I’m working for a large organization that uses ArcGIS Desktop on some (Windows) clients. The security requirements for the system are very strict, and part of that is prohibiting users from using compilers and interpreters. This poses an issue with ArcGIS products since they rely heavily on Python scripting. We are looking into different ways of locking down Python as much as possible without rendering ArcGIS Desktop useless. The environment is Windows 2008 R2 servers with Windows clients. We would prefer to lock down Python to only allow execution of scripts in the ArcGIS folder, and block other folders as well as the interactive prompt.
We have heard rumors that a solution for locking down Python in ArcGIS has been presented at a user conference, but we have not seen a description of how it was done. The ArcGIS version we are using is 10.2, and we have experimented with both the “in process” bundled Python and the external Python installation on the system. Our first approach was looking into restricting Python with group policies, but that is not easily done since Python is not “GPO aware”. Using software restriction policies is basically a matter of block Python for all or allow Python for all. Since Python scripts are run through the interpreter (python.exe), the GPO software restriction settings for executable locations only check python.exe and not the script location itself (the GPO system only sees the Python script as a generic argument to the python.exe executable).
So my question is whether anyone has any experience in tightening security concerning ArcGIS and Python.