Solved

Deny user in domain from install any program or VPN application.

Posted on 2014-12-28
12
223 Views
Last Modified: 2014-12-30
Hello,

Please I have domain controller with windows server 2008R2 and all user join this domain all user have windows 7 OS. How I can deny them from install any application. All user have user authority and that deny them from install some application but they still they can install another application which do not need administration authority like VPN application (ultrasurf, hotshpot shield...etc),google chrome or any tool bar

I want to deny them from install anything (application, tool bar..etc)

Regards
0
Comment
Question by:maryam_adnan
  • 7
  • 4
12 Comments
 
LVL 90

Accepted Solution

by:
John Hurst earned 333 total points
ID: 40521233
Users should be Standard Users and never administrators. That is common and correct practice and will solve your problem neatly. Also keep UAC turned on High (Standard Users cannot change this)

If you need granular install capability, you need Power Broker.

http://www.beyondtrust.com/PowerBroker-Desktops-Windows-Edition.aspx?section=PowerBroker-Desktops-Windows-Edition
0
 

Author Comment

by:maryam_adnan
ID: 40521237
Hello,
Please use standard user do not solve the problem. Because there are many application can install without need administrator privilege like (ultrasurf, hotshpot shield..etc ). In addition, tool bar.

I need to done this from server

Regards
0
 
LVL 90

Assisted Solution

by:John Hurst
John Hurst earned 333 total points
ID: 40521245
You can go into Group Policy Editor (gpedit.msc) and start limiting access to Control Panel and Programs and Features. Look through the settings before changing anything.

Windows-8-Group-Policy-Editor
There are add-ins which are preferences and not installs and so cannot be prevented. But rogue add-ins usually install and Standard User / UAC will prevent these.
0
 

Author Comment

by:maryam_adnan
ID: 40521251
Hello,

Thank you for your reply. Prevent in control panel will not prevent user from add (VPN application). I try to use mandatory profile. I prohibited all control panel but this not solve problem. they still able to install hotshpot shield and other program like that.

Any Idea will help me

Regards
0
 
LVL 90

Expert Comment

by:John Hurst
ID: 40521254
VPN must be Microsoft VPN, because NONE of my clients can install NCP IPsec. It cannot happen.

So what programs are allowed that are problems?

The only thing I see is the occasional toolbar for IE, and while I do not like them, they are harmless for the most part.

You make it sound like anything and everything can be installed and that is not true in my client machines.
0
 

Author Comment

by:maryam_adnan
ID: 40521256
Hello,

Thank you for your reply. No, . Actually I want to deny application like ultrasurf, hotshpot shield. the other application is denied by Group Policy

Regards
0
Why You Should Analyze Threat Actor TTPs

After years of analyzing threat actor behavior, it’s become clear that at any given time there are specific tactics, techniques, and procedures (TTPs) that are particularly prevalent. By analyzing and understanding these TTPs, you can dramatically enhance your security program.

 
LVL 90

Expert Comment

by:John Hurst
ID: 40521264
Some people use DNS Redirector to block all the proxy / anonymizer websites / VPN .

DNS Redirector is at http://dnsredirector.com/

You may need to use something like this.

You also need a Company Policy that precludes the use of these things and enforces disciplinary measures on people caught.

My clients do not have time for theses things and I do not see them.
0
 
LVL 90

Expert Comment

by:John Hurst
ID: 40521271
I have done some more looking and really you need to block the sites it uses for setting up data transmissions.
0
 

Author Comment

by:maryam_adnan
ID: 40521294
Hello,
I check this website https://forums.opendns.com/comments.php?DiscussionID=17357 for openDNS and it show that open DNS also can not block hotspot.

Please any other way can help to accomplish this job

Regards
0
 
LVL 90

Expert Comment

by:John Hurst
ID: 40521649
Apparently the only way you can stop this is by blocking the IP addresses used by Hotspot Shield. It is apparently a simple program (which is why it installs) and uses web VPN services.

You DO need a Company Policy that expressly forbids its use and provides disciplinary action if the product is found.
0
 
LVL 53

Assisted Solution

by:McKnife
McKnife earned 167 total points
ID: 40522912
What you want is to have complete control of what code is running. This can be done using applocker GPOs.
Applocker GPOs can whitelist executables and scripts that you acknowledge - the rest will not run.

Applocker is available in win7 ultimate or enterprise. If you run win7 pro, you will have to use software restriction policies which were the predecessor of applocker but work comparable.

Applocker http://technet.microsoft.com/en-us/library/dd723678(v=ws.10).aspx
Software restriction policies http://technet.microsoft.com/en-us/library/bb457006.aspx
Those links feature descriptions and further how-tos.
0
 
LVL 90

Expert Comment

by:John Hurst
ID: 40523490
@maryam_adnan - Thank you and I was happy to help. Hotspot Shield is a natty problem.
0

Featured Post

Do email signature updates give you a headache?

Do you feel like you are constantly making changes to email signatures? Are the images not formatting how you want them to? Want high-quality HTML signatures on all devices, including on mobiles and Macs? Then, let Exclaimer solve all your email signature problems today.

Join & Write a Comment

Managing 24/7 IT Operations is a hands-on job and indeed a difficult one. Over the years I have found some simple tips and techniques to increase the efficiency of the overall operations. The core concept has always been on continuous improvement; a…
If you get continual lockouts after changing your Active Directory password, there are several possible reasons.  Two of the most common are using other devices to access your email and stored passwords in the credential manager of windows.
This Micro Tutorial will teach you the basics of configuring your computer to improve its speed. It will also teach you how to disable programs that are running in the background simultaneously. This will be demonstrated using Windows 7 operating…
This Micro Tutorial will go in depth within Systems and Security in Windows 7 and will go into detail regarding Action Center, Windows Firewall, System, etc. This will be demonstrated using Windows 7 operating system.

762 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

20 Experts available now in Live!

Get 1:1 Help Now