Controlling application access via Windows Group Policies, pt. 2
Part 1 showed the initial steps on how to either block access to or allow only certain applications to be run on a Windows 2000 or higher computer using Group Policies. These policies could be defeated if the user used the command prompt, unless that was also blocked, or if they renamed the executable. These steps will show how to block user attempts to change the file names by blocking their access to program files already on the computer.
All steps are performed in the GP editor -> User Configuration -> Administrative Templates
Blocking the ability to browse C:
Steps 3 & 6 (disabling right-clicks) may seem too far but there are very few times that a user needs the ability to alter the properties of a file or create a desktop shortcut. If a shortcut is needed, the IT staff could place it on the desktop, or a shared directory, for the user manually or set a login script that creates the shortcut every time the system is booted. At my current employer, a window is opened during login (via logon script) that has several shortcuts to common programs so users don’t have to create desktop shortcuts. The shortcuts are also available via a custom Start menu.
What has this accomplished?
Other drives can be blocked via the Hide these specified drives in My Computer if you want to prevent users from accessing other drives (i.e. floppy, CD-ROM, etc.).
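The drive policies above are stored as a bitmask in the current user's Explorer policy key, which makes it easy to check on a workstation which drives a user is actually prevented from seeing. The PowerShell script below is an added example, not code from the original post; it assumes PowerShell 3.0 or later (for the -shl operator) and reads the NoDrives value written by "Hide these specified drives in My Computer" plus its companion NoViewOnDrive value written by "Prevent access to drives from My Computer", decoding bit 0 as A:, bit 1 as B: and so on through Z:.

```powershell
# Added example (not part of the original post): decode the drive-hiding
# policy bitmask for the current user. Hiding a drive (NoDrives) only removes
# it from My Computer; NoViewOnDrive is the value that blocks browsing it.
$explorerPolicy = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'

function ConvertFrom-DriveMask {
    param([uint32]$Mask)
    # Each set bit selects one drive letter: bit 0 = A:, bit 1 = B:, ... bit 25 = Z:.
    0..25 |
        Where-Object { ($Mask -band (1 -shl $_)) -ne 0 } |
        ForEach-Object { [string][char](65 + $_) + ':' }
}

function Get-DrivePolicy {
    # Returns one object per policy value so the result can be viewed or exported.
    foreach ($name in 'NoDrives', 'NoViewOnDrive') {
        $value = (Get-ItemProperty -Path $explorerPolicy -Name $name -ErrorAction SilentlyContinue).$name
        $drives = ''
        if ($null -ne $value) {
            $drives = (ConvertFrom-DriveMask -Mask $value) -join ', '
        }
        [pscustomobject]@{
            Policy     = $name
            Configured = ($null -ne $value)
            RawMask    = $value
            Drives     = $drives
        }
    }
}

# Example run: shows whether each value is set and which letters it covers.
Get-DrivePolicy | Format-Table -AutoSize
```

Run it in the context of the restricted user (not as an administrator) so the HKCU hive being read is the one the policy was applied to; a drive that appears under NoDrives but not under NoViewOnDrive is hidden but still reachable by typing its path.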
Every moment in planning saves 3 or 4 in execution. -Crawford Greenwalt
27.Jun.05
Active Directory, Tech Tip
Controlling application access via Windows Group Policies, pt. 1
These steps show how to set a group policy to either block specific applications or only allow specific applications to run. The policies only apply to applications launched through the Windows Explorer process (i.e. a shortcut, double-clicking an executable file, etc.). Setting either of these policies to Enabled will not block launch access to system processes, like the Task Manager, or programs launched from the command prompt.
The following points must be true:
Blocking specific applications
This example will block access to solitaire (sol.exe).
If you are trying this on your local machine, try to run solitaire from either the shortcut in the Start Menu or by going to Start -> Run and typing sol.exe (click OK or press Enter). You should receive a warning informing you that the operation was cancelled due to restrictions set by the administrator.
Allowing only specific applications
If there are only a relatively small number of programs users should be allowed to use (i.e. Office apps, etc.), it may be easier to only allow access to those applications instead of trying to block applications. This example will allow only Microsoft Word to be launched.
Blocking access to the command prompt
As stated at the beginning of the article, neither of these policies will block access to an application if it is launched from the command prompt. If you blocked access to solitaire, open up the command prompt (cmd.exe) and type in sol.exe (and press Enter). Solitaire will run instead of being blocked. You can easily block access to the command prompt by setting the policy Prevent access to the command prompt (located in the same place as the Don’t run specified Windows applications and Run only allowed Windows applications policy) to Enabled.
Note: Preventing access to the command prompt will also prevent batch files from running. Do not enable this setting if you use batch files for logon, logoff, startup or shutdown scripts. Also, do not enable this setting if the users use Terminal Services.
Any one of these policies takes effect immediately if you are doing this via the local computer GP editor. If you are on a domain, you will either have to wait for the policy to replicate or go to the command line and run:
Windows 2000 domain:
secedit /refreshpolicy user_policy /enforce
Windows 2003 domain:
gpupdate /target:user /force
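Once the policy has been refreshed, the three settings covered in this article (Don't run specified Windows applications, Run only allowed Windows applications, and Prevent access to the command prompt) can be audited on a client by reading the registry values they write to the user's hive. The script below is an added example, not code from the original post; it assumes a client with PowerShell available (so the gpupdate form of the refresh, not the Windows 2000 secedit form), reads the DisallowRun and RestrictRun lists under the Explorer policy key, and reads the DisableCMD value under the System policy key, which is 1 when the prompt and batch scripts are both blocked and 2 when only the prompt is blocked. Because these policies match on the executable's file name only, the list it prints is exactly what a renamed copy of the program would slip past, which is the weakness Part 2 addresses.

```powershell
# Added example (not part of the original post): audit the per-user registry
# values behind the three Group Policy settings discussed above.
$explorerPolicy = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$systemPolicy   = 'HKCU:\Software\Policies\Microsoft\Windows\System'

function Get-ExplorerRunList {
    param([ValidateSet('DisallowRun', 'RestrictRun')][string]$Name)
    # The on/off switch is a DWORD on the Explorer key; the executable names
    # are string values named "1", "2", ... inside a subkey of the same name.
    $switch  = (Get-ItemProperty -Path $explorerPolicy -Name $Name -ErrorAction SilentlyContinue).$Name
    $enabled = ($switch -eq 1)
    $list    = @()
    $subKey  = Join-Path $explorerPolicy $Name
    if (Test-Path $subKey) {
        $props = Get-ItemProperty -Path $subKey
        $list = @($props.PSObject.Properties |
            Where-Object { $_.Name -match '^\d+$' } |
            Sort-Object { [int]$_.Name } |
            ForEach-Object { $_.Value })
    }
    [pscustomobject]@{
        Policy      = $Name
        Enabled     = $enabled
        Executables = ($list -join ', ')
    }
}

function Get-CommandPromptPolicy {
    # DisableCMD: 1 = prompt and batch scripts blocked, 2 = prompt blocked, scripts allowed.
    $v = (Get-ItemProperty -Path $systemPolicy -Name DisableCMD -ErrorAction SilentlyContinue).DisableCMD
    [pscustomobject]@{
        Policy              = 'Prevent access to the command prompt'
        Enabled             = ($v -eq 1 -or $v -eq 2)
        BatchScriptsBlocked = ($v -eq 1)
    }
}

# Pull the latest user policy from the domain, then report what is in effect.
gpupdate /target:user /force | Out-Null
Get-ExplorerRunList -Name DisallowRun
Get-ExplorerRunList -Name RestrictRun
Get-CommandPromptPolicy
```

With the Part 1 example in place, the DisallowRun line should show Enabled set to True and sol.exe in the list; an empty RestrictRun list while RestrictRun is enabled means no application at all can be launched through Explorer, so check that output before enabling the allow-list policy on a domain.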
Part 2 will deal with the ability of users to rename executables in order to get around this block.
Tell me and I’ll forget; show me and I may remember; involve me and I’ll understand. - Chinese Proverb
24.Jun.05
Active Directory, Tech Tip