Access Denied: Restricting the Programs Users Can Run

We want to lock down some publicly accessible workstations. Our main objective is to totally control which programs users can run. Is Application Security (Appsec) sufficient for this need?

Appsec is a Microsoft Windows 2000 Server Resource Kit tool that's also available free from Microsoft at Appsec lets you specify executables that you permit nonadministrators to run. If a user tries to run an unspecified program, Appsec prevents it. However, users can circumvent Appsec by copying the desired executable to a folder to which they have change access and renaming the file to the name of a program they're allowed to run. Furthermore, Appsec doesn't control DLLs or scripts.

The best way I know of to control software use is through Windows Server 2003's and Windows XP's software-restriction policies, which you'll find in any Group Policy Object's (GPO's) Computer Configuration\Windows Settings\Security Settings\Software Restriction Policies folder. In addition to controlling executables, software-restriction policies can control execution of scripts, DLLs, and Microsoft Word macros. The policies also give you more ways to specify allowed or prohibited software than just the filename. For example, you can create hash rules for each allowed software file, and Windows will let the user execute only programs that match the hash. This capability nicely addresses the problem of renamed executables and prevents Windows from executing programs that some type of malicious software (malware) has altered. For detailed information about using software-restriction policies, see

One Appsec feature might help you with your initial setup of software restriction policies. You can easily make software-restriction policies too strict and inadvertently prevent users from running legitimate programs. Appsec's tracking feature can help you ensure that users can run all the software they need. The tracking feature tracks each program that runs as you perform a series of actions. You can use the tracking feature as you perform a legitimate user task (e.g., sending an email message from Microsoft Outlook), then use Appsec to see exactly which executables were used. For example, if you send email through Outlook, you'll probably see that in addition to Outlook, you used Word, which is the editor that Outlook uses by default. You can then ensure that you allow access to all programs that the user needs to perform the action.

As I mentioned earlier, however, Appsec won't show you each DLL or script used. If you need broader tracking capabilities, you can use Windows file auditing. Enable file auditing for Read and Execute on your entire drive immediately before you perform the task you want to audit, then turn off auditing. Your event log will show every file that was opened for Read or Execute access.

Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.