Solved

Application whitelisting in Windows 8.1

Posted on 2014-02-19
5
2,067 Views
Last Modified: 2014-02-20
Hi Experts,

Here's a challenge:

Our students need to be able to run only a dozen of programs (Word, Excel, IE, GIMP, Notepad++ etc) and nothing else.

I want to find a way to apply an application white list that students can run.

I need to be able to apply this policy to one user OU in Active Directory (StudentsOU).

Users from all other OUs need to be able to run all software as usual.

What's the best way to do that?

I know that Software Restriction Policy doesn't work well with User OUs (Computer Settings).
AppLocker has problems with whitelisting (we need to block everything what's not on the allowed list and not block programs manually).
We also have Sophos Application Control, but this one again applies to Computer OUs, not User OUs.

We are using Windows 8.1 and Windows 2008 R2.

Any ideas?
0
Comment
Question by:itorana
  • 2
  • 2
5 Comments
 
LVL 11

Expert Comment

by:Manjunath Sullad
ID: 39869710
You need to create a GPO to block the specific applications,  and Link that GPO to specific OU,

if you want to restrict user to access the appliaction add user ID to this OU,

If user is outside the OU, he will be having access to appliations,

Please go through below links and configure the GPO.

http://blogs.technet.com/b/canitpro/archive/2013/06/10/step-by-step-controlling-access-in-windows-8-with-applocker.aspx

http://community.spiceworks.com/how_to/show/21544-block-skydrive-on-windows-8-using-group-policy-and-applocker

http://technet.microsoft.com/en-us/library/dd759117.aspx
0
 

Author Comment

by:itorana
ID: 39869733
Hi Sullad,

Thank you for quick reply.

I know how AppLocker and GPOs work - that's not the question.

See this post for more details about AppLocker and problems with whitelisting:
http://social.technet.microsoft.com/Forums/windowsserver/en-US/5a020ae7-f23b-40a6-824f-8e060bd7a390/using-applocker-to-prevent-all-applications-except-specific-ones?forum=winserverGP
0
 
LVL 53

Expert Comment

by:McKnife
ID: 39869773
Hi.

I use applocker and I cannot see any problems in whitelisting A in my experience and B in your linked story.
Please tell me what part of your story you are referring to. The guy there simply does not know what he is doing :)
0
 

Author Comment

by:itorana
ID: 39869786
hi McKnife,

Thanks for that - I'm glad to hear that whitelisting works for you in AppLocker!

Do you have the default rule as block all and added manual exceptions (allow)?
Do you need to modify exceptions every time application is updated? (new hash)
0
 
LVL 53

Accepted Solution

by:
McKnife earned 500 total points
ID: 39869896
The problem your linked article mentions is of course somewhat true: if we change the default rules and do not allow certain executables in the windows directory (windows' internals!), then problems may arise - but why should we do that? There is no reason to block access to executables in c:\windows, if you ask me.

"Do you have the default rule as block all and added manual exceptions (allow)?" - right. In addition to the mentioned default rule for c:\windows, NOT for c:\program files.
"Do you need to modify exceptions every time application is updated? (new hash)" - of course, yes, if you use hashing file by file, you need to do that. You could make it easier for you by using the publisher's certificate (for example: allow anything signed by Adobe Corp.) or simple path rules.
0

Join & Write a Comment

Suggested Solutions

Disabling the Directory Sync Service Account in Office 365 will stop directory synchronization from working.
Possible fixes for Windows 7 and Windows Server 2008 updating problem. Solutions mentioned are from Microsoft themselves. I started a case with them from our Microsoft Silver Partner option to open a case and get direct support from Microsoft. If s…
This tutorial will walk an individual through the steps necessary to install and configure the Windows Server Backup Utility. Directly connect an external storage device such as a USB drive, or CD\DVD burner: If the device is a USB drive, ensure i…
This tutorial will walk an individual through setting the global and backup job media overwrite and protection periods in Backup Exec 2012. Log onto the Backup Exec Central Administration Server. Examine the services. If all or most of them are stop…

747 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

13 Experts available now in Live!

Get 1:1 Help Now