Solved

Application whitelisting in Windows 8.1

Posted on 2014-02-19
5
2,108 Views
Last Modified: 2014-02-20
Hi Experts,

Here's a challenge:

Our students need to be able to run only a dozen of programs (Word, Excel, IE, GIMP, Notepad++ etc) and nothing else.

I want to find a way to apply an application white list that students can run.

I need to be able to apply this policy to one user OU in Active Directory (StudentsOU).

Users from all other OUs need to be able to run all software as usual.

What's the best way to do that?

I know that Software Restriction Policy doesn't work well with User OUs (Computer Settings).
AppLocker has problems with whitelisting (we need to block everything what's not on the allowed list and not block programs manually).
We also have Sophos Application Control, but this one again applies to Computer OUs, not User OUs.

We are using Windows 8.1 and Windows 2008 R2.

Any ideas?
0
Comment
Question by:itorana
  • 2
  • 2
5 Comments
 
LVL 11

Expert Comment

by:Manjunath Sullad
ID: 39869710
You need to create a GPO to block the specific applications,  and Link that GPO to specific OU,

if you want to restrict user to access the appliaction add user ID to this OU,

If user is outside the OU, he will be having access to appliations,

Please go through below links and configure the GPO.

http://blogs.technet.com/b/canitpro/archive/2013/06/10/step-by-step-controlling-access-in-windows-8-with-applocker.aspx

http://community.spiceworks.com/how_to/show/21544-block-skydrive-on-windows-8-using-group-policy-and-applocker

http://technet.microsoft.com/en-us/library/dd759117.aspx
0
 

Author Comment

by:itorana
ID: 39869733
Hi Sullad,

Thank you for quick reply.

I know how AppLocker and GPOs work - that's not the question.

See this post for more details about AppLocker and problems with whitelisting:
http://social.technet.microsoft.com/Forums/windowsserver/en-US/5a020ae7-f23b-40a6-824f-8e060bd7a390/using-applocker-to-prevent-all-applications-except-specific-ones?forum=winserverGP
0
 
LVL 54

Expert Comment

by:McKnife
ID: 39869773
Hi.

I use applocker and I cannot see any problems in whitelisting A in my experience and B in your linked story.
Please tell me what part of your story you are referring to. The guy there simply does not know what he is doing :)
0
 

Author Comment

by:itorana
ID: 39869786
hi McKnife,

Thanks for that - I'm glad to hear that whitelisting works for you in AppLocker!

Do you have the default rule as block all and added manual exceptions (allow)?
Do you need to modify exceptions every time application is updated? (new hash)
0
 
LVL 54

Accepted Solution

by:
McKnife earned 500 total points
ID: 39869896
The problem your linked article mentions is of course somewhat true: if we change the default rules and do not allow certain executables in the windows directory (windows' internals!), then problems may arise - but why should we do that? There is no reason to block access to executables in c:\windows, if you ask me.

"Do you have the default rule as block all and added manual exceptions (allow)?" - right. In addition to the mentioned default rule for c:\windows, NOT for c:\program files.
"Do you need to modify exceptions every time application is updated? (new hash)" - of course, yes, if you use hashing file by file, you need to do that. You could make it easier for you by using the publisher's certificate (for example: allow anything signed by Adobe Corp.) or simple path rules.
0

Featured Post

Windows Server 2016: All you need to know

Learn about Hyper-V features that increase functionality and usability of Microsoft Windows Server 2016. Also, throughout this eBook, you’ll find some basic PowerShell examples that will help you leverage the scripts in your environments!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
document a domain users/computers 1 34
ticket bloat 3 24
Changing passwords 3 20
DNS Record - External Public IP (Sonicwall VPN) 9 21
In this article, we will see the basic design consideration while designing a Multi-tenant web application in a simple manner. Though, many frameworks are available in the market to develop a multi - tenant application, but do they provide data, cod…
In this article, I am going to show you how to simulate a multi-site Lab environment on a single Hyper-V host. I use this method successfully in my own lab to simulate three fully routed global AD Sites on a Windows 10 Hyper-V host.
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…

786 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question