05: Change the BLOCK message dialog box

PolicyPak Least Privilege Manager has a standard dialog box telling users when they have violated a policy. You can change that dialog box using a standard policy setting.

PPLPM: Change the BLOCK message dialog box

Hi. This is Jeremy Moskowitz, and in this video I’m going to show you how you can use Least Privilege Manager to block applications that even you, the admin, installed.

By way of example, I’m just using this as an example, the idea here would be let’s say Firefox is out there or Chrome or WinZip or something that you’ve actually installed but instead of removing the app, you just want to block it or maybe block it for just some people. It might be in the image. It might be being deployed properly using your systems management tool. But then for some reason for certain conditions, you want to expressly block it. You can do that.

Just to show you my current state of affairs, I can run “Mozilla Firefox” on my Windows 10 machine and I can run “Mozilla Firefox” on my Windows 7 machine. What I’m going to show you is how you can use PolicyPak Least Privilege Manager to expressly stop the applications from running.

What I’m going to do is create a “New Executable Policy.” I’m going to “Use simple rule.” I’m going to block, well, I could do it by name (“Path”) if I want to just say everything that’s called Firefox. I could even go more secure and I could use “Hash,” which will say this particular version of Firefox. Or I can say “Signature,” which is anything by a particular publisher. So I’ll go ahead and say “Signature.”

I’m going to “Select reference file” “From EXE file.” I have a copy of Firefox handy here: “Apps to manage” and here’s “Firefox Setup.” You can see there’s the digital signature for everything from Mozilla, so I’m going to put the smack down on all things Mozilla for this example. I’ve got nothing against Mozilla. I love them. I think they’re great. It’s just an example here.

What I’m going to do here is simply “Deny execution,” and that’s all there is to it. I’m going to say “No more Firefox for now.” We’ll go ahead and click Finish here. We’ll go to our endpoints, and we’ll run GP Update on your Windows 7 machine. We’ll run GP Update on our Windows 10 machine. I just happen to be using Group Policy. If you wanted to use SCCM or PolicyPak Cloud or your own way to get stuff out there, that’s perfectly fine. I just used Group Policy in this demonstration.

I’ll close that out. I’ll go over here. I’ll close this out. Now let’s see what happens when I try to run “Mozilla Firefox.” Because I put an explicit deny, “This program is blocked by Group Policy. For more information, contact your system administrator.” Let’s see what it looks like on Windows 10. There you go. Other applications are perfectly fine. Those are exempt because they’re not on the block list.

That’s thing number one. The second thing I want to talk about is the actual dialogue box. Here on Windows 10, you can see that it says, “Your system administrator has blocked this program. For more information, contact your system administrator.” On Windows 7, the message is a little different, “This program is blocked by Group Policy. For more information, contact your system administrator.”

That’s fine. That’s great. It gives them a little information, but it could be a little better. What would be more interesting is if there could be a way for you to dictate which computers got an alternate message. Now we can’t customize the text in PolicyPak Least Privilege Manager, but you can change the dialogue box. Let me show you how to do that.

For all of my “East Sales Desktops” for instance, I’m going to “Create a GPO in this domain, and link it here.” It has to be a GPO that’s linked over to the desktops. We’re going to “Change the GP block message.” We’ll right click and click “Edit” here. We’ll dive down under the right place, which is computer side, “Policies/Administrative Templates.” We’re looking for “Windows Components,” and it’s “File Explorer.” The guy we’re looking for is called “Set a support web page link.”

If you click “Enabled” here, you can give it a URL of your choice. For instance, I’ll put in “internal.yourcompany.com.” (I hope this works out on the Internet.) There you go. It’s linked over to my “East Sales Desktops,” that Group Policy setting.

Let’s take a look and see if it works. On our Windows 10 machine, we’ll go ahead and run “gpupdate /force.” We’ll do the same thing on Windows 7 machine: “gpupdate /force.” I’m just getting Group Policy to get the latest versions and stuff.

Once this is finished here, the block message will be changed to a different looking square shape, which is not all that exciting, but what is exciting is that you get this “More information” link that you can point to a web page of your choosing. I chose “internal.yourcompany.com.” Based on whatever default browser they have, it will go out and introduce this web page to them telling them why they’re naughty or telling them how to get help.

If we look at Windows 10 and we try to do the same thing here, “Your system administrator has blocked you from running this program.” Click “More information” and you get the same exact experience. Just whatever your default browser is, is what’s going to launch there. You could use Browser Router to set your default browser if that was very important to you, a part of the PolicyPak Suite.

There you go. That gives you the ability to not quite customize the message in the dialogue box but give you enough to go on so that you can change the dialogue box and give them a pointer toward a website of your choice that explains to them what they’re doing right and what they’re doing wrong.

I hope this helps you out. Thanks so much.

  • 19-Mar-2020
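
To confirm on an endpoint that the “Set a support web page link” setting from the video actually landed after `gpupdate /force`, the following PowerShell check is an added example, not part of the original video or PolicyPak's own material. It assumes the policy is stored as the `AdminInfoUrl` value under `HKLM:\SOFTWARE\Policies\Microsoft\Windows\Explorer` (confirm against your WindowsExplorer.admx); the function name `Test-SupportLink` and the expected host are hypothetical.

```powershell
# Added example: audit the support link that the block dialog will show.
# Assumption: the policy writes the AdminInfoUrl value under this key.
$PolicyKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Explorer'
$PolicyValue = 'AdminInfoUrl'

function Test-SupportLink {
    param(
        [string]$Url,                                        # value read from the registry
        [string]$ExpectedHost = 'internal.yourcompany.com'   # host typed in the video
    )
    if ([string]::IsNullOrWhiteSpace($Url)) {
        return 'NotConfigured: users get the default block dialog with no link'
    }
    # The policy box takes free text. A bare host name like the one in the
    # video has no scheme, so this script evaluates it as https://<host>.
    $candidate = $Url.Trim()
    if ($candidate -notmatch '^[a-zA-Z][a-zA-Z0-9+.-]*://') {
        $candidate = "https://$candidate"
    }
    $uri = $null
    if (-not [Uri]::TryCreate($candidate, [UriKind]::Absolute, [ref]$uri)) {
        return "Invalid: '$Url' is not a usable URL"
    }
    # The link opens in the user's default browser, so flag anything that
    # is not HTTPS or does not point at the help site you intended.
    if ($uri.Scheme -ne 'https') {
        return "Warn: '$Url' uses scheme '$($uri.Scheme)', expected https"
    }
    if ($uri.Host -ne $ExpectedHost) {
        return "Warn: link points to '$($uri.Host)', expected '$ExpectedHost'"
    }
    return "OK: block dialog links to $($uri.Host)"
}

# Read the applied policy; a missing key or value means "not configured".
$applied = (Get-ItemProperty -Path $PolicyKey -Name $PolicyValue `
            -ErrorAction SilentlyContinue).$PolicyValue
Test-SupportLink -Url $applied
```

Run it on a machine in the OU the GPO is linked to; a `NotConfigured` result after a policy refresh usually means the GPO is not reaching that computer.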