At Browserling I just solved an interesting Windows sysadmin problem of how to allow Windows users to run just a few programs and nothing else. Since anyone can use Browserling for free, I had to find a way to restrict them from downloading and running viruses and trojans. So I took time to investigate and found a very elegant solution. No one had really documented this so this blog post will be very handy for people who can't figure it out themselves.

The solution is to configure the Software Restriction Policy (SRP) in the user's Group Policy Object (GPO) and disallow the user to run everything except the programs that are necessary to login and the programs you want the user to use.

The hardest part was figuring out all the programs that the user absolutely must be allowed to run for him/her to login the system:

  • C:\Windows\explorer.exe
  • C:\Windows\System32\csrss.exe
  • C:\Windows\System32\dwm.exe
  • C:\Windows\System32\rdclip.exe
  • C:\Windows\System32\taskhost.exe
  • C:\Windows\System32\TSTheme.exe
  • C:\Windows\System32\userinit.exe

If you don't have these in the SRP, then the user will never be able to login. So make sure they are in the SRP's "Additional Rules" and their security level is "Unrestricted."

After you add these, the user will be able to login but he wont be able to run anything! He'll just see desktop and that's it. If you want to allow the user to run, let's say, Paint, then add C:\Windows\System32\paint.exe the Unrestricted Access list.

Here is a precise list of steps to take to disallow running programs. Run them from Administrator account:

  1. Open up the Microsoft Management Console (Start -> Run -> mmc):
  2. Select File -> Add/Remove Snap-in.
  3. Select Group Policy Object.
  4. Click Add.
  5. Click Browse, select the user you want to configure the GPO for.
  6. Click Finish, and OK. Now you'll see the tree view with "<username> Policy."
  7. Navigate to User Configuration -> Windows Settings -> Security Settings -> Software Restriction Policies.
  8. Right click on Software Restriction Policies and click New Software Restriction Policies.
  9. Two new items will appear the tree. Click the Security Levels.
  10. Double click the Disallowed security level and click "Set as Default."
  11. Go to the other item, the Additional Rules.
  12. Delete the crap that Windows adds there by default (%HKEY_LOCAL_MACHINE... something).
  13. Add the rules that I documented in the beginning of the article. They are absolutely necessary for the user to login into the machine (either via desktop or remote desktop).
  14. Add full paths to programs that you want to allow the user to run (such as C:\windows\system32\paint.exe, ... etc.). Make sure the users can't overwrite the programs with their own, otherwise they might be able to execute their own programs.
  15. Save the GPO.
  16. Done.

I hope this was helpful and see you next time!