How to prevent user from installing DropBox

How can I stop a user downloading and installing DropBox? They download the installer, run it, it asks for admin credentials, they cancel and it then it says it can install without admin credentials. They click OK and it installs.
Win 7 Pro on a server 2012 R2 domain.
LVL 13
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Qlemo"Batchelor", Developer and EE Topic AdvisorCommented:
You can block the DropBox IPs - cumbersome, since there are probably a lot of them.
You can block execution of the installer or the DropBox app itself by setting up a group policy. Never dd that myself, though.
akbAuthor Commented:
Some users are allowed to use DropBox so I can't block it altogether.
Qlemo"Batchelor", Developer and EE Topic AdvisorCommented:
GPOs can be set up very specific by asigning to OUs, or defining LDAP filler expressions.
IT Pros Agree: AI and Machine Learning Key

We’d all like to think our company’s data is well protected, but when you ask IT professionals they admit the data probably is not as safe as it could be.

akbAuthor Commented:
I'm hoping to find a specific solution to stop the user from installing Dropbox.
LewisNetworking Commented:
Depending on what anti virus you use and how indepth its settings are.

You could define blocked applications for certain / only groups that can use the exe.

Another option would be to block dropbox website so that they can't download the .exe but should still be able to use the gui.

To add to this that shouldn't happen when clicking cancel on the uac asking for user and password, Sounds like the user has local admin privileges or higher privileges then normal. ill recommend reviewing your groups to see if there's a security group in the wrong set of users etc.

Hope this helps,
Kind Regards,
akbAuthor Commented:
User has no admin rights. I have tested this and Dropbox actually asks if you want to install it without admin rights.
LewisNetworking Commented:
Can you possibly provide some screen shots for us to see?

I have done some quick research on enforcing UAC on application installs see below a few links which might help you.

Kind Regards,
As Qlemo hints, you'd be able to block setup by blacklisting. Applocker and software restriction policies can both be used. Much effort to block every new setup but you can block their digital signature.
akbAuthor Commented:
How do I do that?
With applocker or software restriction policies. If dropbox is signing their setup, of course. Tutorials are found quickly.
That is the difficulty when some can and some can not.
software restriction as was pointed out is the only way to do a user by user but managing that will become difficult.
The GPO restricting access would need to use WMI filter to exclude a person or a member of a group from having the GPO applying...
Where do you see a difficulty, if I may ask?
Comparatively, to no access to Dropbox.
Some do and some don't means additional consider has to be in place whether the GPO applies to all with a wmi filter that excludes some. Or have restriction applies only to members of a group. The issue deals based on the choice of exclusionary rule, user needing access will request and will need to be placed in the exclude from software restricting GPO or a user observed using Dropbox and added to the restriction....

Basically, a criteria of who/how one gets access to drop box....
Applying a restriction only to members of a certain group is no difficulty. Admins do that all the time.
McKnife, I guess I am not putting my thought through clearly.
The decision has to be to apply a Restrictive GPO that denies everyone access to dropbox application and the GPO contains a WMI exclusionary filter that would exclude a member of a specific group from having the GPO apply to them.
A user that needs access will then have to ask for access the issue is then auditing of this group to make sure a user that needed and was granted access to this application in the past still needs this access.

It is complicated compared to an outright policy denying this application from running.

Another option could be to use a login/logout script for members of a group that will on login and logout would uninstall dropbox if it is installed......

one could also push computer GPO with software restriction if only a certain set of systems have access to drop box....
Vadim RappCommented:
If Dropbox is a desktop application, you can configure software restriction in the group policy:

More generally, it's a good idea to block downloading any executables and MSI. Software should be installed only from trusted locations on your LAN, even better from "install a program from the network" in Control Panel / Programs and Features.
akbAuthor Commented:
I have tried setting various policies on the PC but DropBox still installs. It doesn't install in the Program Files folder, it installs under the user's profile. DropBox offers the user the option of installing without admin rights if it can't install the regular way. It seems DropBox somehow circumvent the usual safeguards at the user's option.
I have resolved the immediate problem by leaving DropBox installed and then removing the user's access to the folder it installed in. I restarted the PC and DropBox doesn't run and I get no errors. I tried to re-install DropBox and it gave me errors and wouldn't re-install.
I am interested in blocking the downloading of any executables and MSI, but I guess that is the topic of a different question.
The restriction is to prevent the dropbox.exe or the appropriate executeable from running.
Blocking of download of any exe or msi can be done via the router/firewall/proxy or imposing the restriction in IE.

But you always run into the issue of those who do install, that they will install either by bringing the installer on a USB stick, or installing another browser by the same method.

Given that install of local directory is ..
you can add a restriction that user can not run exes from the locations such as %localappdata%\*.exe %localappdata%\dropbox

this way only sunctioned systems that have dropbox installed in the programs will allow users loging into them access to drop box.

