

Restrict users from launching executables

Posted on 2014-09-18
Medium Priority
Last Modified: 2014-09-19

We have a Windows Server 2012 domain, with Windows 7 and Windows 8.1 client computers. After adding the user to the local Power Users group, they obviously have more privileges on their computers. They also can run every executable. Our security specialist says that this is a risk. For example, malware could be installed in the background.

In my search to solve this issue, I came across 'Software Restriction Policies'. Is this the only way to prevent users from starting anything other than the software they need to use?
Question by: SvenIA
LVL 65

Accepted Solution

btan earned 1800 total points
ID: 40330412
SRP is old; for your case it is AppLocker, which is for application whitelisting and also manages policies for Packaged apps and Packaged app installers. AppLocker rules can be applied to specific users or groups. However, a rule can only apply to one user or one group. You can also create AppLocker rules to apply to all users (the Everyone group) and then apply that GPO to a specific computer group. Hence, using a principle of least privilege scheme, create role-based groups and assign the rule to the users within that group.

For example, you could have one rule that allows the Finance group to run winword.exe, and you could also have a second rule that allows the HR group to run winword.exe.

Do note that only an administrator can change AppLocker policies. This prevents any standard user that is logged on to a computer from modifying the AppLocker rules to access or add an application. On a computer that is joined to a domain, the computer's administrator can create AppLocker rules that could be merged with the domain-level rules as stated in the domain GPO, but we need to be wary:
(A) AppLocker rules are additive, a local policy that is not in a GPO will still be evaluated for that computer
(B) AppLocker can only control VBScript, JScript, .bat files, .cmd files, and Windows PowerShell scripts. It does not control all interpreted code that runs within a host process, for example, Perl scripts and macros. Interpreted code is a form of executable code that runs within a host process. For example, Windows batch files (*.bat) run within the context of the Windows Command Host (cmd.exe)

There are a variety of methods, and the best one will depend on your administrative practices.
(1) Set the enforcement mode on the relevant rule collection to Audit only, so AppLocker will not block any application for the present time. Change the enforcement mode to Enforce rules when you are ready.
(2) Create an organizational unit (OU) that has a separate set of rules but does not block the users from running a particular application. Move the user to this OU temporarily while they install the update or application. Then move them back to the OU where the original rule enforcement occurs.
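The approach above (role group, allow rules scoped to that group, Audit only first, then merge into the domain GPO) can be scripted with the AppLocker PowerShell module. The following is an added example, not code from the thread; the domain name, the `CONTOSO\Finance` group, the reference install directory, the GPO LDAP path and the probe paths are placeholders you would replace with your own values.

```powershell
# Added example (not from the thread): build an AppLocker policy in Audit only mode
# for one role group, dry-run it against a few paths, then merge it into a GPO.
# Placeholders: CONTOSO\Finance, the reference directory, the GPO GUID and probe paths.
Import-Module AppLocker

$RoleGroup   = 'CONTOSO\Finance'                                # placeholder role group
$RefDir      = 'C:\Program Files\Microsoft Office\Office15'     # placeholder reference install
$GpoLdapPath = 'LDAP://CN={GPO-GUID-PLACEHOLDER},CN=Policies,CN=System,DC=contoso,DC=local'
$OutXml      = Join-Path $env:TEMP 'applocker-finance-audit.xml'

# 1. Collect publisher and hash information for the executables this role needs,
#    taken from a clean reference machine rather than from user workstations.
$fileInfo = Get-AppLockerFileInformation -Directory $RefDir -Recurse -FileType Exe

# 2. Generate allow rules that apply only to the role group. Publisher rules are
#    preferred; unsigned binaries fall back to hash rules. -Optimize merges rules
#    that share the same publisher so the policy stays readable.
$policyXml = New-AppLockerPolicy -FileInformation $fileInfo `
    -RuleType Publisher, Hash -User $RoleGroup `
    -RuleNamePrefix 'Finance' -Optimize -Xml

# 3. Force every rule collection in the generated XML to AuditOnly so nothing is
#    blocked yet; the AppLocker event log will show what *would* have been blocked.
$xml = [xml]$policyXml
foreach ($rc in $xml.AppLockerPolicy.RuleCollection) {
    $rc.EnforcementMode = 'AuditOnly'
}
$xml.Save($OutXml)

# 4. Dry-run: what would the policy decide for a member of the role group?
#    The second path is a constructed sample of something outside the allow list.
$probe = 'C:\Program Files\Microsoft Office\Office15\WINWORD.EXE',
         'C:\Users\Public\Downloads\installer.exe'
Test-AppLockerPolicy -XmlPolicy $OutXml -Path $probe -User $RoleGroup |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# 5. Merge into the domain GPO. -Merge keeps whatever rules the GPO already holds
#    (for example default rules you created in the GPO editor) instead of replacing them.
Set-AppLockerPolicy -XmlPolicy $OutXml -Ldap $GpoLdapPath -Merge
```

A second role (the HR group in the answer's example) is just another run with a different `$RoleGroup`, `$RefDir` and `-RuleNamePrefix`, merged into the same GPO; because each rule carries exactly one user or group, the two sets of rules coexist without overlapping. Leave the collections in AuditOnly until the audit events have been reviewed, then flip `EnforcementMode` to `Enabled` for one collection at a time.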
LVL 65

Expert Comment

ID: 40330447
Additionally, you can create the Power Users group via the Restricted Groups option and even try tweaking folder permissions for the Power Users group so that they have only the permissions needed to fit their roles. There are other device restrictions etc. to drill into in GPO if needed... but thinking back... people grant accounts membership in Power Users to enable them to install software, with the ability to define shares being the next most frequent reason.

So restricting the type of applications and exploring AppLocker may be a good start with them, to further restrict permissions if necessary...

LVL 58

Assisted Solution

McKnife earned 200 total points
ID: 40331574
There are no Power Users any more... folks, this ended with Vista already. The group is there, yes, but being in it has no effect anymore; it's just for compatibility with old tools that check group membership.

AppLocker is not available if you run Win 7 or 8 in Pro edition. What editions do you have?

LVL 65

Expert Comment

ID: 40331784
Just to share, the AppLocker FAQ can be handy:

In Windows Server 2008 R2 and Windows 7 - AppLocker rules can be enforced on computers running Windows 7 Ultimate, Windows 7 Enterprise, or any edition of Windows Server 2008 R2 except Windows Web Server 2008 R2 and Windows Server 2008 R2 Foundation.
In Windows Server 2012 and Windows 8 - AppLocker is supported on all Windows beta evaluation versions except the Server Core installation option.

From the forum: the decision was made in Windows Vista to remove these elevated permissions in order to promote more secure deployments of the operating system. If you want to allow someone to perform the configuration tasks (e.g. install applications, printers, drivers and amend the network configuration) but not make them an Administrator, then it is tough, as those need admin rights. You can explore making the user a member of the Network Configuration Operators group, but they cannot fulfil those tasks as shared; targeted tuning may be best if you need granularity and security. http://technet.microsoft.com/en-us/library/cc754921(v=ws.10).aspx

Good to note: the reason why we need to create standard user accounts is to protect the computer by preventing users from making changes that affect everyone who uses the computer. Some use cases to consider are included below, but still, if you intend engineers (and in your case all users) to have access to install applications they require on an ad hoc basis, without having to go via the IT desk, that can be tough and needs to be balanced out... Pardon for going around, but the emphasis is to balance use and security:

- Installing a Package with Elevated Privileges for a Non-Admin http://msdn.microsoft.com/en-us/library/aa369519(v=vs.85).aspx
- Allow non-admin to install software/printer http://social.technet.microsoft.com/Forums/windowsserver/en-US/eb4eda89-d4df-48d0-802c-b3974f0dcb06/allow-nonadmin-to-install-softwareprinter?forum=winserverDS

The least privilege principle is the basis and AppLocker is worth exploring, but do test with app tm as well.

Author Comment

ID: 40332164

Thanks for the comment. We use Windows 8.1 Enterprise.


I've looked into AppLocker. It's exactly what I need! Maybe one more question you can answer for me?

Besides the default rules, is everything blocked by default? Or do I have to deny and allow everything with specific rules?
LVL 58

Assisted Solution

McKnife earned 200 total points
ID: 40332178
This will not be the only AppLocker question that will arise; please read the TechNet documentation. To answer this one: you can set it that way. By default, certain OS paths are allowed, the rest is restricted.
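Because anything outside the allowed paths is restricted once a collection is enforced, the Audit only phase from the accepted answer is where you find out what users actually run that no rule covers. The following is an added example, not code from the thread: it reads the AppLocker operational logs on a machine where the policy is applied in Audit only mode and summarises, per executable, what would have been blocked and for which accounts. The log names and event IDs 8003 (EXE/DLL) and 8006 (MSI/Script) are the standard AppLocker audit events; the 14-day window and the function name are my own choices.

```powershell
# Added example (not from the thread): summarise AppLocker "would have been blocked"
# audit events before switching a rule collection from Audit only to Enforce rules.
# Assumes the policy is applied in Audit only mode on the machine being queried.
function Resolve-AccountSid {
    param([string]$Sid)
    # AppLocker logs the SID; translate it when possible, fall back to the raw SID.
    try {
        (New-Object System.Security.Principal.SecurityIdentifier $Sid).
            Translate([System.Security.Principal.NTAccount]).Value
    } catch { $Sid }
}

function Get-AppLockerAuditSummary {
    param(
        [datetime]$Since = (Get-Date).AddDays(-14),
        [string[]]$LogName = @('Microsoft-Windows-AppLocker/EXE and DLL',
                               'Microsoft-Windows-AppLocker/MSI and Script')
    )
    # 8003 = EXE/DLL audit event, 8006 = MSI/Script audit event: the file was allowed
    # to run but would have been prevented if the policy were enforced.
    $filter = @{ LogName = $LogName; Id = 8003, 8006; StartTime = $Since }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

    $rows = foreach ($e in $events) {
        # AppLocker writes its structured fields under <UserData><RuleAndFileData>.
        $d = ([xml]$e.ToXml()).Event.UserData.RuleAndFileData
        [pscustomobject]@{
            Time       = $e.TimeCreated
            User       = Resolve-AccountSid $d.TargetUser
            FilePath   = $d.FilePath     # uses AppLocker path variables, e.g. %OSDRIVE%
            Publisher  = $d.Fqbn         # fully qualified binary name when the file is signed
            Collection = $e.LogName      # which rule collection the decision belongs to
        }
    }

    # One line per executable: how often, by whom, and whether it is signed (a signed
    # file is a candidate for a publisher rule; an unsigned one needs a hash rule or
    # should be moved into a managed install location).
    $rows | Group-Object FilePath | Sort-Object Count -Descending | Select-Object Count,
        @{ n = 'FilePath';   e = { $_.Name } },
        @{ n = 'Users';      e = { ($_.Group.User | Sort-Object -Unique) -join ', ' } },
        @{ n = 'Publisher';  e = { $_.Group[0].Publisher } },
        @{ n = 'Collection'; e = { $_.Group[0].Collection } }
}

Get-AppLockerAuditSummary | Format-Table -AutoSize
```

Run it on a few representative workstations per role group. Entries that belong to legitimate business software become additional allow rules for that group; entries nobody can explain are exactly the background installs the security specialist was worried about, and the Collection column tells you which rule collection's enforcement mode you are about to switch.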

Author Closing Comment

ID: 40332181
Thanks for the very helpful information!
