Group policy loophole

[redwhip]

Hi,

I recently discovered a fantastic GPO setting called run only allowed windows applications.
It allows you to create a list of apps which you know are OK for users to run.

However a very honest user pointed out to me that there doesn't seem to be any way of stopping a user from renaming a disallowed exe file to something that they know is on the allowed list and running/ installing the program.


I want to stop people from getting into the WINNT directory on a Terminal Server and copying admin tools such as mmc.exe.

I've looked at one of the reskit tools appsec.exe but it won't let you filter by groups .

Any ideas

Regards

Skink

 

[Jq4Yahweh]

You can use the GP to prevent users from accessing the local drives, then use the same GP to prevent a Right Click. You won't find the option to disable right click. However once you go through the user settings and restrict drag and drop, remove properties from my computer and my documents etc. you will find that the right click option is no longer availble.

 

[redwhip]

Thanks but I don't think that is going to stop users from being able to rename programs that they shouldn't be able to run as you can change the name by double clicking slowly on the icon.

 

[bazzert]

You need to set read/execute only for these files for domain users and allow admins full rights.

 

[Binkie]

Would you consider using a third party tool to help assist in locking down unauthorized application use? If in the event the application is renamed SysLock can detect this, and still stop execution of the application.

Please contact me if I can provide you with any addition information about SysLock.

Good luck!
Carrie3010@yahoo.com