This question is more of a general one as it doesn’t actually refer to my work environment; rather, a friend asked me for advice. My friend has a father who was stung by scammers, so he is now looking to lock down his father’s Win 10 Pro laptop to stop him installing software other than what he has already installed and to prevent popups and the like when he is browsing.
I mentioned he could implement a local group policy to restrict his father from installing any extra software, but from my own experience this isn’t foolproof. As I understand it, even when a policy has been put in place to block an install, a user can still install software if it only applies to their profile and not all users. So essentially I am looking for advice here for how someone running Win 10 Pro could really lock the hell out of a machine and just let a select few apps be run and no further apps installed.
One option I thought about was AppLocker, which only runs on Enterprise or Education as far as I know; I guess he could purchase a copy of that. Does anyone know how effective AppLocker is?
His father wouldn’t actively try to breach it, but he is extremely gullible when answering phone calls and does what he is told, for instance when tricked on the phone by someone pushing a “deal of a lifetime”, hence he got stung for a lot of money recently. So in essence we need the machine to be Fort Knox; we would want to block remote access sites like LogMeIn Rescue or similar getting into the machine as well. Any advice would be appreciated. It’s a shame he has to go to these lengths to protect his father, but I guess old age catches up to us all.
Swap it out with a Chromebook, especially if all he is doing is reading email and browsing Facebook or similar activities.
The most effective solution would be to remove his local administrator rights. Create another user with admin rights. Take his user’s rights away. Then if he wants to install some legit software his son can do it with the admin credentials.
But doesn’t the same thing apply if he tries to install an app that applies only to his user profile? Then it will allow it.
Users at work do not have the ability to install software as we denied it with group policy but every now and again someone still installs something as it applies only to their user profile and is therefore allowed.
Yeah I hear you about the grandma, except he was scammed for a fair bit of money instead with amazing “investments”.
We do this at work and it ensures only an admin can then install software, as only admins can modify program files.
Also, most malicious software that takes control of your PC needs admin access to be successful, not just to be run in a user’s security context. An exception to this would be crypto ware that encrypts files.
But again, if run in a user’s context without admin rights it could only encrypt files that user had access to. A good antivirus would stop this, such as Sophos Central with Intercept X.
I’m going to disagree here. Many browser exploits or malicious email links do not need admin rights to run; they use exploits and scripts to execute bypass techniques in already vulnerable systems – and given most home users don’t patch because they don’t know how, Microsoft force it for ‘Home’ editions of Windows. Since this person has ‘Pro’, the management of patches is on them.
Why else would AppLocker and SRPs need to be put in place in businesses? Many companies don’t give users admin rights to help reduce the risk, but this in itself does not negate them clicking a ‘PDF’ link to a fake Office update that executes a piece of code to exploit a vulnerability in something like OLE objects, Flash or Java, to name just a handful of applications. Most of these ways in are also not detectable by AV or malware scanners as they are neither; it’s only after the fact they are issues, and at that point it’s typically too late.
Remove admin rights, whitelist SRP whitelist is key here. As long as you have Pro you can use local policy.
You absolutely can install to your profile without admin.
Give him a guest account, instead of an admin account. So create another account, and make it a guest account, then lock down his previous account either with a password change, or just create a new admin account for yourself and delete his previous admin account.
I think a few have got carried away here. This is a home scenario, removing admin rights is enough. Set up proper spam and scam functions for the elderly easily available especially in Gmail.
Brand Representative for Zoho. You can install Desktop Central that comes free for 25 devices, more like a server-client model. If you do have a lap, you can install the server here and agent on your father’s machine.
Brand Representative for PolicyPak. To block these you need some kind of whitelisting. Video 3: Block other crap and nonsense, like Control Panel, Scripts, and other junk which could be an attack vector:
If they need Windows 10 for like certain software and stuff then a non admin account and a good ad blocker and a real antivirus can help. But if they don’t need to run X software that requires Windows, honestly a Chromebook would be the best bet.
Make sure he doesn’t have admin rights or power user rights, but only local rights. This will keep from installing any potential malware onto pc.
As far as this topic is concerned, it doesn’t matter. As much as I’m generally loath to recommend them (partly because they’d misrepresented themselves in advertisements as “anti-virus software” and also generally negative reviews with regards to them not keeping up on legitimate software), it sounds like they could benefit from PCMatic or perhaps a similar software developed by someone that keeps better track of legitimate programs which operates based off of a white-list approach i.
Absolutely this. I convinced two of my more “vulnerable” family members to buy Mac Mini machines after having done several virus removals – not a single call about malware since!
My parents have a similar problem. I’ve removed local admin from their logins and have my own I use to install software. No group policy or other fancy stuff needed. I’ve set up a backup regimen for them by using Macrium free to an external drive with reminders that they have to plug it in and unplug it after the backup. They’re pretty good about it, and it air-gaps the backup so it doesn’t get trashed if they contract ransomware.
I agree with the others that are saying to make his profile a “Standard” account and not an admin account. Then to actually restrict apps that can be installed would be left up to a third party Antivirus. That I would have to do more research on.
I think most people that said simply take away his admin access were right on the money. There’s no need for over the top controls in this case, simple is best.
DragonsRule is correct, a user logged into a standard account will be allowed to install programs that do not affect other user accounts. This is the simplest way to prevent software installation. You should see the Group Policy Editor box open. Right click Windows Installer and select Edit. Select Enabled in the top pane. Select OK.
Prevent software installation through command line: As usual there is a command line method to prevent users from installing software in Windows. Right click, select Edit and change the 0 to a 1 to disable Windows Installer.
Admittedly it’s Windows 10 Home but my mum has a “child” account. No installs without my admin password. Also works for the other ‘kids’ in the family.
We use the same policy at work. None of our users have install rights since only us IT guys have local admin rights on all PCs.
This might sound a bit demeaning but one other option would be to also enable parental controls on the laptop. It gives you certain possibilities to track what the user is doing and might give you a chance to prevent some certain damage as well. Either that or only give users access to the computer through Guest accounts, and then just specify what the Guest account can get to.
If not Chromebook then just load a friendly flavor of Linux as the main OS.
Create shortcuts to the important stuff, call them things like “Internet”, “Email”, “Letter writing thingy” or whatever the main user calls them. It is so unfortunate that some folks just don’t get it when someone is trying to hoodwink them.
Good suggestions listed, especially limited account type and locking down software installs. Good luck. Ground Hog Day You can leave folders unthawed if needed My Documents. Or check out Horizon DataSys products. Rollback Home and Reboot Restore Rx are both free for home use.
Quick way to add a normal user
As others have mentioned, removing admin rights doesn’t stop users installing apps on their user profile, but it is still less dangerous. What I also do for relatives is install something like TeamViewer that I can then support them over the internet with, so if they panic I can get on and help them out.
Seems we are missing out on an opportunity for user training and education. The person in question could still receive the phone call claiming they owe back taxes and they need to pay with gift cards. The scammer calls are not just computer related. I agree to limit the user’s abilities on the computer, but training and education should be the first line of defense.
One thing that can help block a lot of the profile applications is to block executables from AppData folders. Can be done by GPO.
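Several replies above note that a standard account can still install software into its own profile, and the last reply suggests blocking executables from AppData by GPO. As an added example (not from any poster in the thread), this read-only PowerShell audit lists what is already registered or sitting there for the signed-in user, so a block rule can be planned without breaking wanted apps; the extension list and the sort order are assumptions made here.

```powershell
# Added example: read-only audit of per-user software for the signed-in account.
# Run it while logged in as the standard (non-admin) user being checked.

# 1. Programs registered per user. Installers that need no admin rights
#    write their uninstall entry under HKCU instead of HKLM.
$uninstallKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*'
$perUserApps = Get-ItemProperty -Path $uninstallKey -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName } |
    Select-Object DisplayName, Publisher, InstallLocation

# 2. Executable files under the profile's AppData trees, the locations a
#    path-based block rule would cover. The extension list is an assumption.
$roots = @($env:LOCALAPPDATA, $env:APPDATA) |
    Where-Object { $_ -and (Test-Path -LiteralPath $_) }
$extensions = '.exe', '.msi', '.scr'

$found = foreach ($root in $roots) {
    Get-ChildItem -LiteralPath $root -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $extensions -contains $_.Extension.ToLower() } |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -LiteralPath $_.FullName -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Modified  = $_.LastWriteTime
                Signature = $sig.Status   # Valid, NotSigned, HashMismatch, ...
                Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
                Path      = $_.FullName
            }
        }
}

'Per-user installed programs:'
$perUserApps | Sort-Object DisplayName | Format-Table -AutoSize -Wrap

'Executables under AppData (newest first):'
$found | Sort-Object Modified -Descending | Format-Table -AutoSize -Wrap

# Anything not validly signed deserves a closer look before it is allowed.
$unsigned = @($found | Where-Object { $_.Signature -ne 'Valid' })
"Files without a valid signature: $($unsigned.Count) of $(@($found).Count)"
```

The script changes nothing on the machine; entries the family recognises go on the allow list, and anything else is a candidate for removal by the admin account.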