Huh? Standard Users Can Install Software
mikedisd2
I've just started rolling out my Win7 SOE via Config Mgr 2012 to the company and all looking well so far. I've just realised though that people with a standard user account can still install some applications like internet browsers and Google Talk. This is killing our IT Policy of 'Authorised Software Only' that we publish through SCCM.
Does anyone know of a way to lock this down without going down the path of deploying AppLocker or other software? I'm about to try the group policies 'Prohibit User Installs' and 'Disable Windows Installer' but I have a feeling this may mess with installations by the SYSTEM account.
Thanks
Comments
blargoe
There are applications that don't use Windows Installer. I think our SCCM admin is fighting the same thing with the Google browser and other Google apps. There are also standalone executable versions of some of the alternative browsers.
If you set the "prohibit software installs" policy on a user based policy, it shouldn't impact the system account since it is not a domain user. For the one-off things like standalone executables, maybe you could use a Software Restriction policy and disallow that executable from running.
What are some of you other guys using in these situations?
As always, do not just set a policy without creating a test policy/OU and trying the settings out for size.
CodeBlox
We have the same problem... People are able to install Chrome. It was also discovered that some folks have Dropbox installed too.
WafflesAndRootbeer
Unfortunately, there is no real solution that doesn't require A LOT of work on your part. The only thing that comes to mind is compiling a master list of those applications - they have identifiers unique to each application and their installers - and then you blacklist those in the policy control registry. After you do that, Steve can't install Pr0nSniffer to find the latest Backroom Casting Couch updates through the file-sharing services because you've told the system that Pr0nSniffer is a bad app that shall not be run!
About7Narwhal
I, too, am curious about this. In my previous work environment, standard users were able to run Adobe Flash installations. They would fail, but the Google Toolbar would install. Once they restarted their web browser, the toolbar would attempt to run a command that required elevation rights and crash IE. It was running rampant in our corporation.
While I am not with the company anymore, I would love to see a solution to this for future reference. And while WafflesAndRootbeer has a great idea, it sounds very similar to the XP way of doing things which required an update every time a blacklisted app released a new version.
sratakhin
I think you need to use either Software Restriction Policies (XP, Vista, 7, all editions except Home) or AppLocker (Win 7 Enterprise/Ultimate). Then create a list of approved programs and restrict all others.
Even if you somehow manage to block installations, most programs have portable versions.
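An added example (not part of the thread or any poster's own code) of the allow-list approach described above: it builds an AppLocker policy from the executables already installed in admin-only locations, switches it to audit-only, and reports what that policy would decide for executables in user-writable profile folders, where per-user installers and portable builds typically land. The directory choices and the output file path are assumptions.

```powershell
# Added example. Directory choices and the output path are assumptions, not from the thread.
Import-Module AppLocker

$policyFile = "$env:TEMP\soe-applocker-audit.xml"   # hypothetical output path

# 1. Inventory executables in locations a standard user cannot write to.
#    A production policy also needs rules for %WINDIR% (the AppLocker default rules cover it).
$approved = foreach ($dir in $env:ProgramFiles, ${env:ProgramFiles(x86)}) {
    if ($dir -and (Test-Path $dir)) {
        Get-AppLockerFileInformation -Directory $dir -Recurse -FileType Exe -ErrorAction SilentlyContinue
    }
}

# 2. Turn the inventory into allow rules: publisher rules for signed files, hash rules for the rest.
#    Anything that matches no allow rule is denied by default once the policy is enforced.
$xml = $approved |
    New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone -RuleNamePrefix 'SOE' -Optimize -Xml

# 3. Force audit-only mode so that importing this file into a test GPO logs but blocks nothing.
$xml = $xml -replace 'EnforcementMode="\w+"', 'EnforcementMode="AuditOnly"'
Set-Content -Path $policyFile -Value $xml -Encoding UTF8

# 4. Collect executables from the current user's own profile (user-writable locations).
$candidates = Get-ChildItem -Path $env:LOCALAPPDATA, "$env:USERPROFILE\Downloads" `
        -Filter *.exe -Recurse -ErrorAction SilentlyContinue |
    Where-Object { -not $_.PSIsContainer } |
    Select-Object -ExpandProperty FullName

# 5. Ask AppLocker what the allow list would decide for each of them.
if ($candidates) {
    Test-AppLockerPolicy -XmlPolicy $policyFile -Path $candidates -User Everyone |
        Sort-Object PolicyDecision |
        Format-Table PolicyDecision, FilePath -AutoSize
} else {
    Write-Output 'No executables found in the user-writable folders that were checked.'
}
```

Files reported as `DeniedByDefault` are the ones the allow list would stop; files reported as `Allowed` matched a publisher rule and need a narrower rule if they should not run from a user profile.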
mikedisd2
Glad I'm not the only one having issues with this, especially after the upper manager made snide comments blaming my "great" SOE for not blocking software. I've put it to the fearless leader that we need something like AppLocker. He told me that they haven't even got their security policy approved yet so nothing can be enforced anyway. I'm not wasting any more time on this. Thanks for the posts.
dover
Yeah, welcome to the aggravation. Not even got the security policy approved? Good luck.
If you aren't comfortable (or allowed) to use GPOs and policy restrictions for your clients, take a look at whatever AV/protection suite you are using to see if they have a way to establish whitelists. Allow the system to only run approved executables. It's a PITA to set up and maintain (updates and change control) and you end up fighting 'exception-creep' but since you have no established policy anyway...
I like to use the AV/protection suite to manage whitelisted applications. I can group similar systems and manage exceptions and specific apps better. It's just easier to manage and keep version control over and the end systems get refreshed much quicker than group policy.
As for the snide comment, yeah that would have chapped my #@$ pretty good.
EDITED OUT MORNING, PRE-COFFEE RANT.
nosoup4u
Dover has good advice, we blacklisted a few executables in FEP, along with software restriction gps, managed to get 95% of the installs down.
If only we could do something about freaking java!
dover
Nosoup. Amen brother!
Between Adobe and Oracle....I don't know who to send hate mail to. This week I think Java wins with their Internet Explorer plug-in.....