Using GPO to prevent access to desktop application

Introduction

Security breaches via unauthorized application access are a growing concern for system administrators. The challenge of mitigating such vulnerabilities, while ensuring that essential applications remain accessible, is intensified by the ever-evolving technological landscape. This article provides a comprehensive guide on employing Group Policy Objects (GPOs) effectively to restrict access, offering a secure and well-regulated operational environment.


Prerequisites

Before delving into the specific methods, it's crucial for system administrators to ensure that they have the necessary prerequisites in place:

  1. Operating System: Ensure you are running on supported Windows versions for the desired GPO features.

  2. Administrative Privileges: You must have the necessary administrative rights to create and manage GPOs.

  3. Group Policy Management Console (GPMC): Installed and accessible, as it’s the primary tool for managing GPOs.

  4. Knowledge of Windows Directory Structure: Essential for specifying file paths or names in certain restriction methods.


Method 1: GPO Creation to Disable Specific Applications

A GPO can be employed to disallow access to specified applications on Windows. To do that, follow these steps:

  1. Open the Group Policy Management tool on the domain controller.

  2. Create a new GPO and name it.

  3. Edit the GPO: User Configuration > Administrative Templates > System.

  4. Enable "Don't run specified Windows applications", specifying the application name.

  5. Link the GPO to the desired Organizational Unit.

  6. In the Group Policy Management Console tree, click Change Control in the forest and domain where you aim to manage GPOs.

  7. On the Contents tab, click the Controlled tab to display the controlled GPOs.

  8. Right-click the GPO to be deployed and then click Deploy.

  9. Wait for GPO replication across domain controllers.


Method 2: GPO to Control User Access to Exploit Protection Settings

This method prevents users from modifying Exploit protection settings. Follow these steps:

  1. Ensure Windows 10, version 1709, or later is installed.

  2. Open the Group Policy Management Console and select the GPO to configure.

  3. Navigate to Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Security > App and Browser Protection.

  4. Enable “Prevent users from modifying settings” or “Hide the App and browser protection area” as needed.

  5. Follow steps 6-9 from Method 1 to deploy the updated GPO.


Method 3: Advanced GPO for Blocking Software

While the basic GPO configuration above covers generic needs, more specialized requirements call for finer-grained controls. The methods below describe advanced software restriction using GPO.


Before getting into the methods, let us visit the security levels available in Group Policy for software restriction:

  1. Unrestricted:
    1. Allows software to run without any restrictions.
    2. Users can execute any executable files, including scripts, installer packages, and DLLs.
  2. Basic User:
    1. Software can only run with the permissions of a regular user.
    2. Restricts 'Run as Administrator' privilege, ensuring software doesn't gain elevated access.
  3. Disallowed:
    1. Blocks the specified software or files from running.
    2. Prevents execution regardless of the user's permissions or role.

Each security level serves a unique purpose and can be applied based on the specific needs and security requirements of your organizational environment.

Method 3.1: Blocking Software by File Name

Blocking software by file name is a more straightforward approach and is relatively easy to implement. However, it is essential to comprehend its limitations and applicability.


Step-by-Step Implementation:

  1. Access the Registry Editor:

    • Open the Run dialogue (Windows + R), type “regedit” and press Enter.

  2. Navigate to the Specific Path:

    • Head to USER CONFIGURATION > POLICIES > ADMINISTRATIVE TEMPLATES > SYSTEM.

  3. Enable the Policy:

    • Double-click on “DON’T RUN SPECIFIED WINDOWS APPLICATIONS” and select “Enabled”.

  4. Specify the File Names:

    • Click the “Show” button and enter the names of the executable files to block.

  5. Apply the Changes:

    • Click “OK” to apply the changes.


Side note:

The format of the name to be entered when blocking executable files through Group Policy involves just the filename and its extension. For instance, if you want to block access to the Windows Calculator application, you would enter “calc.exe”. Here, “calc” is the filename and “.exe” is the extension, indicating that it's an executable file.

Example:

  • Correct Format: calc.exe

  • Incorrect Format: C:\Windows\System32\calc.exe (paths are not used in this method)

Remember:

  1. No Path Information: Avoid entering the full path of the application; the GPO is designed to block the executable regardless of its location in the system.

  2. Include File Extension: Always include the file extension (commonly .exe for executable files) to specify the file type accurately.

 

Limitations and Considerations:

  • User-Specific: This method applies restrictions at the user level, not the system level. Each user profile has its individual settings.

  • Filename Only: Only filenames can be specified, not paths or hashes. This limitation can lead to inadvertent blocking of other applications with the same filename.

  • File Explorer Dependency: The policy only prevents users from running programs initiated by File Explorer. It doesn’t restrict programs started by system processes or external sources.
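The following PowerShell is an added example, not code from the original article: it writes the "Don't run specified Windows applications" entries into an existing GPO with the GroupPolicy module, validating each name against the format rules above (file name plus extension, no path) before writing, and shows how to confirm the result on a client. The GPO name and the blocked file names are constructed sample values.

```powershell
# Added example: populate "Don't run specified Windows applications" in a GPO.
# Assumes the GroupPolicy module (RSAT) and rights to edit the named GPO.
Import-Module GroupPolicy

$GpoName   = 'Block Desktop Apps'           # assumed: the GPO created in Method 1, step 2
$BlockList = @('calc.exe', 'mspaint.exe')   # constructed sample entries

# Registry location this Administrative Template policy writes to (user hive)
$ExplorerKey = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$RunKey      = "$ExplorerKey\DisallowRun"

function Test-DisallowRunEntry {
    param([string]$Name)
    # Reject path separators or a drive colon and require an extension: the policy matches bare file names only
    if ($Name -match '[\\/:]') { return $false }
    return $Name -match '^[^*?"<>|]+\.[A-Za-z0-9]+$'
}

$invalid = @($BlockList | Where-Object { -not (Test-DisallowRunEntry $_) })
if ($invalid.Count -gt 0) {
    throw "Invalid entries (file name plus extension only): $($invalid -join ', ')"
}

# Enable the policy (DisallowRun = 1) ...
Set-GPRegistryValue -Name $GpoName -Key $ExplorerKey -ValueName 'DisallowRun' `
    -Type DWord -Value 1 | Out-Null

# ... and add one numbered REG_SZ value per executable, which is what the
# "Show" dialog of the policy writes behind the scenes.
$index = 1
foreach ($exe in $BlockList) {
    Set-GPRegistryValue -Name $GpoName -Key $RunKey -ValueName "$index" `
        -Type String -Value $exe | Out-Null
    $index++
}

# Review the resulting list stored in the GPO
Get-GPRegistryValue -Name $GpoName -Key $RunKey | Select-Object ValueName, Value

# On a client, after gpupdate, confirm the list reached the user's hive
function Get-EffectiveDisallowRun {
    $path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun'
    if (Test-Path $path) {
        $key = Get-Item $path
        $key.GetValueNames() | ForEach-Object { $key.GetValue($_) }
    }
}
```

Because the policy matches on file name only, the client-side check above lists exactly the names that will be blocked, which is the quickest way to spot an entry that also matches an unrelated application.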

 

Method 3.2: Blocking Software by Path, Hash, or Certificate

This advanced technique offers a granular control level, allowing administrators to block software based on the file’s path, its hash, or the associated certificate. It provides more precision and flexibility in managing application restrictions.


3.2.1 Blocking by Path:

  1. Open Group Policy Management Editor:

    • Access via administrative tools or by running “gpmc.msc”.

  2. Navigate to Security Settings:

    • Go to POLICIES > WINDOWS SETTINGS > SECURITY SETTINGS > SOFTWARE RESTRICTION POLICIES.

  3. Create New Path Rule:

    • Right-click “Additional Rules” and choose “New Path Rule…”.

    • Enter the path or file name, and set the security level to “Disallowed”.

  4. Apply and Verify:

    • Ensure the rule is active and test it on a client machine to confirm the restriction.


3.2.2 Blocking by Hash:

  1. Access Software Restriction Policies:

    • Same navigation as blocking by path.

  2. Create New Hash Rule:

    • Right-click “Additional Rules” and select “New Hash Rule…”.

    • Browse and select the executable file; the system will automatically compute the file’s hash.

  3. Set Security Level and Apply:

    • Choose “Disallowed” as the security level to block the specific file hash.


3.2.3 Blocking by Certificate:

  1. Access Software Restriction Policies:

    • Same initial steps as the previous methods.

  2. Create New Certificate Rule:

    • Right-click “Additional Rules” and opt for “New Certificate Rule…”.

    • Browse and select the certificate file associated with the software to be restricted.

  3. Apply the Restriction:

    • Set the security level to “Disallowed” and apply the rule.


Noteworthy Considerations:

  • Performance Implications: Especially for the certificate rule, performance impacts can arise. Thorough testing is essential before broad implementation.

  • Updates and Patches: For hash rules, any updates to the software will change the file’s hash, requiring the rule to be updated.

  • Policy Inheritance: Ensure to consider policy inheritance and conflicts to avoid undesired results or overrides.
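The "Updates and Patches" point above is easy to check mechanically. The following PowerShell is an added example, not part of the original article: on a client where the policy has applied, it reads the hash rules at the Disallowed level from the local Software Restriction Policies key, recomputes the hash of each executable you intended to block, and reports any that no longer match a stored rule (that is, rules made stale by an update). The target file list is a constructed sample.

```powershell
# Added example: detect SRP hash rules that no longer match the file on disk.
# Reads the CodeIdentifiers key Group Policy applies locally; values read
# (HashAlg, ItemData, FriendlyName) are the ones SRP stores for a hash rule.
$SaferRoot       = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$DisallowedLevel = 0                                  # SRP level id for "Disallowed"
$HashAlgs        = @{ 32771 = 'MD5'; 32780 = 'SHA256' }   # CALG_MD5, CALG_SHA_256

# Collect the hashes stored by Disallowed hash rules: ItemData holds the
# raw hash bytes, HashAlg the algorithm id.
function Get-DisallowedRuleHashes {
    $hashesKey = "$SaferRoot\$DisallowedLevel\Hashes"
    $found = @{}
    if (-not (Test-Path $hashesKey)) { return $found }
    foreach ($rule in Get-ChildItem $hashesKey) {
        $p   = Get-ItemProperty $rule.PSPath
        $alg = $HashAlgs[[int]$p.HashAlg]
        if (-not $alg -or -not $p.ItemData) { continue }   # unknown algorithm or empty rule
        $hex = ($p.ItemData | ForEach-Object { $_.ToString('X2') }) -join ''
        $found["${alg}:${hex}"] = $p.FriendlyName
    }
    return $found
}

# Compare each intended target's current hash against the stored rule hashes.
function Test-HashRuleCoverage {
    param([string[]]$Targets)
    $ruleHashes = Get-DisallowedRuleHashes
    foreach ($path in $Targets) {
        if (-not (Test-Path $path)) { continue }          # not installed here
        $covered = $false
        foreach ($alg in $HashAlgs.Values) {
            $h = (Get-FileHash -Path $path -Algorithm $alg).Hash
            if ($ruleHashes.ContainsKey("${alg}:${h}")) { $covered = $true; break }
        }
        [pscustomobject]@{ Path = $path; CoveredByHashRule = $covered }
    }
}

# Constructed sample: executables an administrator intended to block by hash.
$Targets = @("$env:SystemRoot\System32\calc.exe", 'C:\Program Files\Example\app.exe')

# Anything listed here has changed since its rule was created and needs a new hash rule.
Test-HashRuleCoverage -Targets $Targets | Where-Object { -not $_.CoveredByHashRule }
```

Run it after each patch cycle (or schedule it) so stale hash rules are caught before users notice the restriction has silently stopped applying.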


In conclusion, these advanced methods, though offering enhanced control, necessitate a comprehensive understanding and careful implementation to avoid unintended consequences. Always initiate these processes in a testing environment before live application, and maintain updated records of applied restrictions for management and review.

 