Announcement

Collapse
No announcement yet.

Limit Software Installation for End Users

Collapse
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • Limit Software Installation for End Users

    Pre Question statement: Most, if not every single one, of the users at all of my clients are local admins on their computers.

    I want to see if I can limit the ability of the end users to install software. I know this can be done a myriad of ways, the easiest and most common is to dump all of the users out of the "Local Admin" group on their computers and put them in a power user type role.

    But, say we don't do that.. Say we want to keep those users as local admins... My job gets a little tougher.

    I know I can restrict software installation via GPO using things like AppLocker and editing the security levels in Software Restriction Policies.

    I've never done that before so I'm not 100% sure it's going to work as I am planning. Some of the questions I have...

    1) If I use Software Restriction Policies, should I use Computer or User based policies?
    2) Is AppLocker worth setting up? I've never used it.
    3) Should I create an OU specific GPO for software restrictions or use the default domain policy, I'm still a little hazy as to whether or not OU overrides default domain...

    Again, and as always, any help or guidance would be greatly appreciated!
    I'd rather check my Facebook than face my checkbook...

    Thanks,
    Todd

  • #2
    Get the users out of the admins group!!! I don't even run my own computers as an admin user. If I need to do an admin task, I use an admin account for that. The risks to too great and the protection you get from exploits outweighs the headaches IMO. You will mitigate so much just by doing this one best practice.
    Regards,
    Jeremy

    Network Consultant/Engineer
    Baltimore - Washington area and beyond
    www.gma-cpa.com

    Comment


    • #3
      I know, I know! everywhere I've worked, except one place, has had all users as local admins...

      I think, in all honesty, that's the best and easiest solution. I'm going to pitch it over everything else.
      I'd rather check my Facebook than face my checkbook...

      Thanks,
      Todd

      Comment


      • #4
        Cool, sounds good. Good luck!
        Regards,
        Jeremy

        Network Consultant/Engineer
        Baltimore - Washington area and beyond
        www.gma-cpa.com

        Comment


        • #5
          Wow this sheds some light on why I was tasked with finding this out... so one of our clients that we took over about 11 months ago is getting audited by the government. Long story short, they're over their license count for Microsoft Office and Adobe Pro. Their old IT company kept no record of their license count or where the licenses were installed. When we took over as their managed services provider (prior to me coming on board), we didn't due enough due diligence and find out what their actual license count was.

          So, we are going to be removing all users from the Local Admin group and putting them as power users. Our main goal is to prevent users from installing cracked/bogus copies of legit software.

          We're also redoing our contracts to include stiffer security measures and whatnot to ensure that we are operating properly.

          I'd rather check my Facebook than face my checkbook...

          Thanks,
          Todd

          Comment


          • #6
            So should I remove them from teh Local Admin group with an edit to teh default domain policy or create OU policies for each OU.. I'm going to be running a test tomorrow, so we'll see.
            I'd rather check my Facebook than face my checkbook...

            Thanks,
            Todd

            Comment


            • #7
              I would not modify the default domain policy - add an additional policy at the appropriate level (domain or OU - your choice). If your modified default policy becomes corrupted, it is the devil to sort out

              Coming back to your original post, if you use AppLocker (IMHO better than SRPs) check which edition of Windows you have - it is licensed in Win7 Enterprise only, but I think it came down to Pro for Win10)
              Tom Jones
              MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
              PhD, MSc, FIAP, MIITT
              IT Trainer / Consultant
              Ossian Ltd
              Scotland

              ** Remember to give credit where credit is due and leave reputation points where appropriate **

              Comment

              Working...
              X