
Lock down Windows 7 Pro


10XTriplet

Disabled
Joined
Aug 20, 2012
Is there a way to lock down Windows 7 Pro to be only allowed to run a few programs?

If so, how?
 
While hafa posted some great links, I think that may be more than you're looking to do. If that's the case, I submit my reply for your perusal.

7 Pro has a GREAT...GREAT tool for security policies.
Press Windows+R (run)
Type "secpol.msc" to open the Local Security Policy snap-in.

From here, you can control the effective permissions system wide.
Now, to simply block some software except what you want them to run, do the following.

Open secpol.msc
Right click on "Software Restriction Policies"
Click "New Software Restriction Policies"
(optional) In the right hand pane, double-click the "Enforcement" object. From here, you can specify who the policy applies to. (I would make it apply to non-admin users... just in case)
Double click the Additional Rules
Right click and pick the application rule you want to add (more below on differences)
Give them either basic user (recommended) or unrestricted (if you want them to have admin rights when running) access to each program.
Now, go to Security Levels and make the "Disallowed" the default policy.
No programs will run except what you specifically defined.

Now, regarding the application rules, you have four options:

Certificate: Just what it sounds like. Don't use this option.
Hash: This is the best option. It will take a snapshot of the .exe hash and allow only that specific program to run. Name/Location do not matter.
Network Zone: I've not used this and have a minimal understanding. This is for web-based applications/installs. As long as your hash rules are set, there is no need to worry about this.
Path: This works on basic users. If you list c:\solitaire.exe as a blocked application, I can simply rename it to c:\the.exe and run it. Hash prevents this workaround.
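
The difference between Path and Hash rules described in the post above, as an added example that is not part of the original post and is not Windows' own code: a simplified model of rule matching in which a path rule stops applying once the file name changes, while a hash rule follows the file's contents. The file names, the `evaluate` helper, the sample bytes and the use of SHA-256 are assumptions made for illustration.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path

DEFAULT_LEVEL = "Disallowed"  # default security level chosen in the walkthrough


def sha256_of(path):
    """Hash the file contents only; name and location are not part of the input."""
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()


def evaluate(path, hash_rules, path_rules):
    """Return the security level for a file in this simplified (assumed) model.
    hash_rules: {sha256 hex digest: level}; path_rules: {full path: level}.
    Hash rules are checked first, then path rules, then the default level.
    """
    digest = sha256_of(path)
    if digest in hash_rules:
        return hash_rules[digest]
    wanted = str(Path(path)).lower()  # Windows paths are case-insensitive
    for rule_path, level in path_rules.items():
        if str(Path(rule_path)).lower() == wanted:
            return level
    return DEFAULT_LEVEL


def demo():
    """Create constructed sample files in a temp dir and evaluate both rule types."""
    with tempfile.TemporaryDirectory() as tmp:
        original = Path(tmp) / "solitaire.exe"
        original.write_bytes(b"constructed sample bytes v1")
        hash_rules = {sha256_of(original): "Basic User"}
        path_rules = {str(original): "Basic User"}
        renamed = Path(tmp) / "the.exe"
        shutil.copy(original, renamed)  # same bytes, new name
        updated = Path(tmp) / "solitaire_v2.exe"
        updated.write_bytes(b"constructed sample bytes v2")  # e.g. after an update
        return {
            "hash_rule_after_rename": evaluate(renamed, hash_rules, {}),
            "path_rule_after_rename": evaluate(renamed, {}, path_rules),
            "hash_rule_after_update": evaluate(updated, hash_rules, {}),
        }


if __name__ == "__main__":
    for case, level in demo().items():
        print(f"{case}: {level}")
```

The third case is the maintenance cost of hash rules: once a program's bytes change, for example after an update, the old hash no longer matches and the rule has to be recreated.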
 
DUDE!? This is EXACTLY what I was looking for! I will report back!
 
No go... I can't find "New Software Restriction Policies". Was worth a shot, thanks.
 
When you right-click Software Restriction Policies, you don't have the New Software Restrictions Policy option available from the context menu?
 

You don't see that option because they already exist :)
(By default, 7 Pro will not create them, hence my step above)

Skip to the next part of the walkthrough above.
 
Sorry, I will. Been swamped on other projects.. I will however attempt to do this sometime today..
 