Restricting what programs a user can run on Windows via Group Policy Objects
At Browserling I just solved an interesting Windows sysadmin problem of how to allow Windows users to run just a few programs and nothing else. Since anyone can use Browserling for free, I had to find a way to restrict them from downloading and running viruses and trojans. So I took time to investigate and found a very elegant solution. No one had really documented this so this blog post will be very handy for people who can't figure it out themselves.
The solution is to configure a Software Restriction Policy (SRP) in the user's Group Policy Object (GPO): set the default security level to Disallowed, so the user can't run anything, and then add Unrestricted path rules for the programs that are necessary to log in and for the programs you want the user to use.
The hardest part was figuring out all the programs that the user absolutely must be allowed to run in order to log in to the system. This is the set I needed on my setup (rdclip.exe and TSTheme.exe are only started for Remote Desktop sessions, and other Windows versions may need a slightly different set):
- C:\Windows\explorer.exe
- C:\Windows\System32\csrss.exe
- C:\Windows\System32\dwm.exe
- C:\Windows\System32\rdclip.exe
- C:\Windows\System32\taskhost.exe
- C:\Windows\System32\TSTheme.exe
- C:\Windows\System32\userinit.exe
If these are not allowed by the SRP, then the user will never be able to log in. So make sure each of them is in the SRP's "Additional Rules" as a path rule with security level "Unrestricted." A path rule for a file matches that exact path only, so each binary needs its own rule.
After you add these, the user will be able to log in but won't be able to run anything else! They'll just see the desktop and that's it. If you want to allow the user to run, let's say, Paint, then add C:\Windows\System32\mspaint.exe (the binary is mspaint.exe, not paint.exe) as another Unrestricted path rule.
Here is a precise list of steps to take to disallow running programs. Run them from an Administrator account:
1. Open up the Microsoft Management Console (Start -> Run -> mmc).
2. Select File -> Add/Remove Snap-in.
3. Select Group Policy Object.
4. Click Add.
5. Click Browse, select the user you want to configure the GPO for.
6. Click Finish, and OK. Now you'll see the tree view with "<username> Policy."
7. Navigate to User Configuration -> Windows Settings -> Security Settings -> Software Restriction Policies.
8. Right click on Software Restriction Policies and click New Software Restriction Policies.
9. Two new items will appear in the tree. Click Security Levels.
10. Double click the Disallowed security level and click "Set as Default."
11. Go to the other item, the Additional Rules.
12. Delete the rules that Windows adds there by default (the registry path rules starting with %HKEY_LOCAL_MACHINE\...). They make the whole Windows and Program Files directories Unrestricted, which would defeat the Disallowed default.
13. Add the rules that I documented at the beginning of the article. They are absolutely necessary for the user to log in to the machine (either at the desktop or via Remote Desktop).
14. Add full paths to the programs that you wish to allow the user to run (such as C:\Windows\System32\mspaint.exe, etc.). Make sure the user can't overwrite these programs, or write to the directories they live in, otherwise they can replace an allowed program with their own. Note also that with the default Enforcement setting SRP checks executables but not DLLs, so a writable directory next to an allowed program would let the user drop a DLL that the program loads.
15. Save the GPO.
16. Done!
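The steps above are done by hand in mmc, and the two things that silently break the result are a default level that is not Disallowed and an Unrestricted path that the restricted user can write to. The following PowerShell script is an added example, not code from the original post: it reads the SRP settings back from the registry and flags those mistakes. It assumes the SRP key layout that Windows uses (DefaultLevel, TransparentEnabled and PolicyScope values under ...\Policies\Microsoft\Windows\Safer\CodeIdentifiers, with path rules stored as ItemData under a Paths subkey of each security-level key); the default key path, the level names, and the account name "public" are assumptions you adjust to your setup. The ACL check is a heuristic that looks for Allow entries granting write-type rights to that user or to broad groups; it does not evaluate full group membership or Deny ordering.

```powershell
<#
  Added example (not part of the original post): audit an SRP configured as
  "Disallowed default + Unrestricted path rules" and flag what defeats it.
  Assumptions: SRP stores User Configuration rules under HKCU and Computer
  Configuration rules under HKLM, both at
  ...\Policies\Microsoft\Windows\Safer\CodeIdentifiers. Run this as the
  restricted user to see the rules that actually apply to them. The user
  name below is hypothetical.
#>
param(
    [string]$PolicyRoot = 'HKCU:\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers',
    [string]$RestrictedUser = 'public'
)

# Security levels as SRP stores them (value of DefaultLevel and subkey names).
$levelNames = @{ 0 = 'Disallowed'; 131072 = 'Basic User'; 262144 = 'Unrestricted' }

# Heuristic: does $User (or a broad group) hold rights that let them replace
# a file, or create/delete entries in a directory?
function Test-WriteAccess {
    param([string]$Path, [string]$User)
    $broad = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')
    $writeBits = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
    foreach ($ace in (Get-Acl -LiteralPath $Path).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $who = $ace.IdentityReference.Value
        if ($who -like "*\$User" -or $broad -contains $who) {
            if (($ace.FileSystemRights -band $writeBits) -ne 0) { return $true }
        }
    }
    return $false
}

$ci = Get-ItemProperty -Path $PolicyRoot -ErrorAction Stop
$default = [int]$ci.DefaultLevel
Write-Host ("Default level : {0} ({1})" -f $levelNames[$default], $default)
Write-Host ("Enforcement   : {0}" -f $(if ($ci.TransparentEnabled -eq 2) { 'all software files, DLLs included' } else { 'executables only, DLLs not checked' }))
Write-Host ("Applies to    : {0}" -f $(if ($ci.PolicyScope -eq 1) { 'all users except local administrators' } else { 'all users' }))
if ($default -ne 0) { Write-Warning 'DefaultLevel is not Disallowed: the path rules act as a deny-list, not an allow-list.' }
if ($ci.TransparentEnabled -ne 2) { Write-Warning 'DLLs are not checked: a writable directory next to an allowed .exe lets the user load their own code.' }

# Walk every path rule; only Unrestricted rules get the writability checks.
$findings = foreach ($level in ($levelNames.Keys | Sort-Object)) {
    $pathsKey = "$PolicyRoot\$level\Paths"
    if (-not (Test-Path -LiteralPath $pathsKey)) { continue }
    foreach ($rule in Get-ChildItem -LiteralPath $pathsKey) {
        $item = [Environment]::ExpandEnvironmentVariables([string](Get-ItemProperty -LiteralPath $rule.PSPath).ItemData)
        $issue = ''
        if ($level -eq 262144) {
            if ($item -match '[*?]') {
                $issue = 'wildcard rule, review manually'
            } elseif (-not (Test-Path -LiteralPath $item)) {
                $issue = 'path does not exist'
            } elseif (Test-Path -LiteralPath $item -PathType Container) {
                $issue = 'directory rule: everything under it is allowed'
            } else {
                $parent = [System.IO.Path]::GetDirectoryName($item)
                if ((Test-WriteAccess $item $RestrictedUser) -or (Test-WriteAccess $parent $RestrictedUser)) {
                    $issue = 'user may replace this file (writable file or parent directory)'
                }
            }
        }
        [pscustomobject]@{ Level = $levelNames[$level]; Path = $item; Issue = $issue }
    }
}
$findings | Format-Table -AutoSize
```

Run it after saving the GPO and logging in as the restricted user; every Unrestricted row should come back with an empty Issue column, and the header should read Disallowed for the default level. An Unrestricted directory rule or a writable parent directory is exactly the hole the commenters below describe (copying or renaming an executable into an allowed path).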
Thanks to lewellyn for helping out with all this!
P.S. As I like to joke, the new title of this blog will soon be "Peteris Krumins's blog on Windows Administration", as I have spent so much time during the past month messing with Windows. ;)
Comments
Weird that there isn't a default rule for this thing, handy to have a list somewhere to look at!
You sneaky cat.
Hello, in some dark past I was a Windows 2000/2003 administrator. I remember playing with these security restrictions... and breaking them.
At that time you had several options on how to 'restrict' usage of programs with that GPO setting. The 'path rule' (which is easily cracked by copying exes to an allowed path), the 'internet rule' (which didn't work), the 'hash rule' (doable) or the 'certificate rule' (which required playing with 'authenticode' command line tools, and was pretty cumbersome to maintain).
Which rule did you use? Or does it work differently now (I have not seen the GPO interface in years)?
I am using the 'path rule' but it's not crackable in my case. Public users on my system are not allowed to overwrite the installed software.
Hi there,
This does very little for you, e.g. an attacker can still download a copy of command prompt, rename it "iexplore.exe", and find a way to run it.
Windows offers a more robust facility, which is whitelisting executables by MD5sum, but setting that up is a painstaking process.
Not really, I have full paths to executables, such as 'C:\Program Files\Internet Explorer\iexplore.exe', and the public users are not allowed to overwrite these programs.
You need http://www.solidcore.com/
I don't understand why he would need solidcore? What is that commercial enterprise bs?
Three quick notes:
1. rdclip.exe and TSTheme.exe are probably only required since you're using Terminal Services. Admins running domains which do not make use of TS may be able to leave these two disabled.
2. An alternative to using GPOs is Trust-No-Exe.
3. See also Protecting Windows RemoteApp Servers
Actually, there's a far more thorough yet evil solution, but since your scenario is so specific, I think it will be more secure:
http://support.microsoft.com/kb/197571
http://blogs.msdn.com/b/oldnewthing/archive/2007/12/13/6648400.aspx
Yes, you can write a DLL that gets loaded into *every process on startup*. Normally this "feature" of Windows is disabled and insane, but you could use it to TerminateProcess anything that isn't in the whitelist of allowed processes.
Great post! Not much of a Windows Sys Admin but when I do I'll be sure to add this to my toolbox!
I screwed up my only admin account on Win 7 after adding and removing the snap-in, when I restarted my laptop. I can't access any other program now. How can I recover? Please help.
I've faced this problem too.
I think there was a post from Mark Russinovich about some defects of GPO.
Does this still work? http://blogs.technet.com/b/markrussinovich/archive/2005/12/12/circumventing-group-policy-as-a-limited-user.aspx
Great. Really great.
I made it like this:
1. Default: Unrestricted.
2. In the Additional Rules I add the path for a specific .exe program and set it to Disallowed.
Note: I use 2008 R2, not joined to a domain, and it works :)
yaaaaaaaaaaaaaaaay
Hello. I have Windows 7 running. Anyone know how I can configure the GPO so that only certain files show up on the "All Programs" list, meaning only the programs that I allow the users to use show up on the All Programs list on the Start menu?