Huh? Standard Users an Install Softward
I've just started rolling out my Win7 SOE via Config Mgr 2012 to the company and all looking well so far. I've just realised though that people with a standard user account can still install some applications like internet browsers and Google Talk. This is killing our IT Policy of 'Authorised Software Only' that we publish through SCCM.
Does anyone know of a way to lock this down without going down the path of deploying AppLocker or other software? I'm about to try the group policies 'Prohibit User Installs' and 'Disable Windows Installer' but I have a feeling this may mess with installations by the SYSTEM account.
Thanks
Does anyone know of a way to lock this down without going down the path of deploying AppLocker or other software? I'm about to try the group policies 'Prohibit User Installs' and 'Disable Windows Installer' but I have a feeling this may mess with installations by the SYSTEM account.
Thanks
Comments
-
blargoe Member Posts: 4,174 ■■■■■■■■■□There are applications that don't use Windows Installer. I think out SCCM admin is fighting the same thing with the Google browser and other Google apps. There are also standalone executable versions of some of the alternative browsers.
If you set the "prohibit software installs" policy on a user based policy, it shouldn't impact the system account since it is not a domain user. For the one-off things like standalone executables, maybe you could use a Software Restriction policy and disallow that executable from running.
What are some of you other guys using in these situations?
As always, do not just set a policy without creating a test policy/OU and trying the settings out for size.IT guy since 12/00
Recent: 11/2019 - RHCSA (RHEL 7); 2/2019 - Updated VCP to 6.5 (just a few days before VMware discontinued the re-cert policy...)
Working on: RHCE/Ansible
Future: Probably continued Red Hat Immersion, Possibly VCAP Design, or maybe a completely different path. Depends on job demands... -
CodeBlox Member Posts: 1,363 ■■■■□□□□□□We have the same problem... People are able to install chrome. It was also discovered that some folks have dropbox installed too.Currently reading: Network Warrior, Unix Network Programming by Richard Stevens
-
WafflesAndRootbeer Member Posts: 555Unfortunately, there is no real solution that doesn't require A LOT of work on your part. The only thing that comes to mind is compiling a master list of those applications - they have identifiers unique to each application and their installers - and then you blacklist those in the policy control registry. After you do that, Steve can't install Pr0nSniffer to find the latest Backroom Casting Couch updates through the file-sharing services because you've told the system that Pr0nSniffer is a bad app that shall not be run!
-
About7Narwhal Member Posts: 761I, too, am curious about this. In my previous work environment, standard users were able to run Adobe Flash installations. They would fail, but the Google Toolbar would install. Once they restarted their web browser, the toolbar would attempt to run a command that required elevation rights and crash IE. It was running rampant in our corporation.
While I am not with the company anymore, I would love to see a solution to this for future reference. And while WafflesAndRootbeer has a great idea, it sounds very similar to the XP way of doing things which required an update everytime a blacklisted app released a new version. -
sratakhin Member Posts: 818I think you need to use either Software Restriction Policies (XP, Vista, 7, all editions except Home) or AppLocker (Win 7 Enterprise/Ultimate). Then create a list of approved programs and restrict all others.
Even if you somehow manage to block installations, most programs have portable versions. -
mikedisd2 Member Posts: 1,096 ■■■■■□□□□□Glad I'm not the only one having issues with this, especially after the upper manager made snide comments blaming my "great" SOE for not blocking software. I've put it to the fearless leader that we need something like Applocker. He told me that they haven't even got their security policy approved yet so nothing can be enforced anyway. I'm not wasting any more time of this. Thanks for the posts.
-
dover Member Posts: 184 ■■■■□□□□□□Yeah, welcome to the aggravation. Not even got the security policy approved? Good luck.
If you aren't comfortable (or allowed) to use GPOs and policy restrictions for your clients, take a look at whatever AV/protection suite you are using to see if they have a way to establish whitelists. Allow the system to only run approved executables. Its a PITA to setup and maintain (updates and change control) and you end up fighting 'exception-creep' but since you have no established policy anyway...
I like to use the AV/protection suite to manage whitelisted applications. I can group similar systems and manage exceptions and specific apps better. Its just easier to manage and keep version control over and the end systems get refreshed much quicker than group policy.
As for the snide comment, yeah that would have chapped my #@$ pretty good.
EDITED OUT MORNING, PRE-COFFEE RANT. -
nosoup4u Member Posts: 365Dover has good advice, we blacklisted a few executable's in FEP, along with software restriction gps, managed to get 95% of the installs down.
If only we could do something about freaking java! -
dover Member Posts: 184 ■■■■□□□□□□Nosoup. Amen brother!
Between Adobe and Oracle....I don't know who to send hate mail to. This week I think Java wins with their Internet Explorer plug-in.....