Controlling application access via Windows Group Policies, pt. 2
Part 1 showed the initial steps for either blocking specific applications or allowing only certain applications to run on a Windows 2000 or higher computer using Group Policies. Those policies could be defeated if the user used the command prompt (unless that was also blocked) or simply renamed the executable, because the policies compare nothing more than the file name. These steps show how to stop users from renaming programs by blocking their ability to browse to the program files already on the computer.
All steps are performed in the GP editor -> User Configuration -> Administrative Templates
Blocking the ability to browse C:
- In the left pane, click on Start Menu
- In the right pane, double-click on Remove Run menu from Start Menu and set it to Enabled.
- This will remove the Run command from the Start Menu and Task Manager, prevent the user from typing path names (UNC and local directory) into the Explorer address bar and block the use of the Windows key + R (Windows keyboards).
- Double-click on Remove access to the context menus for the taskbar and set it to Enabled.
- If this is not set, users will be able to defeat all other blocks by right-clicking the Start button and choosing Explore All Users or Open All Users.
- In the left pane, expand Windows Components and click on Windows Explorer.
- In the right pane, double-click Hide these specified drives in My Computer and set it to Enabled.
- Click the drop down menu next to Pick one of the following combinations and choose Restrict C drive only.
- Double-click Remove Windows Explorer’s default context menu and set it to Enabled.
- If users are allowed to right-click on the Desktop and create a shortcut, they can create a shortcut to the C: drive (or any directory within). This will give them access to browse the C: drive.
Steps 3 & 6 (disabling right-clicks) may seem too far but there are very few times that a user needs the ability to alter the properties of a file or create a desktop shortcut. If a shortcut is needed, the IT staff could place it on the desktop, or a shared directory, for the user manually or set a login script that creates the shortcut every time the system is booted. At my current employer, a window is opened during login (via logon script) that has several shortcuts to common programs so users don’t have to create desktop shortcuts. The shortcuts are also available via a custom Start menu.
What has this accomplished?
- Drive C: is now no longer shown in My Computer or Windows Explorer.
- The Run command is now removed so users cannot type in C:, or any other directory, in order to browse C: through the Run command, Task Manager or Windows Explorer.
- Note: Users will still be able to access their own C:\Documents and Settings folder (where My Documents is located).
- If the user opens their My Documents folder and clicks the button to go up a directory, they are taken directly to the Desktop directory and cannot go further (i.e. to the root of C:).
- Users will not be able to use the Search function to search the C: drive.
- Users will not be able to right-click on icons, the Start button, the Desktop or in Windows Explorer which would allow them to browse C: or create shortcuts to the C: drive (or any directory/file within).
Other drives can be blocked via Hide these specified drives in My Computer if you want to prevent users from accessing other drives (i.e. floppy, CD-ROM, etc.).
Keep in mind that this policy only hides the drive icons in My Computer, Windows Explorer and the standard Open dialog; it does not stop a program from opening a file on that drive if the user can type the full path into the program's own File -> Open dialog. The shell restrictions above raise the bar for casual users, but NTFS permissions on the program directories are what actually prevent a determined user from reading, copying or renaming the files.
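The steps above write four per-user values under the Explorer policy key. The following PowerShell script is an added example (not part of the original tip) that reads those values back so you can confirm what a given user account actually received, and decodes the NoDrives bitmask. It assumes PowerShell 2.0 or later is available on the client and that the policy was applied to the user you run it as; the registry path and value names are the documented targets of these Administrative Template settings. With the settings from these steps applied, NoDrives should read 0x4 (C: only).

```powershell
# Added audit example, not code from the original article.
# Reads the per-user Explorer policy values that the Part 2 steps set.
$ExplorerPolicy = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'

# Returns a registry value, or $null if the key or value does not exist.
function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

# NoDrives is a bitmask: bit 0 = A:, bit 1 = B:, bit 2 = C:, ... bit 25 = Z:.
# "Restrict C drive only" writes 4; "Restrict all drives" writes 0x3FFFFFF.
function ConvertFrom-NoDrivesMask {
    param([int]$Mask)
    $letters = @()
    $bit = 1
    for ($i = 0; $i -lt 26; $i++) {
        if (($Mask -band $bit) -ne 0) { $letters += ('{0}:' -f [char](65 + $i)) }
        $bit = $bit * 2
    }
    return ,$letters
}

function Test-Part2Policies {
    $checks = @(
        @{ Name = 'NoRun';             Policy = 'Remove Run menu from Start Menu' },
        @{ Name = 'NoTrayContextMenu'; Policy = 'Remove access to the context menus for the taskbar' },
        @{ Name = 'NoViewContextMenu'; Policy = "Remove Windows Explorer's default context menu" }
    )
    foreach ($c in $checks) {
        $v = Get-PolicyValue -Path $ExplorerPolicy -Name $c.Name
        $state = if ($v -eq 1) { 'Enabled' } else { 'NOT SET' }
        '{0,-20} {1,-10} {2}' -f $c.Name, $state, $c.Policy
    }
    $mask = Get-PolicyValue -Path $ExplorerPolicy -Name 'NoDrives'
    if ($null -eq $mask) {
        '{0,-20} {1,-10} {2}' -f 'NoDrives', 'NOT SET', 'Hide these specified drives in My Computer'
    } else {
        $hidden = (ConvertFrom-NoDrivesMask -Mask $mask) -join ' '
        '{0,-20} 0x{1:X} hides: {2}' -f 'NoDrives', $mask, $hidden
    }
}

Test-Part2Policies
```

Run it in the restricted user's session (or after `gpupdate /target:user /force`), since the values live under HKCU and an administrator's own hive will not show them. A NoDrives value other than 0x4 means the drop-down was set to a different combination than Restrict C drive only.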
27.Jun.05
Active Directory, Tech Tip
Controlling application access via Windows Group Policies, pt. 1
These steps show how to set a group policy to either block specific applications or only allow specific applications to run. The policies only apply to applications launched through the Windows Explorer process (e.g. a shortcut, double-clicking an executable file, Start -> Run). Setting either of these policies to Enabled will not block launch access to system processes, like the Task Manager, or programs launched from the command prompt.
The following points must be true:
- The computer(s) must be running Windows 2000 or higher.
- You have admin rights to the domain or local machine.
Blocking specific applications
This example will block access to solitaire (sol.exe).
- Open the Group Policy editor for the domain or for local machine (gpedit.msc).
- Expand Administrative Templates under User Configuration.
- Click on System
- In the right pane, double-click on Don’t run specified Windows applications.
- Click Enabled and then click the button labeled Show… (next to List of disallowed applications).
- In the Show Contents window, click the button labeled Add.
- Type the executable name you want to block. For this example, the executable is sol.exe.
- The full path is not required.
- Click OK (or press Enter) to close the Add Item window and then click OK to close the Show Contents window.
- Click the Apply button on the Don’t run specified Windows applications window to set the policy and then click OK to close the window.
If you are trying this on your local machine, try to run solitaire from either the shortcut in the Start Menu or by going to Start -> Run and typing sol.exe (click OK or press Enter). You should receive a warning informing you that the operation was cancelled due to restrictions set by the administrator.
Allowing only specific applications
If there are only a relatively small number of programs users should be allowed to use (e.g. the Office applications), it may be easier to allow only those applications instead of trying to block everything else. This example will allow only Microsoft Word to be launched.
- Open the Group Policy editor for the domain or for a single PC (gpedit.msc).
- Expand Administrative Templates under User Configuration.
- Click on System
- In the right pane, double-click on Run only allowed Windows applications.
- Click Enabled and then click the button labeled Show… (next to List of allowed applications).
- In the Show Contents window, click the button labeled Add.
- Type the executable name you want to allow. For this example, the executable is winword.exe
- The full path is not required.
- Click OK (or press Enter) to close the Add Item window and then click OK to close the Show Contents window.
- Click the Apply button on the Run only allowed Windows applications window to set the policy and then click OK to close the window.
Blocking access to the command prompt
As stated at the beginning of the article, neither of these policies will block access to an application if it is launched from the command prompt. If you blocked access to solitaire, open up the command prompt (cmd.exe), type in sol.exe and press Enter. Solitaire will run instead of being blocked. You can easily block access to the command prompt by setting the policy Prevent access to the command prompt (located in the same place as the Don’t run specified Windows applications and Run only allowed Windows applications policies) to Enabled.
Note: That policy has an additional option, Disable the command prompt script processing also?. If you set it to Yes, batch files will not run either. Do not choose Yes (or do not enable the policy at all) if you use batch files for logon, logoff, startup or shutdown scripts. Also, do not enable this setting if the users use Terminal Services. Keep in mind that the policy only covers cmd.exe; other interpreters that can start programs, such as the Windows Script Host (wscript.exe and cscript.exe), are unaffected unless you add them to the disallowed list as well.
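Both lists end up in the user's registry hive, which makes it easy to check what a user actually received and to reason about what Explorer will do with a given launch. The following PowerShell script is an added example, not code from the original tip: it reads the DisallowRun and RestrictRun lists and the DisableCMD value (documented policy locations), then evaluates a few sample launches the way Explorer does, by comparing the file name alone, case-insensitively, with no path or hash involved. The three sample paths at the bottom are constructed for illustration (a renamed copy of sol.exe called cards.exe), and PowerShell 2.0 or later is assumed.

```powershell
# Added audit example, not code from the original article.
$ExplorerPolicy = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$SystemPolicy   = 'HKCU:\Software\Policies\Microsoft\Windows\System'

# Returns a registry value, or $null if the key or value does not exist.
function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

# DisallowRun / RestrictRun: a DWORD 1 under the Explorer policy key enables the
# policy, and a subkey of the same name holds values "1", "2", ... whose data is
# the bare executable name typed into the Show Contents dialog.
function Get-RunPolicyList {
    param([ValidateSet('DisallowRun', 'RestrictRun')][string]$Kind)
    $enabled = Get-PolicyValue -Path $ExplorerPolicy -Name $Kind
    $listKey = Join-Path $ExplorerPolicy $Kind
    $names = @()
    if ($enabled -eq 1 -and (Test-Path $listKey)) {
        $props = Get-ItemProperty -Path $listKey
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -match '^\d+$') { $names += [string]$p.Value }
        }
    }
    return ,$names
}

# DisableCMD 1 = cmd.exe and .bat/.cmd scripts blocked, 2 = cmd.exe blocked but
# scripts still run (the "Disable the command prompt script processing also?" option).
function Get-CommandPromptPolicy {
    $v = Get-PolicyValue -Path $SystemPolicy -Name 'DisableCMD'
    if ($v -eq 1)     { return 'cmd.exe blocked, batch scripts also blocked' }
    elseif ($v -eq 2) { return 'cmd.exe blocked, batch scripts still run' }
    else              { return 'not set' }
}

# Explorer's decision: match the launched file's name (no path, case-insensitive)
# against the lists. A renamed copy therefore passes, which is what Part 2 addresses.
function Test-ExplorerLaunch {
    param([string]$Path, [string[]]$Disallowed, [string[]]$Allowed)
    $leaf = Split-Path -Path $Path -Leaf
    if ($Disallowed -contains $leaf) { return 'blocked (disallowed list)' }
    if ($Allowed.Count -gt 0 -and -not ($Allowed -contains $leaf)) {
        return 'blocked (not on allowed list)'
    }
    return 'runs'
}

'Disallowed : ' + ((Get-RunPolicyList -Kind DisallowRun) -join ', ')
'Allowed    : ' + ((Get-RunPolicyList -Kind RestrictRun) -join ', ')
'Command prompt policy: ' + (Get-CommandPromptPolicy)

# Constructed sample: the article's policy (block sol.exe) against three launches.
$deny = @('sol.exe')
foreach ($p in 'C:\WINDOWS\system32\sol.exe', 'C:\Temp\SOL.EXE', 'C:\Temp\cards.exe') {
    '{0,-32} {1}' -f $p, (Test-ExplorerLaunch -Path $p -Disallowed $deny -Allowed @())
}
```

The last three lines of output show the limitation the article is working around: both copies named sol.exe are blocked regardless of where they live, while the renamed copy runs. The same function with a non-empty -Allowed list models the Run only allowed Windows applications case, where anything not named on the list is refused.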
Any one of these policies takes effect immediately if you are doing this via the local computer GP editor. If you are on a domain, you will either have to wait for the policy to replicate to the domain controllers and for the client's next background refresh (every 90 minutes by default), or go to the command line on the client and run:
- Windows 2000 client:
secedit /refreshpolicy user_policy /enforce
- Windows XP or Windows 2003 client:
gpupdate /target:user /force
- You do not need to use the /logoff or /boot switches because these policies do not require a logoff or reboot.
Part 2 will deal with the ability of users to rename executables in order to get around this block.
24.Jun.05
Active Directory, Tech Tip