Solved

Help with GPEDIT.MSC

Posted on 2003-10-28
Last Modified: 2007-12-19
Need a little help locking down an XP Pro workstation in a workgroup environment.  Want to restrict one userid to only running a specific exe and doing nothing else.  I'm figuring to use the group policy editor to do this.  Has anyone done this before?
Question by:Quetzal
6 Comments
 
LVL 44

Expert Comment

by:CrazyOne
ID: 9637472
Description of the Software Restriction Policies in Windows XP
http://support.microsoft.com/default.aspx?scid=kb;en-us;310791

BEGIN ARTICLE

The information in this article applies to:
Microsoft Windows XP Professional

SUMMARY
This article describes software restriction policies in Windows XP.

Administrators can use software restriction policies to allow software to run. By using a software restriction policy, an administrator can prevent unwanted programs from running. This includes viruses and Trojan horse software, or other software that is known to cause problems.

MORE INFORMATION
You can use the Group Policy tool in Windows XP to implement software restriction policies. To enable a software restriction policy, use either of the following methods:

Using Group Policy
1. Click Start, and then click Run.
2. Type gpedit.msc, and then click OK.
3. Expand the following items:
   Computer Configuration
   Windows Settings
   Security Settings
   Software Restriction Policies

Using the Local Security Policy
1. Click Start, and then click Run.
2. Type secpol.msc, and then click OK.
3. Follow the instructions to enable a policy.
The Default Security Level and Exceptions
You can configure the default security level and define additional rules that form exceptions to the default rules. The default security level determines the behavior for all programs. Additional rules provide exceptions to the default security level. The two security levels are:
Disallowed - If you set Disallowed as the default rule, no programs are permitted. You must create additional rules that enable particular programs to run.

Using Disallowed as the default is not a good idea unless the administrator has a complete list of permitted programs.
Unrestricted - If you set Unrestricted as the default rule, all programs are allowed to run. You must create additional rules if you want to restrict individual programs.

Unrestricted is best if the administrator does not have a complete list of permitted programs, but needs to prevent certain programs from running.
Additional Rules
You can configure several types of additional rules:
Hash - With a Hash rule, the administrator lists the program file to be blocked or explicitly permitted. It is hashed, resulting in a cryptographic fingerprint that remains the same regardless of the file name or location. You can use this method to prevent a particular version of a program from running, or to prevent a program from running no matter where it is located.
Certificate - You can build Certificate rules by providing a code-signing software publisher certificate. Like Hash rules, Certificate rules apply no matter where the program file is located or what it is named.
Path - Path rules apply to all programs that run from the specified local or network path, or from subfolders that are in the path.
Internet Zone - You can use Internet Zone rules to apply software restriction policy rules based on the Microsoft Internet Explorer security zone in which the program is run. Currently, these rules apply only to Microsoft Windows Installer packages that are run from the zone. Internet Zone rules do not apply to programs that are downloaded by Internet Explorer.
General Configuration Rules
In addition to the default security and additional rules, you can also define general configuration rules to determine how software restriction policies are applied on the computer. These include:
Enforcement - You can use the Enforcement settings to determine which files are enforced, and which users are subject to the security restriction policy configuration. By default, all software files except libraries (such as dynamic-link libraries, or DLLs) are subject to the security restriction policy settings. You can configure the security restriction policies to apply to all software files. Note that this may require that you add rules for each library file that is required by a program.

By default, all users are subject to the security restriction policy settings on the computer. You can configure enforcement for all users except local administrators, which allows local administrators to run disallowed programs.
Designated Files Types - You can use this policy to configure the file types to which the security restriction policy settings apply.
Trusted Providers - You can use the Trusted Providers properties to configure which users can select trusted publishers. You can also determine which, if any, certificate revocation checks are performed before trusting a publisher.
First Published: Oct 17 2001 12:54PM  

COPYRIGHT NOTICE. Copyright 2002 Microsoft Corporation, One Microsoft Way, Redmond, Washington 98052-6399 U.S.A. All rights reserved.
 
END ARTICLE
0
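The snap-in steps in the KB article, expressed as the registry writes they correspond to. This is an added example, not from the article or the thread; it assumes the documented SRP layout under HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer, an elevated PowerShell prompt, and a placeholder program path.

```powershell
# Added example: registry equivalent of Computer Configuration > Windows Settings >
# Security Settings > Software Restriction Policies, with the default level set to
# Disallowed and one Path rule allowing a single program. Run elevated.
$AllowedExe = 'C:\Apps\Kiosk\kiosk.exe'   # placeholder: the one program users may run

$Ids = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
New-Item -Path $Ids -Force | Out-Null

# DefaultLevel: 0 = Disallowed, 0x40000 (262144) = Unrestricted.
New-ItemProperty -Path $Ids -Name DefaultLevel -Value 0 -PropertyType DWord -Force | Out-Null
# TransparentEnabled: 1 = executables only (DLLs exempt), 2 = all software files.
New-ItemProperty -Path $Ids -Name TransparentEnabled -Value 1 -PropertyType DWord -Force | Out-Null
# PolicyScope: 0 = all users, 1 = all users except local administrators
# (keeps the administrator able to undo the policy, as the article recommends).
New-ItemProperty -Path $Ids -Name PolicyScope -Value 1 -PropertyType DWord -Force | Out-Null

# Adds a Path rule. Rules sit under a subkey named for the level they grant
# (262144 = Unrestricted, 0 = Disallowed); each rule is a GUID-named subkey.
function Add-SaferPathRule([string]$Path, [int]$Level) {
    $rule = "$Ids\$Level\Paths\{$([guid]::NewGuid())}"
    New-Item -Path $rule -Force | Out-Null
    New-ItemProperty -Path $rule -Name ItemData -Value $Path -PropertyType String -Force | Out-Null
    New-ItemProperty -Path $rule -Name SaferFlags -Value 0 -PropertyType DWord -Force | Out-Null
    New-ItemProperty -Path $rule -Name LastModified -Value ([DateTime]::UtcNow.ToFileTimeUtc()) -PropertyType QWord -Force | Out-Null
}

# Exceptions to the Disallowed default. The snap-in's own default rules keep the
# Windows directory runnable; without it the shell and logon components are blocked too.
Add-SaferPathRule -Path '%SystemRoot%' -Level 262144
Add-SaferPathRule -Path $AllowedExe     -Level 262144

# Read back what is now configured so it can be checked before anyone logs on.
Get-ItemProperty -Path $Ids | Select-Object DefaultLevel, TransparentEnabled, PolicyScope
Get-ChildItem -Path "$Ids\262144\Paths" | ForEach-Object { (Get-ItemProperty $_.PSPath).ItemData }
```

Because the policy lives under Computer Configuration it applies to every non-administrator on the machine, not to one user id; the %SystemRoot% exception also means anything under the Windows directory stays runnable, so the allow-list is only as tight as that tree.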
 
LVL 44

Accepted Solution

by:
CrazyOne earned 250 total points
ID: 9637478
Restrict Users from Running Specific Applications (Windows 2000/Me/XP)
This setting allows you to specify applications and filenames that users are restricted from running.

Open your registry and find the key [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]

Create a new DWORD value and name it "DisallowRun". Set the value to "1" to enable application restrictions or "0" to allow all applications to run.

Then create a new sub-key called [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun] and define the applications that are to be restricted. Create a new string value for each application, named as consecutive numbers, and set the value to the filename to be restricted (e.g. "regedit.exe").

Restart Windows for the changes to take effect.

Settings
Key: [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
Value Name: DisallowRun

Restrict Applications Users Can Run (All Versions)
Windows gives the ability to restrict the applications that can be run by users on a workstation.

Open your registry and find the key [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]

Create a new DWORD value and name it "RestrictRun". Set the value to "1" to enable application restrictions or "0" to allow all applications to run.

Then create a new sub-key called [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\RestrictRun] and define the applications that are allowed. Create a new string value for each application, named as consecutive numbers, and set the value to the filename to be allowed (e.g. "regedit.exe").

Restart Windows for the changes to take effect.

Note: If you are the person who applies Group Policy, do not apply this policy to yourself. If applied too broadly, this policy can prevent administrators from running Group Policy or the registry editors. As a result, once applied, you cannot change this policy except by reinstalling Windows 2000.

Settings
Key: [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
Value Name: RestrictRun
0
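The RestrictRun allow-list from the accepted solution, written into one specific user's hive while logged on as an administrator. This is an added example, not from the thread; it assumes an XP Pro profile folder and program name given as placeholders, that the target user is logged off (otherwise NTUSER.DAT is locked), and an elevated PowerShell prompt.

```powershell
# Added example: apply RestrictRun to a single user id by loading that user's
# NTUSER.DAT under HKEY_USERS, so the administrator never has to log on as that user.
$Profile    = 'C:\Documents and Settings\kioskuser'   # placeholder profile folder
$AllowedExe = 'kiosk.exe'                              # placeholder: the only allowed program
$Mount      = 'RestrictTarget'                         # temporary name under HKEY_USERS

reg.exe load "HKU\$Mount" "$Profile\NTUSER.DAT" | Out-Null
if ($LASTEXITCODE -ne 0) { throw "could not load hive from $Profile (is the user logged off?)" }

try {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
    $Explorer = "HKU:\$Mount\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
    $List     = "$Explorer\RestrictRun"

    # RestrictRun = 1 turns Explorer's allow-list on; the subkey holds the list itself,
    # one REG_SZ per program named "1", "2", ... with the bare filename as data.
    New-Item -Path $List -Force | Out-Null
    New-ItemProperty -Path $Explorer -Name RestrictRun -Value 1 -PropertyType DWord -Force | Out-Null
    New-ItemProperty -Path $List -Name '1' -Value $AllowedExe -PropertyType String -Force | Out-Null

    # Read back the effective list before unloading, as a check on what was written.
    $set = Get-ItemProperty -Path $List
    $set.PSObject.Properties | Where-Object { $_.Name -match '^\d+$' } |
        ForEach-Object { "allowed for ${Mount}: $($_.Value)" }
}
finally {
    Remove-PSDrive -Name HKU -ErrorAction SilentlyContinue
    [GC]::Collect()                     # release registry handles so the unload succeeds
    reg.exe unload "HKU\$Mount" | Out-Null
}
```

RestrictRun is enforced by the Explorer shell, so it limits what the user can start from the desktop, Start menu and Run dialog but not what an already running program launches; pair it with the machine-wide software restriction policy from the KB article when that matters.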
 
LVL 11

Author Comment

by:Quetzal
ID: 9637731
So... I log on as each user to configure user policies... or is there a way to apply them to specific users while logged on as an administrator?
0
 
LVL 44

Expert Comment

by:CrazyOne
ID: 9637784
>>>or is there a way to apply to them to specific users while logged on as an administrator?

Umm, I can't remember, but I don't think you can apply it to a specific user unless you temporarily give that account admin privileges, then sign on as that user and do the configuration, then log in under your account and remove the admin privileges from that other account.
0
 
LVL 11

Author Comment

by:Quetzal
ID: 9637941
hmmm...slightly clunky, but that will work...I'll give it a shot.
0
 
LVL 44

Expert Comment

by:CrazyOne
ID: 9637986
:)
0
