Restrict users from launching executables


We have a Windows Server 2012 domain, with Windows 7 and Windows 8.1 client computers. After adding the user to the local Power Users group, they obviously have more privileges on their computers. They also can run every executable. Our security specialist says that this is a risk. For example, malware could be installed in the background.

In my search to solve this issue, I came across 'Software Restriction Policies'. Is this the only way to restrict users to starting only the software they need to use?

btan (Exec Consultant) commented:
SRP is old; for your case it is AppLocker, which is for application whitelisting and manages policies for Packaged apps and Packaged app installers. AppLocker rules can be applied to specific users or groups. However, a rule can only apply to one user or one group. You can also create AppLocker rules to apply to all users (the Everyone group) and then apply that GPO to a specific computer group. Hence, using the principle of least privilege, create role-based groups and assign the rule to the users within that group.

For example, you could have one rule that allows the Finance group to run winword.exe, and you could also have a second rule that allows the HR group to run winword.exe.

Do note that only an administrator can change AppLocker policies. This prevents any standard user that is logged on to a computer from modifying the AppLocker rules to access or add an application. On a computer that is joined to a domain, the computer's administrator can create AppLocker rules that could be merged with domain-level rules as stated in the domain GPO. But we need to be wary:
(A) AppLocker rules are additive; a local policy that is not in a GPO will still be evaluated for that computer.
(B) AppLocker can only control VBScript, JScript, .bat files, .cmd files, and Windows PowerShell scripts. It does not control all interpreted code that runs within a host process, for example, Perl scripts and macros. Interpreted code is a form of executable code that runs within a host process. For example, Windows batch files (*.bat) run within the context of the Windows Command Host (cmd.exe).

There are a variety of methods, and the best one will depend on your administrative practices.
(1) Set the enforcement mode on the relevant rule collection to Audit only so AppLocker will not block any application for the present time. Change the enforcement mode to Enforce rules when you are ready.
(2) Create an organizational unit (OU) that has a separate set of rules but does not block the users from running a particular application. Move the user to this OU temporarily while they install the update or application. Then, move them back to the OU where the original rule enforcement occurs.
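The "Finance may run winword.exe" rule and the Audit-only rollout described above, as an added PowerShell example that is not from the original thread. It assumes a domain CORP, a group CORP\Finance, an existing GPO named "AppLocker-Pilot" and an Office 2013 install path; all of these are placeholders to adjust.

```powershell
# Added example, not from the original thread. Builds a publisher rule that lets one group run
# winword.exe, sets the Exe rule collection to Audit only, and merges the result into a GPO.
# Assumed names: domain CORP, group CORP\Finance, GPO "AppLocker-Pilot", Office install path.
Import-Module AppLocker
Import-Module GroupPolicy

$GroupName = 'CORP\Finance'                                           # assumed group
$GpoName   = 'AppLocker-Pilot'                                        # assumed, must already exist
$Target    = 'C:\Program Files\Microsoft Office\Office15\WINWORD.EXE' # assumed path
$OutFile   = Join-Path $env:TEMP 'applocker-finance.xml'

# Read the publisher, hash and path attributes of the binary we want to allow
$info = Get-AppLockerFileInformation -Path $Target

# Publisher rule first (it survives Office updates); a hash rule only if the file is unsigned.
# -User scopes the rule to a single group, matching the one-rule-one-group limit noted above.
[xml]$policy = New-AppLockerPolicy -FileInformation $info -RuleType Publisher, Hash `
    -User $GroupName -RuleNamePrefix 'Finance-Word' -Optimize -Xml

# New-AppLockerPolicy leaves EnforcementMode as NotConfigured; audit first, enforce later
foreach ($rc in $policy.AppLockerPolicy.RuleCollection) {
    if ($rc.Type -eq 'Exe') { $rc.SetAttribute('EnforcementMode', 'AuditOnly') }
}
$policy.Save($OutFile)

# -Merge adds these rules to whatever the GPO already holds (for example the default rules)
# instead of replacing the GPO's AppLocker policy outright.
$gpo  = Get-GPO -Name $GpoName
$ldap = "LDAP://$($gpo.DomainName)/$($gpo.Path)"
Set-AppLockerPolicy -XmlPolicy $OutFile -Ldap $ldap -Merge

# Print the resulting GPO policy so the AuditOnly attribute on the Exe collection can be checked
Get-AppLockerPolicy -Domain -Ldap $ldap -Xml
```

Clients pick the rule up at the next Group Policy refresh; because the collection is Audit only, nothing is blocked yet and the AppLocker event log shows what Enforce mode would stop.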

btan (Exec Consultant) commented:
Additionally, you can create the Power Users group membership through the Restricted Groups option and even try tweaking folder permissions for the Power Users group so that they have only the permissions needed to fit their roles. There are other device restrictions etc. to drill into in GPO if needed. But thinking back, people grant accounts membership in Power Users to enable them to install software, with the ability to define shares being the next most frequent reason.

So restricting the type of applications and exploring AppLocker may be a good start with them, to further restrict permissions if necessary...
There are no power users any more... folks, this ended with Vista already. The group is there, yes, but being in it has no effect anymore; it's just for compatibility with old tools that check group membership.

AppLocker is not available if you run Windows 7 or 8 in the Pro edition. What editions do you have?

btan (Exec Consultant) commented:
Just to share, the AppLocker FAQ can be handy:

In Windows Server 2008 R2 and Windows 7, AppLocker rules can be enforced on computers running Windows 7 Ultimate, Windows 7 Enterprise, or any edition of Windows Server 2008 R2 except Windows Web Server 2008 R2 and Windows Server 2008 R2 Foundation.
In Windows Server 2012 and Windows 8, AppLocker is supported on all Windows beta evaluation versions except the Server Core installation option.

From the forum: the decision was made in Windows Vista to remove these elevated permissions in order to promote more secure deployments of the operating system. If you want to allow someone to perform configuration tasks (e.g. install applications, printers, drivers and amend the network configuration) but not make them an Administrator, then it is tough, as those need admin rights. You can explore making the user a member of the Network Configuration Operators group, but they cannot fulfil those tasks as shared; targeted tuning may be best if you need granularity and security.

Good to note the reason why we need to create standard user accounts: to protect the computer by preventing users from making changes that affect everyone who uses the computer. Some use cases to consider are below, but if you intend engineers (and in your case, all users) to install the applications they require on an ad hoc basis, without having to go via the IT desk, that can be tough and needs to be balanced out... Pardon for going round, but the emphasis is to balance use and security:

- Installing a Package with Elevated Privileges for a Non-Admin
- Allow non-admin to install software/printer

The least privilege principle is the basis and AppLocker is worth exploring, but do test with the app team as well.
SvenIA (Author) commented:

Thanks for the comment. We use Windows 8.1 Enterprise.

I've looked into AppLocker. It's exactly what I need! Maybe one more question you can answer for me?

Besides the default rules, is everything blocked by default? Or do I have to deny and allow everything with specific rules?
This will not be the only AppLocker question that will arise, please read the TechNet documentation. To answer this one: you can set it that way. By default, certain OS paths are allowed, the rest is restricted.
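A way to verify the "certain OS paths are allowed, the rest is restricted" behaviour on a client, as an added PowerShell example that is not from the original thread. It assumes a domain-joined Windows 8.1 Enterprise client that has already refreshed Group Policy, and CORP\alice is a hypothetical standard user.

```powershell
# Added example, not from the original thread. Exports the effective AppLocker policy on this
# client, tests a few executables against it for a given user, then lists Audit-only events
# (8003: would have been blocked under Enforce) and real blocks (8004).
# Assumed: domain-joined Windows 8.1 Enterprise client after gpupdate; CORP\alice is hypothetical.
Import-Module AppLocker

$TestUser   = 'CORP\alice'                                   # assumed user
$PolicyFile = Join-Path $env:TEMP 'applocker-effective.xml'

# Effective = local policy merged with every AppLocker GPO that applies to this machine
Get-AppLockerPolicy -Effective -Xml | Set-Content -Path $PolicyFile -Encoding UTF8

# The default rules allow %WINDIR% and %PROGRAMFILES% for Everyone; an executable in a user
# profile (Downloads, %TEMP%) matches no allow rule and therefore comes back DeniedByDefault.
$candidates = @(Get-Item 'C:\Windows\System32\notepad.exe') +
              @(Get-ChildItem "$env:USERPROFILE\Downloads" -Filter *.exe -Recurse -ErrorAction SilentlyContinue)

Test-AppLockerPolicy -XmlPolicy $PolicyFile -Path $candidates.FullName -User $TestUser |
    Select-Object FilePath, PolicyDecision, MatchingRule |
    Format-Table -AutoSize

# While the Exe collection is in Audit only, the 8003 events are exactly what Enforce mode
# would have stopped; review them before switching. 8004 events are executables actually blocked.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'; Id = 8003, 8004 } `
    -MaxEvents 50 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, UserId, @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } } |
    Format-Table -AutoSize
```

If the Downloads folder holds no .exe files the test covers only notepad.exe; copy any signed installer there to see a DeniedByDefault decision without changing policy.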
SvenIA (Author) commented:
Thanks for the very helpful information!