Windows NT has the RestrictRun registry key
where you can list the programs that NT Explorer will allow to be run. I
have never used it because it is easily cirumvented by running the restricted
commands from the command shell. It has some value in a kiosk environment or
where the users are naive. It also has the drawback that it is a registry hack
(with all that is implied in registry hacks).
The same registry solution would work in Windows 2000 but the Windows 2000
Server Resource Kit includes an Application Security utility, AppSec.exe, which restricts the access of users to a
predefined set of applications. Much easier to use and more comprehensive.
AppSec increases security by preventing the user from running an executable file
even through the command line, or from within another application. The
Application Security tool provides a simple GUI interface for adding and
removing permitted applications to the list. You enter fully qualified names.
AppSec uses the full path name and only the named
executable in the designated location can be run. This prevents users from
running other versions of the same executable file from alternate locations.
Makes it harder to get around AppSec .
AppSec has a niffty capability which makes it
interesting even if you aren't interested in restricting applications. It has a
tracking feature, which allows administrators to track the executable files
required for a permitted set of actions merely by performing those actions as a
user would. This feature enables the administrator to discover applications
which are being invoked from other applications (for example, Word invoked by
Microsoft Outlook for editing of mail).
Less than wonderful features:
- AppSec settings apply to the computer; there is no per user configuration.
- AppSec Tool can only be used to restrict 32-bit applications.
When AppSec is enabled, users are restricted from running any 16-bit
applications. To allow users to run all 16-bit applications, the administrator
can add ntvdm.exe to the authorized list of applications.
- AppSec restriction is named based.
It is unsophisticated.
It does not compare CRCs. This leaves the possibility of malicious users
introducing Trojans by replacing legitimate programs. Be careful of NTFS
permissions to prevent this.
- AppSec restricts only executable files, not DLLs.
The Application Security Utility has obvious value in kiosk environments on
workstations. Microsoft documentation focuses on applying restrictions in a
Terminal Services Application Server deployment. See the Windows 2000 Server
Resource Kit for more documentation. To install the Application Security
- Install the Resource Kit.
- Open a command window and run Instappsec.exe .