Solved

Block Install of Firefox

Posted on 2013-05-20
20
466 Views
Last Modified: 2013-06-11
My machines are locked down and my users have no rights to install anything, however, one user was able to install firefox.  We can't use firefox in this environment because of certain software that's not compatible with it.  Is there some way, (GPP or GPO) I can stop users from installing this? If so how?
0
Comment
Question by:WellingtonIS
  • 12
  • 4
  • 3
  • +1
20 Comments
 
LVL 22

Expert Comment

by:Haresh Nikumbh
ID: 39180847
In GPOs in Windows XP and Vista have a mechanism called Software Restriction Policies that will allow you to block firefox either by path or file hash (I would suggest using both) as requested. Windows 7 introduced an enhanced version of this called AppLocker. Both can be found under Computer Configuration\Windows Settings\Security Settings.


http://technet.microsoft.com/en-us/library/bb457006.aspx

http://technet.microsoft.com/en-us/library/dd723678(WS.10).aspx
0
 
LVL 10

Expert Comment

by:ienaxxx
ID: 39180857
yeah, you can use a GPO with software restriction policy to prevent:

the hash of the main firefox executable (obtain various to get the console analyze them)
the name of the exe (i mean firefox.exe).

Pay serious attention when enabling SRP and test it on a test-OU before.
You should leave an enable all/deny specific policy for the ease of implementation IMO.
0
 
LVL 10

Expert Comment

by:ienaxxx
ID: 39180869
The correct path is:
computer settings->windows settings->security settings->software restriction policies.
0
 

Author Comment

by:WellingtonIS
ID: 39180919
Will GPO Applocker work on XP machines?
0
 
LVL 22

Expert Comment

by:Haresh Nikumbh
ID: 39180934
Windows 7 introduced an enhanced version of this called AppLocker
for XP Software Restriction Policies
0
 

Author Comment

by:WellingtonIS
ID: 39180981
OK great I will test this. Thanks!
0
 

Author Comment

by:WellingtonIS
ID: 39181048
I did the following.  See attached and tried it on my test machine.  I WAS able to install it. I also turned on Application Identity too as instructed in the instructions...  Do I make the Scope the machines or the users? (Maybe that's my issue?)
GPO.png
0
 
LVL 22

Expert Comment

by:Haresh Nikumbh
ID: 39181095
run Gpupdate.exe /force on client machine and verify
0
 

Author Comment

by:WellingtonIS
ID: 39181099
Ran that and also RSOP it's applied.
0
 
LVL 10

Expert Comment

by:ienaxxx
ID: 39181152
OK, you was able to install it.
Are you able to use it?

I mean: I told you to get hashes for the main firefox executables because IMO it's useless to block the installers...
There are also portable versions of firefox that doesn't require the setup....
0
What Should I Do With This Threat Intelligence?

Are you wondering if you actually need threat intelligence? The answer is yes. We explain the basics for creating useful threat intelligence.

 

Author Comment

by:WellingtonIS
ID: 39181157
Yes you're correct about the portable part.  I'm now trying to block the %osdrive%\User\%username%\AppData\Loca\Mozilla\* -
0
 
LVL 10

Expert Comment

by:ienaxxx
ID: 39181168
Why?
Why don't you block path *\firefox.exe and all the firefox.exe file versions hashes?
0
 

Author Comment

by:WellingtonIS
ID: 39181190
just did thanks.  Let's see if that works.
0
 

Author Comment

by:WellingtonIS
ID: 39181205
Wow this thing is a Beast!  I can't stop the installing no matter what I do?  It installs and works.
0
 

Author Comment

by:WellingtonIS
ID: 39181269
In addition I added the following security settings too to try to stop the install in Appdata..
additional.png
0
 

Author Comment

by:WellingtonIS
ID: 39181341
OK if I do an RSOP on the server (Advanced View) the Application Control Policy isn't showing up... I wonder if that's my issue...
0
 

Author Comment

by:WellingtonIS
ID: 39181618
ok I FINALLY GOT IT to work! It does install but you can't run it.
You have to block
C:\users\%username%\AppData\Local\Mozilla Firefox\*.*
I don't know the path for XP.  Anyone???
0
 

Author Comment

by:WellingtonIS
ID: 39184407
Strangely enough, just doing the app blocker didn't do the trick for me.  I had to add the registry setting too. I will install but it  will not run.
For XP I had to use c:\documents and settings\%username%\Local Settings\Application Data\Mozilla firefox\Firefox.exe
Once I added that and the other registry setting for windows 7 it worked.  I'm not sure why just running the app blocker didn't fix the issue.
the other thing with the APP blocker is unless you have the app installed you can't block it.  That to me doesn't make much sense but OK.
0
 
LVL 4

Accepted Solution

by:
Tushar_Darwatkar earned 500 total points
ID: 39200451
Hello,

Just go through the link below which suggest that you can block the executable file download on Proxy Server only. If you are not using Proxy server then you can try the other steps mentioned to configure the AppLocker as well.

http://social.technet.microsoft.com/Forums/en-US/winserverGP/thread/53f4bf00-8441-4a79-b023-6c225f883391

http://www.edugeek.net/forums/windows-7/82380-blocking-firefox-install.html
0
 

Author Closing Comment

by:WellingtonIS
ID: 39238802
thx this worked.
0

Featured Post

How your wiki can always stay up-to-date

Quip doubles as a “living” wiki and a project management tool that evolves with your organization. As you finish projects in Quip, the work remains, easily accessible to all team members, new and old.
- Increase transparency
- Onboard new hires faster
- Access from mobile/offline

Join & Write a Comment

Can I legally transfer my OEM version of Windows to another PC?  (AKA - Can I put a new systemboard in my OEM PC?) Few of us are both IT and legal experts but we all have our own views of Microsoft's licensing rules and how they apply.  There are…
If you get continual lockouts after changing your Active Directory password, there are several possible reasons.  Two of the most common are using other devices to access your email and stored passwords in the credential manager of windows.
This Micro Tutorial will give you basic overview of the control panel section on Windows 7. It will depth in Network and Internet, Hardware and Sound, etc. This will be demonstrated using Windows 7 operating system.
The viewer will learn how to successfully download and install the SARDU utility on Windows 7, without downloading adware.

758 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

17 Experts available now in Live!

Get 1:1 Help Now