May 13, 2013, 10:21 AM — Windows in some organizations is a free-for-all -- users have local administrator rights, install software to their hearts' content, never update it and generally are susceptible to running bad stuff on good machines. Fortunately for Windows administrators, there is a way to stop that.
Controlling what applications run in your environment sounds like a herculean effort, and make no mistake -- it is a lot of work. Setting up policies that restrict software installation and execution, and using the tools that make that possible, is not just a "check and refresh" type of administrative task. It takes trial, some error, most likely a pilot, and then a gradual rollout. But once you get on the other side, you experience benefits including:
- Malware being virtually eliminated. Applications that you do not approve, or whitelist, simply fail to execute.
- A reduction in desktop support issues related to users installing noncompany-approved applications, like iTunes and Dropbox.
- Enhanced protection against data leakage, since users cannot circumvent other security policies by using applications that, for example, do not recognize Group Policy settings.
In this piece, I will take a look at the various options for controlling software installation and execution on Windows client computers. Everything I talk about here is included at no extra charge with Windows Server 2008 and up, so there is no extra licensing cost that would typically be associated with third-party tools. And I'll profile some advantages and disadvantages of each approach.