Software restriction on Terminal Servers
So a friend on mine asked me yesterday if it was possible to disable users from running *.exe files from the local user profile on the terminal server?
And my quick response was yes this is possible!
But what options do we have?
Microsoft has numerous options out-of-the-box for locking down the environment through group policy, the first policy that comes into mind is
«Don’t run specified Windows Applications» which allows you to make a list of executables which users are not allowed to run.
It this good enough?
Nah, users can easily change the name of the executable and it would still work, and you would also have to maintain the list of executeables. Then it might be the case of some executables having the same name as other
Then you have Applocker, where you can define file paths, hash of a file name or the publisher of a executable which you don’t want the user to use. An example if you wish to block dropbox for a user.
I could use the file path option what nothing blocks the user from moving it another folder I define. I could for example block the whole C:\ drive but in case the user maps up his/hers local drives im still screwed.
NOTE: Before you start using Applocker you need to start the service Application Identity (It is not automatically started)
If you want to do this on a local computer to try you can open secpol.msc
And from here right click on Executable Rules -> First create the default rules, this will create all the allow rules and then you can start creating the other rules for the endusers.
For the case of Dropbox, I have it installed on my computer and I wish to create a publisher rule for deny that software from running.
Right click on executable and create new rule.
Here you define who and if they are allowed or denied. (I just used everyone here but you should use a more scoped down group like «remote desktop users»)
Click next à
Here I define conditions
I could use a path but as I described earlier a user could move the executable around, but I could use file hash as well (This is useful for non-digital verified publishers)
But for a case such as dropbox which comes around with a update now and then it changes the file hash completely.
So I select publisher à And I find my executable
Funny thing is that Dropbox by default installs in Roaming folder of the user.
So now I have my rule
I could drag the slider upwards so it would stop all executables from just the publisher and not look for product name or file name and version
Be careful so you don’t drag it all the way up to «any publisher» since this will block everyone from using any executable which has a publisher Its executable.
In case you need more flexible security for your users workspace environment I would suggest taking a look on RES or AppSense