Application whitelisting in Windows 8.1

Hi Experts,

Here's a challenge:

Our students need to be able to run only a dozen programs (Word, Excel, IE, GIMP, Notepad++ etc.) and nothing else.

I want to find a way to apply a whitelist of applications that students can run.

I need to be able to apply this policy to one user OU in Active Directory (StudentsOU).

Users from all other OUs need to be able to run all software as usual.

What's the best way to do that?

I know that Software Restriction Policy doesn't work well with User OUs (Computer Settings).
AppLocker has problems with whitelisting (we need to block everything that's not on the allowed list and not block programs manually).
We also have Sophos Application Control, but this one again applies to Computer OUs, not User OUs.

We are using Windows 8.1 and Windows 2008 R2.

Any ideas?
Asked by: itorana
 
McKnife commented:
The problem your linked article mentions is of course somewhat true: if we change the default rules and do not allow certain executables in the Windows directory (Windows' internals!), then problems may arise - but why should we do that? There is no reason to block access to executables in c:\windows, if you ask me.

"Do you have the default rule as block all and added manual exceptions (allow)?" - right. In addition to the mentioned default rule for c:\windows, NOT for c:\program files.
"Do you need to modify exceptions every time application is updated? (new hash)" - of course, yes, if you use hashing file by file, you need to do that. You could make it easier for you by using the publisher's certificate (for example: allow anything signed by Adobe Corp.) or simple path rules.
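
The rule choices from the answer above (keep an allow rule for the Windows folder, add none for Program Files, prefer publisher rules over per-file hashes), as an added PowerShell example that is not part of the thread. The group name, install folders and probe files are assumptions.

```powershell
# Added example. Run elevated on a reference Windows 8.1 machine that has the
# allowed applications installed. Values marked "assumed" are placeholders.
Import-Module AppLocker

$studentGroup = 'CONTOSO\Students'       # assumed security group holding the student accounts
$allowedDirs  = @(                       # assumed install folders of the allowed applications
    "$env:ProgramFiles\Microsoft Office",
    "$env:ProgramFiles\GIMP 2",
    "$env:ProgramFiles\Notepad++"
) | Where-Object { Test-Path $_ }
$policyFile   = Join-Path $env:TEMP 'students-applocker.xml'

# Read publisher, path and hash information for every executable in those folders.
$fileInfo = $allowedDirs |
    ForEach-Object { Get-AppLockerFileInformation -Directory $_ -Recurse -FileType Exe }

# Publisher rules keep matching after an update; Hash is only the fallback for
# unsigned files and has to be regenerated whenever such a file changes.
[xml]$xml = New-AppLockerPolicy -FileInformation $fileInfo -RuleType Publisher, Hash `
    -User $studentGroup -RuleNamePrefix 'Students' -Optimize -Xml
$exeRules = $xml.SelectSingleNode("/AppLockerPolicy/RuleCollection[@Type='Exe']")

# Add the allow rule for the Windows folder; no path rule is added for Program Files.
$account = New-Object Security.Principal.NTAccount $studentGroup
$sid     = $account.Translate([Security.Principal.SecurityIdentifier]).Value
$rule    = $xml.CreateElement('FilePathRule')
$rule.SetAttribute('Id', [guid]::NewGuid().ToString())
$rule.SetAttribute('Name', 'Students: Windows folder')
$rule.SetAttribute('Description', '')
$rule.SetAttribute('UserOrGroupSid', $sid)
$rule.SetAttribute('Action', 'Allow')
$rule.InnerXml = '<Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>'
[void]$exeRules.AppendChild($rule)
$xml.Save($policyFile)

# Files that ended up with hash rules: the maintenance list for future updates.
$exeRules.SelectNodes('FileHashRule') | ForEach-Object { $_.GetAttribute('Name') }

# Dry run against the saved policy before linking it in a GPO. Files that match
# no allow rule are reported as denied by default.
$probe = "$env:WINDIR\notepad.exe", "$env:ProgramFiles\Windows Media Player\wmplayer.exe" |
    Where-Object { Test-Path $_ }
Test-AppLockerPolicy -XmlPolicy $policyFile -Path $probe -User $studentGroup |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize
```

Once the Exe rule collection is enforced it applies to every user who logs on to that computer, so accounts outside the student group need an allow rule of their own.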
 
Manjunath Sullad (Technical Consultant) commented:
You need to create a GPO to block the specific applications, and link that GPO to the specific OU.

If you want to restrict a user from accessing the application, add the user ID to this OU.

If a user is outside the OU, he will have access to the applications.

Please go through the links below and configure the GPO.

http://blogs.technet.com/b/canitpro/archive/2013/06/10/step-by-step-controlling-access-in-windows-8-with-applocker.aspx

http://community.spiceworks.com/how_to/show/21544-block-skydrive-on-windows-8-using-group-policy-and-applocker

http://technet.microsoft.com/en-us/library/dd759117.aspx
 
itorana (Author) commented:
Hi Sullad,

Thank you for the quick reply.

I know how AppLocker and GPOs work - that's not the question.

See this post for more details about AppLocker and problems with whitelisting:
http://social.technet.microsoft.com/Forums/windowsserver/en-US/5a020ae7-f23b-40a6-824f-8e060bd7a390/using-applocker-to-prevent-all-applications-except-specific-ones?forum=winserverGP
 
McKnife commented:
Hi.

I use AppLocker and I cannot see any problems with whitelisting, (A) in my experience and (B) in your linked story.
Please tell me what part of your story you are referring to. The guy there simply does not know what he is doing :)
 
itorana (Author) commented:
Hi McKnife,

Thanks for that - I'm glad to hear that whitelisting works for you in AppLocker!

Do you have the default rule as block all and added manual exceptions (allow)?
Do you need to modify exceptions every time an application is updated? (new hash)

Question has a verified solution.