How to prevent users from installing software on Windows 2016 on Azure

administrative-privileges installation rdp windows-server-2016

I have an application server running Remote Desktop Session Host (RDSH) on Windows Server 2016 in an isolated Azure cloud environment and would like to prevent the users (who log in via RDP) from being able to install software on a whim. How to best enforce this?

I know gpmc.msc has been suggested in other similar articles on Server Fault (such as here: "how to disable a user to install program being domain user?"); however, it seems the solutions provided there using group policy won't work on my platform. Therefore, my question is a lot more specific. I would perform what I want via group policy; however, I get the error, "Windows cannot find 'gpmc.msc'. Make sure you typed the name correctly, and then try again."

Any other ideas?

POSTSCRIPT: I've since learned that gpmc.msc doesn't come loaded on Windows Server by default, and must be installed manually through Server Manager | Add Roles and Features. That got me past the error I mentioned earlier and enabled me to set the DisableUserInstalls group policy.

But my question still stands: is this method the best, or are there more manageable ideas?

Best Answer

Application whitelisting, which for Windows usually means AppLocker.
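
An added example, not part of the original question or answer: one way to stand up AppLocker in audit-only mode on the RDSH host with the built-in AppLocker cmdlets, so that anything outside the installed baseline is logged before it is ever blocked. The output path, test user and candidate installer path are placeholders assumed for illustration.

```powershell
# Added example: run from an elevated PowerShell session on the RDSH host.
$policyPath = 'C:\Temp\applocker-audit.xml'         # hypothetical output path
$testUser   = 'CONTOSO\rdsuser1'                    # placeholder non-admin RDP user
$candidate  = 'C:\Users\Public\Downloads\setup.exe' # hypothetical installer to test
New-Item -ItemType Directory -Path (Split-Path $policyPath) -Force | Out-Null

# GPMC is not installed by default; same result as Server Manager | Add Roles and Features.
Install-WindowsFeature -Name GPMC | Out-Null

# AppLocker rules are only evaluated while the Application Identity service runs.
# The service is protected, so its start type is set with sc.exe.
sc.exe config appidsvc start= auto | Out-Null
Start-Service -Name AppIDSvc

# Inventory what is already on the server: Windows itself plus installed applications.
$dirs  = @($env:windir, $env:ProgramFiles, ${env:ProgramFiles(x86)})
$files = foreach ($d in $dirs) {
    Get-AppLockerFileInformation -Directory $d -Recurse `
        -FileType Exe, WindowsInstaller, Script -ErrorAction SilentlyContinue
}

# Publisher rules for signed files, hash rules as the fallback for unsigned ones.
[xml]$xml = $files | New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone `
    -RuleNamePrefix 'Baseline' -Optimize -IgnoreMissingFileInformation -Xml

# Generated collections default to NotConfigured, which enforces as soon as rules exist.
# Force every collection to AuditOnly so nothing is blocked yet.
foreach ($rc in $xml.AppLockerPolicy.RuleCollection) {
    $rc.SetAttribute('EnforcementMode', 'AuditOnly')
}
$xml.Save($policyPath)

# Dry run: what would the policy decide for an installer a user dropped in a writable folder?
if (Test-Path $candidate) {
    Test-AppLockerPolicy -XmlPolicy $policyPath -Path $candidate -User $testUser |
        Format-List FilePath, PolicyDecision, MatchingRule
}

# Apply to the local policy store, then review what would have been blocked
# (8003 = EXE/DLL audit hit, 8006 = MSI/script audit hit).
Set-AppLockerPolicy -XmlPolicy $policyPath
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'; Id = 8003 } `
    -MaxEvents 50 -ErrorAction SilentlyContinue | Select-Object TimeCreated, Message
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-AppLocker/MSI and Script'; Id = 8006 } `
    -MaxEvents 50 -ErrorAction SilentlyContinue | Select-Object TimeCreated, Message
```

Once the audit logs show only software that should stay blocked, change `EnforcementMode` to `Enabled` and reapply. Before doing so, add an allow rule for `BUILTIN\Administrators`, as the AppLocker default rules do, so administrators can still install and patch software.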