I also agree 100% that it is best to run users as standard users. It will probably prevent them from installing about 90% of the programs out there. Just keep in mind that this will not prevent the user from installing programs that installs itself in file directories and registry sections that the user has write access to (home directory, etc).
As an aside, some virus writers are getting smarter about bypassing standard user restrictions . I recently had a user that got infected by one of those nasty fake antivirus viruses. The user was running as a standard user on a Vista machine (and no this user was not running as a faux standard user with the option of elevating at a click of a button. This was a true standard user account where the user could not elevate themselves). The virus installed itself in the users directory and had access to everything on the local machine that the user had access to. That being said, since the user was not running as a local admin, it limited the damage the virus could make to the local system and made it a lot easier to isolate and remove the virus so I still whole heartily recommend running users under a standard user account. If down the road you upgrade to SBS 2008/Windows 7, you may want to give App Locker a look. -----Original Message----- From: [email protected] [mailto:[email protected]] On Behalf Of Bugbear Sent: Sunday, April 04, 2010 5:25 PM To: PaulDotCom Security Weekly Mailing List; [email protected] Subject: Re: [Pauldotcom] Blocking Unwanted programing from installing Agree 100% On 4/4/10, Butturini, Russell <[email protected]> wrote: > In 2003 environments you can set group policy to disable the windows > installer on workstations. However this won't knock out third party > installation packagers. The best thing to do is strip local admin > rights from the users and prevent them from writing files to key > directories (program files, system32, etc.) > > ----- Original Message ----- > From: Sherwyn <[email protected]> > To: Butturini, Russell; '[email protected]' > <[email protected]> > Sent: Sun Apr 04 12:15:19 2010 > Subject: Re: [Pauldotcom] Blocking Unwanted programing from installing > > The are running 2003. > > Thanks. > Infolookup > www.infolookup.blogspot.com > www.twitter.com/infolookup > > > -----Original Message----- > From: "Butturini, Russell" <[email protected]> > Date: Sun, 4 Apr 2010 10:57:15 > To: '[email protected]'<[email protected]>; > '[email protected]'<[email protected]> > Subject: Re: [Pauldotcom] Blocking Unwanted programing from installing > > What version of SBS are you dealing with? 2003 or 2008? You have some > more capabilities in 2008 than 2003 for this sort of thing, > > ----- Original Message ----- > From: [email protected] > <[email protected]> > To: PaulDotCom Security Weekly Mailing List > <[email protected]> > Sent: Sat Apr 03 20:34:27 2010 > Subject: [Pauldotcom] Blocking Unwanted programing from installing > > Hello PDC Guru's, > > I am task with locking down a Microsoft SBS environment. The goal is > to allow all currently installed application to be able to run but > stop the installation of any new application (limewire, AOL messenger etc). > > I am aware that I can use a Run only list or software restriction > "path rule", but since both of these can be very time consuming if the > users has lots of application installed. > > Is there anyway to just allow all currently installed aops run access > but block installation of new apps for a set of users? > > Thank you in advance. > > Infolookup > www.infolookup.blogspot.com > www.twitter.com/infolookup > > _______________________________________________ > Pauldotcom mailing list > [email protected] > http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom > Main Web Site: http://pauldotcom.com > > > ********************************************************************** > ******** This email contains confidential and proprietary information > and is not to be used or disclosed to anyone other than the named > recipient of this email, and is to be used only for the intended > purpose of this communication. > ********************************************************************** > ******** > > ********************************************************************** > ******** This email contains confidential and proprietary information > and is not to be used or disclosed to anyone other than the named > recipient of this email, and is to be used only for the intended > purpose of this communication. > ********************************************************************** > ******** _______________________________________________ > Pauldotcom mailing list > [email protected] > http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom > Main Web Site: http://pauldotcom.com > -- Sent from my mobile device _______________________________________________ Pauldotcom mailing list [email protected] http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom Main Web Site: http://pauldotcom.com _______________________________________________ Pauldotcom mailing list [email protected] http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom Main Web Site: http://pauldotcom.com
