Click here to get back home

Deny install on c:\ drive
 HomeNewsGroups | Search | About
Login Password
Register Now! Lost Password?
 microsoft.public.windows.server.security    Post an article   get this group's latest topics as an RSS feed add this group's latest topics to your My MSN content add this group's latest topics to your My Yahoo content
Subject Author Date
Deny install on c:\ drive Sam 12-10-2005
Get Chitika Premium
Posted by Leandro Amore on December 12, 2005, 6:18 pm
Please log in for more thread options
 i use the software restriction policies with kiosks were i only allow the
necesary application by hash or path and dissalow al the rest. It a bit
difficult to maintain if you do many installations or if you use lot's of
apps.
But it works for me.

>> if you want to deny installation why don't you use Software Policies.??
>
> If only it were that simple . . . or, if it is would you clue us in ??
>
> Part of the issue is that there are many installers one would have to
> disallow with software policy, and there are installs that are only copy
> to disk (without installers, reg entries, component registrations, etc.)
>
> --
> Roger Abell
> Microsoft MVP (Windows Server : Security)
>
>>> As Dave referred to the users ability to save files will be a function
>>> of where they have the permission to write to folders which would be in
>>> their user profile, parts of the all users profile [shared folder], and
>>> also to subfolders of the root/drive folder that they create which can
>>> be changed if you look at the advanced permissions of the root/drive
>>> folder for users. By default regular users can not write to the program
>>> files folder or \windows folder structure with the exception of
>>> windows\temp folder where they have special permissions to write files
>>> and subfolders. Regular users will not be able to install most
>>> applications but not all though for XP Pro computers you can use
>>> Software Restriction Policies to really lockdown a computer with mostly
>>> path and hash rules as explained in the link below. --- Steve
>>>
>>> http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/rstrplcy.mspx
>>>
>>>> Is it possible to deny a group to save any data and install any
>>>> programs on c:\ (system drive) ?
>>>>
>>>> Thank you,
>>>> Sam
>>>>
>>>
>>>
>>
>>
>
>



Posted by Roger Abell [MVP] on December 13, 2005, 3:33 am
Please log in for more thread options
 Sure, and in that scenario, though tedious if standalone or apps
change often, software restriction is a good solution.

For the poster however, where we must assume these are
general use machines, just ones on which user installation of
software is to be prevented, I am not so sure software restriction
policies hold the answer. If those machines are tightly configured,
to be allowed use of a well defined set of apps, things are different
and although software restriction policies could not prevent all
installs, it could make what gets installed useless.


>i use the software restriction policies with kiosks were i only allow the
>necesary application by hash or path and dissalow al the rest. It a bit
>difficult to maintain if you do many installations or if you use lot's of
>apps.
> But it works for me.
>
>>> if you want to deny installation why don't you use Software Policies.??
>>
>> If only it were that simple . . . or, if it is would you clue us in ??
>>
>> Part of the issue is that there are many installers one would have to
>> disallow with software policy, and there are installs that are only copy
>> to disk (without installers, reg entries, component registrations, etc.)
>>
>> --
>> Roger Abell
>> Microsoft MVP (Windows Server : Security)
>>
>>>> As Dave referred to the users ability to save files will be a function
>>>> of where they have the permission to write to folders which would be in
>>>> their user profile, parts of the all users profile [shared folder], and
>>>> also to subfolders of the root/drive folder that they create which can
>>>> be changed if you look at the advanced permissions of the root/drive
>>>> folder for users. By default regular users can not write to the program
>>>> files folder or \windows folder structure with the exception of
>>>> windows\temp folder where they have special permissions to write files
>>>> and subfolders. Regular users will not be able to install most
>>>> applications but not all though for XP Pro computers you can use
>>>> Software Restriction Policies to really lockdown a computer with mostly
>>>> path and hash rules as explained in the link below. --- Steve
>>>>
>>>> http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/rstrplcy.mspx
>>>>
>>>>> Is it possible to deny a group to save any data and install any
>>>>> programs on c:\ (system drive) ?
>>>>>
>>>>> Thank you,
>>>>> Sam
>>>>>
>>>>
>>>>
>>>
>>>
>>
>>
>
>



Similar ThreadsPosted
c:\ drive permissions June 23, 2005, 5:10 pm
Shared drive VS Security September 19, 2005, 4:22 pm
hide administrative drive November 1, 2005, 11:00 pm
Can't run 16 bit app from network drive in W2003 SP1 January 30, 2006, 5:09 pm
Drive Access Restriction April 20, 2006, 12:33 am
Drive access to particular user December 3, 2006, 7:54 am
CDROM Drive access denied October 31, 2005, 10:40 am
Not able to view secondary hard drive January 11, 2006, 9:53 am
Secrity applications that run on USB flash drive April 29, 2006, 11:06 am
Mapping drive on XP to server - what authentication is used? January 10, 2008, 3:11 pm

Our other projects:

Art Dolls, Fairies and Mermaids - Sunnyfaces.net

Roy's Linux, Programming and Search Engines messages

1-Script XML SitemapXML Sitemap