How to block portable apps with AD policy?


  • How to block portable apps with AD policy?

    Hi Everyone.

    I was wondering, how can I make a policy in a way that it blocks a portable application, let's say, Ares or any P2P program or any program that is not allowed in my organization. I know it can be done through hashes or paths, as a matter of fact I have done it with locally installed apps in machines of the domain, but you cannot control so many versions or paths when it comes to portable applications.

    My question is, can it be done, in that scenario?

    Thanks in advance!
    Last edited by jmena; 13th October 2008, 17:10.

  • #2
    Re: How to block portable apps with AD policy?

    Not sure it is possible through Group Policy.


    • #3
      Re: How to block portable apps with AD policy?

      Have you considered creating an explicit deny in Active Directory of all applications except those that you approve? I think it could be done through hashes, but that would quickly become a management nightmare. If P2P is your main concern, you might have a better time managing this problem via firewall rules at the gateway or on each individual node's built-in firewall.
      Wesley David

      • #4
        Re: How to block portable apps with AD policy?

        The next version of Forefront will have functionality similar to what Protection Manager by SysInternals had.

        That way, you can whitelist what can be used and block everything else.
        For now, since your problem seems to be mostly p2p, manage it at the firewall level.

        • #5
          Re: How to block portable apps with AD policy?

          Thanks for your answers!

          Well, the problem is not mainly P2P programs, it's about all the applications that may be not allowed in my organization, for example, as an internal (enterprise) policy only Microsoft Outlook, Express, 2003 or 2007, are allowed, and not others such as IncrediMail. And, I would like those applications to never have even the chance of running, because if they run, let's say Ares, my perimeter firewall will block and drop any traffic of the application to the outside, but nevertheless the application will continue sending traffic and trying to connect, and I don't want that useless traffic in my network.

          But, your comments have given me an idea: I could make, via AD policy, some predefined rules in the firewall section of the computers, so that it denies, locally on the computers, those specific applications. Don't know how effective this could be, I will try and will let you know my results.

          If anyone has other ideas, please post.

          Thanks.


          • #6
            Re: How to block portable apps with AD policy?

            First of all if the users are simple users they aren't allowed to install any software.
            Second, you can use software restriction where you deny all software excluding the ones you specify.

            It will give you a lot of work and I would suggest that you set this up in a Test environment before deploying this in production.
            Marcel
            Technical Consultant
            Netherlands
            http://www.phetios.com
            http://blog.nessus.nl


            • #7
              Re: How to block portable apps with AD policy?

              Originally posted by Dumber
              First of all if the users are simple users they aren't allowed to install any software.
              Second, you can use software restriction where you deny all software excluding the ones you specify.

              It will give you a lot of work and I would suggest that you set this up in a Test environment before deploying this in production.
              I know, that's my AD scenario, only admins are allowed to install, but portable applications will run even if they are not installed, that's the problem. The deny-allow policy seems fine and I will try that option too (The problem with that is that the software allowed is ever changing...will see)

              Thanks, I will try your suggestion too.

              Comment
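
Added example, not part of any post above: a simplified Python model of the "deny all software excluding the ones you specify" approach discussed in #6 and #7, showing why a default-deny policy with path rules stops portable applications whatever their version or hash. It models path rules only (no hash or certificate rules), and all rule paths, user names and launch paths are constructed for illustration.

```python
import ntpath

# Simplified model of a default-deny software restriction policy built from
# path rules only. Rule paths and sample launches below are constructed.
DEFAULT_LEVEL = "Disallowed"
PATH_RULES = [
    (r"C:\Windows", "Unrestricted"),
    (r"C:\Program Files", "Unrestricted"),
    (r"C:\Windows\Temp", "Disallowed"),  # writable folder inside an allowed tree
]

def _norm(path):
    # Windows paths are case-insensitive; also collapse ".." segments.
    return ntpath.normcase(ntpath.normpath(path))

def _covers(rule_path, exe_path):
    rule, exe = _norm(rule_path), _norm(exe_path)
    # Require a separator so "C:\Program Files" does not match "C:\Program Files2".
    return exe == rule or exe.startswith(rule.rstrip("\\") + "\\")

def evaluate(exe_path, rules=PATH_RULES, default=DEFAULT_LEVEL):
    """Return (level, matching_rule); the most specific (longest) path rule wins."""
    matches = [(r, lvl) for r, lvl in rules if _covers(r, exe_path)]
    if not matches:
        return default, None  # anything not explicitly allowed is denied
    rule, level = max(matches, key=lambda m: len(_norm(m[0])))
    return level, rule

def audit(launches):
    """Split a list of executable paths into allowed and blocked."""
    report = {"allowed": [], "blocked": []}
    for path in launches:
        level, _ = evaluate(path)
        report["allowed" if level == "Unrestricted" else "blocked"].append(path)
    return report

SAMPLE_LAUNCHES = [  # constructed sample data
    r"C:\Program Files\Microsoft Office\OFFICE12\OUTLOOK.EXE",
    r"C:\Documents and Settings\jdoe\Desktop\AresPortable\Ares.exe",
    r"E:\PortableApps\IncrediMail\IncrediMail.exe",
    r"C:\WINDOWS\Temp\setup.exe",
    r"C:\Program Files\..\Users\jdoe\tool.exe",
]

if __name__ == "__main__":
    for p in SAMPLE_LAUNCHES:
        print(evaluate(p)[0].ljust(13), p)
```

The allow rules only help if standard users cannot write to the allowed folders, which is why the writable temp folder gets its own deny rule in this model.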


              • #8
                Re: How to block portable apps with AD policy?

                Certainly at our company, we have a very strict IT usage policy in place - some offences get you fired, some get you a warning and then fired if it happens again. In addition, machines do not have CD-ROM drives, USB storage is disabled, the email server and proxy servers do not accept executables for non-admins, and with the exception of certain specified users we automatically remove executables from user home directories on a regular basis. In a sense we're fortunate that our users aren't overly clued up with computers.

                While a technical solution offers better control, it's never going to be perfect and I would strongly recommend that you have a company policy to back it up.
                Gareth Howells
