Hack 30 Restrict Applications Available to Users


Prevent your users from running potentially dangerous applications.

Keeping users from running certain applications isn't so important when you're an administrator using your own workstation. But when you're dealing with regular users in an enterprise network environment, you don't want your users running any nefarious programs. Such programs include those that can break their operating system installation, introduce security holes to their system, or even attack other machines on your network.

There are a couple of ways to restrict the applications available to your users. First, you can modify the ACLs for a particular program so that users cannot execute it. For example, suppose you have a sniffer installed on a user's machine for network diagnostic purposes. Access to this program is fine for an administrator, but is probably not appropriate for a normal user. You can prevent normal users from running the program by removing execution permissions for the Users group. To do this, locate the program's executable file and right-click it. Now click the Properties menu item, and you should see a dialog box like the one shown in Figure 2-9.

Figure 2-9. Properties dialog for ethereal.exe, the Ethernet sniffer

Now click on the Security tab and select the Users group from the list at the top of the dialog. You should now see something similar to Figure 2-10.

Figure 2-10. The Security tab of the ethereal.exe Properties dialog

Now click the Deny checkbox that applies to the Read & Execute permission. After you click the Apply button, anyone who is a member of the Users group will not be able to run the program. Alternatively, you could modify the ACL for the directory that the program resides in and disallow read access. This approach could be useful if you want to keep all of your administrative tools under a single folder and restrict access to all of them at once.
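The same change can be scripted, which helps when the restriction has to be applied to many machines. The following is an added example, not part of the original hack: the path `C:\Tools\ethereal.exe` is a placeholder for wherever the program is installed, and the `-Folder` switch is a hypothetical option of this script that applies the directory-level variant described above.

```powershell
# Added example: scripted equivalent of the Security-tab steps.
# $Path is a placeholder; point it at the executable you want to restrict.
param(
    [string]$Path = 'C:\Tools\ethereal.exe',   # assumed install location
    [switch]$Folder                            # deny read on the containing folder instead
)

$target = if ($Folder) { Split-Path -Parent $Path } else { $Path }
if (-not (Test-Path -LiteralPath $target)) { throw "Not found: $target" }

# S-1-5-32-545 is the well-known SID of the built-in Users group.
# Using the SID avoids depending on the localized group name.
$users = New-Object System.Security.Principal.SecurityIdentifier -ArgumentList 'S-1-5-32-545'

if ($Folder) {
    # Directory variant: deny Read, inherited by files and subfolders.
    $rights  = [System.Security.AccessControl.FileSystemRights]::Read
    $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit,ObjectInherit'
} else {
    # Single-file variant: the Deny checkbox on Read & Execute.
    $rights  = [System.Security.AccessControl.FileSystemRights]::ReadAndExecute
    $inherit = [System.Security.AccessControl.InheritanceFlags]::None
}

$rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList `
    $users, $rights, $inherit,
    ([System.Security.AccessControl.PropagationFlags]::None),
    ([System.Security.AccessControl.AccessControlType]::Deny)

# Read the current ACL, append the Deny entry, and write it back.
$acl = Get-Acl -LiteralPath $target
$acl.AddAccessRule($rule)
Set-Acl -LiteralPath $target -AclObject $acl

# Verify: list the Deny entries now present on the target.
(Get-Acl -LiteralPath $target).Access |
    Where-Object { $_.AccessControlType -eq 'Deny' } |
    Format-Table IdentityReference, FileSystemRights, IsInherited -AutoSize
```

Run it from an elevated prompt, then confirm the result by logging on as a member of the Users group and trying to start the program.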

If you are running a terminal-server version of Windows, there is another alternative to using ACLs. If you have the Microsoft Windows 2000 resource kit installed, you can use the AppSec program to disallow program access with just a few clicks. To use AppSec, locate its directory and start the program. After the program loads, you will be presented with a list of programs. If the program that you want to disallow from your terminal-service users is on the list, simply click the Disabled radio button. For instance, if you wanted to disable cmd.exe, you would see something similar to Figure 2-11.

Figure 2-11. Restricting cmd.exe

If the application you want to restrict is not on the list, you can click the Add button and browse for the application. After you have made your choices, click Exit. Before these changes can fully take effect, all users will have to log off of the terminal server.