?
Solved

Restrict users from launching executables

Posted on 2014-09-18
7
Medium Priority
?
699 Views
Last Modified: 2014-09-19
Hi!

We have a Windows Server 2012 domain, with Windows 7 and Windows 8.1 cliënt computers. After adding the user to the local Power Users Group, they have obviously have more priviliges on their computers. They also can run every executable. Our security specialist says that this is a risk. For example malware could be installed in the background.

In my search to solve this issue, i came accross 'Software Restriction Policies'. Is this the only way to prevent users from starting only the software they need to use?
0
Comment
Question by:SvenIA
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
  • 2
7 Comments
 
LVL 64

Accepted Solution

by:
btan earned 1800 total points
ID: 40330412
SRP is old and for your case is Applocker which is for appl whitelisting and it  manage policies for Packaged apps and Packaged app installers. AppLocker rules can be applied to specific users or groups. However, a rule can only apply to one user or one group. You can also create AppLocker rules to apply to all users (the Everyone group) and then apply that GPO to a specific computer group. Hence using principle of least privilege scheme, create role based group and assign the rule to the user within that group.

For example, you could have one rule that allows the Finance group to run winword.exe, and you could also have a second rule that allows the HR group to run winword.exe.

Do note only an administrator change AppLocker policies - This prevents any standard user that is logged on to a computer from modifying the AppLocker rules to access or add an application. On a computer that is joined to a domain, the computer's administrator can create AppLocker rules that could be merged with a domain-level rules as stated in the domain GPO. but we need to be wary
(A) AppLocker rules are additive, a local policy that is not in a GPO will still be evaluated for that computer
(B) AppLocker can only control VBScript, JScript, .bat files, .cmd files, and Windows PowerShell scripts. It does not control all interpreted code that runs within a host process, for example, Perl scripts and macros. Interpreted code is a form of executable code that runs within a host process. For example, Windows batch files (*.bat) run within the context of the Windows Command Host (cmd.exe)

There are a variety of methods, and the best one will depend on your administrative practices.
(1) set the enforcement mode on the relevant rule collection to Audit only so AppLocker will not block any application for the present time. change the enforcement mode to Enforce rules when you are ready.
(2) create an organizational unit (OU) that has a separate set of rules but does not block the users from running a particular application. Move the user to this OU temporarily while they install the update or application. Then, move them back to the OU where the original rule enforcement occurs.
0
 
LVL 64

Expert Comment

by:btan
ID: 40330447
additionally, can create the Power User Group by Restricted Groups option and even try tweaking folder
permissions for the power users group so that they have only the possible permissions to fit their roles. there are other device restriction etc to drill in gpo if need to..but thinking back...people grant accounts membership
in Power Users is to enable them to install software, with the ability to define shares being next most frequent.

So restricting the type of appls and exploring applocker may be good start with them to further restrict permission if necessary...

http://www.grouppolicy.biz/2010/01/how-to-use-group-policy-preferences-to-secure-local-administrator-groups/
0
 
LVL 56

Assisted Solution

by:McKnife
McKnife earned 200 total points
ID: 40331574
There are no power users any more... folks, this ended with vista already. The group is there, yes, but it has no effect being in there, anymore, it's just for compatibility with old tools that check group membership.

Applocker is not available if you run win 7 or 8 in pro edition. What editions do you have?
0
Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
LVL 64

Expert Comment

by:btan
ID: 40331784
just to share Applocker FAQ cna be handy
http://technet.microsoft.com/en-us/library/ee619725(v=ws.10).aspx#BKBK_WhichOSeditions

In Windows Server 2008 R2 and Windows 7 - AppLocker rules can be enforced on computers running Windows 7 Ultimate, Windows 7 Enterprise, or any edition of Windows Server 2008 R2 except Windows Web Server 2008 R2 and Windows Server 2008 R2 Foundation.
In Windows Server 2012 and Windows 8 - AppLocker is supported on all Windows beta evaluation versions except the Server Core installation option.

From forum, the decision was made in Windows Vista to remove these elevated permissions in order to promote more secure deployments of the operating system. If you want to allow someone to perform the configuration tasks (e.g. install applications, printers, drivers and amend the network configuration) but not make them an Administrator, then it is tough as those need admin rights. You can explore having the user a member of the Network Configuration Operators group but they cannot fulfil those as shared - targeted tuning may be best if you need granularity and security. http://technet.microsoft.com/en-us/library/cc754921(v=ws.10).aspx

Good to note the reason why we need to create standard user account is to protect computer by preventing users from making changes that effect everyone who uses the computer. Some use case to consider include but still if you intent engineers (and in your case - all users) access to install Applications they require on an Ad Hoc Basis, without having to go via the IT Desk, that can be tough and need to balance out... Pardon for going round but the emphasis is to balance use and security:

- Installing a Package with Elevated Privileges for a Non-Admin http://msdn.microsoft.com/en-us/library/aa369519(v=vs.85).aspx
- Allow non-admin to install software/printer http://social.technet.microsoft.com/Forums/windowsserver/en-US/eb4eda89-d4df-48d0-802c-b3974f0dcb06/allow-nonadmin-to-install-softwareprinter?forum=winserverDS

least privilege principle is the basis and applocker is worth exploring but do test with app tm as well
0
 
LVL 7

Author Comment

by:SvenIA
ID: 40332164
@McKnife

Thanks for the comment. We use Windows 8.1 Enterprise.

@btan

I've looked into AppLocker. It's exactly what i need! Maybe one more question you can answer for me?

Beside the default rules, is everything blocked by default? Or do i have to deny and allow everything with specific rules?
0
 
LVL 56

Assisted Solution

by:McKnife
McKnife earned 200 total points
ID: 40332178
This will not be the only applocker question that will arise, please read the technet documentation. To answer this one: you can set it that way. By default, certain OS paths are allowed, the rest is restricted.
0
 
LVL 7

Author Closing Comment

by:SvenIA
ID: 40332181
Thanks for the very helpfull information!
0

Featured Post

Problems using Powershell and Active Directory?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Group policies can be applied selectively to specific devices with the help of groups. Utilising this, it is possible to phase-in group policies, over a period of time, by randomly adding non-members user or computers at a set interval, to a group f…
This process allows computer passwords to be managed and secured without using LAPS. This is an improvement on an existing process, enhanced to store password encrypted, instead of clear-text files within SQL
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …
Attackers love to prey on accounts that have privileges. Reducing privileged accounts and protecting privileged accounts therefore is paramount. Users, groups, and service accounts need to be protected to help protect the entire Active Directory …
Suggested Courses

741 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question