
Using GPO to prohibit the execution/installation of specific applications

There are some applications that I would like to prevent certain groups of users from being able to run. The majority of our users are on XP SP2 or SP3. There is a very small minority of Vista users.

The main program I'd like to outright prevent from running is iTunes. It's a great program, but unfortunately in the hands of some users it is abused and leads to a considerable decrease in productivity (not to mention the consumption of bandwidth when users start firing up streaming radio). I know it's installed on some systems already, but I'm not sure who exactly has it. The easiest solution that I can see is to throw all of these users' computers into their own OU and drop a workstation policy on them that prohibits iTunes (and any other programs I choose) from running. Additionally I'd like to ensure that only domain administrators (not local admins or local powerusers) can install new applications on workstations in this new OU.

I know it's sort of a draconian approach, but some users don't listen when you tell them, "You can't do that." I think this is the best solution to the problem.

I think I have a general idea how it's done but I'm not really certain, so I was looking for some verification here. To my knowledge, the process should look something like this:

1. Create the new GPO and assign it to the OU I'll be placing these restricted PCs in.
2. Set the new GPO to Enforced.
3. In the new GPO, go to: Computer Configuration\Windows Settings\Security Settings\Software Restrictions.
4. Select "New Software Restriction Policies."
5. Under the Software Restrictions item, ensure that Enforcement is set to: "All software files except libraries" and "All users."

This is the part where I'm not sure though. I believe I'm supposed to specify the restricted executables under the Additional Rules section of the software restriction policy, but I have a couple questions:

1. What's the best/appropriate way to do this? Hash rule, certificate rule, path rule? How should it look?
2. Ideally I want to block iTunes regardless of where it's installed (and I want to make sure it's blocked in the event they try to get crafty and rename itunes.exe to something else). Will I be able to do this, or is the GPO method specific to the name and exact location of the file/application?
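Steps 1 to 5 of the procedure above, scripted. This is an added example for this thread, not the original poster's own procedure. It needs the GroupPolicy PowerShell module (GPMC on Windows Server 2008 R2 / Windows 7 RSAT or later) and rights to create and link GPOs; the GPO name, the OU distinguished name and the registry value names and meanings under the Safer\CodeIdentifiers key are assumptions made for this example, chosen to match what the SRP editor writes for "New Software Restriction Policies" and the two enforcement options named in step 5.

```powershell
# Added example (not from the original thread). Requires the GroupPolicy module
# and rights to create/link GPOs. Names, OU DN and SRP registry values are assumed.
Import-Module GroupPolicy

$GpoName  = 'Restricted Workstations'                          # assumed GPO name
$TargetOu = 'OU=Restricted Workstations,DC=corp,DC=example'    # assumed OU
$SrpKey   = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

# Steps 1 and 2: create the GPO if it does not exist and link it to the OU as
# Enforced, so a policy linked higher up cannot override the restriction.
if (-not (Get-GPO -Name $GpoName -ErrorAction SilentlyContinue)) {
    New-GPO -Name $GpoName -Comment 'SRP: block iTunes and other listed programs' | Out-Null
}
New-GPLink -Name $GpoName -Target $TargetOu -LinkEnabled Yes -Enforced Yes | Out-Null

# Steps 3 to 5: SRP reads its configuration from the Safer\CodeIdentifiers key
# (assumed value meanings, matching the editor's Enforcement dialog):
#   DefaultLevel        0x40000 = Unrestricted: everything runs unless a rule blocks it
#   TransparentEnabled  1 = "All software files except libraries (such as DLLs)"
#                       2 = "All software files"
#   PolicyScope         0 = "All users"
#                       1 = "All users except local administrators"
#   AuthenticodeEnabled 0 = do not evaluate certificate rules (not needed for hash rules)
$dwordSettings = @{
    DefaultLevel        = 0x40000
    TransparentEnabled  = 1
    PolicyScope         = 0
    AuthenticodeEnabled = 0
}
foreach ($name in $dwordSettings.Keys) {
    Set-GPRegistryValue -Name $GpoName -Key $SrpKey -ValueName $name `
        -Type DWord -Value $dwordSettings[$name] | Out-Null
}

# Designated file types SRP treats as executable (the documented XP default list;
# compare it against "Designated File Types" in your own editor).
$executableTypes = 'ADE','ADP','BAS','BAT','CHM','CMD','COM','CPL','CRT','EXE','HLP','HTA',
                   'INF','INS','ISP','LNK','MDB','MDE','MSC','MSI','MSP','MST','OCX','PCD',
                   'PIF','REG','SCR','SHS','URL','VB','WSC'
Set-GPRegistryValue -Name $GpoName -Key $SrpKey -ValueName ExecutableTypes `
    -Type MultiString -Value $executableTypes | Out-Null

# Review what the GPO now contains before moving any computers into the OU.
Get-GPRegistryValue -Name $GpoName -Key $SrpKey
```

Two practical notes. "Enforced" only wins link-order conflicts; the policy still applies only to computers that are actually in the OU, so move the workstations, run gpupdate /force on one of them, and check the Safer\CodeIdentifiers key on that machine before rolling out. And because the policy is built here with plain registry values rather than through the editor, open the GPO in the Group Policy editor afterwards and confirm the Software Restriction Policies node shows the enforcement settings you expect; the hash rules that do the actual blocking go under Additional Rules and are a separate step.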
1 Solution
Brian Pierce (Photographer) commented:
The hash rule is the best compromise. Unless you are prepared to sign the required executables, you can't use a certificate rule. Path rules are OK, but can be got around by simply renaming the executables. With a hash rule it does not matter if the user renames it; it still won't run. The only problem is that you have to have a copy of the executable to create the hash in the first place, and of course if an update is released you will have to create a new hash.
elorc (Author) commented:
Okay... at the risk of sounding like a complete moron, how do I implement the hash rule? Does the policy editor figure out the hash for me, or do I need to create it myself and import it somehow?

Also, for the sake of being overzealous would it be helpful to use a combination of rules? Such as using both a hash rule and path rule?
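Brian's point about hash rules versus path rules, and the follow-up question of how a hash rule is actually produced, as one added example that is not part of the original thread. In the Group Policy editor itself you do not compute anything: the New Hash Rule dialog has a Browse button, and the editor hashes the file you pick. The script below does the same work so the rule can be created without clicking through the dialog for every executable, and then shows that a renamed copy of the file still matches the rule. It assumes the GroupPolicy module, an existing GPO, and the registry layout XP-era SRP uses for hash rules (a GUID subkey under CodeIdentifiers\0\Hashes holding an MD5 of the whole file, HashAlg 32771 = CALG_MD5, and the file size); the GPO name and file paths are placeholders.

```powershell
# Added example (not from the original thread). Assumes the GroupPolicy module,
# an existing GPO, and the XP-era SRP hash-rule registry layout described below.
Import-Module GroupPolicy

function Get-SrpFileHash {
    param([string]$Path)
    # SRP hash rules on XP key on an MD5 of the file contents; the file name and
    # location play no part, which is why renaming does not evade the rule.
    $md5 = [System.Security.Cryptography.MD5]::Create()
    $fs  = [System.IO.File]::OpenRead($Path)
    try     { return $md5.ComputeHash($fs) }
    finally { $fs.Close() }
}

function Add-SrpHashRule {
    param([string]$GpoName, [string]$FilePath, [string]$Description)
    $hash = Get-SrpFileHash $FilePath
    $size = (Get-Item $FilePath).Length
    # Security level 0 = Disallowed. Each rule lives in its own GUID subkey
    # (assumed layout, mirroring what the editor writes for a hash rule).
    $key = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{' +
           [Guid]::NewGuid().ToString() + '}'
    Set-GPRegistryValue -Name $GpoName -Key $key -ValueName ItemData     -Type Binary -Value ([byte[]]$hash) | Out-Null
    Set-GPRegistryValue -Name $GpoName -Key $key -ValueName HashAlg      -Type DWord  -Value 32771 | Out-Null   # 0x8003 = CALG_MD5
    Set-GPRegistryValue -Name $GpoName -Key $key -ValueName ItemSize     -Type QWord  -Value ([int64]$size) | Out-Null
    Set-GPRegistryValue -Name $GpoName -Key $key -ValueName SaferFlags   -Type DWord  -Value 0 | Out-Null
    Set-GPRegistryValue -Name $GpoName -Key $key -ValueName Description  -Type String -Value $Description | Out-Null
    Set-GPRegistryValue -Name $GpoName -Key $key -ValueName FriendlyName -Type String -Value (Split-Path $FilePath -Leaf) | Out-Null
    Set-GPRegistryValue -Name $GpoName -Key $key -ValueName LastModified -Type QWord  -Value ([DateTime]::UtcNow.ToFileTimeUtc()) | Out-Null
    # Return the hash as hex so it can be compared with what the editor displays.
    return ([BitConverter]::ToString($hash) -replace '-', '').ToLower()
}

# Which files under a directory would this rule catch? Match by content, not name.
function Find-MatchingFiles {
    param([string]$Root, [byte[]]$RuleHash)
    $want = [BitConverter]::ToString($RuleHash)
    Get-ChildItem -Path $Root -Recurse -Include *.exe -ErrorAction SilentlyContinue |
        Where-Object { [BitConverter]::ToString((Get-SrpFileHash $_.FullName)) -eq $want } |
        Select-Object FullName
}

# Usage (GPO name and paths assumed). The copy under %TEMP% stands in for a user
# who renames itunes.exe to dodge a path rule; the hash rule still lists it.
$target   = 'C:\Program Files\iTunes\iTunes.exe'
$ruleHash = Add-SrpHashRule -GpoName 'Restricted Workstations' -FilePath $target -Description 'Blocked: iTunes'
"Hash rule written for $target : $ruleHash"
Copy-Item $target (Join-Path $env:TEMP 'notes.exe')
Find-MatchingFiles -Root $env:TEMP -RuleHash (Get-SrpFileHash $target)
```

On combining rule types, which the follow-up asks about: a path rule and a hash rule for the same program do not conflict, and the path rule costs nothing, but the hash rule is the one doing the work, so the thing to plan for is the update case Brian raises. Every iTunes release changes the hash, so re-run Add-SrpHashRule for each new version you find on a workstation and leave the old rules in place; a single hash rule only ever blocks the exact build it was made from. Confirm in the Group Policy editor that rules written this way appear under Additional Rules with the same file hash the script printed before relying on them.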