How can I restrict access to a software program based on time of day?

I need to restrict access to a certain program that our users use - to specific times during the day. How can I do this? Is there a Group Policy for this?

Right now I can use the following command in a batch file to take permission away from one of the files.

cacls \\ServerName\Directory\ProgramName.zzz /e /p everyone:n

The problem with this method is that all the people using the file when the batch file is run don't lose permissions on it until they disconnect. How can I force the disconnect automatically? Or is there another way to do this?

We are running a mixed 2000/2003 Domain (just 1 domain) with XP clients.
mspolterAsked:

ahoffmannCommented:
> The problem with this method is that all the people using the file when the batch file is run don't lose permissions ..
You have to set the permissions on the client host itself, then you also need to ensure that the program periodically checks something (permissions, timestamp, whatever), otherwise if it is running from memory only there is probably no way to stop it.
0
SunBowCommented:
I do not think the OS has the specific option

If you only want it there for beginning of one shift of staff, and not there for the next (for example, the staff are all allowed to run backups, but you want the default to be only during the non-peak hours), then:

One emulation that should work is to copy the file to the shared area using the scheduler, then delete it from the shared area at the end of the shift using the scheduler. The original file is still there. The file copied can be a batch file to handle numerous similar enabler actions, or it can be a shortcut, so that there is not much time needed to complete the copying process.

If there is an enormous amount of data or files involved, consider putting them all on the same server, and shut down the server during the times you do not want the files accessed. That can help get to point of backing it all up without bothering users, running upgrades, etc., and even validating a contingency plan.
0
giltjrCommented:
Windows does not allow this, in fact I don't think anything in the Linux/Unix world does.  Only OS's I have seen that can do it are IBM's mainframe OS's (z/OS, z/VM and VSE).

Why do you not want them to run the program at a specific time of day?
0
TolomirAdministratorCommented:
If that is a web-related program you could block outgoing IP/port requests in your firewall, thinking about an application like e.g. ICQ.


To really kill/stop a program take a look at:

http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/taskkill.mspx?mfr=true

Ends one or more tasks or processes. Processes can be killed by process ID or image name.

Syntax: taskkill [/s Computer [/u Domain\User [/p Password]]] [/fi FilterName] [/pid ProcessID]|[/im ImageName] [/f] [/t]

Examples
The following examples show how you can use the taskkill command:

taskkill /pid 1230 /pid 1241 /pid 1253
taskkill /f /fi "USERNAME eq NT AUTHORITY\SYSTEM" /im notepad.exe
taskkill /s srvmain /f /im notepad.exe
taskkill /s srvmain /u maindom\hiropln /p p@ssW23 /fi "IMAGENAME eq note*" /im *
taskkill /s srvmain /u maindom\hiropln /fi "USERNAME ne NT*" /im *
taskkill /f /fi "PID ge 1000" /im *

Tolomir
0
TolomirAdministratorCommented:
This taskkill command needs to be inserted into an appropriate scheduler task of course.

Tolomir
0
mspolterAuthor Commented:
Are there any third party applications that would help with this? You could limit what programs can be run in AD, so I would think that you would be able to control this by time, but I have not found out how or with what.
0
TolomirAdministratorCommented:
Windows cannot kill a program on its own but it can restrict access.

Here is how to set up the scheduler; all you need is to create a batch file with that kill command and use it as an entry in the scheduler.

http://support.asna.com/kb/nonasna/kb000195.asp
0
bluntguy76Commented:
>I need to restrict access to a certain program that our users use - to specific times during the day. How can I do this? Is there a Group Policy for this?

Since you are in a domain, take a look at the GPO :
User configuration -> admin templates -> system -> don't run specified applications

That allows you to prevent a user from executing a file with a specific filename. If your user is smart enough to rename the executable, you can try to prevent the execution of the DLL related to the app.

It's maybe not the best way but pretty easy to implement and quick.
0
giltjrCommented:
bluntguy76, how is doing this going to do what the author asked, preventing based on time of day?

What are you suggesting, he rename the file between the hours of the day he does not want users to execute it?
0
mspolterAuthor Commented:
Thank you for your suggestions. We put the application on its own server and are restricting access to it via firewall with a policy that restricts access based on the time of day.
0
bluntguy76Commented:
Well to answer giltjr.

There's a "not easy way"
Create a GPO template that disallows access to the specific software
Create another one that allows it

apply these templates through a script using secedit.exe

Force a gpupdate on whichever workstations you are concerned about. This could also be done by a script OR there's a feature in GP that forces GPO updates every X minutes (but it doesn't work that well when it's a large network).

That should take care of it but the firewall is definitely the easier way.
0
mspolterAuthor Commented:
Our firewall solution is more flawed than I thought. For users that have a connection, once the firewall policy says a user cannot have access, it does not kill the still alive connection - it does not cut the users off. We need the users to be cut off at a certain time.
0
giltjrCommented:
bluntguy76, so you are suggesting that you dynamically change GPO based on time of day.  If I am already executing the program, will it stop me right then and there?  I have already accessed the file and I am running it.  I don't think it will kill the current execution.

mspolter:

What does the application do?  Do you really want users to be "killed" during the middle of executing an application?  If this application allows updates to some type of file/database, I would expect that this could cause corrupted data and/or database locks that do not get cleaned up.

Yes, most firewall timers are based on allowing new connections, not tearing down existing connections.  Just like with everything else, most things are designed to prevent "new" connection/execution, not to kill an existing connection/execution.



0
TolomirAdministratorCommented:
You could reset your firewall at a given time.

Permitting once granted connections is a technique called stateful inspection.

So this is no flaw but a speed-improving feature.

Tolomir
0
mspolterAuthor Commented:
The application lets people look up information from a database stored on a server. For whatever reason, the decision makers at the company (not me) have decided that the users (salespeople) waste too much time during the day getting this information. They should be spending the working hours on the phones selling. Once 9:00 hits, they cannot use this application. They don't update any info, just look it up, so no corruption should occur. They have read-only access.

Microsoft should allow control of GP based on time of day.
0
giltjrCommented:
You can always make a request.  Umm, interesting, not allowing sales people to lookup information on a database.  I hope that is not a database that contains something that they need.

Is this a program that "you" (meaning your company) wrote?

Do you want to disable for all users or just specific users?

What about taking the database out of service?  If it's not in service, then even if they can run the program, they aren't going to get anything.

If there are others that must use this program/database and you wrote the program, then I would suggest adding this as a function to your program.  

Although there are security/access systems that do allow time of day restrictions, normally once you are connected/running they will not kill you.  Even on the most secure of systems.

0
mspolterAuthor Commented:
Obviously they don't need that information or the managers would not restrict them from accessing it. But that is not for me or you to decide. We did not write the program and have no ability to make any changes to it.

I thought of another answer. Connect the server that hosts the database to a mini hub. Put a manual timer on the hub that shuts off power at certain times of the day. When the hub turns off, all access will be restricted immediately. When the power returns (automatically) access will be restored.
 
0
giltjrCommented:
If you are doing that, I would just schedule shutting down the dbms instance.  This leaves access to the server, but removes access to the database.

0
mspolterAuthor Commented:
What is the dbms instance? And will this cut the users off?
0
giltjrCommented:
The DBMS instance is the DBMS task.  If you are running MSSQL server, you shutdown MSSQL server.  

Yes, it will cut the users off.  If the database is not up and running, they can't talk to it.  The reason that this, IMHO, is slightly better than your hub idea is that you still have network access to the server to do anything you need to do without having to go touch the physical box.
0
mspolterAuthor Commented:
I don't think this program uses any DBMS instances. It's not SQL server - it's its own database that they wrote.
0
giltjrCommented:
I would contact the vendor.  There are only three possibilities that I know of

     1) they are using some type of DBMS
     2) they are using file shares
     3) this is a client/server application

If they are using a DBMS, you can stop and start it at the time of day you want.

If they are using file shares, this means you may have a TON of traffic as each user will be reading the whole file over the network; however, all you need to do is rename the file, that way to the application the file will not exist.

If this is a client/server application, then you just stop and start the server part of the application at the time of day you want.
0
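Added example, not part of any post in this thread: for the file-share case, one way to close the gap raised in the question, where users who already have the file open keep their access after the permission change. It pairs the question's cacls command with `net file ... /close` on the file server; the local path, file name, log location and script path are assumed placeholders.

```batch
@echo off
rem cutoff.cmd -- added example, not from the thread. Run ON the file server.
rem TARGET, NAME and LOG are assumed placeholders; adjust to the real share.
setlocal
set "TARGET=D:\Directory\ProgramName.zzz"
set "NAME=ProgramName.zzz"
set "LOG=%SystemRoot%\Temp\cutoff.log"

echo %date% %time% cutoff started >>"%LOG%"

rem Step 1: block NEW opens. Same cacls change as in the question,
rem applied to the local path of the shared file.
cacls "%TARGET%" /e /p everyone:n >>"%LOG%" 2>&1

rem Step 2: cut off users who ALREADY have the file open.
rem "net file" lists ID, path, user and lock count for every file opened
rem over the network; long paths are shortened, so match on the file name.
for /f "tokens=1" %%I in ('net file ^| find /i "%NAME%"') do (
    echo %date% %time% closing open-file id %%I >>"%LOG%"
    net file %%I /close >>"%LOG%" 2>&1
)

rem Step 3: record what is still open, for the administrator to review.
net file | find /i "%NAME%" >>"%LOG%" 2>&1
echo %date% %time% cutoff finished >>"%LOG%"
endlocal

rem Scheduling (typed once on the server; script path is a placeholder):
rem   at 09:00 /every:M,T,W,Th,F C:\Scripts\cutoff.cmd
```

Closing the handle ends a session's access to the file on the server; a copy of the program already loaded into a workstation's memory is not ended by this, which is the limitation ahoffmann describes above.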
raffraffraffCommented:
Microsoft's SMS 2.0 provides software metering functionality as a means to reducing the number of licenses purchased while ensuring that you do not exceed the number of licenses used in total. For example, you could install MS Office on 1000 machines, but only purchase 500 licenses. SMS can ensure that no more than 500 instances of the software can be started at one time. However, it also allows you to prevent access to software between specific times.

NOTE 1: Software metering in SMS 2003 only records application usage. Unlike software metering in SMS 2.0, it does not deny access based on licensing, time of day, computer, and so on. [source http://www.microsoft.com/technet/prodtechnol/sms/sms2003/techfaq/tfaq06.mspx]

NOTE 2: Just remember that as well as implementing a time based metering solution, you will also need to control the time on each PC using the Windows Time service.

There may be other software metering solutions that can restrict usage based on the time, but this is the only one I can think of. Google for "time based software metering".
0
mspolterAuthor Commented:
You can close this question. A lot of good thoughts, but no useful answers.
0
GranModCommented:
PAQed with points refunded (500)

GranMod
Community Support Moderator
0
