mspolter

How can I restrict access to a software program based on time of day?

I need to restrict access to a certain program that our users use - to specific times during the day. How can I do this? Is there a Group Policy for this?

Right now I can use the following command in a batch file to take permission away from one of the files.

cacls \\ServerName\Directory\ProgramName.zzz /e /p everyone:n

The problem with this method is that all the people using the file when the batch file is run don't lose permissions on it until they disconnect. How can I force the disconnect automatically? Or is there another way to do this?

We are running a mixed 2000/2003 Domain (just 1 domain) with XP clients.
ahoffmann

> The problem with this method is that all the people using the file when the batch file is run don't lose permissions ..
You have to set the permissions on the client host itself, then you also need to ensure that the program periodically checks something (permissions, timestamp, whatever), otherwise if it is running from memory only there is probably no way to stop it.
I do not think the OS has the specific option

If you only want it there for beginning of one shift of staff, and not there for the next (for example, the staff are all allowed to run backups, but you want the default to be only during the non-peak hours), then:

One emulation that should work is to copy the file to the shared area using the scheduler, then delete it from the shared area at the end of the shift using the scheduler. The original file is still there. The file copied can be a batch file to handle numerous similar enabler actions, or it can be a shortcut, so that there is not much time needed to complete the copying process.

If there is an enormous amount of data or files involved, consider putting them all on the same server, and shut down the server during the times you do not want the files accessed. That can help get to the point of backing it all up without bothering users, running upgrades, etc., and even validating a contingency plan.
giltjr
Windows does not allow this, in fact I don't think anything in the Linux/Unix world does.  Only OS's I have seen that can do it are IBM's mainframe OS's (z/OS, z/VM and VSE).

Why do you not want them to run the program at a specific time of day?
If that is a web-related program you could block outgoing IP/port requests in your firewall, thinking about an application like e.g. ICQ.


To really kill/stop a program take a look at:

http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/taskkill.mspx?mfr=true

Ends one or more tasks or processes. Processes can be killed by process ID or image name.

Syntax: taskkill [/s Computer [/u Domain\User [/p Password]]] [/fi FilterName] [/pid ProcessID]|[/im ImageName] [/f] [/t]

Examples
The following examples show how you can use the taskkill command:

taskkill /pid 1230 /pid 1241 /pid 1253
taskkill /f /fi "USERNAME eq NT AUTHORITY\SYSTEM" /im notepad.exe
taskkill /s srvmain /f /im notepad.exe
taskkill /s srvmain /u maindom\hiropln /p p@ssW23 /fi "IMAGENAME eq note*" /im *
taskkill /s srvmain /u maindom\hiropln /fi "USERNAME ne NT*" /im *
taskkill /f /fi "PID ge 1000" /im *

Tolomir
This taskkill command needs to be inserted into an appropriate scheduler task, of course.

Tolomir
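
The asker's cacls step and the scheduled taskkill suggested above can be combined into one cut-off script; this is an added example, not code posted by anyone in the thread. The local path, image name, client list file, log file and task name are placeholders, and `openfiles /disconnect` is used here to close handles that were opened over the share before the permission change.

```batch
@echo off
rem Added example (not from the thread). All names below are placeholders.
rem Run on the file server from a scheduled task, under an account that is
rem an administrator on the server and on the listed clients, e.g.:
rem   schtasks /create /tn AppCutoff /tr "C:\Scripts\cutoff.cmd deny" /sc daily /st 09:00:00
rem   (XP/2003 expect HH:MM:SS for /st; later Windows versions use HH:MM)
setlocal

set "TARGET=D:\Directory\ProgramName.zzz"
set "IMAGE=ProgramName.exe"
set "CLIENTS=%~dp0clients.txt"
set "LOG=%~dp0cutoff.log"

if /i "%~1"=="deny"  goto deny
if /i "%~1"=="allow" goto allow
echo Usage: %~nx0 deny^|allow
exit /b 2

:deny
echo %date% %time% deny start>>"%LOG%"
rem 1. Block new opens: the cacls call from the question, on the local path.
cacls "%TARGET%" /e /p everyone:n >>"%LOG%" 2>&1
rem 2. Close handles that were opened over the share before the ACL changed.
openfiles /disconnect /a * /op "%TARGET%" >>"%LOG%" 2>&1
rem 3. End copies already loaded into memory on each client (one name per line).
if exist "%CLIENTS%" (
    for /f "usebackq delims=" %%C in ("%CLIENTS%") do (
        taskkill /s %%C /f /im "%IMAGE%" >>"%LOG%" 2>&1
    )
)
goto done

:allow
echo %date% %time% allow start>>"%LOG%"
rem Assumption: users need read access only; set the right they had before.
cacls "%TARGET%" /e /p everyone:r >>"%LOG%" 2>&1

:done
echo %date% %time% finished>>"%LOG%"
endlocal
exit /b 0
```

A second scheduled task calling the script with `allow` restores access at the end of the restricted window. `taskkill /f` ends the process without letting it save anything, which matters less here only because the users are described as having read-only access.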
mspolter

ASKER

Are there any third party applications that would help with this? You could limit what programs can be run in AD, so I would think that you would be able to control this by time, but I have not found out how or with what.
Windows cannot kill a program on its own but it can restrict access.

Here is how to set up the scheduler; all you need is to create a batch file with that kill command and use it as an entry in the scheduler.

http://support.asna.com/kb/nonasna/kb000195.asp
>I need to restrict access to a certain program that our users use - to specific times during the day. How can I do this? Is there a Group Policy for this?

Since you are in a domain, take a look at the GPO :
User configuration -> admin templates -> system -> don't run specified applications

That allows you to prevent a user from executing a file with a specific filename. If your user is smart enough to rename the executable, you can try to prevent the execution of the DLL related to the app.

It's maybe not the best way but pretty easy to implement and quick.
bluntguy76, how is doing this going to do what the author asked?  Preventing based on time of day?

What are you suggesting, that he rename the file between the hours of the day he does not want users to execute it?
Thank you for your suggestions. We put the application on its own server and are restricting access to it via firewall with a policy that restricts access based on the time of day.
Well to answer giltjr.

There's a "not easy way"
Create a GPO template that disallows access to the specific software
Create another one that allows it

apply these templates through a script using secedit.exe

Force a gpupdate on whichever workstations that you are concerned about. This could also be done by a script OR there's a feature in GP that forces GPO updates every X mn ( but it doesn't work that well when it's a large network ).

That should take care of it but the firewall is definitely the easier way.
Our firewall solution is more flawed than I thought. For users that have a connection, once the firewall policy says a user cannot have access, it does not kill the still alive connection - it does not cut the users off. We need the users to be cut off at a certain time.
bluntguy76, so you are suggesting that you dynamically change GPO based on time of day.  If I am already executing the program, will it stop me right then and there?  I have already accessed the file and I am running it.  I don't think it will kill the current execution.

mspolter:

What does the application do?  Do you really want users to be "killed" during the middle of executing an application?  If this application allows updates to some type of file/database, I would expect that this could cause corrupted data and/or database locks that do not get cleaned up.

Yes, most firewall timers are based on allowing new connections, not tearing down existing connections.  Just like with everything else, most things are designed to prevent "new" connection/execution, not to kill an existing connection/execution.



You could reset your firewall at a given time.

Permitting once granted connections is a technique called stateful inspection.

So this is no flaw but a speed-improving feature.

Tolomir
The application lets people look up information from a database stored on a server. For whatever reason, the decision makers at the company (not me) have decided that the users (salespeople) waste too much time during the day getting this information. They should be spending the working hours on the phones selling. Once 9:00 hits, they cannot use this application. They don't update any info, just look it up, so no corruption should occur. They have read-only access.

Microsoft should allow control of GP based on time of day.
You can always make a request.  Umm, interesting, not allowing salespeople to look up information on a database.  I hope that is not a database that contains something that they need.

Is this a program that "you" (meaning your company) wrote?

Do you want to disable for all users or just specific users?

What about taking the database out of service?  If it's not in service, then even if they can run the program, they aren't going to get anything.

If there are others that must use this program/database and you wrote the program, then I would suggest adding this as a function to your program.  

Although there are security/access systems that do allow time of day restrictions, normally once you are connected/running they will not kill you.  Even on the most secure of systems.

Obviously they don't need that information or the managers would not restrict them from accessing it. But that is not for me or you to decide. We did not write the program and have no ability to make any changes to it.

I thought of another answer. Connect the server that hosts the database to a mini hub. Put a manual timer on the hub that shuts off power at certain times of the day. When the hub turns off, all access will be restricted immediately. When the power returns (automatically) access will be restored.
 
If you are doing that, I would just schedule shutting down the dbms instance.  This leaves access to the server, but removes access to the database.

What is the dbms instance? And will this cut the users off?
The DBMS instance is the DBMS task.  If you are running MSSQL server, you shut down MSSQL server.

Yes, it will cut the users off.  If the database is not up and running, they can't talk to it.  The reason that this, IMHO, is slightly better than your hub idea is that you still have network access to the server to do anything you need to do without having to go touch the physical box.
I don't think this program uses any DBMS instances. It's not SQL server - it's its own database that they wrote.
I would contact the vendor.  There are only three possibilities that I know of

     1) they are using some type of DBMS
     2) they are using file shares
     3) this is a client/server application

If they are using a DBMS, you can stop and start it at the time of day you want.

If they are using file shares, this means you may have a TON of traffic as each user will be reading the whole file over the network; however, all you need to do is rename the file, that way to the application the file will not exist.

If this is a client/server application, then you just stop and start the server part of the application at the time of day you want.
Microsoft's SMS 2.0 provides software metering functionality as a means of reducing the number of licenses purchased while ensuring that you do not exceed the number of licenses used in total. For example, you could install MS Office on 1000 machines, but only purchase 500 licenses. SMS can ensure that no more than 500 instances of the software can be started at one time. However, it also allows you to prevent access to software between specific times.

NOTE 1: Software metering in SMS 2003 only records application usage. Unlike software metering in SMS 2.0, it does not deny access based on licensing, time of day, computer, and so on. [source http://www.microsoft.com/technet/prodtechnol/sms/sms2003/techfaq/tfaq06.mspx]

NOTE 2: Just remember that as well as implementing a time based metering solution, you will also need to control the time on each PC using the Windows Time service.

There may be other software metering solutions that can restrict usage based on the time, but this is the only one I can think of. Google for "time based software metering".
You can close this question. A lot of good thoughts, but no useful answers.