TR Dojo: Lock down Windows 7 to run only specified applications

September 20, 2010, 7:48am PDT | Length: 00:04:54

Bill Detwiler shows you how to use the Local Group Policy Editor to make Windows 7 run only the applications you approve. Once you’ve watched this TR Dojo video, you can find a link to the original TechRepublic article and print the tip from our TR Dojo Blog.

Transcript

Bill Detwiler: If you support Windows machines located in kiosks, libraries, community centers or other public places, it's probably a good idea to specify which applications users can run and which they can't.

I'm Bill Detwiler, and during this episode of TR Dojo, I'll show you how to configure Windows 7 to run only the applications you approve.

Locking down public machines to prevent users from running unauthorized applications not only improves system security, but can also cut down on the time you spend reimaging their hard drives.

Now you could purchase a third-party desktop management system that offers this capability. But you can just as easily use the Group Policy Editor, which is built into all Windows 7 versions -- except Home.

Using Group Policy, you can limit the users to executing applications based on name. So for example, you could allow the user to run Firefox by allowing the execution of the file named Firefox.exe.

While effective, this method isn't foolproof. If a user knows how you're blocking an application, and they have the necessary permissions to rename application files, they could simply rename the application they want to run to Firefox.exe. But for the most part, the method I'll describe here is at least a good roadblock for preventing users from running unauthorized applications.

Also, if you're running Windows 7 Ultimate or Enterprise you should really use AppLocker, which is a new feature in Windows 7 and Windows Server 2008 R2 designed to manage application access. Unfortunately, AppLocker isn't supported on Windows 7 Professional, so the following tip may be just what you're looking for.

Lastly, while I'm using Windows 7 in this video, the tip will also work on Windows XP and Vista, provided you're using a version that has the Group Policy Editor -- i.e. not Windows Home.

To open the Group Policy Editor, click Start and then enter the command gpedit.msc.

Using the tree view in the left-hand pane, navigate to:

User Configuration | Administrative Templates | System

Now, make sure you click the System entry, as this will reveal the available settings in the right pane. Scroll down until you see the entry for Run Only Specified Windows Applications.

Double-click it to open its preferences window. Make sure that Enabled is checked. Once you've done that, the Show button will become available.

When you click Show, a small window will appear. Here you can enter the name of each allowed application. You'll enter the name of the executable file (including the extension) for each file on a separate line.

Once you have completed your list of allowed applications, click the OK button and then click OK on the remaining windows to dismiss them.

Now, when a user attempts to launch an application that is not on the allowed list, they will receive a warning message.

This method of blocking applications isn't a perfect system, and for tech-savvy users it's fairly easy to get around, and it won't block applications that are system processes. But for basic purposes, it will stop average users from running applications you don't want them to.

For more teachings on your path to becoming an IT Ninja, visit trdojo.techrepublic.com, or you can follow me on Twitter at twitter.com/billdetwiler.

Thanks for visiting the TR Dojo.
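The setting walked through in the video is stored in the current user's registry, which is where the Group Policy Editor writes it. The script below is an added example, not from the video or from TechRepublic: it audits and sets that policy from PowerShell so an administrator can verify the allow list on a kiosk without opening gpedit.msc. It assumes the standard RestrictRun location under the Explorer policies key, and the function names are my own.

```powershell
# Added example: audit and set "Run only specified Windows applications"
# directly in the registry, where gpedit.msc stores it. Assumes the
# standard RestrictRun location under the current user's Explorer policies.
$PolicyKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$ListKey   = Join-Path $PolicyKey 'RestrictRun'

function Get-RestrictRunPolicy {
    # Returns whether the policy is enabled and the allowed executable names.
    $enabled = $false
    if (Test-Path $PolicyKey) {
        $props   = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
        $enabled = ($props.RestrictRun -eq 1)
    }
    $allowed = @()
    if (Test-Path $ListKey) {
        # The list is stored as string values named 1, 2, 3, ... under RestrictRun.
        $item    = Get-Item -Path $ListKey
        $allowed = $item.GetValueNames() |
            Where-Object { $_ -match '^\d+$' } |
            Sort-Object { [int]$_ } |
            ForEach-Object { $item.GetValue($_) }
    }
    [pscustomobject]@{ Enabled = $enabled; Allowed = @($allowed) }
}

function Test-RestrictRunAllows {
    param([Parameter(Mandatory)][string]$ExeName)
    # The policy matches on the executable's file name only, so a full path
    # is reduced to its name here; this is exactly why renaming a file to an
    # allowed name (the caveat in the video) gets past it.
    $policy = Get-RestrictRunPolicy
    if (-not $policy.Enabled) { return $true }
    return [bool]($policy.Allowed -contains [IO.Path]::GetFileName($ExeName))
}

function Set-RestrictRunPolicy {
    param([Parameter(Mandatory)][string[]]$AllowedExes)
    # Writes the same values gpedit.msc writes. mmc.exe is kept on the list
    # because gpedit.msc is an MMC console; without it you lock yourself out.
    if ($AllowedExes -notcontains 'mmc.exe') { $AllowedExes += 'mmc.exe' }
    New-Item -Path $ListKey -Force | Out-Null
    (Get-Item -Path $ListKey).GetValueNames() |
        ForEach-Object { Remove-ItemProperty -Path $ListKey -Name $_ }
    $i = 1
    foreach ($exe in $AllowedExes) {
        New-ItemProperty -Path $ListKey -Name $i -Value $exe -PropertyType String | Out-Null
        $i++
    }
    New-ItemProperty -Path $PolicyKey -Name RestrictRun -Value 1 -PropertyType DWord -Force | Out-Null
}

Get-RestrictRunPolicy | Format-List   # audit the current state
```

Writing the values directly has the same effect at logon as setting them in gpedit.msc, but the Local Group Policy store will not reflect the change, so for a machine you manage through the editor use `Set-RestrictRunPolicy` only for testing and keep `Get-RestrictRunPolicy` for audits.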