
EmCatimbang-8232 asked

Creating Group Policy to prevent users from running programs installed outside the normal installation folder like C:\Program

How should I begin?

I have tried with a GPO with the following Computer and User Configuration settings:
Application Whitelist > Policies > Windows Settings > Security Settings > Software Restriction Policies > Additional Rules

Set C:\TEST with Disallowed Security Level

This is to test if a program installed in C:\TEST drive will be blocked.
I get this from gpresult /r:

COMPUTER SETTINGS


The following GPOs were not applied because they were filtered out
-------------------------------------------------------------------
Application Whitelist
Filtering: Denied (Security)

USER SETTINGS


Applied Group Policy Objects
-----------------------------
Default Domain Policy
MapDrives
AllPrinters
Office Macros
Application Whitelist

But I can still run a program installed in C:\TEST.

What am I missing?
Looking for a solution to block a program installed on other drives or locations.

Thank you

Tags: windows-active-directory, windows-group-policy

1 Answer

LimitlessTechnology-2700 answered

Hi EmCatimbang-8232,

If you want to block programs from running on your system/network, you can easily create a Group Policy Object (GPO) to make that happen.

This is the traditional way of blocking software and it has limited performance as we explain below:

1) Launch REGEDIT
2) Expand USER CONFIGURATION > POLICIES > ADMINISTRATIVE TEMPLATES > SYSTEM
3) Double click on DON'T RUN SPECIFIED WINDOWS APPLICATIONS
4) Click ENABLE
5) Click the SHOW button
6) Type in the file name you want to block

This method should allow you to achieve what you're looking for. However, the problems with this method are:

This method only works per user and not per machine.
You can only use filenames, no paths, hashes or certificates. Think about what that means for UPDATE.EXE which you likely have 20 of for 20 different programs on your computer… not good.
This policy setting only prevents users from running programs that are started by the File Explorer process. It does not prevent users from running programs, such as Task Manager, which are started by the system process or by other processes. Also, if users have access to the command prompt (Cmd.exe), this policy setting does not prevent them from starting programs in the command window even though they would be prevented from doing so using File Explorer.
--If the reply is helpful, please Upvote and Accept as answer--


Hi @LimitlessTechnology-2700 ,

Thank you for the response, yes I reckon that is how we usually do it.
My question is, what if a user has already installed a program outside the usual install location (C:\Program Files, C:\Program Files (x86), C:\Windows ...)?
For example, if a user created a personal folder in C:\ where he installed the program. Is there any way I can disallow programs outside the usual install location?
Or can I only block programs by specific paths and filenames (.exe)?

Appreciate your help.

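The gpresult output in the question shows the computer-side "Application Whitelist" GPO as "Filtering: Denied (Security)", so the first thing to check on the client is which Software Restriction Policies (SRP) rules actually landed in the policy registry keys. The PowerShell below is an added example, not code from the question or the answer: it enumerates the SRP path rules under the well-known CodeIdentifiers keys (computer configuration in HKLM, user configuration in HKCU), reports the configured default security level, and evaluates a candidate file path such as the asker's C:\TEST against those rules. Test-SrpPath is a simplified model (an assumption stated in the code): it considers path rules only and picks the most specific match, whereas a real client also evaluates hash, certificate and zone rules ahead of path rules.

```powershell
# Added example, not code from the question or the answer. Run in an elevated
# PowerShell prompt on a domain-joined client after 'gpupdate /force'.

# Well-known SRP policy locations: computer configuration under HKLM, user
# configuration under HKCU. Rules live at CodeIdentifiers\<level>\Paths\<GUID>.
$SrpRoots = @{
    Machine = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
    User    = 'HKCU:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
}
# Security level values SRP uses as the subkey name and as the DefaultLevel DWORD.
$Levels = @{ 0 = 'Disallowed'; 131072 = 'BasicUser'; 262144 = 'Unrestricted' }

function Get-SrpPathRule {
    # Enumerates every SRP path rule from both scopes.
    foreach ($scope in $SrpRoots.Keys) {
        $root = $SrpRoots[$scope]
        if (-not (Test-Path $root)) { continue }   # no SRP policy applied in this scope
        foreach ($level in $Levels.Keys) {
            $pathsKey = Join-Path $root "$level\Paths"
            if (-not (Test-Path $pathsKey)) { continue }
            foreach ($rule in Get-ChildItem -Path $pathsKey) {
                $props = Get-ItemProperty -Path $rule.PSPath
                [pscustomobject]@{
                    Scope       = $scope
                    Level       = $Levels[$level]
                    # ItemData may contain %ProgramFiles%-style variables; expand them
                    Path        = [Environment]::ExpandEnvironmentVariables([string]$props.ItemData)
                    Description = [string]$props.Description
                    RuleId      = $rule.PSChildName
                }
            }
        }
    }
}

function Get-SrpDefaultLevel {
    # The DefaultLevel DWORD decides what happens to anything no rule matches.
    param([ValidateSet('Machine','User')][string]$Scope = 'Machine')
    $root = $SrpRoots[$Scope]
    if (-not (Test-Path $root)) { return 'Unrestricted (no SRP policy in this scope)' }
    $value = (Get-ItemProperty -Path $root -ErrorAction SilentlyContinue).DefaultLevel
    if ($null -eq $value) { return 'Unrestricted (DefaultLevel not set)' }
    if ($Levels.ContainsKey([int]$value)) { return $Levels[[int]$value] }
    return "Unknown level $value"
}

function Test-SrpPath {
    # Simplified model of SRP evaluation (assumption): only path rules are
    # considered and the most specific matching rule wins. A real client also
    # applies hash, certificate and zone rules, which outrank path rules.
    param(
        [Parameter(Mandatory)][string]$Path,
        [ValidateSet('Machine','User')][string]$Scope = 'Machine'
    )
    $target = $Path.TrimEnd('\')
    $match = Get-SrpPathRule |
        Where-Object { $_.Scope -eq $Scope } |
        Where-Object {
            $rulePath = $_.Path.TrimEnd('\')
            if ($rulePath -match '[*?]') { $target -like $rulePath }           # rule already carries wildcards
            else { $target -eq $rulePath -or $target -like "$rulePath\*" }    # folder rule covers everything beneath it
        } |
        Sort-Object { $_.Path.Length } -Descending |
        Select-Object -First 1
    $effective = if ($match) { $match.Level } else { Get-SrpDefaultLevel -Scope $Scope }
    [pscustomobject]@{
        Path           = $Path
        Scope          = $Scope
        EffectiveLevel = $effective
        MatchedRule    = if ($match) { $match.Path } else { '(default level)' }
    }
}

# Usage: list what the GPO wrote, then check the asker's test folder and a normal install path.
Get-SrpPathRule | Format-Table Scope, Level, Path, Description -AutoSize
Test-SrpPath -Path 'C:\TEST\app.exe'
Test-SrpPath -Path 'C:\Program Files\Vendor\app.exe'
```

If Get-SrpPathRule returns nothing for the Machine scope, the computer-side rule for C:\TEST never reached the client, which matches the "Denied (Security)" line in gpresult; a user-side rule only shows up under HKCU once the user has logged on after the policy refresh. The same key layout also shows how SRP answers the follow-up question about blocking everything outside the usual install locations: with DefaultLevel set to Disallowed and Unrestricted path rules for C:\Program Files, C:\Program Files (x86) and C:\Windows, a program in a user-created folder falls through to the default level and is blocked without listing its path or filename.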