
Setting up Group Policy in Windows 7 to restrict installs


11 replies to this topic

#1
JoanieG

Hi everyone. I have a small business and am replacing the laptops used by my sales team and had read that Group Policy could be used to restrict them from installing software (As I have had a big problem with this in the past). I really don't want to screw this up either so I have some concerns about that too.

For example, will they be able to install updates to existing software that is installed when I give them the laptop? How about Windows Updates and such? Norton AntiVirus definitions?

Would this be able to be set up so that software installs cannot create a new path in Program Files or something, so that installs to existing paths would be ok? Someone had mentioned this but I haven't found a walkthrough or anything as to how to do this and am not 100% that this would work either.

I'm really open to ideas and suggestion. I can't use Standard accounts, as some of our software requires an Administrative account for some reason.

Thanks again for your help. :)



#2
cluberti

One way to restrict software is to not allow them to be administrators on the machine. Without admin rights, most software packages will fail to install (without admin approval via the UAC dialog or installation via group policy or SCCM or some other software installation method) as the user really only has write access to most folders in their profile and most locations in their HKCU registry hive. Another is to use the Applocker feature of group or local policy to lock down which applications, scripts, etc. are allowed to be run by specific users or groups. There's a more in-depth overview of it here, as well as a checklist in-depth walkthrough of it here.
MCTS Windows Internals, MCITP Server 2008 EA, MCTS MDT/BDD, MCSE/MCSA Server 2003, Server 2012, Windows 8
--------------------
Please read the rules before posting!
Please consider donating to MSFN to keep it up and running!

#3
JoanieG

Thank you very much for your response and help. I looked at App Locker and that sounds really great, but it says that it is only in Windows 7 Enterprise and Windows 7 Ultimate and I have Windows 7 Professional, which should have all business features in my opinion. I checked myself and couldn't find it in Windows 7...

I have to have the users be Administrators to allow some of the software to run as well, and they would still be able to install software. I really don't want them to be able to install their own things, like Yahoo Messenger, or photo management software, or other personal things like that. It's really a shame about App Locker, it seems like it would be really perfect. :(

#4
Tripredacus


> Thank you very much for your response and help. I looked at App Locker and that sounds really great, but it says that it is only in Windows 7 Enterprise and Windows 7 Ultimate and I have Windows 7 Professional, which should have all business features in my opinion. I checked myself and couldn't find it in Windows 7...



Are you sure? I have Windows 7 Pro and can see AppLocker. Here is how to get to it:
1. Control Panel
2. Administrative Tools
3. Local Security Policy
4. Application Control Policies
MSFN RULES | GimageX HTA for PE 3-5 | lol probloms

#5
JoanieG



>> Thank you very much for your response and help. I looked at App Locker and that sounds really great, but it says that it is only in Windows 7 Enterprise and Windows 7 Ultimate and I have Windows 7 Professional, which should have all business features in my opinion. I checked myself and couldn't find it in Windows 7...
>
> Are you sure? I have Windows 7 Pro and can see AppLocker. Here is how to get to it:
> 1. Control Panel
> 2. Administrative Tools
> 3. Local Security Policy
> 4. Application Control Policies


Thank you very much. I did find it by using your instructions but when I click on "Which editions of Windows support AppLocker" it says:

"AppLocker is available in all editions of Windows Server 2008 R2 and in Windows 7 Ultimate and Windows 7 Enterprise. Windows 7 Professional can be used to create AppLocker rules. However, AppLocker rules cannot be enforced on computers running Windows 7 Professional. Organizations should use AppLocker for all computers that support it."

So it doesn't look like that is an option here. Which I find a little ridiculous to be honest since I am using the Professional version of the OS...

I don't understand why this has to be as hard as it is. In business it should be much easier to lock down employee computers... Am I wrong in thinking that? lol

Thanks Again.
Joanie G.

#6
cluberti


> I don't understand why this has to be as hard as it is. In business it should be much easier to lock down employee computers... Am I wrong in thinking that? lol

It never is - it's really the holy grail of enterprise computing, and it's very difficult to do effectively. Also, while the edition is termed professional, it's meant for home office/small businesses who don't have volume licensing, and who would be less likely to be locking down Windows that way. Applocker+Group Policy is considered an enterprise feature, which comes with the Enterprise version of the OS meant for medium to large enterprises (and Ultimate, of course). It stinks, but that's how the editions are hashed out.

#7
JoanieG



>> I don't understand why this has to be as hard as it is. In business it should be much easier to lock down employee computers... Am I wrong in thinking that? lol
>
> It never is - it's really the holy grail of enterprise computing, and it's very difficult to do effectively. Also, while the edition is termed professional, it's meant for home office/small businesses who don't have volume licensing, and who would be less likely to be locking down Windows that way. Applocker+Group Policy is considered an enterprise feature, which comes with the Enterprise version of the OS meant for medium to large enterprises (and Ultimate, of course). It stinks, but that's how the editions are hashed out.


I see. That's really very confusing that they would call it that then. :( So, how can I do this then? Is it still possible? I have Group Policy but I don't know if that works in Professional or if that doesn't work either. Is there another way to do this? I'm sorry that my question is so complex. :(

Thanks Again,
Joanie G

#8
cluberti

Group policy works, but you won't be using applocker. You'll be limited to what UAC/LUA affords running as a non-admin user. The user will be able to install user-installable apps (like google chrome, or firefox), unless you use something 3rd party to restrict installations (or resort to software restriction policies in group policy, which is a heck of a lot more complicated... but easier to circumvent by smarter users... go figure).

#9
JoanieG


> Group policy works, but you won't be using applocker. You'll be limited to what UAC/LUA affords running as a non-admin user. The user will be able to install user-installable apps (like google chrome, or firefox), unless you use something 3rd party to restrict installations (or resort to software restriction policies in group policy, which is a heck of a lot more complicated... but easier to circumvent by smarter users... go figure).


Oh I see. :( Well, I really do appreciate all of the help and everything with this. Do you happen to know of a tutorial or something that would show me how to set up software restriction policies in group policy? Can this be set up with the current directories in Program Files being approved directories too so that they can't install things that would create a new directory? If I need to install a new program in the future, can I disable this then install the software and reenable it?

Thanks again for all of your help. I'm sorry that I don't have App Locker and that I keep asking questions. I'm sure you're getting tired of hearing from me. I really do appreciate all of the help though. :)

Thank you again,
Joanie G.
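
Added example (not part of the original posts): a read-only PowerShell report of the software restriction policies mentioned in the reply above, read from the machine-wide policy key where SRP stores its settings. It flags the scope setting that exempts local administrators, which matters in this thread because the users have to run as administrators; the function names are made up for this example.

```powershell
# Added example: read-only report of machine-wide Software Restriction Policies (SRP).
# Written for PowerShell 2.0 (Windows 7). Only path rules are listed, not hash or certificate rules.
$root   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$levels = @{ 0 = 'Disallowed'; 131072 = 'Basic User'; 262144 = 'Unrestricted' }

function Get-SrpSettings {                          # hypothetical helper name
    if (-not (Test-Path $root)) { return $null }    # no SRP policy has been created
    $cfg = Get-ItemProperty -Path $root
    New-Object PSObject -Property @{
        DefaultLevel = $levels[[int]$cfg.DefaultLevel]
        # PolicyScope: 0 = all users, 1 = all users except local administrators
        AdminsExempt = ([int]$cfg.PolicyScope -eq 1)
        # TransparentEnabled: 0 = not enforced, 1 = all files except DLLs, 2 = all files
        Enforcement  = [int]$cfg.TransparentEnabled
    }
}

function Get-SrpPathRules {                         # hypothetical helper name
    # Path rules live under <level id>\Paths\<GUID>, with the path in ItemData.
    foreach ($id in $levels.Keys) {
        $paths = Join-Path $root "$id\Paths"
        if (-not (Test-Path $paths)) { continue }
        foreach ($key in Get-ChildItem $paths) {
            $rule = Get-ItemProperty -Path $key.PSPath
            New-Object PSObject -Property @{
                Level = $levels[$id]; Path = $rule.ItemData; Description = $rule.Description
            }
        }
    }
}

$settings = Get-SrpSettings
if ($null -eq $settings) {
    Write-Host 'No Software Restriction Policy is defined on this computer.'
} else {
    $settings | Format-List | Out-Host
    if ($settings.AdminsExempt) {
        Write-Warning 'Policy skips local administrators: admin users are not restricted.'
    }
    if ($settings.DefaultLevel -eq 'Unrestricted') {
        Write-Warning 'Default level is Unrestricted: only explicit Disallowed rules block anything.'
    }
    Get-SrpPathRules | Sort-Object Level, Path |
        Format-Table Level, Path, Description -AutoSize | Out-Host
}
```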

#10
Tripredacus


> Thanks again for all of your help. I'm sorry that I don't have App Locker and that I keep asking questions. I'm sure you're getting tired of hearing from me. I really do appreciate all of the help though. :)


It's not a problem. At least now you know about it and when you have the opportunity to use it in the future, you will have a head start.

#11
mdonovin



>> Thanks again for all of your help. I'm sorry that I don't have App Locker and that I keep asking questions. I'm sure you're getting tired of hearing from me. I really do appreciate all of the help though. :)
>
> It's not a problem. At least now you know about it and when you have the opportunity to use it in the future, you will have a head start.


Hi,

I am having the same issue as this thread describes so I figured I'd reopen it or whatever since it's the same issue. But does anyone know of a tutorial or walkthrough for restricting people from installing software just using Group Policy and not AppLocker? What would the ramifications of this be? I'm assuming things like Windows Update, or software updates would still work as the software was already previously installed?

This thread actually made me think about that, and that would be kind of bad.

Thanks :)

#12
cluberti

When in doubt, look it up on Technet.



