Thursday, July 22, 2010

How do I allow Windows 7 users to run only specific applications?

There are times and instances where you, as the administrator of a network or group of machines, only want the users to be able to run certain applications. Kiosk machines, library machines, educational machines, community machines - there are plenty of reasons for doing this and a few methods for achieving it. One of those methods is built into Microsoft Windows 7 (with the exception of the Windows 7 Home editions) in the form of the Group Policy Editor. This tool is powerful and offers numerous features, including the ability to limit a user’s ability to run applications.

Using this method a network administrator can limit the users to executing applications based on file name. So if you allow the execution of the name Firefox.exe, a user can execute any application named Firefox.exe. This will not stop a user from renaming ApplicationX.exe to Firefox.exe and running that. So this method presumes that users will not know instinctively, or be willing to figure out, how to get around this basic access control.


Prior to undertaking this process it might be wise to back up the folder C:\WINDOWS\system32 in case this configuration goes south. Should that happen, you can then restore the backup and you will be back to where you started. This backup method isn’t foolproof, but it sure beats winding up with a system that cannot start any applications.

So, with that said, this “How do I” document will walk you through the process of allowing users to execute only specific applications using the built-in Group Policy Editor of Windows 7.

This blog post is also available in the PDF format in a TechRepublic Download.

Step 1

The first thing you must do is open up the Group Policy Editor. You won’t find a menu entry for this tool. Instead you start it by clicking the Start menu and then entering the command gpedit.msc. When this tool opens you will find yourself looking at a dual-paned window that looks deceptively simple to use (Figure A).


Figure A

There are quite a few settings that can be tweaked in this tool. I wouldn’t advise toying with any of these settings unless you know what you are doing.

Step 2

The next step is to navigate to the correct location of the configuration option we want to change. This is to be found in the following path:

User Configuration | Administrative Templates | System

When you navigate to that path you will want to click on the System entry to reveal the available settings in the right pane (Figure B).

Figure B


Scroll down in the right pane until you see the entry for Run only specified Windows applications.

Step 3

Double click on the entry for “Run only specified Windows applications” to open up the preferences for this setting. When this is opened (Figure C) you will need to first make sure Enabled is checked. Once you have done that the Show button will become available.

Figure C

You can add comments in this window in order to keep track of when this was set up and why. Documentation and tracking are always important for when things are brought up and questioned.

Step 4

The next step is to click the Show button which will open up a small window where you can enter the allowed applications (Figure D). In this window you will add, one per line, the executable file name (including extension) for each of the applications you want the users to be allowed to execute.


Figure D

Make sure you are thorough in your listing so your users are able to start all necessary applications for work, otherwise you’ll be revisiting this window to add more mission-critical applications.

Once you have completed your list of allowed applications, click the OK button and then click OK on the remaining windows to dismiss them. Once these windows are gone, the task is complete.

After this is set up, when a user attempts to launch an application that is not on the allowed list, they will receive a warning that states “The operation has been cancelled due to restrictions in effect on this computer. Please contact your system administrator.”
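Steps 1 to 4 above configure the policy through the graphical editor. What the editor actually writes is a small set of registry values in the current user’s hive, and an administrator usually wants a way to verify that the policy has taken effect and that every executable users need is on the list before handing the machine over. The PowerShell script below is an added example and is not part of the original post or of TechRepublic’s download. The key and value names (the RestrictRun DWORD under HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer and the numbered string values in its RestrictRun subkey) are the ones the “Run only specified Windows applications” policy template uses; the Test-RestrictRunPolicy and Set-RestrictRunPolicy functions and the $SampleAllowList names are my own constructions. Because the policy, as the post explains, compares file names only, this audit cannot detect a renamed binary; it only confirms what the list contains and whether it is enforced.

```powershell
# Added example (not code from the original post): read, audit and write the registry
# values behind "Run only specified Windows applications" for the current user.
# Written for the PowerShell 2.0 syntax that shipped with Windows 7.

$PolicyKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$ListKey   = "$PolicyKey\RestrictRun"

function Get-RestrictRunPolicy {
    # Returns Enabled (is the list enforced?) and Allowed (the file names on it).
    $enabled = $false
    if (Test-Path -Path $PolicyKey) {
        $flag = (Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue).RestrictRun
        $enabled = ($flag -eq 1)
    }
    $allowed = @()
    if (Test-Path -Path $ListKey) {
        # Each list entry is a REG_SZ named "1", "2", "3", ... whose data is a bare
        # file name such as firefox.exe; the number is only an index.
        $allowed = @((Get-ItemProperty -Path $ListKey).PSObject.Properties |
            Where-Object { $_.Name -match '^\d+$' } |
            Sort-Object { [int]$_.Name } |
            ForEach-Object { $_.Value })
    }
    New-Object PSObject -Property @{ Enabled = $enabled; Allowed = $allowed }
}

function Test-RestrictRunPolicy {
    # Audit helper (my construction, not part of the policy): warns when the policy is
    # off or when an executable users are expected to need is missing from the list.
    param([Parameter(Mandatory=$true)][string[]]$Required)
    $policy = Get-RestrictRunPolicy
    if (-not $policy.Enabled) {
        Write-Warning 'RestrictRun is not enabled for this user; the list is not enforced.'
    }
    $missing = @()
    foreach ($exe in $Required) {
        # Comparison is by file name only and case-insensitive, like the policy's own check.
        if ($policy.Allowed -notcontains $exe) { $missing += $exe }
    }
    if ($missing.Count -gt 0) {
        Write-Warning ('Not on the allow list: {0}' -f ($missing -join ', '))
    }
    return ($policy.Enabled -and $missing.Count -eq 0)
}

function Set-RestrictRunPolicy {
    # Writes the same values the Group Policy Editor produces. Assumption: writing them
    # directly is acceptable on this machine (for example an edition without gpedit.msc);
    # where a domain or local GPO also sets this policy, policy refresh overwrites them.
    param([Parameter(Mandatory=$true)][string[]]$AllowList)
    New-Item -Path $ListKey -Force | Out-Null
    # Remove any previous numbered entries so stale names do not stay allowed.
    (Get-ItemProperty -Path $ListKey).PSObject.Properties |
        Where-Object { $_.Name -match '^\d+$' } |
        ForEach-Object { Remove-ItemProperty -Path $ListKey -Name $_.Name }
    $i = 1
    foreach ($exe in $AllowList) {
        New-ItemProperty -Path $ListKey -Name "$i" -Value $exe -PropertyType String -Force | Out-Null
        $i++
    }
    New-ItemProperty -Path $PolicyKey -Name RestrictRun -Value 1 -PropertyType DWord -Force | Out-Null
}

# Constructed sample list; replace it with the applications your users actually need.
$SampleAllowList = 'firefox.exe', 'winword.exe', 'notepad.exe'
Test-RestrictRunPolicy -Required $SampleAllowList
```

Run the audit in the restricted user’s own session, since the values live under HKCU and a policy applied to one user says nothing about another. Keep the backup advice from earlier in mind before calling Set-RestrictRunPolicy: a list that omits something essential produces exactly the “cannot start any applications” situation the post warns about, and the cure is to delete the RestrictRun value from an unrestricted account.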

Final thoughts

It’s not a perfect system, and on a machine with savvy users it’s fairly easy to get around. But for basic purposes it will stop most average users from launching anything not on the allowed list. Also note that this method does not disable applications that run as system processes. So you won’t stop everyone using this method - but you will stop plenty of users from launching applications you don’t want them to launch.
