#1
Domain Users are able to install applications.
I have a network where the newly deployed Workstations were tested such that Domain Users were unable to install anything. However it has recently happened that one of the so said users installed GE (Google Earth). I found this to be very concerning as this should not have been possible. Approximately 6+ months ago, I personally tested the ability to install GE as a user and it was not possible. They also seemed to be able to install "MySpaceIM".

My initial thought was how was the user able to enter the keys under "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall". I think this may be launching the application under "SYSTEM" credentials. All other local accounts are disabled and users are not members of anything other than local users group.

What else are people able to run under the "SYSTEM" account? How can I prevent the users from installing?
#2
Actually, there is no specific code within Windows that determines "Limited users cannot install software". A Limited User is only able to write to the HKCU registry section, and to disk folders within his/her own profile, plus a few in All Users. This has the effect that most setup programs won't work, as they need to write to "Program Files" and to the HKLM registry. However, it is perfectly possible to write an installer that works within these limitations.

One possible fix is to bar the execution of programs from within the user's profile. This has the added benefit of preventing downloaded programs being run. BeyondLogic's TrustNoExe does this and is very effective, though not suitable for every situation. Worth a look anyway.

If the user has access to network shares, then of course they may also be able to save downloaded programs there, and run them.

"Wobzo" wrote:
> I have a network where the newly deployed Workstations were tested such that Domain Users were unable to install anything. However it has recently happened that one of the so said users installed GE (Google Earth). I found this to be very concerning as this should not have been possible. Approximately 6+ months ago, I personally tested the ability to install GE as a user and it was not possible. They also seemed to be able to install "MySpaceIM". My initial thought was how was the user able to enter the keys under "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall". I think this may be launching the application under "SYSTEM" credentials. All other local accounts are disabled and users are not members of anything other than local users group. What else are people able to run under the "SYSTEM" account? How can I prevent the users from installing?
#3
Oh, and an additional point, have you checked what groups the users are members-of on the domain-controller's console? If they are members of Domain Admins, for example, then you have a security-hole you could drive a truck through. This may not be apparent if you're looking at the local groups.
#4
Wobzo wrote:
> I have a network where the newly deployed Workstations were tested such that Domain Users were unable to install anything. However it has recently happened that one of the so said users installed GE (Google Earth). I found this to be very concerning as this should not have been possible. Approximately 6+ months ago, I personally tested the ability to install GE as a user and it was not possible. They also seemed to be able to install "MySpaceIM". My initial thought was how was the user able to enter the keys under "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall". I think this may be launching the application under "SYSTEM" credentials. All other local accounts are disabled and users are not members of anything other than local users group. What else are people able to run under the "SYSTEM" account? How can I prevent the users from installing?

To add to the other reply - You can't prevent limited users from installing software entirely, merely based on their local group membership. As you've just seen, a lot of apps don't require special permissions to install... they don't write to the restricted areas of the registry & file system.

You should look into group policy options to lock down your desktops if this is a real concern at your company - software restriction can work well although it can also be dangerous (play with this in a lab before deploying). Try posting in microsoft.public.windows.group_policy for more help.
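
One way to check where an application actually registered itself, following the replies' point that an installer can work entirely within HKCU and the user's profile. This is an added example, not part of the original thread; it assumes Windows PowerShell run as an administrator on the affected workstation, and it only sees users whose registry hives are currently loaded (logged-on users).

```powershell
# Added example: list Uninstall entries per scope and flag the ones that
# did not need HKLM or "Program Files" (per-user installs).
$uninstall = 'Microsoft\Windows\CurrentVersion\Uninstall'

# Machine-wide keys, writable only by administrators by default.
# The WOW6432Node key exists only on 64-bit Windows (32-bit applications).
$machineRoots = @(
    [pscustomobject]@{ Scope = 'Machine'; Path = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\$uninstall" }
    [pscustomobject]@{ Scope = 'Machine'; Path = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\$uninstall" }
)

# One key per loaded user hive; S-1-5-21-* SIDs are local or domain accounts.
# The pattern also skips the companion "<SID>_Classes" hives.
$userRoots = Get-ChildItem 'Registry::HKEY_USERS' |
    Where-Object { $_.PSChildName -match '^S-1-5-21-[\d-]+$' } |
    ForEach-Object {
        [pscustomobject]@{
            Scope = "User $($_.PSChildName)"
            Path  = "Registry::HKEY_USERS\$($_.PSChildName)\SOFTWARE\$uninstall"
        }
    }

# Folder that holds the user profiles (C:\Users, C:\Documents and Settings, ...).
$profileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
$profileRoot = [string](Get-ItemProperty $profileList).ProfilesDirectory

$report = foreach ($root in @($machineRoots) + @($userRoots)) {
    if (-not (Test-Path $root.Path)) { continue }
    Get-ChildItem $root.Path | ForEach-Object {
        $p = Get-ItemProperty -LiteralPath $_.PSPath
        if (-not $p.DisplayName) { return }      # skip entries with no display name
        $loc = [string]$p.InstallLocation
        $inProfile = $profileRoot -and $loc -and
            $loc.StartsWith($profileRoot, [StringComparison]::OrdinalIgnoreCase)
        [pscustomobject]@{
            Scope           = $root.Scope
            DisplayName     = $p.DisplayName
            InstallLocation = $loc
            # True when registered in a user hive or installed inside a profile.
            PerUser         = ($root.Scope -ne 'Machine') -or [bool]$inProfile
        }
    }
}

$report | Sort-Object PerUser, Scope, DisplayName |
    Format-Table Scope, DisplayName, InstallLocation, PerUser -AutoSize
```

Entries with PerUser set to True were installed without administrative rights; an unexpected entry under the Machine scope with a "Program Files" location is the case that points to excess privileges, such as the domain group membership raised in the thread.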