Solved

Restrict users from launching executables

Posted on 2014-09-18
7
684 Views
Last Modified: 2014-09-19
Hi!

We have a Windows Server 2012 domain, with Windows 7 and Windows 8.1 cliënt computers. After adding the user to the local Power Users Group, they have obviously have more priviliges on their computers. They also can run every executable. Our security specialist says that this is a risk. For example malware could be installed in the background.

In my search to solve this issue, i came accross 'Software Restriction Policies'. Is this the only way to prevent users from starting only the software they need to use?
0
Comment
Question by:SvenIA
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
  • 2
7 Comments
 
LVL 63

Accepted Solution

by:
btan earned 450 total points
ID: 40330412
SRP is old and for your case is Applocker which is for appl whitelisting and it  manage policies for Packaged apps and Packaged app installers. AppLocker rules can be applied to specific users or groups. However, a rule can only apply to one user or one group. You can also create AppLocker rules to apply to all users (the Everyone group) and then apply that GPO to a specific computer group. Hence using principle of least privilege scheme, create role based group and assign the rule to the user within that group.

For example, you could have one rule that allows the Finance group to run winword.exe, and you could also have a second rule that allows the HR group to run winword.exe.

Do note only an administrator change AppLocker policies - This prevents any standard user that is logged on to a computer from modifying the AppLocker rules to access or add an application. On a computer that is joined to a domain, the computer's administrator can create AppLocker rules that could be merged with a domain-level rules as stated in the domain GPO. but we need to be wary
(A) AppLocker rules are additive, a local policy that is not in a GPO will still be evaluated for that computer
(B) AppLocker can only control VBScript, JScript, .bat files, .cmd files, and Windows PowerShell scripts. It does not control all interpreted code that runs within a host process, for example, Perl scripts and macros. Interpreted code is a form of executable code that runs within a host process. For example, Windows batch files (*.bat) run within the context of the Windows Command Host (cmd.exe)

There are a variety of methods, and the best one will depend on your administrative practices.
(1) set the enforcement mode on the relevant rule collection to Audit only so AppLocker will not block any application for the present time. change the enforcement mode to Enforce rules when you are ready.
(2) create an organizational unit (OU) that has a separate set of rules but does not block the users from running a particular application. Move the user to this OU temporarily while they install the update or application. Then, move them back to the OU where the original rule enforcement occurs.
0
 
LVL 63

Expert Comment

by:btan
ID: 40330447
additionally, can create the Power User Group by Restricted Groups option and even try tweaking folder
permissions for the power users group so that they have only the possible permissions to fit their roles. there are other device restriction etc to drill in gpo if need to..but thinking back...people grant accounts membership
in Power Users is to enable them to install software, with the ability to define shares being next most frequent.

So restricting the type of appls and exploring applocker may be good start with them to further restrict permission if necessary...

http://www.grouppolicy.biz/2010/01/how-to-use-group-policy-preferences-to-secure-local-administrator-groups/
0
 
LVL 54

Assisted Solution

by:McKnife
McKnife earned 50 total points
ID: 40331574
There are no power users any more... folks, this ended with vista already. The group is there, yes, but it has no effect being in there, anymore, it's just for compatibility with old tools that check group membership.

Applocker is not available if you run win 7 or 8 in pro edition. What editions do you have?
0
Visualize your virtual and backup environments

Create well-organized and polished visualizations of your virtual and backup environments when planning VMware vSphere, Microsoft Hyper-V or Veeam deployments. It helps you to gain better visibility and valuable business insights.

 
LVL 63

Expert Comment

by:btan
ID: 40331784
just to share Applocker FAQ cna be handy
http://technet.microsoft.com/en-us/library/ee619725(v=ws.10).aspx#BKBK_WhichOSeditions

In Windows Server 2008 R2 and Windows 7 - AppLocker rules can be enforced on computers running Windows 7 Ultimate, Windows 7 Enterprise, or any edition of Windows Server 2008 R2 except Windows Web Server 2008 R2 and Windows Server 2008 R2 Foundation.
In Windows Server 2012 and Windows 8 - AppLocker is supported on all Windows beta evaluation versions except the Server Core installation option.

From forum, the decision was made in Windows Vista to remove these elevated permissions in order to promote more secure deployments of the operating system. If you want to allow someone to perform the configuration tasks (e.g. install applications, printers, drivers and amend the network configuration) but not make them an Administrator, then it is tough as those need admin rights. You can explore having the user a member of the Network Configuration Operators group but they cannot fulfil those as shared - targeted tuning may be best if you need granularity and security. http://technet.microsoft.com/en-us/library/cc754921(v=ws.10).aspx

Good to note the reason why we need to create standard user account is to protect computer by preventing users from making changes that effect everyone who uses the computer. Some use case to consider include but still if you intent engineers (and in your case - all users) access to install Applications they require on an Ad Hoc Basis, without having to go via the IT Desk, that can be tough and need to balance out... Pardon for going round but the emphasis is to balance use and security:

- Installing a Package with Elevated Privileges for a Non-Admin http://msdn.microsoft.com/en-us/library/aa369519(v=vs.85).aspx
- Allow non-admin to install software/printer http://social.technet.microsoft.com/Forums/windowsserver/en-US/eb4eda89-d4df-48d0-802c-b3974f0dcb06/allow-nonadmin-to-install-softwareprinter?forum=winserverDS

least privilege principle is the basis and applocker is worth exploring but do test with app tm as well
0
 
LVL 7

Author Comment

by:SvenIA
ID: 40332164
@McKnife

Thanks for the comment. We use Windows 8.1 Enterprise.

@btan

I've looked into AppLocker. It's exactly what i need! Maybe one more question you can answer for me?

Beside the default rules, is everything blocked by default? Or do i have to deny and allow everything with specific rules?
0
 
LVL 54

Assisted Solution

by:McKnife
McKnife earned 50 total points
ID: 40332178
This will not be the only applocker question that will arise, please read the technet documentation. To answer this one: you can set it that way. By default, certain OS paths are allowed, the rest is restricted.
0
 
LVL 7

Author Closing Comment

by:SvenIA
ID: 40332181
Thanks for the very helpfull information!
0

Featured Post

Efficient way to get backups off site to Azure

This user guide provides instructions on how to deploy and configure both a StoneFly Scale Out NAS Enterprise Cloud Drive virtual machine and Veeam Cloud Connect in the Microsoft Azure Cloud.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

While rebooting windows server 2003 server , it's showing "active directory rebuilding indices please wait" at startup. It took a little while for this process to complete and once we logged on not all the services were started so another reboot is …
Did you know that more than 4 billion data records have been recorded as lost or stolen since 2013? It was a staggering number brought to our attention during last week’s ManageEngine webinar, where attendees received a comprehensive look at the ma…
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …

763 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question