Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win

x
?
Solved

How to prevent user from installing DropBox

Posted on 2016-01-29
34
Medium Priority
?
3,190 Views
Last Modified: 2016-02-01
How can I stop a user downloading and installing DropBox? They download the installer, run it, it asks for admin credentials, they cancel and it then it says it can install without admin credentials. They click OK and it installs.
Win 7 Pro on a server 2012 R2 domain.
0
Comment
Question by:akb
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 12
  • 7
  • 6
  • +3
34 Comments
 
LVL 71

Expert Comment

by:Qlemo
ID: 41439094
You can block the DropBox IPs - cumbersome, since there are probably a lot of them.
You can block execution of the installer or the DropBox app itself by setting up a group policy. Never dd that myself, though.
0
 
LVL 13

Author Comment

by:akb
ID: 41439096
Some users are allowed to use DropBox so I can't block it altogether.
0
 
LVL 71

Expert Comment

by:Qlemo
ID: 41439101
GPOs can be set up very specific by asigning to OUs, or defining LDAP filler expressions.
0
2017 Webroot Threat Report

MSPs: Get the facts you need to protect your clients.
The 2017 Webroot Threat Report provides a uniquely insightful global view into the analysis and discoveries made by the Webroot® Threat Intelligence Platform to provide insights on key trends and risks as seen by our users.

 
LVL 13

Author Comment

by:akb
ID: 41439110
I'm hoping to find a specific solution to stop the user from installing Dropbox.
0
 
LVL 1

Assisted Solution

by:Lewis
Lewis earned 400 total points
ID: 41439113
Depending on what anti virus you use and how indepth its settings are.

You could define blocked applications for certain / only groups that can use the exe.

Another option would be to block dropbox website so that they can't download the .exe but should still be able to use the gui.

To add to this that shouldn't happen when clicking cancel on the uac asking for user and password, Sounds like the user has local admin privileges or higher privileges then normal. ill recommend reviewing your groups to see if there's a security group in the wrong set of users etc.

Hope this helps,
Kind Regards,
Lewis.
0
 
LVL 13

Author Comment

by:akb
ID: 41439121
User has no admin rights. I have tested this and Dropbox actually asks if you want to install it without admin rights.
0
 
LVL 1

Expert Comment

by:Lewis
ID: 41439126
Can you possibly provide some screen shots for us to see?

I have done some quick research on enforcing UAC on application installs see below a few links which might help you.

http://www.urtech.ca/2012/02/solved-how-to-set-user-access-control-uac-to-the-default-level-via-group-policy/comment-page-1/

https://technet.microsoft.com/en-us/library/dd835564(v=ws.10).aspx

Kind Regards,
Lewis
0
 
LVL 56

Expert Comment

by:McKnife
ID: 41439153
As Qlemo hints, you'd be able to block setup by blacklisting. Applocker and software restriction policies can both be used. Much effort to block every new setup but you can block their digital signature.
0
 
LVL 13

Author Comment

by:akb
ID: 41439161
How do I do that?
0
 
LVL 56

Expert Comment

by:McKnife
ID: 41439307
With applocker or software restriction policies. If dropbox is signing their setup, of course. Tutorials are found quickly.
0
 
LVL 80

Expert Comment

by:arnold
ID: 41439930
That is the difficulty when some can and some can not.
software restriction as was pointed out is the only way to do a user by user but managing that will become difficult.
The GPO restricting access would need to use WMI filter to exclude a person or a member of a group from having the GPO applying...
0
 
LVL 56

Expert Comment

by:McKnife
ID: 41440067
Where do you see a difficulty, if I may ask?
0
 
LVL 80

Expert Comment

by:arnold
ID: 41440084
Comparatively, to no access to Dropbox.
Some do and some don't means additional consider has to be in place whether the GPO applies to all with a wmi filter that excludes some. Or have restriction applies only to members of a group. The issue deals based on the choice of exclusionary rule, user needing access will request and will need to be placed in the exclude from software restricting GPO or a user observed using Dropbox and added to the restriction....


Basically, a criteria of who/how one gets access to drop box....
0
 
LVL 56

Expert Comment

by:McKnife
ID: 41440133
Applying a restriction only to members of a certain group is no difficulty. Admins do that all the time.
0
 
LVL 80

Expert Comment

by:arnold
ID: 41440246
McKnife, I guess I am not putting my thought through clearly.
The decision has to be to apply a Restrictive GPO that denies everyone access to dropbox application and the GPO contains a WMI exclusionary filter that would exclude a member of a specific group from having the GPO apply to them.
A user that needs access will then have to ask for access the issue is then auditing of this group to make sure a user that needed and was granted access to this application in the past still needs this access.

It is complicated compared to an outright policy denying this application from running.

