Block rogue apps with Windows Server -- for free

You can stop users from putting bad software on good machines.

Windows in some organizations is a free-for-all -- users have local administrator rights, install software to their hearts' content, never update it and generally are susceptible to running bad stuff on good machines. Fortunately for Windows administrators, there is a way to stop that.

Controlling what applications run in your environment sounds like a herculean effort, and make no mistake -- it is a lot of work. Setting up policies that restrict software installation and execution, and using the tools that make that possible, is not just a "check and refresh" type of administrative task. It takes trial, some error, most likely a pilot, and then a gradual rollout. But once you get on the other side, you experience benefits including:

  • Malware being virtually eliminated. Applications that you do not approve, or whitelist, simply fail to execute.
  • A reduction in desktop support issues related to users installing noncompany-approved applications, like iTunes and Dropbox.
  • Enhanced protection against data leakage, since users cannot circumvent other security policies by using applications that, for example, do not recognize Group Policy settings.

In this piece, I will take a look at the various options for controlling software installation and execution on Windows client computers. Everything I talk about here is included at no extra charge with Windows Server 2008 and up, so there is no extra licensing cost that would typically be associated with third-party tools. And I'll profile some advantages and disadvantages of each approach.

Restricting the Windows Installer

If you are a firm believer in the 80/20 rule, you can get about 80% of the benefits of software restriction with 20% of the effort by simply restricting the execution of the Windows Installer. The most common way to do this is through Group Policy. Create a Group Policy object (GPO), then right-click to edit it, and in the Group Policy Object Editor window, navigate through the following menu structure: Computer Configuration, Administrative Templates, Windows Components, Windows Installer.
