Windows in some organizations is a free-for-all -- users have local administrator rights, install software to their hearts' content, never update it and generally are susceptible to running bad stuff on good machines. Fortunately for Windows administrators, there is a way to stop that.
Controlling what applications run in your environment sounds like a herculean effort, and make no mistake -- it is a lot of work. Setting up policies that restrict software installation and execution, and using the tools that make that possible, is not just a "check and refresh" type of administrative task. It takes trial, some error, most likely a pilot, and then a gradual rollout. But once you get to the other side, you experience benefits including:
- Malware being virtually eliminated. Applications that you have not approved, or whitelisted, simply fail to execute.
- A reduction in desktop support issues related to users installing applications the company has not approved, like iTunes and Dropbox.
- Enhanced protection against data leakage, since users cannot circumvent other security policies by using applications that, for example, do not recognize Group Policy settings.