Search for GPO to deal with ransomware which you can adapt the GPO examples to include locations where dropbox installs in the local user profile .......
Vadim RappCommented:
...last but not least, some problems can be more effectively solved by administrative measures, rather than by IT. Have HR make announcement, then maybe catch someone, and in no time they will be reporting each other to you.
akbAuthor Commented:
The company already has policies in place but I keep on catching them out. If it were my business I'd sack the offenders!
Vadim RappCommented:
If they continue, then perhaps it signifies a legitimate business need they have, that is not satisfied by what you offered them?  Maybe that solution even would be the same Dropbox, but using corporate account under your control? from dropbox own webpage: "You use Dropbox. Why doesn’t your company? Upgrade to Dropbox Business and get the solution that employees love, with the controls that IT admins need." Seems like your situation exactly.
akbAuthor Commented:
No, the offending employee is using it for personal use.
Ok, anyone feel like solving this? Yes? Ok, then why not just do it?
I gave you the easiest possible solution: extract the digital certificate of the dropbox installer and create a software restriction policy or applocker certificate rule that denies execution of things signed with the dropbox certificate. I tested it just now - it works. So if you need any help with it, just say.
1 download the installer, right click it - properties, go to the digital signature tab, for each of the 2 certs do
2 extract the certificate in base64 encoding
3 setup a software restriction policy certificate rule with these two certificates and set them to be not allowed for all but administrators or for all, just as you like.
Since this can be deployed company wide, you have a solution in minutes - what are you waiting for? With applocker, you can even deploy to certain user groups within the policy - just what you are looking for. With SRP, we cannot do that, but we can use security filtering on that GPO to just apply to a domain security group with certain computers in it.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
akbAuthor Commented:
Hi akb.
I read your request for attention and I am pretty baffled.
See, my point is: this is an easy task and I outlined its solution. Your feedback was "How do I do that?" and I told you to look for tutorials for yourself because they are found on the net, easily. No further feedback came, instead, other directions were tried. So I came back and offered you the steps it takes.

I participate in many questions and often I see this: if the asker faces a difficulty to follow a proposal, he just drops it and stops giving feedback on it, silently. This was, what I saw here.
If you find a sentence of mine "what are you waiting for" provoking or even somewhat aggressive - sorry, no. It was meant to motivate you to go and try it, pretty bluntly, indeed. But not aggressive, sorry if that could be mistaken, sorry for the wrong tone.
Vadim RappCommented:
Given that "what are you waiting for?" is the core question of the pop hit "Love me like you do", it's proven that it's not aggressive at all :-) McKnife certainly has offered a solution, and a very detailed one,  which he has personally tested it and verified that it woks. One needs quite a determination to avoid a solution to take that as an offense.
akbAuthor Commented:
Telling me to look for tutorials for myself is not helpful. I spent much time googling for solutions unsuccessfully. That is why I posted the question here.
Maybe it is a cultural thing but I was offended by the tone of your post.
"Ok, anyone feel like solving this? Yes? Ok, then why not just do it?"
 "what are you waiting for?"
Maybe if you had offered me the detailed solution earlier then I could had tried it.
I accept that you did not mean offence and will try your solution - thanks for your assistance.
AKB, it is unfortunate that you took the comments as offensive/offending.
The difficulty in your situation is that even if you install dropbox on every computer, I do not believe there is a configuration through which you can enforce/impose a limitation on a user from signing into dropbox with their person ID either as the sole account, or as a secondary account.
Others pointed to the enforcement through Company Policy that has teeth......
or prevent any access to dropbox.

I think the direction of the question deals with whether after your attempts you made any adjustments that apply to this sole user with either using GPO blocking the running of dropbox in the %localdata%\dropbox.....etc.

or specifically deny this user the right to run any dropbox application.......
Vadim RappCommented:
...besides, in order to use dropbox one does not even need their applet, it's only a matter of convenience. In the next minute after you finally block the application. the offending user will simply open web browser and will do the same. discusses several ways to block dropbox by the firewall, including listing their servers.

Dropbox is only a tool. Besides dropbox, there's also mediafire and X other similar file-hosting websites, there's ftp, and there's simply sending the attachment to yourself by email, especially by using personal webmail in the same browser.
akbAuthor Commented:
That is true. The only way a business can hope to prevent employees stealing their data is with policies which some employees will choose to ignore.
The big problem my client is having with dropbox is that the employee loads a couple of gigabytes of private photo's on his PC and then dropbox automatically uploads them to the internet. Internet speed is 10MB down and 1MB up - the fastest available here at the moment. This kills the internet for everyone else in the office.
They call me in to work out what the problem is and when the employee sees I'm in the building he exits his dropbox. Total waste of time for me and money for my client.
As I said previously, I have resolved the immediate problem by leaving DropBox installed and then removing the user's access to the folder it installed in using security setting in windows explorer.
Vadim RappCommented:
1. I would look at the  limiting upload speed for this user at the firewall. Should be possible.

disclaimer: the next 3 ways are quite evil and may appear as unprofessional.

2. Can write a script that would quietly run in the background, and auto-resized every jpeg larger than 200KB to 1KB, or even replaced it with equally-named empty file. Since those are private photos, complaint is unlikely.

3. exiting dropbox when you show up - if this is about evidence, there are numerous solutions like this:

4. Another creative way is finding among the gigabytes of private photos 1-2 that approach porn.

That said, if client's management is already aware of the gigabytes of private photos and about slowing down everyone, and can't do anything, then maybe you simply wash your hands. You have informed them, and if they can't collect themselves to act accordingly, then, most likely, this internet slowdown is far from being their biggest problem.
akbAuthor Commented:
Thanks Vadim Rapp. I like the way you think. I will explore the possibilities.
akbAuthor Commented:
Thanks for all your assistance with this.
Again, I apologise for misinterpreting comments which, in hind site, were obviously not malicious.
I am going down the GPO route, and having problems, but that is the topic of another question.
Thanks again.
No need to apologize, I obviously chose a wrong tone.
Frustration on my side is high sometimes with all the questions I participate in and that little feedback my comments sometimes get.
And I really welcome your "Maybe it is a cultural thing" - because it often is. I know many german forums, where helpers are really, really impatient up to rudeness with the people they were trying to help in the first place :| Sorry again.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows Server 2012

From novice to tech pro — start learning today.