One of the most challenging tasks in system administration is restricting the use of certain applications. Endpoint Central lets you perform this task with ease. Using this feature, you can block the required applications/executables and apply these restrictions to specific computers. Endpoint Central's prohibited software feature helps you detect and uninstall software applications that are not allowed in the network. The block executable feature lets you restrict an executable when it is launched on the target computers. You can even block executables such as notepad.exe and putty.exe, which are launched without being installed on the target computer. All the file formats supported under the Windows "Software Restriction Policy" can be blocked using Endpoint Central. There are two ways to block an application/executable: by path rule or by hash value.
The following prerequisites should be met for blocking the executable
You can choose this option to create a policy that blocks an executable. A path rule blocks an executable based on its name and extension. If the user renames the application, it will not be recognized, which means it will not be blocked. This rule can be used to block applications even if they are not available in your network; all you need to know is the name of the executable and its file extension. A path rule blocks all versions of the specified application. For example, if you have created a path rule to block a specific version of the Google Chrome browser, say version 44.0, the policy will block all versions of Google Chrome, unless the executable is renamed.
A hash is a unique value that represents the executable. If you choose to block an executable using its hash value, it will be blocked even if it is renamed. To block an executable using its hash value, you should locate it on the server so that the hash value can be calculated.
If you want to block an executable on a specific target, you have to create a policy. Selecting the target computers is the first step in creating a policy. You then select the executable that needs to be blocked, if it exists in the database. If you are blocking an executable for the first time, you have to add the executable and choose the block rule as path or hash. You can create two different policies for a single executable, one using the path and the other using the hash value. The policy is applied on the target computer for the first time after the system restart. You can also remove a policy if you wish to suspend a block rule and whitelist an executable.
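The sketch below is an added illustration, not Endpoint Central code: it models the path rule and hash rule described above over constructed sample files, to show which copies each rule type matches. SHA-256 and all function names are assumptions; the page does not state which hash algorithm the product uses.

```python
import hashlib
import os
import tempfile

# Constructed samples: byte strings stand in for real executables.
SAMPLES = {
    "tools/putty.exe": b"constructed build A",
    "tools/notes.exe": b"constructed build A",  # same bytes, renamed
    "new/PuTTY.exe": b"constructed build B",    # same name, other version
}

def file_hash(path):
    """Hash file contents only; the name plays no part. SHA-256 is assumed."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def path_rule_matches(path, blocked_name):
    # Name and extension only, compared case-insensitively as on Windows.
    return os.path.basename(path).lower() == blocked_name.lower()

def hash_rule_matches(path, blocked_hash):
    return file_hash(path) == blocked_hash

def evaluate(paths, blocked_name, blocked_hash):
    """Return {path: list of rule types that match the file}."""
    verdicts = {}
    for p in paths:
        checks = {"hash": hash_rule_matches(p, blocked_hash),
                  "path": path_rule_matches(p, blocked_name)}
        verdicts[p] = [kind for kind, hit in checks.items() if hit]
    return verdicts

def demo():
    with tempfile.TemporaryDirectory() as root:
        full = {rel: os.path.join(root, *rel.split("/")) for rel in SAMPLES}
        for rel, data in SAMPLES.items():
            os.makedirs(os.path.dirname(full[rel]), exist_ok=True)
            with open(full[rel], "wb") as f:
                f.write(data)
        reference = file_hash(full["tools/putty.exe"])  # copy the admin hashed
        verdicts = evaluate(full.values(), "putty.exe", reference)
        return {rel: verdicts[full[rel]] for rel in SAMPLES}

if __name__ == "__main__":
    for rel, hits in demo().items():
        print(f"{rel:18} matched by: {', '.join(hits) or 'no rule'}")
```

The renamed copy is matched only by the hash rule and the other version only by the path rule, which is the coverage case for creating both policies for one executable.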
By default, Endpoint Central has a custom group that contains all the managed computers. If you want to block an executable for all the managed computers, choose the "All Managed Computers" group and select the executable that needs to be blocked. You have to create a policy by specifying the target and the executable that needs to be blocked.
To block an executable for a specific target, you have to create a new custom group or use an existing custom group. Custom groups can be of any type, such as unique or static. You can block an executable by choosing a custom group that contains computers.
"Block executable" does not support blocking executables that are initiated by the system.
Click Group Policy.
Click on "Turn Off Local Group Policy Objects Processing" as shown below.
Ensure that you have chosen "Not Configured" as shown in the image below.
You have now enabled Local Group Policy on the target machine.
Click "Software Restriction Policy".
Double-click "Enforcement" to ensure that "All Users" is selected, as shown in the image below.
You have now enabled Local Group Policy for Administrators.