Prevent users from installing firefox?


Batman5177

Senior member
Dec 30, 1999
216
0
0
I could send a company-wide email, but new employees wouldn't get this notice unless I send this email out every week! I'm sure upper management, including everyone else, wouldn't like being threatened all the time.

Our user accounts have already been limited, no one has local admin access. Programs such as Google Desktop fail to install, but only Firefox doesn't require an admin account to install.
 

mechBgon

Super Moderator
Elite Member
Oct 31, 1999
30,699
1
0
Originally posted by: Batman5177
I guess I was editing my post as you were replying to it! Thanks for being so quick on it though!

Here's what I added:

In your example of UT2004Demo folder, the user has unrestricted access. Will they be able to save and run executables in that folder? If they put Firefoxsetup.exe in that folder and installed it in there also, would Firefox run?
If the user has write access to a folder that is also in the SRP Unrestricted list, then they could run Firefoxsetup.exe. If they install FF to that same location, then they could run the browser after setup.

Do your workstations have abnormal folders like the C:\UT2004Demo folder in my example? If so, make sure the Users group has no higher than Read & Execute permissions to them, so they cannot put new files into the folder. Or else don't make a Path Rule that sets them to Unrestricted. Maintain the Catch-22 situation.

You can also create a disallowed Hash Rule that targets a particular version of FF by its hash. It wouldn't be allowed to run, no matter what they named it, or where it was located. That's easily done and you could create a Hash Rule for each unwanted version. But hopefully it doesn't become necessary.

Bigger picture: document this stuff for HR.

If you happen to have VirusScan Enterprise 8.0i, I also know some tricks there. For Win2000 systems especially, that don't have SRP, VSE8.0i can do something similar via a behavior-blocking rule.
 

Batman5177

Senior member
Dec 30, 1999
216
0
0
We do have a few workstations that have "abnormal" folders. One example is payroll software, which requires the user to have read and write access to that folder. For those computers I have removed local admin rights for the users, and added read and write access to just that specific folder. The payroll software actually requires that the user have read and write access to the C:\Windows directory.

My understanding of Hash Rules is that I would have to restrict every new version of Firefox that comes out, as well as all community builds. I don't know if this would work out.
 

mechBgon

Super Moderator
Elite Member
Oct 31, 1999
30,699
1
0
Originally posted by: Batman5177
We do have a few workstations that have "abnormal" folders. One example is payroll software, which requires the user to have read and write access to that folder. For those computers I have removed local admin rights for the users, and added read and write access to just that specific folder. The payroll software actually requires that the user have read and write access to the C:\Windows directory.
Another software that often results in an abnormal folder is UPS WorldShip. If you've only got a few workstations with oddball folders, you can always create a blanket domain-wide policy that sets them to Unrestricted. The people who don't already have those folders won't be able to create them, and hopefully your accounting people are not uber-geeks who will try to install FireFox into them.

My understanding of Hash Rules is that I would have to restrict every new version of Firefox that comes out, as well as all community builds. I don't know if this would work out.
It would be a war of attrition, but if your "problem employees" don't have Write permissions to folders that are in the SRP's Unrestricted list, then you shouldn't even have to fight that war. Start with the basic SRP, add the rules needed for oddball programs like the accounting software, and that should be a good opening move. Plus, as my SRP page mentions, it boosts security in many ways.

Where I worked before, we had a couple employees fall for the advertisements for SpywareCleaner, stating that "your computer may be infected by spyware, download & run our free scanner." They downloaded it, it ran, it claimed that OMG UR 'PUTER IS TEH INFECTED (falsely, of course) and made me look bad. It was a wake-up call; regular employees should not be able to execute stuff that the Admin didn't put on the system. Because it could easily have been something much worse than just a scamware "scanner."
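The check both of mechBgon's posts above describe (no folder on the SRP Unrestricted list may be writable by ordinary users), as an added PowerShell example that is not part of the original thread. The path list and the trusted-SID list are constructed assumptions to replace with your own policy's values; the script goes slightly beyond the posts by also checking subfolders, since a path rule covers everything beneath it.

```powershell
# Added example: find folders under SRP "Unrestricted" path rules where a
# non-admin principal can create files (which would break the Catch-22).

# Constructed sample list: replace with the Unrestricted path rules in your policy.
$UnrestrictedPaths = @(
    $env:SystemRoot,
    $env:ProgramFiles,
    'C:\UT2004Demo'          # the "abnormal" folder used as the example in the thread
)

# Principals allowed to write (assumption: adjust for your environment).
$TrustedSids   = @('S-1-5-18', 'S-1-5-32-544')   # LocalSystem, BUILTIN\Administrators
$TrustedPrefix = 'S-1-5-80-'                     # service SIDs such as TrustedInstaller

# Rights that let a principal add a file or a subfolder to the folder.
$WriteMask = [int][System.Security.AccessControl.FileSystemRights]'CreateFiles, AppendData'
$InheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly

function Get-WritableAce {
    param([Parameter(Mandatory)][string]$Folder)

    try   { $acl = Get-Acl -LiteralPath $Folder -ErrorAction Stop }
    catch { return }   # unreadable ACL: skip rather than abort the whole audit

    # Ask for SIDs directly so the result does not depend on name resolution.
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($ace in $rules) {
        $sid = $ace.IdentityReference.Value
        if ($ace.AccessControlType -ne 'Allow')                    { continue }
        if ($ace.PropagationFlags -band $InheritOnly)              { continue }  # applies to children only
        if (([int]$ace.FileSystemRights -band $WriteMask) -eq 0)   { continue }
        if ($TrustedSids -contains $sid -or $sid.StartsWith($TrustedPrefix)) { continue }

        [pscustomobject]@{ Folder = $Folder; Sid = $sid; Rights = $ace.FileSystemRights }
    }
}

$findings = foreach ($root in $UnrestrictedPaths) {
    if (-not (Test-Path -LiteralPath $root -PathType Container)) { continue }
    Get-WritableAce -Folder $root
    Get-ChildItem -LiteralPath $root -Directory -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object { Get-WritableAce -Folder $_.FullName }
}

# Every row is a folder to tighten to Read & Execute or to exclude from the Unrestricted rule.
$findings | Sort-Object Folder, Sid | Format-Table -AutoSize
```

Run it from an elevated prompt so the ACLs of protected folders can be read; an empty result means no listed folder grants create rights to an untrusted principal.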
 

Markbnj

Elite Member
Moderator Emeritus
Moderator
Sep 16, 2005
15,682
14
81
www.markbetz.net
It was a wake-up call; regular employees should not be able to execute stuff that the Admin didn't put on the system.

The position that 99% of corporations take these days. I think the OP should separate these two issues, because mucking them up together just makes it harder to cope with. On the one hand the application doesn't work with FF. Block it at the entry page. On the other people are installing stuff that shouldn't be on their systems. Deal with that separately with applicable tools and techniques. A perfect solution to one doesn't obviate the need to deal with the other anyway.
 

alfons_aaberg

Junior Member
Dec 7, 2012
1
0
0
Funny how this question turned into a war over whether or not to allow FF. In our company we deploy software to users through our Microsoft SCCM. We allow the use of Google Chrome, Firefox, Safari and IE. For some systems users are told to use FF, for others IE.

We in the IT department would really like to stop FF and Chrome from being installed in Appdata, because there is actually a downside compared with the correct version installed in C:\Program Files\. The Appdata versions tend to grow bigger and bigger, and after a long time the machine gets really slow. The worst case I've seen is an FF that after 6 months slowed the machine so much that the mouse lagged every 3 seconds when moving it.

It seems, from what I can find, that the only way to prevent this is to make a GPO that prevents .exe files with specific names from being created/run. I found this link:
http://www.windowsitpro.com/article/installation2/how-to-stop-users-from-installing-google-chrome-100418

If anyone has any feedback on the FF issue it would be nice.

Users here get the SCCM version 5 minutes after they ask for it, but many think it's against IT policy to install these programs, so they try without asking and we then get a pissed-off user 6 months later with a slow computer, and basically it's their own fault...
 

Fardringle

Diamond Member
Oct 23, 2000
9,200
765
126
This discussion is almost six years old. You're not likely to get a lot of feedback from the people that were originally involved. Still, a proper software restriction policy will do what you are asking.
 