
TR Dojo

Video: Lock down Windows 7 to run only specified applications

Takeaway: Bill Detwiler shows you how to use the Local Group Policy Editor to make Windows 7 run only the applications you approve.

September 20, 2010, 7:48 AM PDT | Length:00:04:54


If you support Windows machines located in kiosks, libraries, community centers or other public places, it’s probably a good idea to specify which applications users can run and which they can’t. During this week’s episode of TR Dojo, I show you how to use the Local Group Policy Editor to make Windows 7 run only the applications you approve.

Do you use Group Policy, AppLocker, or a third-party utility to block users from running unapproved applications?

Warning: What to do if things go wrong

Using the Local Group Policy Editor incorrectly can have serious, negative consequences. For example, if you enable the Run Only Specified Windows Applications policy and fail to add mmc.exe (Microsoft Management Console, which hosts gpedit.msc), regedit.exe (Registry Editor) and cmd.exe (the command shell) to the list of allowed applications, you may have a very difficult time disabling the policy or modifying the list of allowed applications. Keep in mind that a setting under User Configuration in the local GPO applies to every account that logs on to the machine, administrators included, so you can lock yourself out just as easily as the kiosk user.

If you need to disable this policy but have locked yourself out of mmc and regedit, you can use the REG command to delete the registry value that the Run Only Specified Windows Applications policy writes. Deleting the value removes the restriction and lets you run gpedit.msc (the Group Policy snap-in for the MMC) again. You should then disable the policy through the Local Group Policy Editor: the registry value is only the policy's footprint, and the next Group Policy refresh (at logon, or in the background roughly every 90 minutes by default) will write it back as long as the policy is still enabled.

The value you need to delete is:
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\RestrictRun

The list of allowed applications itself lives in a subkey of the same name (HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\RestrictRun), as string values named 1, 2, 3 and so on; it is harmless to leave it in place once the RestrictRun value is gone.

You can use the following REG command to delete the value (the /f switch suppresses the "Delete the registry value ... (Yes/No)?" confirmation prompt):

reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v RestrictRun /f

Open the Command Prompt window using Run as Administrator to execute the command. Be aware that HKCU always refers to the hive of the account the prompt is running as: if you elevate with a different administrator's credentials, the command edits that administrator's hive, not the locked-out user's. In that case target the user's hive directly under HKU\<user SID> instead. Also, if you enabled the Run Only Specified Windows Applications policy and didn't specify any allowed applications, cmd.exe will not run either, and you won't be able to use the REG command from that session. You'll then need to edit the registry remotely (a remote registry connection exposes the user's hive under HKU\<user SID>, not HKCU) or from an external boot environment. If you did specify at least one allowed application, you can copy cmd.exe and rename the copy to the allowed application's file name, then run the renamed copy. This works because the policy compares only the file name of the program being launched, not its path or contents, which is also why it is a roadblock rather than a real security boundary against a determined user.
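The following PowerShell script is an added example, not code from the original page or from TechRepublic. It writes the same registry entries that the Run Only Specified Windows Applications policy writes (the RestrictRun DWORD and the numbered allow-list values described above, and the steps walked through in the video transcript below), always keeping the recovery tools on the list, and it includes the reverse operation that the reg delete command above performs. The function names, the sample allow list (firefox.exe and notepad.exe) and the assumption that the script runs in the kiosk user's own session (so that HKCU is that user's hive) are mine. Writing the registry directly does not record the policy in the local GPO, so gpedit.msc will not show it as Enabled; if the policy was set through gpedit.msc, the next policy refresh re-creates the value after Disable-RestrictRun removes it.

```powershell
# Added example (not from the original page): apply and remove the
# "Run only specified Windows applications" restriction by writing the
# registry entries the Local Group Policy Editor writes for it.
# Assumed layout (standard for this policy):
#   HKCU\...\Policies\Explorer             DWORD  RestrictRun = 1
#   HKCU\...\Policies\Explorer\RestrictRun  REG_SZ "1"="app1.exe", "2"="app2.exe", ...
# Run this in the session of the user you want to restrict: HKCU is
# that user's hive. Syntax is kept PowerShell 2.0 compatible (Windows 7).

$ExplorerPolicy = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$AllowListKey   = Join-Path $ExplorerPolicy 'RestrictRun'

function Enable-RestrictRun {
    param(
        [Parameter(Mandatory = $true)]
        [string[]] $AllowedExecutables
    )
    # Always keep an escape hatch on the list; without it the only way back
    # is a remote registry edit or an external boot environment.
    $escapeHatch = @('mmc.exe', 'regedit.exe', 'cmd.exe')
    $list = @($AllowedExecutables + $escapeHatch |
        ForEach-Object { $_.ToLowerInvariant() } |
        Sort-Object -Unique)

    # -Force also creates the parent Policies\Explorer key if it is missing.
    if (-not (Test-Path $AllowListKey)) {
        New-Item -Path $AllowListKey -Force | Out-Null
    }
    # Clear any previous list so stale entries do not linger.
    foreach ($name in (Get-Item $AllowListKey).GetValueNames()) {
        if ($name -ne '') { Remove-ItemProperty -Path $AllowListKey -Name $name }
    }
    $i = 1
    foreach ($exe in $list) {
        New-ItemProperty -Path $AllowListKey -Name "$i" -Value $exe `
            -PropertyType String -Force | Out-Null
        $i++
    }
    # This DWORD is what switches the restriction on.
    New-ItemProperty -Path $ExplorerPolicy -Name 'RestrictRun' -Value 1 `
        -PropertyType DWord -Force | Out-Null
    return $list
}

function Disable-RestrictRun {
    # Equivalent of: reg delete HKCU\...\Policies\Explorer /v RestrictRun /f
    if (Get-ItemProperty -Path $ExplorerPolicy -Name 'RestrictRun' -ErrorAction SilentlyContinue) {
        Remove-ItemProperty -Path $ExplorerPolicy -Name 'RestrictRun'
    }
    # The allow list is harmless once the DWORD is gone, but tidy it up too.
    if (Test-Path $AllowListKey) {
        Remove-Item -Path $AllowListKey -Recurse
    }
}

function Get-RestrictRunState {
    $value   = Get-ItemProperty -Path $ExplorerPolicy -Name 'RestrictRun' -ErrorAction SilentlyContinue
    $enabled = ($value -ne $null) -and ($value.RestrictRun -eq 1)
    $allowed = @()
    if (Test-Path $AllowListKey) {
        $key = Get-Item $AllowListKey
        $allowed = @($key.GetValueNames() | Where-Object { $_ -ne '' } |
            ForEach-Object { $key.GetValue($_) })
    }
    New-Object PSObject -Property @{ Enabled = $enabled; Allowed = $allowed }
}

# Usage (constructed example): allow only Firefox and Notepad for the kiosk
# user, with the recovery tools kept on the list. Explorer picks the change
# up at the next logon or policy refresh.
Enable-RestrictRun -AllowedExecutables 'firefox.exe', 'notepad.exe'
Get-RestrictRunState
# Disable-RestrictRun   # lifts the restriction, like the reg delete command
```

Because the escape hatch keeps cmd.exe on the allow list, a kiosk user gets a command shell too, which undercuts the lockdown. A better arrangement on a real kiosk is to apply the policy only to non-administrators through the separate Non-Administrators local GPO that Windows Vista and later provide (add the Group Policy Object Editor snap-in in mmc.exe and browse to it), so that an administrator account is never subject to the restriction and the recovery tools can be left off the list.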

Text transcript of the video

For those who prefer text to video, the transcript appears below, or check out Jack Wallen's article, "How do I allow Windows 7 users to run only specific applications?"

Bill Detwiler

About Bill Detwiler

Bill Detwiler is Head Technology Editor of TechRepublic. Previously, he worked as a Support Tech and IT Manager in the social research and energy industries.


Transcript

Bill Detwiler: If you support Windows machines located in kiosks, libraries, community centers or other public places, it's probably a good idea to specify which applications users can run and which they can't.

I'm Bill Detwiler, and during this episode of TR Dojo, I'll show you how to configure Windows 7 to run only the applications you approve.

Locking down public machines to prevent users from running unauthorized applications not only improves system security, but can also cut down on the time you spend reimaging their hard drives.

Now you could purchase a third-party desktop management system that offers this capability. But you can just as easily use the Group Policy Editor, which is built into all Windows 7 versions -- except Home.

Using Group Policy, you can limit the users to executing applications based on name. So for example, you could allow the user to run Firefox by allowing the execution of the file named Firefox.exe.

While effective, this method isn't foolproof. If a user knows how you're blocking an application, and they have the necessary permissions to rename application files, they could simply rename the application they want to run to Firefox.exe. But for the most part, the method I'll describe here is at least a good roadblock for preventing users from running unauthorized applications.

Also, if you're running Windows 7 Ultimate or Enterprise you should really use AppLocker, which is a new feature in Windows 7 and Windows Server 2008 R2 designed to manage application access. Unfortunately, AppLocker isn't supported on Windows 7 Professional, so the following tip may be just what you're looking for.

Lastly, while I'm using Windows 7 in this video, the tip will also work on Windows XP and Vista, provided you're using a version that has the Group Policy Editor -- i.e. not Windows Home.

To open the Group Policy Editor, click Start and then enter the command gpedit.msc.

Using the tree view in the left-hand pane, navigate to:

User Configuration | Administrative Templates | System

Now, make sure you click the System entry, as this will reveal the available settings in the right pane. Scroll down until you see the entry for Run Only Specified Windows Applications.

Double-click it to open its preferences window. Make sure that Enabled is checked. Once you've done that, the Show button will become available.

When you click Show, a small window will appear. Here you can enter the name of each allowed application. You'll enter the name of the executable file (including the extension) for each file on a separate line.

Once you have completed your list of allowed applications, click the OK button and then click OK on the remaining windows to dismiss them.

Now, when a user attempts to launch an application that is not on the allowed list, they will receive a warning message.

This method of blocking applications isn't a perfect system, and for tech-savvy users it's fairly easy to get around, and it won't block applications that are system processes. But for basic purposes, it will stop average users from running applications you don't want them to.

For more teachings on your path to becoming an IT Ninja, visit trdojo.techrepublic.com, or you can follow me on Twitter at twitter.com/billdetwiler.

Thanks for visiting the TR Dojo.
