Thanks Bob!

Dave

From: Free, Bob [mailto:[email protected]]
Sent: Wednesday, July 08, 2009 1:38 PM
To: NT System Admin Issues
Subject: RE: GPO to block chrome.exe

David-

After I made that comment yesterday about google not necessarily giving end users the final say because they had offered some administrative tools for enterprises to control the toolbar in the past, and seeing Bonnie's comment about blocking the installer, I got curious and went to look if those tools were still available and if they had offered anything else for all the apps that have appeared since I used the toolbar template for our GPO 3 or more years ago, so I googled google :). Turns out they still have the original Enterprise kit for toolbar and do have some later stuff for the newer apps.

Toolbar Enterprise Guide
http://desktop.google.com/enterprise/adminguide.html
(can't verify the url but that's what our websense is blocking so I think it's still good)

Installer/Updater
http://www.google.com/support/installer/bin/answer.py?hl=en&answer=146164

"Google provides an Administrative Template that defines policies for Google Update/Google Installer. You can apply Google Update policies by loading the Administrative Template into the Group Policy Editor of your choice."

IIRC- One thing that could be done with the toolbar was to block the CLSID of the installer itself; we implemented that with the GPO and some rules in websense and the security guys were happy with the solution. There may have been one other element to the solution, as it was quite some time ago and my recollection is fuzzy, but the end result was that the toolbar was blocked to their satisfaction. I don't know how comprehensive the newer one is but I did see chrome mentioned in a cursory glance.

    C:\DATA\GPO\ADM>findstr /I chrome *
    GoogleUpdate.adm: CATEGORY !!Cat_GoogleChrome
    GoogleUpdate.adm: EXPLAIN !!Explain_InstallGoogleChrome
    GoogleUpdate.adm: EXPLAIN !!Explain_AutoUpdateGoogleChrome
    GoogleUpdate.adm: END CATEGORY ; Google Chrome
    GoogleUpdate.adm:Cat_GoogleChrome=Google Chrome
    GoogleUpdate.adm:; Google Chrome
    GoogleUpdate.adm:Explain_InstallGoogleChrome=Specifies whether Google Chrome can be installed using Google Update/Google Installer.\
    /snip

From: David Lum [mailto:[email protected]]
Sent: Wednesday, July 08, 2009 11:46 AM
To: NT System Admin Issues
Subject: RE: GPO to block chrome.exe

Yeah, I was afraid that all that was the case. Servers are not R2, no roaming profiles, so I am largely out of luck unless I want to do more work than is really worthwhile at the moment.

From: Miller Bonnie L. [mailto:[email protected]]
Sent: Wednesday, July 08, 2009 11:14 AM
To: NT System Admin Issues
Subject: RE: GPO to block chrome.exe

If you are talking about a software restriction policy value that you've added, it will only block the ability to run chrome.exe out of that location you've specified - it does not filter out the actual file from existing on the system. The hash block is also going to only work on that specific version, and you could run into versioning issues as upgrades are released.

WS03 R2 or higher has File server resource manager (part of the R2 quota tools), which can be used to add file screens, but that won't work on a local workstation (it's possible they've added something with Vista and up that I'm not aware of - probably worth searching). If these are roaming profiles, FSRM file screens could prevent it saving back to the server, but we've had all sorts of grief with that type of setup - you're better off blocking the installation application or locking down rights to install in the first place. If that's not an option, you might be looking for something third party.

-Bonnie

From: David Lum [mailto:[email protected]]
Sent: Tuesday, July 07, 2009 10:53 AM
To: NT System Admin Issues
Subject: GPO to block chrome.exe

I have a GPO with a path value blocking %userprofile%\Local Settings\Application Data\Google\Chrome\Application\chrome.exe, but it doesn't seem to be working. Running the modeling wizard I see the GPO is applied to the correct system. I also see chrome.exe seems to exist in all sorts of "Local Settings\Temp\chrome_nnnn" locations, what's up w/ that?

I also have a hash value block of the .EXE (well, one version of them) in the same GPO.

I need to block the app (please don't get me started at blocking the install in the first place...one step at a time here). Ideas?

David Lum // SYSTEMS ENGINEER
NORTHWEST EVALUATION ASSOCIATION
(Desk) 971.222.1025 // (Cell) 503.267.9764
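
Added example, not written by anyone in this thread: a PowerShell inventory that shows on one workstation the two gaps discussed above, namely copies of chrome.exe outside the directory named in the path rule and distinct versions that a single hash rule will not match. It assumes PowerShell 4 or later and that profiles live under C:\Users; SHA-256 is used here only to tell binaries apart, not as a statement of which hash the policy itself stores.

```powershell
# Added example: find every chrome.exe under the local user profiles and
# group the copies by file hash.
# Assumption: profile root is C:\Users (on XP/2003 it is "C:\Documents and Settings").
$profileRoot = 'C:\Users'

$copies = Get-ChildItem -Path $profileRoot -Filter 'chrome.exe' -Recurse -Force -File `
              -ErrorAction SilentlyContinue |
    ForEach-Object {
        [pscustomobject]@{
            Path    = $_.FullName
            Version = $_.VersionInfo.FileVersion
            SHA256  = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
        }
    }

# One entry per distinct binary. Every distinct hash listed here would need
# its own hash rule, and each upgrade adds another.
$copies | Group-Object SHA256 | ForEach-Object {
    [pscustomobject]@{
        SHA256  = $_.Name
        Version = ($_.Group | Select-Object -First 1).Version
        Copies  = $_.Count
        Paths   = ($_.Group.Path -join '; ')
    }
} | Format-List

# Copies that sit outside the directory named in the path rule
# (for example under a Temp\chrome_nnnn folder) are not covered by that rule.
$ruleDir = '\Google\Chrome\Application\'
$copies |
    Where-Object { $_.Path -notlike "*$ruleDir*" } |
    Select-Object Path, Version
```

Run it from an elevated prompt so that other users' profile folders are readable; unreadable folders are skipped silently.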