Another option could be to use a login/logout script for members of a group that will on login and logout would uninstall dropbox if it is installed......

one could also push computer GPO with software restriction if only a certain set of systems have access to drop box....
0
 
LVL 40

Expert Comment

by:Vadim Rapp
ID: 41440411
If Dropbox is a desktop application, you can configure software restriction in the group policy:
https://technet.microsoft.com/en-us/library/hh831534.aspx

More generally, it's a good idea to block downloading any executables and MSI. Software should be installed only from trusted locations on your LAN, even better from "install a program from the network" in Control Panel / Programs and Features.
0
 
LVL 13

Author Comment

by:akb
ID: 41440504
I have tried setting various policies on the PC but DropBox still installs. It doesn't install in the Program Files folder, it installs under the user's profile. DropBox offers the user the option of installing without admin rights if it can't install the regular way. It seems DropBox somehow circumvent the usual safeguards at the user's option.
I have resolved the immediate problem by leaving DropBox installed and then removing the user's access to the folder it installed in. I restarted the PC and DropBox doesn't run and I get no errors. I tried to re-install DropBox and it gave me errors and wouldn't re-install.
I am interested in blocking the downloading of any executables and MSI, but I guess that is the topic of a different question.
0
 
LVL 80

Expert Comment

by:arnold
ID: 41440542
The restriction is to prevent the dropbox.exe or the appropriate executeable from running.
Blocking of download of any exe or msi can be done via the router/firewall/proxy or imposing the restriction in IE.

But you always run into the issue of those who do install, that they will install either by bringing the installer on a USB stick, or installing another browser by the same method.

Given that install of local directory is ..
you can add a restriction that user can not run exes from the locations such as %localappdata%\*.exe %localappdata%\dropbox

etc.
this way only sunctioned systems that have dropbox installed in the programs will allow users loging into them access to drop box.

Search for GPO to deal with ransomware which you can adapt the GPO examples to include locations where dropbox installs in the local user profile .......
0
 
LVL 40

Expert Comment

by:Vadim Rapp
ID: 41440561
...last but not least, some problems can be more effectively solved by administrative measures, rather than by IT. Have HR make announcement, then maybe catch someone, and in no time they will be reporting each other to you.
0
 
LVL 13

Author Comment

by:akb
ID: 41440569
The company already has policies in place but I keep on catching them out. If it were my business I'd sack the offenders!
0
 
LVL 40

Expert Comment

by:Vadim Rapp
ID: 41441809
If they continue, then perhaps it signifies a legitimate business need they have, that is not satisfied by what you offered them?  Maybe that solution even would be the same Dropbox, but using corporate account under your control? from dropbox own webpage: "You use Dropbox. Why doesn’t your company? Upgrade to Dropbox Business and get the solution that employees love, with the controls that IT admins need." Seems like your situation exactly.
0
 
LVL 13

Author Comment

by:akb
ID: 41441811
No, the offending employee is using it for personal use.
0
 
LVL 56

Accepted Solution

by:
McKnife earned 800 total points
ID: 41442012
Ok, anyone feel like solving this? Yes? Ok, then why not just do it?
I gave you the easiest possible solution: extract the digital certificate of the dropbox installer and create a software restriction policy or applocker certificate rule that denies execution of things signed with the dropbox certificate. I tested it just now - it works. So if you need any help with it, just say.
1 download the installer, right click it - properties, go to the digital signature tab, for each of the 2 certs do
2 extract the certificate in base64 encoding
3 setup a software restriction policy certificate rule with these two certificates and set them to be not allowed for all but administrators or for all, just as you like.
Since this can be deployed company wide, you have a solution in minutes - what are you waiting for? With applocker, you can even deploy to certain user groups within the policy - just what you are looking for. With SRP, we cannot do that, but we can use security filtering on that GPO to just apply to a domain security group with certain computers in it.
0
 
LVL 13

Author Comment

by:akb
ID: 41442030
What?
0
 
LVL 56

Expert Comment

by:McKnife
ID: 41442055
Hi akb.
I read your request for attention and I am pretty baffled.
See, my point is: this is an easy task and I outlined its solution. Your feedback was "How do I do that?" and I told you to look for tutorials for yourself because they are found on the net, easily. No further feedback came, instead, other directions were tried. So I came back and offered you the steps it takes.

I participate in many questions and often I see this: if the asker faces a difficulty to follow a proposal, he just drops it and stops giving feedback on it, silently. This was, what I saw here.
If you find a sentence of mine "what are you waiting for" provoking or even somewhat aggressive - sorry, no. It was meant to motivate you to go and try it, pretty bluntly, indeed. But not aggressive, sorry if that could be mistaken, sorry for the wrong tone.
0
 
LVL 40

Expert Comment

by:Vadim Rapp
ID: 41442078
Given that "what are you waiting for?" is the core question of the pop hit "Love me like you do", it's proven that it's not aggressive at all :-) McKnife certainly has offered a solution, and a very detailed one,  which he has personally tested it and verified that it woks. One needs quite a determination to avoid a solution to take that as an offense.
0
 
