That's just something that's inherent to Windows.  Users who aren't members of 
the local administrators group aren't allowed to write to those directories.

-----Original Message-----
From: [email protected] 
[mailto:[email protected]] On Behalf Of Sherwyn
Sent: Sunday, April 04, 2010 8:19 PM
To: Bugbear; PaulDotCom Security Weekly Mailing List
Subject: Re: [Pauldotcom] Blocking Unwanted programing from installing

The users are non-admin users. The odd thing is that if one of those users logs 
into a Windows 7 box they are blocked from installing applications, but are 
allowed to on a Windows XP machine.

I can look into using GPO to block Windows Installer, but in terms of stopping 
them from writing to key folders, are you referring to NTFS permissions or is 
this done via GPO?

Thanks.


Infolookup
www.infolookup.blogspot.com
www.twitter.com/infolookup


-----Original Message-----
From: Bugbear <[email protected]>
Date: Sun, 4 Apr 2010 17:24:36
To: PaulDotCom Security Weekly Mailing List<[email protected]>; 
[email protected]<[email protected]>
Subject: Re: [Pauldotcom] Blocking Unwanted programing from installing

Agree 100%

On 4/4/10, Butturini, Russell <[email protected]> wrote:
> In 2003 environments you can set group policy to disable the windows
> installer on workstations.  However this won't knock out third party
> installation packagers.  The best thing to do is strip local admin rights
> from the users and prevent them from writing files to key directories
> (program files, system32, etc.)
>
> ----- Original Message -----
> From: Sherwyn <[email protected]>
> To: Butturini, Russell; '[email protected]'
> <[email protected]>
> Sent: Sun Apr 04 12:15:19 2010
> Subject: Re: [Pauldotcom] Blocking Unwanted programing from installing
>
> They are running 2003.
>
> Thanks.
> Infolookup
> www.infolookup.blogspot.com
> www.twitter.com/infolookup
>
>
> -----Original Message-----
> From: "Butturini, Russell" <[email protected]>
> Date: Sun, 4 Apr 2010 10:57:15
> To: '[email protected]'<[email protected]>;
> '[email protected]'<[email protected]>
> Subject: Re: [Pauldotcom] Blocking Unwanted programing from installing
>
> What version of SBS are you dealing with? 2003 or 2008? You have some more
> capabilities in 2008 than 2003 for this sort of thing.
>
> ----- Original Message -----
> From: [email protected]
> <[email protected]>
> To: PaulDotCom Security Weekly Mailing List <[email protected]>
> Sent: Sat Apr 03 20:34:27 2010
> Subject: [Pauldotcom] Blocking Unwanted programing from installing
>
> Hello PDC Gurus,
>
> I am tasked with locking down a Microsoft SBS environment. The goal is to
> allow all currently installed applications to be able to run but stop the
> installation of any new applications (limewire, AOL messenger etc).
>
> I am aware that I can use a Run only list or software restriction "path
> rule", but both of these can be very time consuming if the users have
> lots of applications installed.
>
> Is there any way to just allow all currently installed apps run access but
> block installation of new apps for a set of users?
>
> Thank you in advance.
>
> Infolookup
> www.infolookup.blogspot.com
> www.twitter.com/infolookup
>
> _______________________________________________
> Pauldotcom mailing list
> [email protected]
> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> Main Web Site: http://pauldotcom.com
>
>
> ******************************************************************************
> This email contains confidential and proprietary information and is not to
> be used or disclosed to anyone other than the named recipient of this email,
> and is to be used only for the intended purpose of this communication.
> ******************************************************************************
>
>

--
Sent from my mobile device
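Added example, not part of the thread: a PowerShell audit of the two controls recommended above, local admin membership and write access to Program Files and System32. It assumes Windows PowerShell 5.1 or later (for Get-LocalGroupMember); the list of well-known SIDs and the write-access mask are choices made for this example.

```powershell
# Added example (not from the thread): audit the two controls discussed above.
# Assumes Windows PowerShell 5.1+ (Get-LocalGroupMember); run on each workstation.

# 1. Who holds local admin rights? S-1-5-32-544 is BUILTIN\Administrators.
Get-LocalGroupMember -SID 'S-1-5-32-544' |
    Select-Object Name, ObjectClass, PrincipalSource

# 2. Can broad, non-admin groups write to key directories?
$keyDirs = @($env:ProgramFiles, (Join-Path $env:SystemRoot 'System32'))

# Well-known SIDs of groups that ordinary users belong to.
$broadSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-4'      = 'INTERACTIVE'
    'S-1-5-32-545' = 'BUILTIN\Users'
    'S-1-5-32-547' = 'BUILTIN\Power Users'
}

# Access bits that allow creating, changing or deleting files, or re-ACLing:
# WriteData, AppendData, DeleteSubdirectoriesAndFiles, Delete,
# ChangePermissions, TakeOwnership, GENERIC_ALL, GENERIC_WRITE.
$writeMask = 0x2 -bor 0x4 -bor 0x40 -bor 0x10000 -bor 0x40000 -bor 0x80000 -bor
             0x10000000 -bor 0x40000000

$sidType = [System.Security.Principal.SecurityIdentifier]
$findings = foreach ($dir in $keyDirs) {
    # Explicit and inherited ACEs, with identities returned as SIDs.
    $rules = (Get-Acl -LiteralPath $dir).GetAccessRules($true, $true, $sidType)
    foreach ($rule in $rules) {
        $sid = $rule.IdentityReference.Value
        if ($rule.AccessControlType -eq 'Allow' -and
            $broadSids.ContainsKey($sid) -and
            ([int]$rule.FileSystemRights -band $writeMask)) {
            [pscustomobject]@{
                Directory = $dir
                Group     = $broadSids[$sid]
                Rights    = $rule.FileSystemRights
                Inherited = $rule.IsInherited
            }
        }
    }
}

if ($findings) { $findings | Format-Table -AutoSize }
else { 'No write access for broad groups on the checked directories.' }
```

Any row in the output is an NTFS permission that lets non-admin users place files in that directory and should be reviewed against the default ACL.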