Solved

Application whitelisting in Windows 8.1

Posted on 2014-02-19
Last Modified: 2014-02-20
Hi Experts,

Here's a challenge:

Our students need to be able to run only a dozen programs (Word, Excel, IE, GIMP, Notepad++ etc) and nothing else.

I want to find a way to apply an application white list that students can run.

I need to be able to apply this policy to one user OU in Active Directory (StudentsOU).

Users from all other OUs need to be able to run all software as usual.

What's the best way to do that?

I know that Software Restriction Policy doesn't work well with User OUs (Computer Settings).
AppLocker has problems with whitelisting (we need to block everything that's not on the allowed list and not block programs manually).
We also have Sophos Application Control, but this one again applies to Computer OUs, not User OUs.

We are using Windows 8.1 and Windows 2008 R2.

Any ideas?
Question by:itorana
5 Comments
 
LVL 11

Expert Comment

by:Manjunath Sullad
ID: 39869710
You need to create a GPO to block the specific applications, and link that GPO to the specific OU.

If you want to restrict a user from accessing the application, add the user ID to this OU.

If the user is outside the OU, he will have access to the applications.

Please go through the links below and configure the GPO.

http://blogs.technet.com/b/canitpro/archive/2013/06/10/step-by-step-controlling-access-in-windows-8-with-applocker.aspx

http://community.spiceworks.com/how_to/show/21544-block-skydrive-on-windows-8-using-group-policy-and-applocker

http://technet.microsoft.com/en-us/library/dd759117.aspx
0
 

Author Comment

by:itorana
ID: 39869733
Hi Sullad,

Thank you for the quick reply.

I know how AppLocker and GPOs work - that's not the question.

See this post for more details about AppLocker and problems with whitelisting:
http://social.technet.microsoft.com/Forums/windowsserver/en-US/5a020ae7-f23b-40a6-824f-8e060bd7a390/using-applocker-to-prevent-all-applications-except-specific-ones?forum=winserverGP
0
 
LVL 55

Expert Comment

by:McKnife
ID: 39869773
Hi.

I use AppLocker and I cannot see any problems with whitelisting, A) in my experience and B) in your linked story.
Please tell me what part of your story you are referring to. The guy there simply does not know what he is doing :)
0
 

Author Comment

by:itorana
ID: 39869786
Hi McKnife,

Thanks for that - I'm glad to hear that whitelisting works for you in AppLocker!

Do you have the default rule as block all and added manual exceptions (allow)?
Do you need to modify exceptions every time an application is updated? (new hash)
0
 
LVL 55

Accepted Solution

by:
McKnife earned 500 total points
ID: 39869896
The problem your linked article mentions is of course somewhat true: if we change the default rules and do not allow certain executables in the Windows directory (Windows internals!), then problems may arise - but why should we do that? There is no reason to block access to executables in c:\windows, if you ask me.

"Do you have the default rule as block all and added manual exceptions (allow)?" - right. In addition to the mentioned default rule for c:\windows, NOT for c:\program files.
"Do you need to modify exceptions every time application is updated? (new hash)" - of course, yes, if you use hashing file by file, you need to do that. You could make it easier for yourself by using the publisher's certificate (for example: allow anything signed by Adobe Corp.) or simple path rules.
0
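An AppLocker policy shaped the way the accepted answer describes, as an added example that is not from the thread: the default allow rule for the Windows folder is kept, the one for Program Files is left out, and students get a publisher rule and a path rule instead of per-file hashes. AppLocker scopes each rule to a user or security group through `UserOrGroupSid`, so this assumes the students and the unrestricted users are each in a group; all SIDs, rule GUIDs, the publisher and product strings and the GIMP path are constructed placeholders to be replaced with values read from the real environment.

```xml
<!-- Added example. SIDs, GUIDs, publisher/product strings and paths are constructed placeholders. -->
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="Enabled">
    <!-- Kept default rule: everyone (S-1-1-0) may run executables under the Windows folder. -->
    <FilePathRule Id="11111111-1111-1111-1111-111111111111" Name="Allow Windows folder"
                  Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePathCondition Path="%WINDIR%\*" />
      </Conditions>
    </FilePathRule>
    <!-- No Everyone rule for Program Files: with enforcement on, whatever no rule allows is blocked. -->
    <!-- Students (assumed group SID): publisher rule, so an update needs no new hash. -->
    <FilePublisherRule Id="22222222-2222-2222-2222-222222222222" Name="Students: Microsoft Office"
                       Description="" Action="Allow"
                       UserOrGroupSid="S-1-5-21-1111111111-2222222222-3333333333-1105">
      <Conditions>
        <FilePublisherCondition PublisherName="O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US"
                                ProductName="MICROSOFT OFFICE 2013" BinaryName="*">
          <BinaryVersionRange LowSection="*" HighSection="*" />
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
    <!-- Students: simple path rule; only sound if students cannot write to this folder. -->
    <FilePathRule Id="33333333-3333-3333-3333-333333333333" Name="Students: GIMP"
                  Description="" Action="Allow"
                  UserOrGroupSid="S-1-5-21-1111111111-2222222222-3333333333-1105">
      <Conditions>
        <FilePathCondition Path="%PROGRAMFILES%\GIMP 2\*" />
      </Conditions>
    </FilePathRule>
    <!-- Unrestricted users (assumed staff group SID): allow everything, as before. -->
    <FilePathRule Id="44444444-4444-4444-4444-444444444444" Name="Staff: all files"
                  Description="" Action="Allow"
                  UserOrGroupSid="S-1-5-21-1111111111-2222222222-3333333333-1106">
      <Conditions>
        <FilePathCondition Path="*" />
      </Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
```

Setting `EnforcementMode="AuditOnly"` first logs what would have been blocked without blocking it. `Test-AppLockerPolicy` with `-XmlPolicy`, `-Path` and `-User` checks individual executables against the file before the policy is linked.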
