
Video: Lock down Windows 7 to run only specified applications

Bill Detwiler shows you how to use the Local Group Policy Editor to make Windows 7 run only the applications you approve.

If you support Windows machines located in kiosks, libraries, community centers or other public places, it's probably a good idea to specify which applications users can run and which they can't. During this week's episode of TR Dojo, I show you how to use the Local Group Policy Editor to make Windows 7 run only the applications you approve.

Warning: What to do if things go wrong

Using the Local Group Policy Editor incorrectly can have serious, negative consequences. For example, if you enable the Run Only Specified Windows Applications policy and then fail to specify mmc.exe (Microsoft Management Console), regedit.exe (Registry Editor), or cmd.exe (the command-line shell) as allowed applications, you may have a very difficult time disabling the policy or modifying the list of allowed applications.

If you need to disable this policy but have locked yourself out of MMC and Regedit, you can use the REG command to delete the registry value that corresponds to the Run Only Specified Windows Applications policy. Deleting the value removes the restriction and lets you run gpedit.msc (the Group Policy snap-in for the MMC) again. You can then disable the policy properly through the Local Group Policy Editor.

The value you need to delete is:

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\RestrictRun

You can use the following REG command to delete the value:

reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\ /v RestrictRun

You'll need to open the Command Prompt window using Run as Administrator to execute the command. Also, if you enabled the Run Only Specified Windows Applications policy and didn't specify any allowed applications, cmd.exe will not run, and you won't be able to use the REG command at all. In this case, you'll need to either edit the registry remotely or from an external boot environment. If you did specify at least one allowed application, you can copy cmd.exe and rename the copy to the allowed application's filename; the policy checks only the file name, so the renamed copy of cmd.exe will run. Keep in mind that this same trick is available to any user who can copy a file, which is why this policy is a convenience control for kiosks rather than a real barrier against a determined user.
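The following PowerShell script is an added example, not code from the original post. It writes the same registry data that the Local Group Policy Editor writes for this policy (the RestrictRun DWORD under the Explorer policies key, and the numbered allow list in the RestrictRun subkey), refuses to enable the policy unless the recovery tools the warning above names are on the list, and provides the same cleanup the REG command performs. The allow list used at the bottom (iexplore.exe plus the recovery tools) is an assumption for illustration; substitute the applications your kiosk actually needs.

```powershell
# Added example: manage the "Run only specified Windows applications" policy
# through the registry. Run from an elevated PowerShell window in the
# restricted user's session (the policy lives under HKCU).

$ExplorerKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$ListKey     = Join-Path $ExplorerKey 'RestrictRun'

# Tools you must keep on the list, or you lock yourself out (see warning above).
$RecoveryTools = @('mmc.exe', 'regedit.exe', 'cmd.exe')

function Set-RestrictRun {
    param([Parameter(Mandatory)][string[]]$AllowedExe)

    # Safety check: never enable the policy without a way back in.
    $missing = $RecoveryTools | Where-Object { $AllowedExe -notcontains $_ }
    if ($missing) {
        throw "Refusing to enable RestrictRun without recovery tools: $($missing -join ', ')"
    }

    New-Item -Path $ListKey -Force | Out-Null

    # Clear any previous entries so the list is exactly what was passed in.
    (Get-Item $ListKey).GetValueNames() |
        ForEach-Object { Remove-ItemProperty -Path $ListKey -Name $_ }

    # The allow list is a set of REG_SZ values named 1, 2, 3, ... whose data
    # is the bare executable name (no path), exactly as gpedit.msc stores it.
    $i = 1
    foreach ($exe in $AllowedExe) {
        New-ItemProperty -Path $ListKey -Name $i -Value $exe -PropertyType String -Force | Out-Null
        $i++
    }

    New-ItemProperty -Path $ExplorerKey -Name 'RestrictRun' -Value 1 -PropertyType DWord -Force | Out-Null
}

function Get-RestrictRun {
    # Report whether the policy is on and what the current allow list is.
    $prop    = Get-ItemProperty -Path $ExplorerKey -Name 'RestrictRun' -ErrorAction SilentlyContinue
    $enabled = ($prop -ne $null) -and ($prop.RestrictRun -eq 1)
    $list    = @()
    if (Test-Path $ListKey) {
        $item = Get-Item $ListKey
        $list = $item.GetValueNames() |
            Where-Object { $_ -match '^\d+$' } |
            Sort-Object { [int]$_ } |
            ForEach-Object { $item.GetValue($_) }
    }
    [pscustomobject]@{ Enabled = $enabled; Allowed = $list }
}

function Remove-RestrictRun {
    # Same effect as the REG DELETE command in the post, plus removal of the
    # allow-list subkey so no stale entries are left behind.
    Remove-ItemProperty -Path $ExplorerKey -Name 'RestrictRun' -ErrorAction SilentlyContinue
    Remove-Item -Path $ListKey -Recurse -ErrorAction SilentlyContinue
}

# Usage (assumed kiosk allow list): a browser plus the recovery tools.
# Explorer reads the list at logon, so log the user off and on again
# (or run gpupdate /force) to see the effect.
Set-RestrictRun -AllowedExe ($RecoveryTools + 'iexplore.exe')
Get-RestrictRun
```

Because the policy matches on file name only, Get-RestrictRun is also a quick way to audit a kiosk for an allow list that is broader than intended, for example one that contains a name a user could give to a renamed copy of cmd.exe.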

Text transcript of the video

For those who prefer text to video, you can click the Transcript link that appears below the video player window or check out Jack Wallen's article, "How do I allow Windows 7 users to run only specific applications?"


About

Bill Detwiler is Managing Editor of TechRepublic and Tech Pro Research and the host of Cracking Open, CNET and TechRepublic's popular online show. Prior to joining TechRepublic in 2000, Bill was an IT manager, database administrator, and desktop supp...

6 comments
artabrahamson

We use a third-party utility called Inteset Secure Lockdown. It's perfect for running our kiosk type media app. It's cheap and works on Win 7 Premium too.

NickKettles

Both AppLocker and Group Policy have their weaknesses. Those users granted admin credentials can circumvent AppLocker, allowing all applications to run and opening up the enterprise to serious security risks. Users running with standard user rights still need a solution to allow apps requiring admin rights to run/install without having the admin user name and passwords. See here: http://bit.ly/aZYowf

Bill Detwiler

If you support Windows machines located in kiosks, libraries, community centers or other public places, it's probably a good idea to specify which applications users can run and which they can't. During this week's episode of TR Dojo, I show you how to use the Local Group Policy Editor to make Windows 7 run only the applications you approve. Do you use Group Policy, AppLocker, or a third-party utility to block users from running unapproved applications? Take the poll in the above post and let me know. Original post and poll: http://blogs.techrepublic.com.com/itdojo/?p=2065

tbmay

...I found them to be more trouble than they were worth. My co-workers and boss at a school district that once employed me agreed. It was during that employment, dealing with high school miscreants, we learned just how good hard-drive protection is. We made a few minor policy adjustments after that discovery for specific purposes but by and large we put that never ending battle to rest.

bowlingbrad

The new version of MS SteadyState isn't too bad either for XP Pro.