How to prevent users from installing software

Tags: active-directory, group-policy

Our organization is a bit different than most. During certain times of the year, we grow to thousands of employees, and during off-times, less than a hundred. Over the course of a few years, many thousands of people have come and gone in our offices, and left their legacy behind in the form of all sorts of unwanted, unapproved, (and sometimes unlicensed) software installs on our desktops.

We are currently installing redundant domain controllers and upgrading current servers, all running Windows Server 2008 Enterprise, and will eventually be able to run a pure 2008 DC network. With that in mind, what are our options in being able to lock down users, such that they cannot install unauthorized software on systems without the assistance (or authorization) of the IT group?

We need to support approximately 400 desktops, so automation is key. I've taken note of the Software Restrictions we can implement via Group Policy, but that implies that we already know what users will be installing and attempting to run… not quite so elegant.

Any ideas?

Best Answer

If you're talking about laptops or desktops that are checked out/assigned to people, then simply do not give them administrator access. This will still allow them to install programs (assuming they were written properly) to their home folder, and then when they leave, you need only delete their profile/user account to remove any programs they installed / changes they made. This will also limit the damage that a virus can do - simply quarantine & clean their documents on any system which they have not logged into, delete & recreate their account, restore their cleaned documents. Virus gone.

It's quite hard to actually create a "white list" of approved executables based on the fact that executable code need not even have a name, simply reside in memory on a page marked as executable. Your best bet is to simply make it easier for you to remove the unwanted applications when the user leaves.

If this is a security issue and not a "cleanup" issue, how did they get the programs onto the system in the first place?
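The answer's advice only holds if nobody has quietly been left in the local Administrators group. As an added example that is not part of the question or the answer, this PowerShell script audits local Administrators membership across a list of desktops and flags members outside an approved set; the file `desktops.txt` and the `$Approved` list are placeholders to be replaced with site-specific values.

```powershell
# Added example (not from the original question or answer): audit which accounts hold
# local Administrators membership on a set of desktops, so that "do not give them
# administrator access" can be verified rather than assumed.
# desktops.txt (one hostname per line) and the approved-member list are placeholders.

$Computers = Get-Content -Path .\desktops.txt
$Approved  = @('Administrator', 'Domain Admins', 'Desktop-Support')   # placeholder approved members

$Report = foreach ($Computer in $Computers) {
    try {
        # The WinNT ADSI provider reaches Server 2008-era hosts without PowerShell remoting
        $Group   = [ADSI]"WinNT://$Computer/Administrators,group"
        $Members = @($Group.psbase.Invoke('Members')) | ForEach-Object {
            $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
        }
        foreach ($Member in $Members) {
            [PSCustomObject]@{
                Computer = $Computer
                Member   = $Member
                Approved = ($Approved -contains $Member)
            }
        }
    }
    catch {
        # Record unreachable hosts so they are revisited instead of silently skipped
        [PSCustomObject]@{
            Computer = $Computer
            Member   = "<unreachable: $($_.Exception.Message)>"
            Approved = $false
        }
    }
}

# Anyone listed here can still install software at will on that desktop
$Report | Where-Object { -not $_.Approved } | Sort-Object Computer, Member | Format-Table -AutoSize

# Keep a CSV per run so that membership drift across a hiring season can be compared
$Report | Export-Csv -Path .\local-admins.csv -NoTypeInformation
```

Run it from an account that has administrative rights on the target desktops; the WinNT provider returns member names without the domain prefix, so list the approved groups by bare name.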
