Using GPO to prohibit the execution/installation of specific applications

Posted on 2009-02-24
Medium Priority
Last Modified: 2012-06-20
There are some applications that I would like to prevent certain groups of users from being able to run. The majority of our users are on XP SP2 or SP3. There is a very small minority of Vista users.

The main program I'd like to outright prevent from running is iTunes. It's a great program, but unfortunately in the hands of some users it is abused and leads to a considerable decrease in productivity (not to mention the consumption of bandwidth when users start firing up streaming radio). I know it's installed on some systems already, but I'm not sure who exactly has it. The easiest solution that I can see is to throw all of these users' computers into their own OU and drop a workstation policy on them that prohibits iTunes (and any other programs I choose) from running. Additionally I'd like to ensure that only domain administrators (not local admins or local powerusers) can install new applications on workstations in this new OU.

I know it's sort of a draconic approach but some users don't listen when you tell them, "You can't do that." I think this is the best solution to the problem.

I think I have a general idea how it's done but I'm not really certain, so I was looking for some verification here. To my knowledge, the process should look something like this:

1. Create the new GPO and assign it to the OU I'll be placing these restricted PCs in.
2. Set the new GPO to Enforced.
3. In the new GPO, go to: Computer Configuration\Windows Settings\Security Settings\Software Restrictions.
4. Select "New Software Restriction Policies."
5. Under the Software Restrictions item, ensure that Enforcement is set to: "All software files except libraries" and "All users."

This is the part where I'm not sure though. I believe I'm supposed to specify the restricted executables under the Additional Rules section of the software restriction policy, but I have a couple questions:

1. What's the best/appropriate way to do this? Hash rule, certificate rule, path rule? How should it look?
2. Ideally I want to block iTunes regardless of where it's installed (and I want to make sure it's blocked in the event they try to get crafty and rename itunes.exe to something else). Will I be able to do this, or is the GPO method specific to the name and exact location of the file/application?
Question by: elorc
LVL 70

Accepted Solution

KCTS earned 750 total points
ID: 23721600
The hash rule is the best compromise - unless you are prepared to sign the required executables you can't use a certificate rule. Path rules are OK but can be got around by simply renaming the executables. With a hash rule it does not matter if the user renames it - it still won't run - the only problem is that you have to have a copy of the executable to create the hash in the first place - and of course if an update is released you will have to create a new hash.
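The trade-off described in this answer, as an added example that is not part of the original thread: a small model of Software Restriction Policy evaluation in which hash rules match on file contents and take precedence over path rules, run against constructed stand-in "executables" (the byte strings, the rule set and the use of SHA-256 for the digest are assumptions of this model, not what the policy editor stores).

```python
import hashlib
from dataclasses import dataclass
from fnmatch import fnmatch

DISALLOWED, UNRESTRICTED = "Disallowed", "Unrestricted"

@dataclass
class PathRule:   # matches on where the file lives and what it is called
    pattern: str
    level: str

@dataclass
class HashRule:   # matches on file contents; name and location are irrelevant
    digest: str
    level: str

def file_digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def evaluate(path: str, data: bytes, rules, default=UNRESTRICTED) -> str:
    """Effective level for one file: hash rules win over path rules, and when
    matching rules conflict the more restrictive level wins."""
    digest = file_digest(data)
    hash_hits = [r.level for r in rules if isinstance(r, HashRule) and r.digest == digest]
    if hash_hits:
        return DISALLOWED if DISALLOWED in hash_hits else hash_hits[0]
    path_hits = [r.level for r in rules
                 if isinstance(r, PathRule) and fnmatch(path.lower(), r.pattern.lower())]
    if path_hits:
        return DISALLOWED if DISALLOWED in path_hits else path_hits[0]
    return default

# Constructed stand-ins for two builds of the same program (not real binaries).
ITUNES_V1 = b"MZ...itunes build A (constructed)"
ITUNES_V2 = b"MZ...itunes build B (constructed)"

PATH_RULE = PathRule(r"C:\Program Files\iTunes\iTunes.exe", DISALLOWED)
HASH_RULE = HashRule(file_digest(ITUNES_V1), DISALLOWED)
INSTALLED, RENAMED = r"C:\Program Files\iTunes\iTunes.exe", r"C:\Users\bob\Desktop\music.exe"

def scenarios() -> dict:
    """Each case shows which rule type survives renaming and which survives an update."""
    return {
        "installed copy, both rules":      evaluate(INSTALLED, ITUNES_V1, [PATH_RULE, HASH_RULE]),
        "renamed copy, path rule only":    evaluate(RENAMED,   ITUNES_V1, [PATH_RULE]),
        "renamed copy, hash rule only":    evaluate(RENAMED,   ITUNES_V1, [HASH_RULE]),
        "updated build, hash rule only":   evaluate(INSTALLED, ITUNES_V2, [HASH_RULE]),
        "updated build, both rules":       evaluate(INSTALLED, ITUNES_V2, [PATH_RULE, HASH_RULE]),
    }
```

The renamed copy slips past the path rule but not the hash rule, while the updated build slips past the hash rule until a new hash is added, which is why pairing the two rule types covers more cases than either alone.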

Author Comment

ID: 23721699
Okay... at the risk of sounding like a complete moron, how do I implement the hash rule? Does the policy editor figure out the hash for me, or do I need to create it myself and import it somehow?

Also, for the sake of being overzealous would it be helpful to use a combination of rules? Such as using both a hash rule and path rule?
