Wednesday 23 November 2011 17:39
Not really sure where to put this question but since we run SCCM I will try it here.
We are having a bit of trouble with users that install the Google Chrome, Dropbox and Spotify applications. The applications don't need administrative privileges to install because they install in the user's profile folder (AppData\Roaming or AppData\Local).
We can't seem to find a good way to stop this or uninstall the software. How are you guys dealing with this?
- Moved by Moiz Rassiwala [MSFT] Microsoft Employee Thursday 29 March 2012 15:58 Moving to area of expertise. (From: Configuration Manager General)
All replies
Wednesday 23 November 2011 17:50
- Control it thru a GPO
- Have an IT policy the users respect (might sound a bit naive, but it's a management problem if users are not respecting company policies)
- Remove the applications if they are installed using Uninstall commandlines in ConfigMgr.
- and finally make sure the company has a policy for keeping the unwanted software up-to-date. Now when it is there, and you are not dealing with it, you need to control the "damage" by closing security threats etc.
Kent Agerlund | My blogs: http://blog.coretech.dk/author/kea/ and http://scug.dk/ | Twitter @Agerlund | Linkedin: /kentagerlund
- Marked as answer by Michael W [MSFT] Friday 30 March 2012 19:57
Wednesday 23 November 2011 18:02
Thanks for the tips Kent.
I have looked at some software restriction GPOs but they only seem to block the application from running, not from installing? If I were to restrict installationfile.exe they could still just rename it and still install...
We have an IT policy that says that non-approved applications cannot be installed, but it's, as you said, a management problem because people don't respect it.
So I was looking to just Uninstall them with commandlines but can't seem to find any for these 3 particular applications either.
Any help would be greatly appreciated.
Wednesday 23 November 2011 18:14
Wednesday 23 November 2011 19:08
#1 Take away admin rights from your users. If your users are local admins, nothing can totally stop a user from doing things you don't want them to do.
#2 There is a group policy to disable per-user installs: http://technet.microsoft.com/en-us/library/cc784527(WS.10).aspx (search for Prohibit User Installs). That still won’t stop everything – some apps don’t need to be installed or are simple self-extracting installs.
Ultimately, installers are just programs that run. And some programs don't even use installers, so trying to only control the installation is only half the problem and can sometimes be side-stepped anyway.
For that you can use SRP or AppLocker to prevent things from even running. You can take things to an extreme level using white-listing instead of black-listing. With black-listing, you have to be very proactive and can never define everything you don’t want users to run, so you essentially create a “grey” set of apps. With white-listing you list only things you want to run – it takes a fair amount of up-front work, but eliminates the “grey” apps and “black” apps without having to list them and update the list. This also greatly increases your security posture because now malware can’t even run and your attack surface area on a client system is about as close to zero as it gets.
Jason | http://myitforum.com/myitforumwp/members/jasonsandys/ | Twitter @JasonSandys
- Marked as answer by Michael W [MSFT] Friday 30 March 2012 19:57
Thursday 24 November 2011 14:10
The users are not local admins; the problem with these kinds of software is that they don't require users to be local admin to be installed.
So it seems the only complete way to go is really AppLocker, but it requires quite a bit of work to plan and to deploy / maintain..
I was thinking of doing a combination of GPO SRP and collections with a query for the .exe, and then advertise a mandatory advertisement for uninstallation of this software. Problem is I can't seem to find any uninstall commands / instructions. Anybody care to share how they uninstall any of this software unattended?
Thursday 24 November 2011 20:15
appdeploy.com is a great resource, e.g. http://www.appdeploy.com/packages/detail.asp?id=2149
Wednesday 14 March 2012 18:48
As the others said, AppLocker is your best (and cheapest) bet. We currently support about 650 people and use the whitelist approach. IMO that's the only real approach to staying secure AND keeping what's on your machines to a known minimum. It is a lot of work up front, but what I can recommend is this:
Create the AppLocker policy in audit mode first so that it will only write event logs for things that "would have been blocked if the policy was enforced" but doesn't actually block them. Then use log forwarding (built into Win7) to forward said logs to some central server that has a log subscription set up on it (all configurable via GPO). From there you can evaluate what should and should not be whitelisted, create the whitelist, and then flip it to enforce mode. Also, try to use Publisher rules when you can; they are the most secure. This will put more load on your help desk as they will need some type of process to get apps whitelisted for users.
Hope this helps.
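An added example (not code from the thread or from any poster) of the audit-then-whitelist workflow described above, using the AppLocker PowerShell module that ships with Windows 7 / Server 2008 R2. The event-forwarding notes, the vendor filter used to stand in for a review decision, and the chrome.exe path are assumptions, not values from the thread.

```powershell
# Added example: triage AppLocker AuditOnly events and turn the reviewed
# subset into a Publisher-first whitelist. Not code from the thread.
# Assumptions: run in an elevated PowerShell on a client or on the event
# collector; the vendor filter and the chrome.exe path are illustrative.
Import-Module AppLocker

# Forwarding setup is outside this script: "wecutil qc" on the collector,
# "winrm quickconfig" plus the "Configure target Subscription Manager"
# policy on the clients. Forwarded events land in the ForwardedEvents log.
$logPath = 'Microsoft-Windows-AppLocker/EXE and DLL'   # on a local client
# $logPath = 'ForwardedEvents'                          # on the collector

# 1. Everything the policy *would* have blocked (audit event ID 8003).
$audited = Get-AppLockerFileInformation -EventLog -LogPath $logPath -EventType Audited

# 2. Review by signer rather than per binary; unsigned files group separately.
$audited |
    Group-Object { if ($_.Publisher) { $_.Publisher.PublisherName } else { '<unsigned>' } } |
    Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize

# 3. The per-user installs this thread is about: anything launched from the
#    profile's AppData\Local or AppData\Roaming.
$audited |
    ForEach-Object { $_.Path.Path } |
    Where-Object { $_ -match '\\AppData\\(Local|Roaming)\\' } |
    Sort-Object -Unique

# 4. Build the whitelist from what you DO approve. Publisher rules survive
#    version bumps and renames; Hash is the fallback for unsigned binaries.
#    The filter below is a stand-in for your own review decision.
$approved = $audited | Where-Object {
    $_.Publisher -and $_.Publisher.PublisherName -notlike '*GOOGLE*'
}
New-AppLockerPolicy -FileInformation $approved -RuleType Publisher, Hash `
    -User Everyone -Optimize -Xml |
    Out-File -Encoding utf8 .\whitelist.xml

# 5. Dry-run the candidate policy against a profile-resident binary before
#    switching EnforcementMode from AuditOnly to Enabled (path is a placeholder).
Test-AppLockerPolicy -XmlPolicy .\whitelist.xml `
    -Path "$env:LOCALAPPDATA\Google\Chrome\Application\chrome.exe" |
    Format-List FilePath, PolicyDecision, MatchingRule
```

The generated XML still has to be imported into the GPO (or applied locally with Set-AppLockerPolicy -Merge) and its EnforcementMode switched by hand; keep the audit log subscription running after enforcement so new per-user installers show up as 8004 block events.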
Wednesday 14 March 2012 22:32
Using a GPO you can also block the hash of the installer file. Users can rename the file as much as they want and it will not impact the hash.
Check out this technet topic.
Thursday 15 March 2012 12:42
Not a bad idea, but keeping up with the new hash for each version of the app would be a nightmare heh.
Thursday 15 March 2012 14:06
This won't help with Chrome, but Dropbox and Spotify are, I believe, internet-available services, correct? Sounds like that could be an easy block at the firewall or proxy; redirect any attempts to get to those web addresses to point them to nowhere.
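An added example (not from the thread) that shows the two points made in the last two posts side by side: a hash rule still matches a renamed copy, but goes silent on the next build. It assumes notepad.exe can stand in for one installer build and calc.exe for the vendor's next build, and uses a constructed scratch folder.

```powershell
# Added example: what an AppLocker hash rule does and does not survive.
# Not code from the thread. Assumption: notepad.exe stands in for an
# installer build and calc.exe for the next build; the folder is constructed.
Import-Module AppLocker
$lab = Join-Path $env:TEMP 'applocker-hash-lab'
New-Item -ItemType Directory -Force -Path $lab | Out-Null
Copy-Item "$env:WINDIR\System32\notepad.exe" (Join-Path $lab 'installer-v1.exe')
Copy-Item "$env:WINDIR\System32\notepad.exe" (Join-Path $lab 'renamed-by-user.exe')
Copy-Item "$env:WINDIR\System32\calc.exe"    (Join-Path $lab 'installer-v2.exe')

# AppLocker hashes file contents (Authenticode hash for PE files), so the
# renamed copy reports the same hash as v1 and the "new build" a different one.
Get-AppLockerFileInformation -Directory $lab -FileType Exe |
    ForEach-Object {
        [pscustomobject]@{ File = Split-Path -Leaf $_.Path.Path; Hash = "$($_.Hash)" }
    } | Format-Table -AutoSize

# Generate a hash rule from v1, then flip it to a Deny rule (the cmdlet
# only emits Allow rules).
$v1Info = Get-AppLockerFileInformation -Path (Join-Path $lab 'installer-v1.exe')
$policy = New-AppLockerPolicy -FileInformation $v1Info -RuleType Hash -User Everyone -Xml
$policy -replace 'Action="Allow"', 'Action="Deny"' |
    Out-File -Encoding utf8 (Join-Path $lab 'deny-v1.xml')

# Renamed copy: still matched by the rule. Next build: no matching rule, so
# every release needs a fresh hash (the maintenance cost noted above).
Test-AppLockerPolicy -XmlPolicy (Join-Path $lab 'deny-v1.xml') `
    -Path (Join-Path $lab 'renamed-by-user.exe'), (Join-Path $lab 'installer-v2.exe') |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize
```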
Standardize. Simplify. Automate.
Wednesday 28 March 2012 16:39
I'm surprised no one brought up the fact that MS itself has created a liability in ClickOnce. Chrome installs with ClickOnce on Windows. You might be surprised that ClickOnce circumvents the need for admin permissions.
Others have written about this more extensively.
I'm frustrated that a GP, which seems designed to prevent this, does not really do the trick when it comes to these types of apps. A Terminal Services administrator needs better control over this.
We also have a management policy, but that does not stop people from trying. What's worse, you don't even know about it since it's done as a 'local' install under the user, and so no notice of the app installation appears for the admin account.
Wednesday 28 March 2012 16:41
Spotify is only usable through an installable app. Not sure about Dropbox.
Wednesday 28 March 2012 16:44
That's where AppLocker comes into play. You can deploy an AppLocker policy to your terminal servers that stops certain publishers or hashes of installers from even running, regardless of whether they are an admin or not. In a whitelist scenario, it would block everything unless you explicitly say it's okay.
Wednesday 26 September 2012 16:07
I know this is quite an old one, but I've just come across it so others might too.
I'm setting up a home user on Windows 7 home premium and there are of course no group policies available to me. The user wants to not install stuff but he's 82, if something looks important he's going to say 'yes' and if it's bundled with it then he's going to leave it ticked (Adobe I'm looking at you here!) Not to mention his 'friends' who come to help him and inevitably install things for him. So I'm setting him up with admin and standard users and of course any installer that bypasses those restrictions is a problem and ought to be treated as a security threat.
Anyhow - so far as I'm aware Google Chrome only installs to one location and doesn't allow users to change it... with that in mind I created the folder structure as far as the Google folder in the local profile with a text file (no extension) called chrome - that seems to be breaking the installation nicely. :)
So far as I'm aware (and I'd be delighted to be proved wrong) there is not an 'execute' flag in NTFS that we could use to prevent these kinds of 'pocket' apps and installers from being executed from within the user profile...
Tuesday 27 November 2012 18:08
I have blocked Dropbox like this: http://www.note.id.lv/2012/11/block-dropbox-with-gpo.html
Works like a charm.
With Firefox - there's a struggle with hashes. A nightmare.