How to Prevent Users from Installing Software

In many companies and organizations, employees are found to use unauthorized software games, videos and software installed by the employees. This can reduce the companies’ productivity. Many companies use software restriction policies that restrict the users or employees of the company against installation of such software. Usually, Administrators are allowed to provide these rights and need to know how to prevent users from installing software.

The software restriction policies or privileges can be applied to an individual workstation or to the entire network. You need to login as an administrator to set these restrictions, give rights to the users to view and install certain software, restricting creation of unwanted programs.

How can you restrict software from installing in the system?

You can do two things to prevent the installation of the software. You need to change some settings in the windows group policy. These settings include, disabling or restricting the use of windows installer and use eminent privileges while installing.

Restricting the use of windows installer:

  • Go to start menu, click on search and type “gpedit.msc”; click on the search button. This will open the group policy editor, where you can edit the policies or rules of the group of the systems in network.
  • Go to computer configurations.
  • In computer configurations, click on administrative templates.
  • Select windows components here and then navigate to windows installer components.
  • Double click on disable windows installer in the right side pane. Here, you can change the configuration of the systems and give rights to the users.
  • The admin has to enable this setting, so that he can make changes in the group policies.
  • The “never” option in the disable windows installer indicates that the user can install and upgrade the software.
  • “for non-managed apps only” permits the users to install only those applications which the administrator has allowed them to install.
  • The “always” option disables the windows installer.
  • You can choose any option you wish to according to your requirement and the rules you want to set to the systems in the network.

Granting system permission while installing any software:

  • Follow the steps given above and navigate to the group policy editor.
  • Click on user configurations and in this navigate to administrative templates.
  • In administrative templates, click on windows components.
  • Select windows installer and change its configuration to “always install with elevated privileges”.
  • This setting will allow the user to check for permissions whenever they try to install any software in their system.

If you want to prevent the software from installation in windows XP, you have an additional tool in the windows installer called software restriction policy. This tool allows you to set rules for the systems in the network.

There are four types of rules, which you can set to the systems in network using this tool. These rules are certificate rules, hash rules, internet zone rules and path rules. You need to go into the control panel and change certain preferences there to set these rules. Out of these four rules, the certificate rules and the internet zone rules are somewhat similar.

Before knowing, the process of setting the rules let us know what type of rules will create what kind of filter.

Certificate rules:

  • Certificate rules can be applied to the windows installer packages that have been digitally signed.
  • When this rule is set, the system looks for whether the application is allowed to run on the system or not; it looks for the applications certificate.
  • It cannot be used to restrict .exe and .dll files from running.

Internet zone rules:

  • Internet zone rule can be used to restrict software downloading from the internet. It is similar to the certificate rules.
  • When you set this rule at the time of downloading, the browser looks to see in which zone the software falls and whether it is safe to download it or not.

Hash rules:

  • While creating this rule you need to have a copy of the file that you want to restrict from installation, as you need to create a hash of the file while creating this rule.
  • This rule cannot be violated unless the user doesn’t try to install a new version of the software or modifies the .exe file of the software.
  • This rule is mostly used to block specific application. In this you can easily use the available application, create a hash of the application, and block the software from installation.

Path rules:

  • Path rules can be set to prevent the users from running files from specific locations and restrict running the files from some other locations.
  • If the user moves the file to a different location and runs it, the application runs.
  • You should not restrict too many files from running on the user’s side. This will not allow the operating system from functioning well.

Following the steps given above you can change the setting within the installers and prevent unwanted installation of the software on an individual computer system or group of systems by the users.


Related Content:

  1. How to Protect Software
  2. How to Evaluate Software
  3. How to Prevent Conficker
  4. How to Prevent Hacking
  5. How to Resolve Windows Installer Problem

Leave a Reply