Group Policy Management Solutions
Rapidly deploy customizable user workspaces without Group Policy limitations.
Simplify Desktop assists in overcoming the limitations of group policies and scripting.
Download a FREE trial today!
Specific applications can be prevented from running with group policies, but such a configuration is difficult to establish and harder still to maintain. Some believe that exposing only a single application provides some measure of security. It does not. Even if the Terminal Server is configured to display a single application and to shut down the connection when that application is closed, the server itself must still be secured.
Any reasonably astute user will quickly learn that Ctrl+Alt+End (the remote-session equivalent of Ctrl+Alt+Del) opens the Windows Security dialog in their session. Ironically, Windows Security is a wide-open back door: its Task Manager button leads to Task Manager, whose File > New Task (Run...) command starts any program the user can name, outside the reach of the Explorer-based application restrictions.
Devious Application Access and Usage
Group policies do not prevent a user from launching an application by other means. Microsoft recommends restricting user access to drives A through D with the "Prevent access to drives from My Computer" policy. When enabled, the policy keeps users out of those drives in Explorer, but it does not protect shared folders on the same drives: a user can still see them, connect to them by UNC path, and open the files they contain. Nor does it stop installation: a user can e-mail an executable to themselves and run it from the attachment. You could disallow all but a few applications, but that requires knowing ahead of time exactly which applications users need, and because the allow list matches on file name alone, a user can rename any executable to a permitted name. These policies are also largely user-configuration settings, not server-configuration settings. If you want one application set available in a private office and another for terminals in a hallway open to the public, group policies offer no way to make that distinction.
Software Restriction Policies (SRP)
What about the Software Restriction Policies (SRPs) available in Windows Server 2003 and Windows XP? At first glance SRPs look identical to Simplify Lockdown: they block applications that appear on a deny (black) list, or allow only those on an allow (white) list. By creating rules for users and computers you can prevent unwanted applications, including viruses, from executing. As long as an application stays where its path rule says it is, or its contents (and therefore its hash) do not change for a hash rule, it will be prevented from launching from anywhere in Windows. The converse is the weakness: a path rule is defeated by copying the file somewhere else, and a hash rule by changing a single byte of it.
Although SRPs are an improvement over the earlier group policy settings, they still have failings. Like the policies before them, they apply only to the Terminal Servers themselves or to the users logging on to them; you cannot restrict applications within a session based on which terminal the user connects from. SRPs also do not remove disallowed icons from a user's desktop. They only display an error message when the user tries to run the program, which confuses and frustrates the user.
Server Lock Down
The group policies that control application execution on Windows 2000 Server are numerous and scattered across several locations. You cannot simply enable User Configuration/Administrative Templates/System/Run only allowed Windows applications: that setting is enforced by Explorer alone, so it leaves the machine wide open to any application launched another way, for example from Task Manager, from a command prompt, or by another program. To lock down a Terminal Server with group policies you must enable and configure 32 user and computer settings. It is possible, but it is time consuming and opens the door to many potential mistakes.
triCerat's Group Policy Management Solution
Simplify Lockdown allows you to effectively control and secure user environments in order to prevent downtime and lost productivity. Lockdown enhances security by making it easy to provide end users with access to only the specific application icons and executables they require to do their jobs. Its innovative granting technology eliminates the need for policy edits and scripting. Using white and black lists, Simplify Lockdown closes backdoors and prevents unauthorized executables from running in Terminal Server sessions.
Control application access with desktop / server lockdown software, and improve your security while extending your environment. It's all too easy to wind up with a group policy solution that doesn’t really fit your protection needs.
Visit our contact form to request more information about our management software from a triCerat representative.