Controlling application access via Windows Group Policies, pt. 2
Part 1 showed the initial steps for either blocking access to, or allowing only, certain applications to be run on a Windows 2000 or higher computer using Group Policies. Those policies could be defeated if the user opened a command prompt (unless that was also blocked) or renamed the executable. The steps below show how to stop users from renaming files by blocking their access to the program files already on the computer.
All steps are performed in the Group Policy editor -> User Configuration -> Administrative Templates.
Blocking the ability to browse C:
1. In the left pane, click on Start Menu.
2. In the right pane, double-click Remove Run menu from Start Menu and set it to Enabled.
   - This removes the Run command from the Start Menu and Task Manager, prevents the user from typing path names (UNC or local directory) into the Explorer address bar, and blocks the Windows key + R shortcut (Windows keyboards).
3. Double-click Remove access to the context menus for the taskbar and set it to Enabled.
   - If this is not set, users can defeat all the other blocks by right-clicking the Start button and choosing Explore All Users or Open All Users.
4. In the left pane, expand Windows Components and click on Windows Explorer.
5. In the right pane, double-click Hide these specified drives in My Computer and set it to Enabled.
   - Click the drop-down menu next to Pick one of the following combinations and choose Restrict C drive only.
6. Double-click Remove Windows Explorer's default context menu and set it to Enabled.
   - If users are allowed to right-click on the Desktop and create a shortcut, they can create a shortcut to the C: drive (or any directory within it). This gives them access to browse the C: drive.
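The four settings above are per-user Administrative Template policies that Windows stores under the Explorer policies key in HKCU (NoRun, NoTrayContextMenu, NoDrives, NoViewContextMenu). The PowerShell script below is an added audit example, not part of the original post: run in a restricted user's session, it reports which of the expected values are missing or wrong. It goes slightly beyond the steps by computing the NoDrives bitmask for any list of drive letters (A=1, B=2, C=4, and so on), so the same check covers the extra drives mentioned later in the post.

```powershell
# Added audit example: verify that the Explorer lockdown policies from the
# steps above have actually applied to the current user's registry hive.
# Policy-to-value mapping is the standard one for these Administrative
# Template settings; "Restrict C drive only" corresponds to NoDrives = 4.

$PolicyKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'

function Get-NoDrivesMask {
    # Build the NoDrives bitmask from drive letters: bit 0 = A, bit 1 = B, ...
    param([string[]]$Drives)
    $mask = 0
    foreach ($d in $Drives) {
        $letter = $d.TrimEnd(':').ToUpper()
        $mask = $mask -bor (1 -shl ([int][char]$letter - [int][char]'A'))
    }
    return $mask
}

# Expected values for the four policies. Add letters to the drive list to
# check a broader "Hide these specified drives" selection.
$Expected = @{
    NoRun             = 1   # Remove Run menu from Start Menu
    NoTrayContextMenu = 1   # Remove access to the context menus for the taskbar
    NoViewContextMenu = 1   # Remove Windows Explorer's default context menu
    NoDrives          = (Get-NoDrivesMask -Drives @('C'))  # Hide these specified drives
}

function Test-ExplorerLockdown {
    $findings = @()
    $present = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
    foreach ($name in $Expected.Keys) {
        $actual = if ($present) { $present.$name } else { $null }
        if ($null -eq $actual) {
            $findings += "MISSING  $name (expected $($Expected[$name]))"
        } elseif ($name -eq 'NoDrives' -and (($actual -band $Expected[$name]) -ne $Expected[$name])) {
            # A NoDrives value may hide more drives than expected; only complain
            # when the required bits are not all set.
            $findings += "PARTIAL  NoDrives=$actual does not cover mask $($Expected[$name])"
        } elseif ($name -ne 'NoDrives' -and $actual -ne $Expected[$name]) {
            $findings += "WRONG    $name=$actual (expected $($Expected[$name]))"
        } else {
            $findings += "OK       $name=$actual"
        }
    }
    return $findings
}

Test-ExplorerLockdown | ForEach-Object { Write-Output $_ }
```

Because the values live under HKCU, the script must run as the user the policy targets, after that user has logged on and the policy has refreshed.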
Steps 3 & 6 (disabling right-clicks) may seem to go too far, but there are very few times a user needs the ability to alter the properties of a file or create a desktop shortcut. If a shortcut is needed, the IT staff can place it on the desktop or in a shared directory for the user manually, or set a login script that creates the shortcut every time the system is booted. At my current employer, a window is opened during login (via logon script) that has several shortcuts to common programs so users don’t have to create desktop shortcuts. The shortcuts are also available via a custom Start menu.
What has this accomplished?
- Drive C: is now no longer shown in My Computer or Windows Explorer.
- The Run command is now removed, so users cannot type C: (or any other directory) into the Run command, Task Manager or Windows Explorer in order to browse C:.
  - Note: Users will still be able to access their own C:\Documents and Settings folder (where My Documents is located).
  - If the user opens their My Documents folder and clicks the button to go up a directory, they are taken directly to the Desktop directory and cannot go further (i.e. to the root of C:).
- Users will not be able to use the Search function to search the C: drive.
- Users will not be able to right-click on icons, the Start button, the Desktop or in Windows Explorer which would allow them to browse C: or create shortcuts to the C: drive (or any directory/file within).
Other drives can be blocked via Hide these specified drives in My Computer if you want to prevent users from accessing them (e.g. floppy, CD-ROM, etc.).
27.Jun.05
Active Directory, Tech Tip
This is when you insert your bootable CD and hit the restart button.
In that case, I’m changing the boot sequence and setting a BIOS password.
This still doesn’t prevent a user from accessing a drive from the open file dialog and typing “C:” for the filename and pressing enter. Also with both Microsoft Office and WordPad, you can execute an application. Couple this with the capabilities to create scripts, and it may be possible to get a command prompt.
I just tried it using IE (File -> Open) and in Windows Explorer. When I type “C:” and hit Enter, it gives me the error that the resource is unavailable. When I tried it in Microsoft Word, it didn’t do anything.
Can you give the steps you used to still browse C: after setting the GP’s?
Well, what I’m referring to is when you go into WordPad, and click Insert->Object, choose “Create from file”, and click Browse. Once here, if you type c:\, you’ll get a drop-down menu; from here you can type another folder and get the list of files for it, or you can choose a file. If you choose a file, an icon will appear in WordPad that can be executed.
Also, unless you disable command prompt script processing, they can also create their own batch files to do what they need.
The same holds true with WordPad’s Insert Hyperlink icon. In any case, you may want to do a GPO on the Internet Explorer and Office templates to remove such features.
Thanks for the information. Part 1 covered disabling the command prompt but that can only be used if the login scripts are vbscript. If logon scripts are written as batch files, they will fail to run with that GP enabled.
You could also just allow specific applications (that would block Wordpad) but, as you pointed out, Word allows you to do a hyperlink so that is one way to get around it.
Looks like I have some more homework to do.
OK, I’m at school right now and I’ve slowly been figuring out ways to get around our network block (Novell). I found out a little while ago that I could go to open a document in Word and could search the C drive, but my question is now, that leaves the command prompt to be able to be used, how can I access it by bypassing the blocks?
(note: don’t think of it as illegal, think of it as helping a bored senior)