Blocking specific software already installed

  • Blocking specific software already installed

    Hi there,

    Is there a way to restrict a user from launching a specific program like Firefox in Group Policy?

    Please advise. Thanks
    Mind is like a parachute, it only works when it's open!

  • #2
    Re: Blocking specific software already installed

    Yes, there is. In your GPO navigate to User Configuration|Administrative Templates|System and enable the policy setting "Don't run specified Windows applications" and add firefox to the list. You need to add it as the executable name, so if the executable is firefox.exe, then that's what you add.



    • #3
      Re: Blocking specific software already installed

      Originally posted by joeqwerty:
      Yes, there is. In your GPO navigate to User Configuration|Administrative Templates|System and enable the policy setting "Don't run specified Windows applications" and add firefox to the list. You need to add it as the executable name, so if the executable is firefox.exe, then that's what you add.
      Good find, I didn't know about that one. One teensy caveat from the GPO's explanation:
      This setting only prevents users from running programs that are started by the Windows Explorer process. It does not prevent users from running programs, such as Task Manager, that are started by the system process or by other processes. Also, if you permit users to gain access to the command prompt, Cmd.exe, this setting does not prevent them from starting programs in the command window that they are not permitted to start by using Windows Explorer. Note: To create a list of disallowed applications, click Show, click Add, and then enter the application executable name (e.g., Winword.exe, Poledit.exe, Powerpnt.exe).
      So you'll need to block CMD and Task Manager too. If you can't do that for whatever reason, maybe software restriction policies would work better? I just tried to find if SRPs block software even if it's launched via CMD or Task Manager but came up empty.
      Wesley David
      LinkedIn | Careers 2.0
      -------------------------------
      Microsoft Certifications: MCSE 2003 | MCSA:Messaging 2003 | MCITP:EA, SA, EST | MCTS: a'plenty | MCDST
      Vendor Neutral Certifications: CWNA
      Blog: www.TheNubbyAdmin.com || Twitter: @Nonapeptide || GTalk, Reader and Google+: [email protected] || Skype: Wesley.Nonapeptide
      Goofy kitten avatar photo from Troy Snow: flickr.com/photos/troysnow/



      • #4
        Re: Blocking specific software already installed

        I thought about SRP's also, but thought it might be too complicated for the task at hand, what with having to set the default Security Level, then setting up the Allow and Deny list, etc.

        SRP's will block software based on path, hash, internet zone, or certificate so it would catch the program no matter how it's invoked.



        • #5
          Re: Blocking specific software already installed

          Hi there,

          Here's what I did: I created a policy named restrictFirefox and then applied that specific policy to a testing OU. I then tried gpupdate /force on that desktop; still, the user is able to launch Firefox.

          I read some discussions regarding this topic before coming here to seek assistance. There they said that because Firefox is not a Windows application, there's no way we can block Firefox with Group Policy. The only way to block it is to add a complicated .adm file to the GPO, which I don't want to try. Do you think I've done it wrongly?

          Looking forward to your inputs. Thanks...


          • #6
            Re: Blocking specific software already installed

            That's not true, the GPO setting can block non-Windows programs. Did you move the user account to the testing OU? GPO's only apply to objects "in their path". If the user account is not in the testing OU, the GPO settings will not be applied. What other GPO's are applied to the user account? Are there any GPO's that are enforced that might be over-riding your test GPO? Are you using any security filtering on the GPO?



            • #7
              Re: Blocking specific software already installed

              Yes, the user is in the testing OU. The other GP I enforced on this OU is to restrict the user from adding and deleting printers. In addition, I did not use any security filtering on that OU either; it's just that the policy won't block the user from using Firefox.


              • #8
                Re: Blocking specific software already installed

                Well I've never tried to block Firefox but I have blocked other non-Windows programs with this setting. Here are a couple more suggestions:

                1. Run gpresult against the user and computer to see what GPO's and settings show as being applied.

                2. Confirm that you're blocking Firefox by the correct executable name.

                If you don't get anywhere with this you could always use a file restriction in your GPO to remove permissions to the main Firefox executable. This is a less preferable solution but it should work.

                Comment
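The two checks suggested in post #8, as an added example that is not part of any post in this thread: the "Don't run specified Windows applications" setting is stored in the user's registry hive under `Policies\Explorer\DisallowRun`, so the script reads that location and compares the listed names with the real file name. The install path is the one given in post #9 and is an assumption for any other machine.

```powershell
# Added example (not from the thread). Run in the affected user's own session:
# the policy is a User Configuration setting and lands in that user's HKCU hive.
param(
    # Assumed install path, taken from post #9; adjust for your environment.
    [string]$TargetPath = 'C:\Program Files\Mozilla Firefox\firefox.exe'
)

$policyKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$listKey   = Join-Path $policyKey 'DisallowRun'

function Get-DisallowRunState {
    # DisallowRun=1 switches the setting on; the subkey of the same name holds the list.
    $flag = (Get-ItemProperty -Path $policyKey -Name DisallowRun -ErrorAction SilentlyContinue).DisallowRun
    $entries = @()
    if (Test-Path $listKey) {
        $key = Get-Item -Path $listKey
        $entries = @($key.GetValueNames() | ForEach-Object { [string]$key.GetValue($_) })
    }
    [pscustomobject]@{ Enabled = ($flag -eq 1); Entries = $entries }
}

$exeName  = Split-Path -Leaf $TargetPath
$baseName = [IO.Path]::GetFileNameWithoutExtension($exeName)
$state    = Get-DisallowRunState
$match    = @($state.Entries | Where-Object { $_ -ieq $exeName }).Count -gt 0
# Entries that mention the program but are not the bare file name (full path, no .exe, stray space).
$near     = @($state.Entries | Where-Object {
    $_.IndexOf($baseName, [StringComparison]::OrdinalIgnoreCase) -ge 0 -and $_ -ine $exeName })

"Policy flag set    : $($state.Enabled)"
"Listed executables : $($state.Entries -join ', ')"
"Target file exists : $(Test-Path -LiteralPath $TargetPath)"
"Exact name listed  : $match"

if (-not $state.Enabled) {
    'Setting has not reached this user: check GPO link, OU membership and security filtering (gpresult /r).'
} elseif (-not $match) {
    "Setting applied, but '$exeName' is not listed exactly. Near matches: $($near -join ', ')"
} else {
    'Setting applied and the name matches; it covers launches from Windows Explorer only (see the caveat in post #3).'
}
```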


                • #9
                  Re: Blocking specific software already installed

                  Hi there,

                  I am sure that I typed in the correct executable name, but it just won't block Firefox.

                  Btw, I am new to Group Policy; could you guide me on using a file restriction in GPO to block Firefox, if the executable resides at c:\program files\mozilla firefox\firefox.exe?

                  With Thanks...


                  • #10
                    Re: Blocking specific software already installed

                    A software restriction policy would be your best bet IMO.
                    Create a Hash rule as per this: http://support.microsoft.com/kb/324036
                    Also remember that if Firefox is to be upgraded you'll need to recreate the Hash rule. Also check the Notes on the article.

                    Ta
                    Caesar's cipher - 3

                    ZKHQ BRX HYHQWXDOOB GHFLSKHU WKLV BRX ZLOO UHDOLVH LW ZDV D ZDVWH RI WLPH!

                    SFX JNRS FC U6 MNGR



                    • #11
                      Re: Blocking specific software already installed

                      Alternatively, a path rule might be good. Especially if users 1) do not have the permissions to move files out of the path location, and 2) aren't savvy enough to know to try moving the executable. Check out this big, crunchy TechNet article about the concept of software restriction policies.


                      • #12
                        Re: Blocking specific software already installed

                        Hi there, it now works! Thanks for the resource. Instead of creating a New Hash Rule..., I created a New Path Rule... to prevent the testing user from launching Firefox. Thank you very much...