As part our security policy our organization needs to prevent installation of unauthorized softwares ex. chat clients such yahoo or msn or any other client. Also such as surfstart that enable bypassing the proxy. Is there a way to do it?

Aafaq Manzoor wrote:
> As part our security policy our organization needs to prevent
> installation of unauthorized softwares ex. chat clients such yahoo or
> msn or any other client. Also such as surfstart that enable bypassing
> the proxy. Is there a way to do it?

Well as you are posting to a Windows 2000 newsgroup, I'm going to suggest
using group policies to lock down the workstations and restrict user rights
in order to prevent them from installing software.
--
--
Rob Moir, Microsoft MVP for servers & security
Website - http://www.robertmoir.co.uk
Virtual PC 2004 FAQ - http://www.robertmoir.co.uk/win/VirtualPC2004FAQ.html

Kazaa - Software update services for your Viruses and Spyware.

We have tried using group policies but smart users still bypass it. For example, we configure proxy setting in browser through group policy then users install a software called startsurf.exe which allows them to bypass proxy. To further complicate the issue if we put the startsurf.exe in denied list in group policies then they rename it and run. They also store it in there mailboxes or rename it on home folders and also change the extension. Our current group policy setting has allow all the applications and deny the applications in list. If we change the policy to deny all and allow the listed application it may prevent them running unauthorized applications but I am sure it can be renamed to to allowed application and run again. What could be the foolproof method of preventing installtion and detection of unauthorized applications/softwares

Thanks
Aafa

----- Robert Moir wrote: ----

Aafaq Manzoor wrote
> As part our security policy our organization needs to preven
> installation of unauthorized softwares ex. chat clients such yahoo o
> msn or any other client. Also such as surfstart that enable bypassin
> the proxy. Is there a way to do it

Well as you are posting to a Windows 2000 newsgroup, I'm going to sugges
using group policies to lock down the workstations and restrict user right
in order to prevent them from installing software
--
--
Rob Moir, Microsoft MVP for servers & securit
Website - http://www.robertmoir.co.u
Virtual PC 2004 FAQ - http://www.robertmoir.co.uk/win/VirtualPC2004FAQ.htm

Kazaa - Software update services for your Viruses and Spyware

"=?Utf-8?B?QWFmYXEgTWFuem9vcg==?="
said

>
> We have tried using group policies but smart users still bypass it. For
> example, we configure proxy setting in browser through group policy
> then users install a software called startsurf.exe which allows them to
> bypass proxy. To further complicate the issue if we put the
> startsurf.exe in denied list in group policies then they rename it and
> run. They also store it in there mailboxes or rename it on home folders
> and also change the extension. Our current group policy setting has
> allow all the applications and deny the applications in list. If we
> change the policy to deny all and allow the listed application it may
> prevent them running unauthorized applications but I am sure it can be
> renamed to to allowed application and run again. What could be the
> foolproof method of preventing installtion and detection of
> unauthorized applications/softwares?
>

Why is your firewall allowing clients to make outbound connections? If you
have a proxy server configured, your firewall should be setup to only allow
outbound connections from the proxy servers IP address. All other traffic
should be blocked.
Doing it this way means that they can run whatever they want on their PC but
it will never be able to talk to the outside world.

--
Andy

Restricting the access on firewall may completely stop access to even to legitimate and production related site also. Startsurf was a example to demstrate what is can be possible bigger issue is compliance to the policy having no unauthorrized softwares on machines. That is why it is rather more important to prevent the installation then breaking the functionality of it. Any thoughts

Thanks
Aafaq

"=?Utf-8?B?QWFmYXEgTWFuem9vcg==?="
said

> Restricting the access on firewall may completely stop access to even
> to legitimate and production related site also.

How so? If all clients have their browser configured to use the proxy
server (preferably through a group policy) and only the proxy can access
the internet on port 80 then users can browse the intenet via the proxy. If
they require direct access through the firewall for other applications you
only open the ports that the application in question requires.
Other applications that require a direct connection (MSN Messenger etc.)
would be blocked. If they use another application to bypass the proxy, they
would be blocked.
If they leave things alone it will work just fine.

> Startsurf was a example
> to demstrate what is can be possible bigger issue is compliance to the
> policy having no unauthorrized softwares on machines.

If you were using Windows Server 2003 with Windows XP clients you could
prevent them from running the applications even if they renamed them, but
with Windows 2000 that is not an option without using third party products.

You could start by ensuring that users are not local administrators on
their PC's and add msiexec.exe to the deny list. This would stop any
applications that use the Windows installer from being installed (I think -
I haven't tried this).
If the users only need to run a limited number of applications you could
create a default policy of deny all, then just add the applications you
want to allow them to run.

It sounds to me like this is more of a people management problem than a
technical problem. Do you have an official internet access or computer use
policy it your work? Does it cover situations such as this and, if so, have
you notified the users managers of the breach of policy?

> That is why it is
> rather more important to prevent the installation then breaking the
> functionality of it.

A correctly setup proxy/firewall combination will ensure your security
without reducing legitimate functionality.

--
Andy.

Lastly, which third pary softwares are available

Thanks a lot Andrew for your detalied respose. made things very clear

Thanks
Aafaq

"=?Utf-8?B?QWFmYXE=?=" said

> Lastly, which third pary softwares are available?
>

Having a closer look at this, AppSec which is part of the Windows 2000
resource kit may help out. You can define application names *and paths* that
are allowed to run. Simply install your allowed applications, then grant the
user only read and execute permissions to files in that directory. That way
they cannot overwrite authorised apps with applications of their own.

http://www.microsoft.com/windows2000/techinfo/reskit/tools/hotfixes/appsec-
o.asp

Andy.