Solved

Application whitelisting in Windows 8.1

Posted on 2014-02-19
Last Modified: 2014-02-20
Hi Experts,

Here's a challenge:

Our students need to be able to run only a dozen programs (Word, Excel, IE, GIMP, Notepad++ etc) and nothing else.

I want to find a way to apply an application white list that students can run.

I need to be able to apply this policy to one user OU in Active Directory (StudentsOU).

Users from all other OUs need to be able to run all software as usual.

What's the best way to do that?

I know that Software Restriction Policy doesn't work well with User OUs (Computer Settings).
AppLocker has problems with whitelisting (we need to block everything that's not on the allowed list and not block programs manually).
We also have Sophos Application Control, but this one again applies to Computer OUs, not User OUs.

We are using Windows 8.1 and Windows 2008 R2.

Any ideas?
Question by:itorana
LVL 11

Expert Comment

by:Manjunath Sullad
ID: 39869710
You need to create a GPO to block the specific applications, and link that GPO to the specific OU.

If you want to restrict a user's access to the application, add the user ID to this OU.

If a user is outside the OU, he will have access to the applications.

Please go through the links below and configure the GPO.

http://blogs.technet.com/b/canitpro/archive/2013/06/10/step-by-step-controlling-access-in-windows-8-with-applocker.aspx

http://community.spiceworks.com/how_to/show/21544-block-skydrive-on-windows-8-using-group-policy-and-applocker

http://technet.microsoft.com/en-us/library/dd759117.aspx

Author Comment

by:itorana
ID: 39869733
Hi Sullad,

Thank you for the quick reply.

I know how AppLocker and GPOs work - that's not the question.

See this post for more details about AppLocker and problems with whitelisting:
http://social.technet.microsoft.com/Forums/windowsserver/en-US/5a020ae7-f23b-40a6-824f-8e060bd7a390/using-applocker-to-prevent-all-applications-except-specific-ones?forum=winserverGP
LVL 56

Expert Comment

by:McKnife
ID: 39869773
Hi.

I use AppLocker and I cannot see any problems in whitelisting, (A) in my experience and (B) in your linked story.
Please tell me what part of your story you are referring to. The guy there simply does not know what he is doing :)

Author Comment

by:itorana
ID: 39869786
Hi McKnife,

Thanks for that - I'm glad to hear that whitelisting works for you in AppLocker!

Do you have the default rule as block all and added manual exceptions (allow)?
Do you need to modify exceptions every time an application is updated? (new hash)
LVL 56

Accepted Solution

by:
McKnife earned 2000 total points
ID: 39869896
The problem your linked article mentions is of course somewhat true: if we change the default rules and do not allow certain executables in the Windows directory (Windows' internals!), then problems may arise - but why should we do that? There is no reason to block access to executables in c:\windows, if you ask me.

"Do you have the default rule as block all and added manual exceptions (allow)?" - right. In addition to the mentioned default rule for c:\windows, NOT for c:\program files.
"Do you need to modify exceptions every time application is updated? (new hash)" - of course, yes, if you use hashing file by file, you need to do that. You could make it easier for yourself by using the publisher's certificate (for example: allow anything signed by Adobe Corp.) or simple path rules.
0
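The rule set described in the accepted answer, written out as an added example (not code from the thread or from any poster): an AppLocker policy that keeps the allow rule for the Windows folder, omits the Program Files default, and allows students only publisher-signed or path-listed applications. AppLocker rules are targeted at users or groups by SID inside a computer policy, so the per-user scoping comes from the rules rather than from the OU link. Assumptions: the groups `CONTOSO\Students` and `CONTOSO\Staff`, the GIMP install path and the output file name are hypothetical.

```powershell
# Added example, not from the thread. Group names and paths are hypothetical.
function Get-Sid([string]$Account) {
    # AppLocker rules are keyed on the SID of a user or group.
    (New-Object System.Security.Principal.NTAccount($Account)).Translate(
        [System.Security.Principal.SecurityIdentifier]).Value
}
$students = Get-Sid 'CONTOSO\Students'   # hypothetical group of StudentsOU users
$staff    = Get-Sid 'CONTOSO\Staff'      # hypothetical group of everyone else
$id       = { [guid]::NewGuid().ToString() }   # each rule needs a unique Id

# Any executable not matched by an Allow rule below is denied by default.
$xml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
    <FilePathRule Id="$(& $id)" Name="All users: Windows folder" Description=""
                  UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$(& $id)" Name="Staff: all files" Description=""
                  UserOrGroupSid="$staff" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions>
    </FilePathRule>
    <FilePublisherRule Id="$(& $id)" Name="Students: signed by Microsoft" Description=""
                       UserOrGroupSid="$students" Action="Allow">
      <Conditions>
        <FilePublisherCondition ProductName="*" BinaryName="*"
            PublisherName="O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US">
          <BinaryVersionRange LowSection="*" HighSection="*" />
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
    <FilePathRule Id="$(& $id)" Name="Students: GIMP" Description=""
                  UserOrGroupSid="$students" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\GIMP 2\*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"@
$policyFile = Join-Path $env:TEMP 'students-whitelist.xml'
Set-Content -Path $policyFile -Value $xml -Encoding UTF8

# Dry run: report the decision and matching rule for a student account.
Import-Module AppLocker
Test-AppLockerPolicy -XmlPolicy $policyFile -User 'CONTOSO\Students' -Path `
    "$env:WINDIR\System32\notepad.exe", "$env:ProgramFiles\GIMP 2\bin\*.exe" |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize
```

The policy starts in `AuditOnly` so that blocked launches are only logged; switch `EnforcementMode` to `Enabled` once the audit events match expectations. The Application Identity service must be running on the clients for the rules to be evaluated.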

Question has a verified solution.
