How do I Block Group Firefox through Group Policy?

    Question

  • I work in an organization where we need to limit the user from using Firefox. Is there a way we can use Group Policy to prevent users who have Firefox installed from being able to use it?
    Tuesday, October 19, 2010 7:01 PM

Answers

  • Hello,

    You can also configure AppLocker to block Firefox by using Group Policy.

    How to configure AppLocker Group Policy in Windows 7 to block third-party browsers
    http://www.grouppolicy.biz/2010/04/how-to-configure-applocker-group-policy-in-windows-7-to-block-third-party-browsers/

    Brent
    Friday, October 22, 2010 8:41 AM
    Moderator
  • Hi,

    GPOs in Windows XP and Vista have a mechanism called Software Restriction Policies that will allow you to block Firefox either by path or file hash (I would suggest using both) as requested. Windows 7 introduced an enhanced version of this called AppLocker. Both can be found under Computer Configuration\Windows Settings\Security Settings.

     More information can be found here:

    http://technet.microsoft.com/en-us/library/bb457006.aspx

    http://technet.microsoft.com/en-us/library/dd723678(WS.10).aspx

     

    Thanks,

    Guy

    Tuesday, October 19, 2010 7:18 PM
  • On 19.10.2010 21:01, Richard Garcia wrote:

    I work in an organization where we need to limit the user from using firefox.

    You cannot do that properly by GPO.
    Why do you want to configure 2.500 clients if you can do it on one
    single machine? Disable the user-agent in your proxy.
    You do not have a proxy? Now you know why you should have it ...

    Mark


    Mark Heitbrink - MVP Windows Server - Group Policy

    Homepage:    www.gruppenrichtlinien.de - deutsch
    GPO Tool:    www.reg2xml.com - Registry Export File Converter
    NNTP Bridge: http://communitybridge.codeplex.com/releases

    Tuesday, October 19, 2010 8:52 PM
  • Hi,

    On 19.10.2010 21:18, Guy Yardeni [MVP] wrote:

    to block firefox either by path or file hash

    rename it, change version, unzip or copy to %temp% = Firefox will work

    SRP can only handle it with a pure whitelist, you do not want to
    administrate a whitelist ...

    AppLocker.

    Same problem, only whitelisting can guarantee the function of
    "blocking".

    Why do all people try to configure clients with GPO, if the job needs to
    be done on a central system?

    Web access is the job of your Proxy/Firewall/Routing concept and not
    the business of your clients.

    Mark



    Tuesday, October 19, 2010 8:52 PM
  • Thanks for the contribution Mark, you make an excellent point. 

     

    A true blocking solution does require a whitelisting configuration that defines allowed software and blocks the rest. However, a decent approximation can be created by adding a few dozen hashes for easily available downloadable versions and keeping the list up to date as new versions come out. Blocking the download web site would also be useful to make it harder for folks to get the software.

     

    A proxy server is a great solution but it does introduce additional technology and complexity - it must be redundant if it's inline, it must be deployed to every outbound Internet access location and it must be understood, secured and maintained.

     

    As is common in IT, there is a trade-off between the effort required for a complete solution and the potential weakness of a 90 something perfect solution.

     

    Guy 

    Tuesday, October 19, 2010 9:32 PM
  • Hi Guy,

    On 19.10.2010 23:32, Guy Yardeni [MVP] wrote:

    [...] and the potential weakness of a 90 something perfect solution.

    You are really optimistic, my guess is it's less :-))

    To me, the administrative effort to keep the list up to date etc. is more
    than introducing a proxy, but perhaps that's because I am familiar with
    the technic.

    And another point is, I like the idea more, because even a local admin
    can not get around my configuration on the proxy.

    Mark



    Wednesday, October 20, 2010 9:31 PM
  • You can use a HASH rule under Software Restriction Policies in GPO.

    You can restrict it using path rule also but it will not work properly because it will block the software based on path only.

    So recommendation is to go for HASH rule.

    Thursday, October 21, 2010 8:53 AM
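
Added example (not part of the original thread and not code from any poster): a small Python model of the rule types debated above, showing which files in a constructed inventory would still run under a path deny rule, a hash deny rule, both together, and a hash allowlist. The paths, file contents and the use of SHA-256 over the content are assumptions made for illustration; real Software Restriction Policies and AppLocker compute their own file hashes.

```python
import hashlib
from fnmatch import fnmatchcase

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed stand-ins for executable contents (not real binaries).
FF_KNOWN = b"constructed: firefox build already on the hash list"
FF_NEWER = b"constructed: firefox build released after the list was made"
APPROVED = b"constructed: the organisation's approved browser"

DENY_PATH = r"c:\program files\mozilla firefox\*"   # path rule (denylist)
DENY_HASHES = {sha256(FF_KNOWN)}                    # hash rule (denylist)
ALLOW_HASHES = {sha256(APPROVED)}                   # hash allowlist

# (label, path, content): constructed inventory of files found on a client.
INVENTORY = [
    ("installed", r"C:\Program Files\Mozilla Firefox\firefox.exe", FF_KNOWN),
    ("copied", r"C:\Users\u1\AppData\Local\Temp\firefox.exe", FF_KNOWN),
    ("renamed", r"C:\Users\u1\Desktop\notes.exe", FF_KNOWN),
    ("new-version", r"C:\Users\u1\Desktop\ff\firefox.exe", FF_NEWER),
    ("approved", r"C:\Program Files\Internet Explorer\iexplore.exe", APPROVED),
]

POLICIES = ["path-deny", "hash-deny", "path+hash-deny", "allowlist"]

def runs_under(policy: str, path: str, data: bytes) -> bool:
    """Return True if the file would be allowed to run under the policy."""
    path_hit = fnmatchcase(path.lower(), DENY_PATH)
    hash_hit = sha256(data) in DENY_HASHES
    if policy == "path-deny":        # default allow, deny by path
        return not path_hit
    if policy == "hash-deny":        # default allow, deny by hash
        return not hash_hit
    if policy == "path+hash-deny":   # both deny rules together
        return not (path_hit or hash_hit)
    if policy == "allowlist":        # default deny, allow by hash
        return sha256(data) in ALLOW_HASHES
    raise ValueError(policy)

def report() -> dict:
    """Map each policy to the inventory labels that would still run."""
    return {p: [label for label, path, data in INVENTORY
                if runs_under(p, path, data)] for p in POLICIES}

if __name__ == "__main__":
    for policy, still_runs in report().items():
        print(f"{policy:15} -> {still_runs}")
```

Only the allowlist leaves nothing but the approved browser; every denylist variant lets the build that is missing from the hash list run, which is the maintenance cost the thread argues about.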
