I need a better way of preventing users from installing software than simply setting permissions to folders. We are running Win2000.
This question was posed on 21 August 2002.
To prevent the installation of software is not an easy thing. In Windows 2000 and XP, an ordinary user cannot install software that runs as a service or has components that do so. However, much software consists of executables and libraries, or is downloadable as Java scripts or applets, or VB scripts. If a user has hard drive space where they can write files, it is impossible to prevent them from ever installing some form of software.
However, that said, there are things you can do to make it harder to 'run' unauthorized software. Some of that is permission setting on registry keys and folders. Sorry, but that's a key protective action. You can also use group policy to list only the applications that can run (I know, that's a toughie). You can use Terminal Server in application mode and associate software with user groups and specifically identify which software runs when they log on. You can use group policy to prevent them from running certain system features, and thus prevent them from, say, installing drivers, accessing command lines, adding items to the start menu, adding shortcuts to the desktop, etc. You then must ensure that apps they need to run are listed on their start menu. Another possibility is allowing only 'signed' applications to run (use group policy), but then you must ensure that all applications you wish to run are properly signed.
What I am saying here is that you can restrict users and lock them down pretty well with group policy. You must also do things such as stop autorun, and perhaps block use of CD-ROM drives and floppy drives. You will need to spend some time configuring Internet Explorer to prevent the running of scripts that may install programs and use of Java and ActiveX.
This is beginning to sound like a lot of work, yes? However, once done, it can be applied network-wide using group policy.
Test your work before deploying.
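As an added example (not part of the original answer), one way to test the lockdown before deploying: a Python check over a regedit export of a test user's policy keys, confirming that the allow-list, autorun and command-prompt restrictions actually applied. The registry value names (RestrictRun, NoDriveTypeAutoRun, DisableCMD) are the ones behind the corresponding Group Policy settings; the sample export, the approved list and the function names are constructed for illustration, and the export is assumed to be already decoded to text.

```python
import re

# Constructed sample: regedit export (.reg text) of a test user's policy keys.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"RestrictRun"=dword:00000001
"NoDriveTypeAutoRun"=dword:00000095

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\RestrictRun]
"1"="winword.exe"
"2"="excel.exe"
"3"="setup.exe"
'''

EXPLORER = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
SYSTEM = r"HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System"

def parse_reg(text):
    """Return {key_path_lower: {value_name_lower: int | str}} from .reg text."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
            continue
        m = re.match(r'"([^"]+)"=(dword:([0-9a-fA-F]{8})|"(.*)")$', line)
        if m and current is not None:
            current[m.group(1).lower()] = int(m.group(3), 16) if m.group(3) else m.group(4)
    return keys

def audit(text, approved):
    """List lockdown gaps found in an exported policy hive (empty list = pass)."""
    keys = parse_reg(text)
    explorer = keys.get(EXPLORER.lower(), {})
    system = keys.get(SYSTEM.lower(), {})
    allowed = keys.get(EXPLORER.lower() + r"\restrictrun", {})
    findings = []
    if explorer.get("restrictrun") != 1:
        findings.append("RestrictRun allow-list is not enabled")
    for exe in sorted({str(v).lower() for v in allowed.values()} - {a.lower() for a in approved}):
        findings.append(f"unapproved program on allow-list: {exe}")
    if explorer.get("nodrivetypeautorun") != 0xFF:  # 0xFF = autorun off for every drive type
        findings.append("autorun is not disabled on all drive types")
    if system.get("disablecmd") not in (1, 2):  # 1 = also blocks batch files, 2 = allows them
        findings.append("command prompt is not disabled")
    return findings
```

The allow-list policy is enforced by the Explorer shell, so it complements rather than replaces the file and registry permissions the answer calls a key protective action.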