Solved

prevent Chrome installing

Posted on 2013-01-21
7
651 Views
Last Modified: 2013-01-22
win2008 r2 domain
win7 clients

my users are local admins but I need to prevent them installing Chrome. they are being prompted by adverts etc to get chrome so I need to stop them installing it. maybe Software Restriction Policies?
0
Comment
Question by:Pete
  • 4
  • 3
7 Comments
 
LVL 23

Expert Comment

by:Ayman Bakr
ID: 38802128
Download files can be restricted when you enable the GPO setting under:

 User Configuration > Policies > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page > Internet Zone > "Allow file download"

You can also restrict using other browsers through AppLocker Policy since you have Win 7 clients.

The best is not to give your users Local Admin privileges.
0
 
LVL 1

Author Comment

by:Pete
ID: 38802813
thanks for the reply, staff need local admin rights so they run our poorly written school management software.

I was hoping for paths and filenames i can restrict to prevent chrome downloading and installing?
0
 
LVL 23

Expert Comment

by:Ayman Bakr
ID: 38802908
Well, paths and filenames will not solve your issue if the user is a tech savvy and discovers how to change the execution file name or the default path of installation. Moreover, the more you try to be restrictive the more your users become tech-knowing and the more determined to break the restrictions!

Check this thread for more information and different ideas presented - AppLocker would be very great and efficient; read through to Jason Sandys comment:

http://social.technet.microsoft.com/Forums/en-US/configmgrswdist/thread/36f404ba-95e5-4808-8f17-b6875f76b72a
0
Netscaler Common Configuration How To guides

If you use NetScaler you will want to see these guides. The NetScaler How To Guides show administrators how to get NetScaler up and configured by providing instructions for common scenarios and some not so common ones.

 
LVL 1

Author Comment

by:Pete
ID: 38803082
http://social.technet.microsoft.com/Forums/eu/winserverGP/thread/a7abcfea-8819-4680-9010-d2604a59c9bd

how about this, not too worried about staff renaming installers etc. but not sure of implications of blocking googleupdater.exe
0
 
LVL 23

Expert Comment

by:Ayman Bakr
ID: 38804534
Well, first you need to focus on what stage you want to put the restrictions:
1. At the download level
2. At the installation level
3. Post-Installation level

Once clear about that, then you can use the suggestion that suits your objective. GPO to disallow downloads, or GPO to disallow the installation or GPO to disallow the launch of an application that is already installed (again I would stress here that perhaps the best here is AppLocker Policy).

In the link you mentioned, googleupdate.exe restrictions will affect, not only chrome updates but any google related updates. You might want to stick to chrome_installer.exe; but if google changes the name of the file, the users will be able to download it again.

Frankly speaking, I would prefer the post-installation level restrictions because by this you avoid the hassle of changing file names rendering restrictions on the first two levels useless.
0
 
LVL 1

Author Comment

by:Pete
ID: 38804546
Applocker is not available for Win7 Pro which is what we have.

I would like to prevent both the downloading and the running. so maybe a SRP of *chrome.exe for the running and not sure about the downloading, any ideas what to block?

Thanks
0
 
LVL 23

Accepted Solution

by:
Ayman Bakr earned 500 total points
ID: 38805783
To prevent from running chrome installation you can create a SRP of chrome.exe and chromesetup.exe with a hash rule (so that even if they change the name of the file or path, they will still not be able to run the installation).

To prevent the download you can set the 'Allow File Download' to disabled in the GPO:
User Configuration > Windows Components > Internet Explorer > Internet Control Panel > Security Page > Internet Zone

But this will diallow download of all files in that zone.

To prevent select file types or certain file downloads like chromesetup.exe I believe you'll be better equipped to have it set on your firewall appliance (cisco, juniper - whatever is your firewall).
0

Featured Post

Microsoft Certification Exam 74-409

Veeam® is happy to provide the Microsoft community with a study guide prepared by MVP and MCT, Orin Thomas. This guide will take you through each of the exam objectives, helping you to prepare for and pass the examination.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Find out how to use Active Directory data for email signature management in Microsoft Exchange and Office 365.
Possible fixes for Windows 7 and Windows Server 2008 updating problem. Solutions mentioned are from Microsoft themselves. I started a case with them from our Microsoft Silver Partner option to open a case and get direct support from Microsoft. If s…
This tutorial will walk an individual through configuring a drive on a Windows Server 2008 to perform shadow copies in order to quickly recover deleted files and folders. Click on Start and then select Computer to view the available drives on the se…
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …

808 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question