Blocking Unwanted programing from installing

[j2mccluggage at adelphia.net (Jody & Jennifer McCluggage)]

I also agree 100% that it is best to run users as standard users.  It will
probably prevent them from installing about 90% of the programs out there.
Just keep in mind that this will not prevent the user from installing
programs that installs itself in file directories and registry sections that
the user has write access to (home directory, etc).

As an aside, some virus writers are getting smarter about bypassing standard
user restrictions . I recently had a user that got infected by one of those
nasty fake antivirus viruses.  The user was running as a standard user on a
Vista machine (and no this user was not running as a faux standard user with
the option of elevating at a click of a button.  This was a true standard
user account where the user could not elevate themselves).  The virus
installed itself in the users directory and had access to everything on the
local machine that the user had access to.  That being said, since the user
was not running as a local admin, it limited the damage the virus could make
to the local system and made it a lot easier to isolate and remove the virus
so I still  whole heartily recommend running users under a standard user
account.

If  down the road you upgrade to SBS 2008/Windows 7, you may want to give
App Locker a look.


-----Original Message-----
From: pauldotcom-bounces at mail.pauldotcom.com
[mailto:pauldotcom-bounces at mail.pauldotcom.com] On Behalf Of Bugbear
Sent: Sunday, April 04, 2010 5:25 PM
To: PaulDotCom Security Weekly Mailing List; infolookup at gmail.com
Subject: Re: [Pauldotcom] Blocking Unwanted programing from installing

Agree 100%

On 4/4/10, Butturini, Russell <Russell.Butturini at healthways.com> wrote:
> In 2003 environments you can set group policy to disable the windows 
> installer on workstations.  However this won't knock out third party 
> installation packagers.  The best thing to do is strip local admin 
> rights from the users and prevent them from writing files to key 
> directories (program files, system32, etc.)
>
> ----- Original Message -----
> From: Sherwyn <infolookup at gmail.com>
> To: Butturini, Russell; 'pauldotcom at mail.pauldotcom.com'
> <pauldotcom at mail.pauldotcom.com>
> Sent: Sun Apr 04 12:15:19 2010
> Subject: Re: [Pauldotcom] Blocking Unwanted programing from installing
>
> The are running 2003.
>
> Thanks.
> Infolookup
> www.infolookup.blogspot.com
> www.twitter.com/infolookup
>
>
> -----Original Message-----
> From: "Butturini, Russell" <Russell.Butturini at Healthways.com>
> Date: Sun, 4 Apr 2010 10:57:15
> To: 'infolookup at gmail.com'<infolookup at gmail.com>;
> 'pauldotcom at mail.pauldotcom.com'<pauldotcom at mail.pauldotcom.com>
> Subject: Re: [Pauldotcom] Blocking Unwanted programing from installing
>
> What version of SBS are you dealing with? 2003 or 2008? You have some 
> more capabilities in 2008 than 2003 for this sort of thing,
>
> ----- Original Message -----
> From: pauldotcom-bounces at mail.pauldotcom.com
> <pauldotcom-bounces at mail.pauldotcom.com>
> To: PaulDotCom Security Weekly Mailing List 
> <pauldotcom at mail.pauldotcom.com>
> Sent: Sat Apr 03 20:34:27 2010
> Subject: [Pauldotcom] Blocking Unwanted programing from installing
>
> Hello PDC Guru's,
>
> I am task with locking down a Microsoft SBS environment. The goal is 
> to allow all currently installed application to be able to run but 
> stop the installation of any new application (limewire, AOL messenger
etc).
> I am aware that I can use a Run only list or software restriction 
> "path rule", but since both of these can be very time consuming if the 
> users has lots of application installed.
>
> Is there anyway to just allow all currently installed aops run access 
> but block installation of new apps for a set of users?
>
> Thank you in advance.
>
> Infolookup
> www.infolookup.blogspot.com
> www.twitter.com/infolookup
>
> _______________________________________________
> Pauldotcom mailing list
> Pauldotcom at mail.pauldotcom.com
> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> Main Web Site: http://pauldotcom.com
>
>
> **********************************************************************
> ******** This email contains confidential and proprietary information 
> and is not to be used or disclosed to anyone other than the named 
> recipient of this email, and is to be used only for the intended 
> purpose of this communication.
> **********************************************************************
> ********
>
> **********************************************************************
> ******** This email contains confidential and proprietary information 
> and is not to be used or disclosed to anyone other than the named 
> recipient of this email, and is to be used only for the intended 
> purpose of this communication.
> **********************************************************************
> ******** _______________________________________________
> Pauldotcom mailing list
> Pauldotcom at mail.pauldotcom.com
> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> Main Web Site: http://pauldotcom.com

--
Sent from my mobile device
_______________________________________________
Pauldotcom mailing list
Pauldotcom at mail.pauldotcom.com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com