Skip navigation

Group Policy and Corporate Policy

Recently on a popular mailing list devoted to security on Microsoft platforms, a member explained that he had configured Group Policy to prevent people from installing unapproved software on their systems. He wrote that he wasn't content with Group Policy Objects (GPOs), because they only block the installation of software packaged in Windows Installer (.msi) files, which means that executables could still run and install programs.

In response, another list member suggested that administrators could adjust ACLs on areas of the registry (such as the HKEY_LOCAL_MACHINE\SOFTWARE subkey or HKEY_CURRENT_USER\Software subkey) and on directories (such as the Program Files directory) to restrict regular user accounts from having write access, which would prevent the installation of software. These actions could work but might break some applications that need to write to those areas of the registry and file system.

Another list member suggested that administrators could configure restrictions that prevent programs such as setup.exe and install.exe from running. This might work too, but some users will realize they can simply rename typical installation programs and the programs will run just fine.

Obviously, a combination of tactics is required. Completely restricting people from installing software on their systems, whether you use controls built into the OS or add-on controls from third parties, is challenging. The further you programmatically restrict activity on a system, the greater chance you have of breaking some application that users need.

As I read the message thread, it became clearer how much administrators struggle to outmaneuver the people who use the computers on their networks. It seems to me that there is an additional, less stressful way to address this particular problem. Companies can establish written guidelines that explain exactly what employees are allowed and not allowed to do with company computers and make employees liable for any misuse of company computers to deter employees from acting outside the guidelines.

If someone installs software on a computer without permission, somewhere along the line, an administrator will probably have to uninstall that software or rebuild the system to ensure some desired level of system integrity. This work costs the company money and is basically a waste of company time. So why not consider a corporate policy that lets you charge the negligent employee for the time and labor needed to restore a system to its original configuration? Of course, you could also add even stronger deterrents to your policies if your situation warrants them.

TAGS: Security
Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.