Solved

Restrict users from launching executables

Posted on 2014-09-18
Last Modified: 2014-09-19
Hi!

We have a Windows Server 2012 domain, with Windows 7 and Windows 8.1 client computers. After adding the user to the local Power Users group, they obviously have more privileges on their computers. They also can run every executable. Our security specialist says that this is a risk. For example, malware could be installed in the background.

In my search to solve this issue, I came across 'Software Restriction Policies'. Is this the only way to prevent users from starting only the software they need to use?
Question by:SvenIA
7 Comments
 
LVL 61

Accepted Solution

by:
btan earned 450 total points
SRP is old and for your case is AppLocker, which is for application whitelisting and it manages policies for Packaged apps and Packaged app installers. AppLocker rules can be applied to specific users or groups. However, a rule can only apply to one user or one group. You can also create AppLocker rules to apply to all users (the Everyone group) and then apply that GPO to a specific computer group. Hence, using a principle of least privilege scheme, create role-based groups and assign the rule to the users within that group.

For example, you could have one rule that allows the Finance group to run winword.exe, and you could also have a second rule that allows the HR group to run winword.exe.

Do note only an administrator can change AppLocker policies. This prevents any standard user that is logged on to a computer from modifying the AppLocker rules to access or add an application. On a computer that is joined to a domain, the computer's administrator can create AppLocker rules that could be merged with the domain-level rules as stated in the domain GPO, but we need to be wary:
(A) AppLocker rules are additive; a local policy that is not in a GPO will still be evaluated for that computer.
(B) AppLocker can only control VBScript, JScript, .bat files, .cmd files, and Windows PowerShell scripts. It does not control all interpreted code that runs within a host process, for example, Perl scripts and macros. Interpreted code is a form of executable code that runs within a host process. For example, Windows batch files (*.bat) run within the context of the Windows Command Host (cmd.exe).

There are a variety of methods, and the best one will depend on your administrative practices.
(1) Set the enforcement mode on the relevant rule collection to Audit only so AppLocker will not block any application for the present time. Change the enforcement mode to Enforce rules when you are ready.
(2) Create an organizational unit (OU) that has a separate set of rules but does not block the users from running a particular application. Move the user to this OU temporarily while they install the update or application. Then, move them back to the OU where the original rule enforcement occurs.
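The per-group rule and the Audit-only start described above, as an added PowerShell example that is not from the thread or from Microsoft's documentation. It assumes a CONTOSO domain, a Finance group, a GPO named "AppLocker-Workstations" and an Office 15 install path; the default path rules are hand-written here with the same content the AppLocker console's "Create Default Rules" action produces.

```powershell
# Added example: EXE rule collection with default rules + a Finance-only rule for
# winword.exe, deployed in AuditOnly mode to a GPO. Run on a machine with RSAT.
Import-Module AppLocker
Import-Module GroupPolicy

$wordPath = 'C:\Program Files\Microsoft Office\Office15\WINWORD.EXE'   # assumed path

# 1. Publisher rule generated from the signed binary; -User scopes it to one group.
#    (A rule applies to one user or group, so HR would get a second rule.)
[xml]$policy = Get-AppLockerFileInformation -Path $wordPath |
    New-AppLockerPolicy -RuleType Publisher -User 'CONTOSO\Finance' -RuleNamePrefix 'Finance' -Xml
$exe = $policy.AppLockerPolicy.RuleCollection | Where-Object Type -eq 'Exe'

# 2. Default path rules so Windows and installed programs keep running.
function Add-PathRule([string]$Name, [string]$Sid, [string]$Path) {
    $rule = $policy.CreateElement('FilePathRule')
    $rule.SetAttribute('Id', [guid]::NewGuid().ToString())
    $rule.SetAttribute('Name', $Name)
    $rule.SetAttribute('Description', '')
    $rule.SetAttribute('UserOrGroupSid', $Sid)
    $rule.SetAttribute('Action', 'Allow')
    $cond = $policy.CreateElement('Conditions')
    $pc   = $policy.CreateElement('FilePathCondition')
    $pc.SetAttribute('Path', $Path)
    [void]$cond.AppendChild($pc)
    [void]$rule.AppendChild($cond)
    [void]$exe.AppendChild($rule)
}
Add-PathRule 'Default: Windows folder'       'S-1-1-0'      '%WINDIR%\*'        # Everyone
Add-PathRule 'Default: Program Files folder' 'S-1-1-0'      '%PROGRAMFILES%\*'  # Everyone
Add-PathRule 'Default: Administrators'       'S-1-5-32-544' '*'                 # BUILTIN\Administrators

# 3. AuditOnly first: nothing is blocked, but "would have been blocked" events are
#    logged. Switch this attribute to 'Enabled' once the audit log looks clean.
$exe.SetAttribute('EnforcementMode', 'AuditOnly')

# 4. Check a few decisions offline, then write the policy into the GPO.
$policyFile = Join-Path $env:TEMP 'applocker-exe.xml'
$policy.Save($policyFile)
Test-AppLockerPolicy -XmlPolicy $policyFile -Path $wordPath, 'C:\Windows\System32\calc.exe' `
    -User 'CONTOSO\jdoe' | Format-Table FilePath, PolicyDecision, MatchingRule   # jdoe: assumed user
$gpo = Get-GPO -Name 'AppLocker-Workstations'
Set-AppLockerPolicy -XmlPolicy $policyFile -Ldap "LDAP://$($gpo.DomainName)/$($gpo.Path)"
```

Note that the Everyone path rules still let a user run anything that lands under %PROGRAMFILES% or %WINDIR%, which is why the Audit-only phase matters before enforcing.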
 
LVL 61

Expert Comment

by:btan
Additionally, you can create the Power Users group via the Restricted Groups option and even try tweaking folder permissions for the Power Users group so that they have only the permissions needed to fit their roles. There are other device restrictions etc. to drill into in GPO if needed... but thinking back, people grant accounts membership in Power Users to enable them to install software, with the ability to define shares being the next most frequent reason.

So restricting the type of applications and exploring AppLocker may be a good start with them, to further restrict permissions if necessary...

http://www.grouppolicy.biz/2010/01/how-to-use-group-policy-preferences-to-secure-local-administrator-groups/
 
LVL 53

Assisted Solution

by:McKnife
McKnife earned 50 total points
There are no Power Users any more... folks, this ended with Vista already. The group is there, yes, but being in there has no effect any more; it's just for compatibility with old tools that check group membership.

Applocker is not available if you run win 7 or 8 in pro edition. What editions do you have?
 
LVL 61

Expert Comment

by:btan
Just to share, the AppLocker FAQ can be handy:
http://technet.microsoft.com/en-us/library/ee619725(v=ws.10).aspx#BKBK_WhichOSeditions

In Windows Server 2008 R2 and Windows 7: AppLocker rules can be enforced on computers running Windows 7 Ultimate, Windows 7 Enterprise, or any edition of Windows Server 2008 R2 except Windows Web Server 2008 R2 and Windows Server 2008 R2 Foundation.
In Windows Server 2012 and Windows 8: AppLocker is supported on all Windows beta evaluation versions except the Server Core installation option.

From the forum, the decision was made in Windows Vista to remove these elevated permissions in order to promote more secure deployments of the operating system. If you want to allow someone to perform the configuration tasks (e.g. install applications, printers, drivers and amend the network configuration) but not make them an Administrator, then it is tough as those need admin rights. You can explore making the user a member of the Network Configuration Operators group, but they cannot fulfil those as shared; targeted tuning may be best if you need granularity and security. http://technet.microsoft.com/en-us/library/cc754921(v=ws.10).aspx

Good to note the reason why we need to create standard user accounts is to protect the computer by preventing users from making changes that affect everyone who uses the computer. Some use cases to consider are below, but still, if you intend engineers (and in your case, all users) to have access to install the applications they require on an ad hoc basis, without having to go via the IT desk, that can be tough and needs to be balanced out... Pardon for going round, but the emphasis is to balance use and security:

- Installing a Package with Elevated Privileges for a Non-Admin http://msdn.microsoft.com/en-us/library/aa369519(v=vs.85).aspx
- Allow non-admin to install software/printer http://social.technet.microsoft.com/Forums/windowsserver/en-US/eb4eda89-d4df-48d0-802c-b3974f0dcb06/allow-nonadmin-to-install-softwareprinter?forum=winserverDS

The least privilege principle is the basis and AppLocker is worth exploring, but do test with app tm as well.
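The testing step above is where the Audit-only phase pays off: AppLocker writes a "would have been blocked" event for every file that Enforce would stop. The script below is an added example, not from the thread, that summarises those events on a client; it relies on AppLocker's documented event IDs (8003 for EXE/DLL, 8006 for MSI/script) and the UserData fields of those events, and the 7-day window is an arbitrary assumption.

```powershell
# Added example: list what AppLocker would have blocked while in AuditOnly mode.
# Run as a local administrator on a client that already has the audit policy.
param([int]$Days = 7)   # assumed review window

$since = (Get-Date).AddDays(-$Days)
$logs  = 'Microsoft-Windows-AppLocker/EXE and DLL',
         'Microsoft-Windows-AppLocker/MSI and Script'

# 8003 / 8006 = "allowed to run but would have been prevented if enforced".
$events = foreach ($log in $logs) {
    Get-WinEvent -FilterHashtable @{ LogName = $log; Id = 8003, 8006; StartTime = $since } `
        -ErrorAction SilentlyContinue
}

# Each event carries the file path, hash, publisher (Fqbn) and user SID in UserData.
$rows = foreach ($e in $events) {
    $d = ([xml]$e.ToXml()).Event.UserData.RuleAndFileData
    $user = try {
        (New-Object System.Security.Principal.SecurityIdentifier($d.TargetUser)).
            Translate([System.Security.Principal.NTAccount]).Value
    } catch { $d.TargetUser }   # SID stays raw if it cannot be resolved
    [pscustomobject]@{
        Time      = $e.TimeCreated
        Log       = $d.PolicyName
        User      = $user
        FilePath  = $d.FilePath
        Publisher = $d.Fqbn
        Hash      = $d.FileHash
    }
}

# Group by path. Many hits on a known line-of-business tool means it needs a rule;
# an unsigned binary in a user profile is the background-install risk in question.
$rows | Group-Object FilePath | Sort-Object Count -Descending |
    Select-Object Count, Name,
        @{ n = 'Users';  e = { ($_.Group.User | Sort-Object -Unique) -join ', ' } },
        @{ n = 'Signed'; e = { [bool]($_.Group[0].Publisher) -and $_.Group[0].Publisher -ne '-' } } |
    Format-Table -AutoSize
```

Review this output on a few representative clients before flipping the rule collection from AuditOnly to Enforce.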
 
LVL 7

Author Comment

by:SvenIA
@McKnife

Thanks for the comment. We use Windows 8.1 Enterprise.

@btan

I've looked into AppLocker. It's exactly what I need! Maybe one more question you can answer for me?

Besides the default rules, is everything blocked by default? Or do I have to deny and allow everything with specific rules?
 
LVL 53

Assisted Solution

by:McKnife
McKnife earned 50 total points
This will not be the only AppLocker question that will arise; please read the TechNet documentation. To answer this one: you can set it that way. By default, certain OS paths are allowed; the rest is restricted.
 
LVL 7

Author Closing Comment

by:SvenIA
Thanks for the very helpful information!