LVL 13

Author Comment

by:akb
ID: 41442485
Telling me to look for tutorials for myself is not helpful. I spent much time googling for solutions unsuccessfully. That is why I posted the question here.
Maybe it is a cultural thing but I was offended by the tone of your post.
"Ok, anyone feel like solving this? Yes? Ok, then why not just do it?"
 "what are you waiting for?"
Maybe if you had offered me the detailed solution earlier then I could had tried it.
I accept that you did not mean offence and will try your solution - thanks for your assistance.
0
 
LVL 80

Assisted Solution

by:arnold
arnold earned 400 total points
ID: 41442522
AKB, it is unfortunate that you took the comments as offensive/offending.
The difficulty in your situation is that even if you install dropbox on every computer, I do not believe there is a configuration through which you can enforce/impose a limitation on a user from signing into dropbox with their person ID either as the sole account, or as a secondary account.
Others pointed to the enforcement through Company Policy that has teeth......
or prevent any access to dropbox.

I think the direction of the question deals with whether after your attempts you made any adjustments that apply to this sole user with either using GPO blocking the running of dropbox in the %localdata%\dropbox.....etc.

or specifically deny this user the right to run any dropbox application.......
0
 
LVL 40

Expert Comment

by:Vadim Rapp
ID: 41442653
...besides, in order to use dropbox one does not even need their applet, it's only a matter of convenience. In the next minute after you finally block the application. the offending user will simply open web browser and will do the same.

http://mspmentor.net/blog/three-ways-block-dropbox-workplace discusses several ways to block dropbox by the firewall, including listing their servers.

Dropbox is only a tool. Besides dropbox, there's also mediafire and X other similar file-hosting websites, there's ftp, and there's simply sending the attachment to yourself by email, especially by using personal webmail in the same browser.
0
 
LVL 13

Author Comment

by:akb
ID: 41442662
That is true. The only way a business can hope to prevent employees stealing their data is with policies which some employees will choose to ignore.
The big problem my client is having with dropbox is that the employee loads a couple of gigabytes of private photo's on his PC and then dropbox automatically uploads them to the internet. Internet speed is 10MB down and 1MB up - the fastest available here at the moment. This kills the internet for everyone else in the office.
They call me in to work out what the problem is and when the employee sees I'm in the building he exits his dropbox. Total waste of time for me and money for my client.
As I said previously, I have resolved the immediate problem by leaving DropBox installed and then removing the user's access to the folder it installed in using security setting in windows explorer.
0
 
LVL 40

Assisted Solution

by:Vadim Rapp
Vadim Rapp earned 400 total points
ID: 41442681
1. I would look at the  limiting upload speed for this user at the firewall. Should be possible.

disclaimer: the next 3 ways are quite evil and may appear as unprofessional.

2. Can write a script that would quietly run in the background, and auto-resized every jpeg larger than 200KB to 1KB, or even replaced it with equally-named empty file. Since those are private photos, complaint is unlikely.

3. exiting dropbox when you show up - if this is about evidence, there are numerous solutions like this: https://screenshotmonitor.com/

4. Another creative way is finding among the gigabytes of private photos 1-2 that approach porn.

That said, if client's management is already aware of the gigabytes of private photos and about slowing down everyone, and can't do anything, then maybe you simply wash your hands. You have informed them, and if they can't collect themselves to act accordingly, then, most likely, this internet slowdown is far from being their biggest problem.
0
 
LVL 13

Author Comment

by:akb
ID: 41442691
Thanks Vadim Rapp. I like the way you think. I will explore the possibilities.
0
 
LVL 13

Author Closing Comment

by:akb
ID: 41444440
Thanks for all your assistance with this.
Again, I apologise for misinterpreting comments which, in hind site, were obviously not malicious.
I am going down the GPO route, and having problems, but that is the topic of another question.
Thanks again.
0
 
LVL 56

Expert Comment

by:McKnife
ID: 41444446
No need to apologize, I obviously chose a wrong tone.
Frustration on my side is high sometimes with all the questions I participate in and that little feedback my comments sometimes get.
And I really welcome your "Maybe it is a cultural thing" - because it often is. I know many german forums, where helpers are really, really impatient up to rudeness with the people they were trying to help in the first place :| Sorry again.
0

Featured Post

Creating Active Directory Users from a Text File

If your organization has a need to mass-create AD user accounts, watch this video to see how its done without the need for scripting or other unnecessary complexities.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

The top devops trends for 2017 are focused on improved deployment frequency, decreased lead time for change and decreased MTTR.
Tech spooks aren't just for those who are tech savvy, it also happens to those of us running a business. Check out the top tech spooks for business owners.
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …
This tutorial will walk an individual through the process of installing of Data Protection Manager on a server running Windows Server 2012 R2, including the prerequisites. Microsoft .Net 3.5 is required. To install this feature, go to Server Manager…

610 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question