Allow one Windows user to only execute 2 applications
I'm using Windows 8 Pro. I'm trying to create a very limited Windows account. The account will only have:
- Remote Desktop Access
- Shell replaced by our own in-house application
- Access to the one FTP client (currently FileZilla) that our in-house application will launch for them (sends log-in info on command line)
I do not want them to be able to run any other applications. I've disabled task manager and replaced the shell, so the only way they can currently run other applications is from inside FileZilla, since it allows you to "open" an EXE (runs it) or other files that open other apps.
I tried Group Policy Editor, and from what I can tell all that does is not allow an admin user to run apps... but has no effect on non-admin users. I've seen HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun, but I need a white-list, not black, and also I think that only works for processes that Explorer starts, not other apps like FileZilla.
I'd like the blacklist to use the full path of the EXE also, not just the name. Since users will have FTP ability, and ability to rename files (nothing in the system or program files folders though, since this is a limited account).
I also tried going to the root of the C drive and adding a "Deny execute/traverse" permission at the file system level, but I get tons of errors about access denied on lots of folders like c:\windows and even stuff under c:\users. I then started to go to each sub-folder and add that permission, but it was taking forever and I was still getting lots of access denied errors (I was doing this from an admin account).
Update -- with the accepted answer, plus the info I found here, I got what I needed.
Start the MMC (Microsoft Management Console). Type mmc into the Start menu search box or command prompt window or you may use the “Run…” feature.
Select File and choose Add/Remove Snap-in… from the drop-down menu.
The Add or Remove Snap-ins dialog box will appear. On the left-hand pane, highlight Group Policy Object Editor and click Add >.
The Select Group Policy Object dialog box will now appear. Click the Browse… button. Switch to the Users tab and select Non-Administrators in the list. Click OK.
The Group Policy Object should now display, “Local Computer\Non-Administrators.” Click Finish.
Once I was able to set policies for the one user, using the above steps, I just had to go to "Admin Templates->System->Run only specified Windows applications". I had already tried that, but was missing the part about how to edit policies for only one user, not "admin users only" (which seems like a weird default to me).
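To confirm that the "Run only specified Windows applications" policy set through the steps above actually landed on the restricted account, the following added example (not part of the original post) reads the policy from that user's registry hive. The account name `ftpuser` and the expected list are hypothetical; run it elevated while the user is logged on. The policy's list takes executable file names, which is why the check flags any entry that contains a path.

```powershell
# Added example: audit the RestrictRun policy for one account.
param(
    [string]$UserName = 'ftpuser',                          # hypothetical account
    [string[]]$Expected = @('filezilla.exe', 'inhouse.exe') # hypothetical allow-list
)

# Resolve the account to its SID; a logged-on user's hive is HKEY_USERS\<SID>.
$sid = ([System.Security.Principal.NTAccount]$UserName).Translate(
           [System.Security.Principal.SecurityIdentifier]).Value
$hive = "Registry::HKEY_USERS\$sid"
if (-not (Test-Path $hive)) {
    throw "Hive for $UserName ($sid) is not loaded; the user must be logged on."
}
$explorer = "$hive\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"

# The policy is active only when the RestrictRun DWORD value is 1.
$flag = (Get-ItemProperty -Path $explorer -Name RestrictRun `
            -ErrorAction SilentlyContinue).RestrictRun
if ($flag -ne 1) {
    Write-Warning "RestrictRun is not enabled for $UserName"
    return
}

# Allowed programs are stored as string values under the RestrictRun subkey.
$key = Get-Item -Path "$explorer\RestrictRun" -ErrorAction Stop
$allowed = @($key.GetValueNames() | ForEach-Object { [string]$key.GetValue($_) })

foreach ($name in $allowed) {
    if ($name -match '[\\/]') {
        Write-Warning "'$name' contains a path; the list expects a bare file name"
    }
    if ($Expected -notcontains $name) {     # -notcontains ignores case
        Write-Warning "Unexpected entry: $name"
    }
}
foreach ($name in $Expected) {
    if ($allowed -notcontains $name) { Write-Warning "Missing entry: $name" }
}

"Allowed for ${UserName}: " + ($allowed -join ', ')
```

Because entries are matched by file name, pair this policy with file-system permissions that stop the account from writing or renaming executables anywhere it can launch them.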
Solution 1:
To further elaborate on what everyone else has said, the "correct" way to do this is through GPO. You may want to look at the package "Group Policy Common Scenarios Using GPMC", it is a set of group policy scripts to lock down workstations for various situations. I believe you are looking for the AppStation script.
The GPMC is not used anymore but the scripts are still really good templates for starting points for doing this.
AppStation
The AppStation scenario is used when you require highly restricted configurations with only a few applications. Use this scenario in “vertical” applications such as marketing, claims and loan processing, and customer-service scenarios.
The AppStation scenario has the following characteristics:
- Allows minimal customization by the user.
- Allows users to access a small number of applications appropriate to their job role.
- Does not allow users to add or remove applications.
- Supports free-seating.
- Provides a simplified desktop and Start menu.
- Users have restricted write access to the local computer and can only write data to their user profile and to redirected folders.
- Is highly secure.
TaskStation
Use the TaskStation scenario when you need the computer dedicated to running a single application, such as on a manufacturing floor, as an entry terminal for orders, or in a call center.
The TaskStation scenario is similar to the AppStation scenario, with the following changes:
- It has only one application installed, which automatically starts when the user logs on.
- No desktop or Start menu is present.
Kiosk
Use this scenario in a public area, such as in an airport where passengers check in and view their flight information. Because the computer is normally unattended, it needs to be highly secure.
The Kiosk scenario has the following characteristics:
- Is a public workstation.
- Runs only one application.
- Uses only one user account and automatically logs on. The system automatically resets to a default state at the start of each session.
- Runs unattended.
- Is highly secure.
- Is simple to operate, with no logon procedure.
- Does not allow users to make changes to the default user or system settings.
- Does not save data to the disk.
- Is always on (the user cannot log off or shut down the computer).
A workstation that uses the Kiosk scenario is similar to a TaskStation, but users are anonymous in that they all share a single user account that automatically logs on at computer startup. This is achieved by modifying the Kiosk machine in a manner described later in this document. No customizations can be made and no user state is preserved.
Although user sessions are usually anonymous, the user can log on to an application-specific account, such as to a Web-based application through Internet Explorer (assuming Internet Explorer is the “kiosk application” launched at startup).
The dedicated application could be a Line of Business (LOB) application, an application hosted in Internet Explorer, or another application, such as one available in Microsoft Office. The default application should not be Windows Explorer or any other shell-like application. Windows Explorer allows more access to the computer than is appropriate for a Kiosk computer. Be sure the command prompt is disabled and Windows Explorer cannot be accessed from any application you use for this purpose.
Applications used for kiosk scenarios should be carefully checked to ensure they do not contain “back doors” that allow users to circumvent system policies. For example, they should not allow users access to applications that access the file system. Ideally, you should only use applications that comply with “The Application Specification for Windows 2000”, are Certified for Windows, and that check for Group Policy settings before giving users access to prohibited features. Older applications will not normally be Group Policy-aware, so try to disable any features that allow users to bypass administrative policy.
The registry entries Run and RunOnce are disabled in the Kiosk scenario through associated policy settings.
Solution 2:
The best way to do this would be through a GPO software restriction policy as Zoredache commented, but if you don't have a domain, the local GPO editor won't be as powerful nor as much use to you.
The easiest (albeit not perfect) way of accomplishing this would be to do the following:
- Install third party applications (like Filezilla and your proprietary program) into a folder at the root of C:/, such as C:/Apps. Give your user permissions to this folder.
- Deny access to your user to the C:/Program Files and C:\Program Files (x86) folders.
- Remove all folders and shortcuts in the Start Menu and only leave entries for your approved applications or remove the Start Menu entirely and use only desktop icons.
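The folder layout from this answer, as an added example that is not the answerer's own code. It assumes a hypothetical local account `ftpuser` and that "permissions" on `C:\Apps` means read and execute only; a folder created under `C:\` normally inherits a Modify entry for Authenticated Users, so the script removes inheritance and then checks that no non-admin principal can write there.

```powershell
# Added example: apply and verify the ACL layout. Run elevated.
$User = "$env:COMPUTERNAME\ftpuser"   # hypothetical limited account
$Apps = 'C:\Apps'                      # folder named in the answer

# Explicit ACEs first (well-known SIDs avoid localized group names),
# then drop the entries inherited from C:\.
icacls $Apps /grant:r '*S-1-5-32-544:(OI)(CI)F'   # BUILTIN\Administrators
icacls $Apps /grant:r '*S-1-5-18:(OI)(CI)F'       # NT AUTHORITY\SYSTEM
icacls $Apps /grant:r "${User}:(OI)(CI)RX"        # read and execute only
icacls $Apps /inheritance:r

# Deny the account read/execute on both Program Files trees.
foreach ($dir in ${env:ProgramFiles}, ${env:ProgramFiles(x86)}) {
    if ($dir) { icacls $dir /deny "${User}:(OI)(CI)RX" }
}

# Verify: no Allow ACE on C:\Apps may give write-type rights to anyone
# other than Administrators or SYSTEM, otherwise an uploaded or renamed
# executable could be placed in the allowed folder.
$writeMask = [System.Security.AccessControl.FileSystemRights](
    'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership')
$trusted = 'S-1-5-32-544', 'S-1-5-18'

$rules = (Get-Acl -Path $Apps).GetAccessRules(
    $true, $true, [System.Security.Principal.SecurityIdentifier])
$risky = @($rules | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    ($_.FileSystemRights -band $writeMask) -and
    $trusted -notcontains $_.IdentityReference.Value
})

if ($risky.Count -gt 0) {
    $risky | ForEach-Object {
        Write-Warning "$($_.IdentityReference.Value) can modify ${Apps}: $($_.FileSystemRights)"
    }
} else {
    "OK: only Administrators and SYSTEM can modify $Apps"
}
```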