / Default security settings.

In the right pane select the "users" settings. This will give you an overview of the default settings.

Navigate to Related Topics in the workstation help files, or Predefined Security Templates on the web page, and look at the procedures for installing the Compatible Workstation / Server security template to further control access by users. (compatws.inf)
0
 

Author Comment

by:nilehawk
ID: 8002839
Hi
I am using NTFS. I know that I can set up a domain policy, but which policy? Is there is a built in policy in windows2000 need to be activated or I have to create this policy?
 If I have to create this policy then how I will do this?
thank you
0
Optimize your web performance

What's in the eBook?
- Full list of reasons for poor performance
- Ultimate measures to speed things up
- Primary web monitoring types
- KPIs you should be monitoring in order to increase your ROI

 
LVL 2

Expert Comment

by:NEOsporin
ID: 8003661
Fat or NTFS can be restricted, by putting users in the "user" group and not in the Admin or power user's groupd. I have touched on this many times, here are the previous posts. NTFS is great, but I think you'll find that groups will speed up the process. Locking the registry is also a good option, and there are tons of builtin security functions, go to start>run and type:
SECPOL.MSC
under local policies you'll see auditing, and security settings. The ADM files will help you out tremendiously.
here are the links from previous post's:
http://support.microsoft.com/?kbid=301195
http://www.microsoft.com/windows2000/en/server/help/default.asp?url=/windows2000/en/server/help/gpe_shippedadms.htm
http://support.microsoft.com/?kbid=297780
http://www.microsoft.com/windows2000/en/professional/help/default.asp?url=/windows2000/en/professional/help/windows_security_default_settings.htm

The EXE thing, that will be tough, you'll have to find every exe, and make sure that the exe's you do want run are in a folder with the proper NTFS perms... What you can do, is lock the machine down real nice, and remove any exe's that you don't want them to access. Also without priviledges, they won't be able to do much, and if you can stay prett current with your updates and patches, then you won't have much to worry about. After SP in 2k, it's pretty hard to get your privledges escalted, not impossible, but tough. The guest's account don't have rights to do snit;)
GL
-NEO
0
 

Author Comment

by:nilehawk
ID: 8006603
Hi
 I want to use user group becuae it is easer and faster as NEOsporinc said.
 also i locked the registry but there is some exe and some setup files that don’t update the registry
NEO I didn’t understand what you said about The EXE thing you do want run are in a folder with the proper NTFS perms
What do you want me to do ??
Thank you
nilehawk
0
 
LVL 13

Expert Comment

by:ocon827679
ID: 8008152
With group policies you can keep people from running specific file names such as setup.exe.  There is a User Policy under Administrative Templates - System called "Don't run specified Windows Applications."  You can enable this and add common installation exe's such as setup, install, etc.  Beware this policy is only looking for the string, so if the users are smart they can copy programs to their temp directory, rename the installer and run.  But at least it's a start.
As far as the EXE that only admins install, that's possible, but you'd better be ready to sit down and go through each exe on the system to determine what permissions are needed to run.  Also, users have to have some kind of read/write permission somewhere on their local disk, so how are you going to stop them in those locations?  These are the questions that have been trying admins souls for years!!
0
 

Expert Comment

by:geoff_h
ID: 8042711
I had the same problem and I fixed it simply by disabling the installer service.
0
 

Author Comment

by:nilehawk
ID: 8051098
hi geoff_h
 all you have done is dissabling Microsoft installer service !!
Good idea but is this working for all software?? What about the updates [ I mean  updated version  of the software  send remotely to the user not a new installation ] ??From where can I disable this service  ??
0
 
LVL 12

Accepted Solution

by:
trywaredk earned 1200 total points
ID: 8621615
Here's what to do:

1.
As NEOSPORIN told you, the users must only be member of the local users group, thus not being able to install programs.

Builtin and predefined groups in Windows 2000 Pro
http://www.microsoft.com/windows2000/en/professional/help/windows_security_default_settings.htm

2.
Tell your users, not to download or install anything, because you are auditing, what they are doing:

Enabling Windows Security Auditing
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q300549&sd=tech#2
a. In the right pane, double-click the policy that you want to enable or disable. Choose Audit object access (succesfull)

Setting, Viewing, Changing, or Removing Windows File or Folder Auditing:
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q300549&sd=tech#4
a. Choose the root of drive C:
b. Choose Reset auditing entries on all child objects ...
c. Choose Add
d. In the Name box, choose domain users.
e. Choose This folder, subfolders and files
f. Choose Traverse Folder / Execute file (succesfull)
g. Don't choose Apply these auditing entries to objects

How to Archive a Windows Security Log:
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q300549&sd=tech#6
a. Don't  - use EventComb (number 3 below)
b.. Look for event id 560
c. If you choose to save, then save as *.txt - then you can search for .exe

3.
Security Guide Scripts Download:
http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=9989D151-5C55-4BD3-A9D2-B95A15C73E92
With EventComb from Microsoft you can view all your event logs from one machine. The program allow you to scan your network and bring in all events that match certain criteria, e.g. type = error, event ID, etc. The tool is part of the software included in Security Operations Guide for Windows 2000.

4. Install every program yourself - maybe using a system management tool.
http://www.capasystems.com/index.asp?p=2&p2=50

Many Regards
Jorgen Malmgren
IT-Supervisor
Denmark

:o) Your brain is like a parachute. It works best when it's open
0
 

Author Comment

by:nilehawk
ID: 8627432
hi
 Thank you Jorgen  for you answer  
0
 
LVL 12

Expert Comment

by:trywaredk
ID: 8631189
:o) Glad I could help you - thank you for the accepted answer points

Maybe you should consider if NEOSPORIN should have assisted answer points (number 1 of my 4 answers).
0

Featured Post

When ransomware hits your clients, what do you do?

MSPs: Endpoint security isn’t enough to prevent ransomware.
As the impact and severity of crypto ransomware attacks has grown, Webroot has fought back, not just by building a next-gen endpoint solution capable of preventing ransomware attacks but also by being a thought leader.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Users of Windows 10 Professional can disable automatic reboots using the policy editor. This tool is not included in the Windows home edition. But don't worry! Follow the instructions below to install (a Win7) policy editor on your Windows 10 Home e…
Recently, I read that Microsoft has analysed statistics for their security intelligence report. It revealed: still, the clear majority of windows users do their daily work as administrator. An administrative account is a burden, security-wise. My ar…
This tutorial will teach you the special effect of super speed similar to the fictional character Wally West aka "The Flash" After Shake : http://www.videocopilot.net/presets/after_shake/ All lightning effects with instructions : http://www.mediaf…
In this video, Percona Director of Solution Engineering Jon Tobin discusses the function and features of Percona Server for MongoDB. How Percona can help Percona can help you determine if Percona Server for MongoDB is the right solution for …
Suggested Courses
Course of the Month11 days, 20 hours left to enroll

752 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question