UAC and Application Installation
Businesses today face a large and daunting task of enforcing desktop standardization. Although a majority of users are listed as administrators, IT departments should be concerned with this elevation of privileges.
Vista’s UAC requires the elevation of privileges to install programs. Because computing environments are dynamic, Microsoft cannot predict every scenario where applications are added to Internet Explorer or to the operating system. A good example of this is Google’s Chrome which can be installed without administrative privileges. Although Google’s Chrome appears to be an exceptional browser however, its first release had security flaws.
Microsoft’s Steadystate and other software applications are available to roll back any changes made by end users. Windows Steadystate allows you to manage whole groups of users as single user accounts. The Windows SteadyState console makes it easy to create and modify user profiles. This software gives the administrator power to delete downloaded files, reset all options, remove unwanted programs, remove malware and viruses and optimize computers.Information Technology departments are challenged by keeping all applications up to date. With users having ‘the power’ to install some applications, this ‘power’ can be detrimental to the overall security of any business.
Before granting a user rights in a computing environment, education, training and trust must be given and gained.
IT Departments need to enforce Domain logons, policies through Microsoft’s policy editor and rely on software to do a necessary roll back if a situation calls for it.
Domain Administrators can also create a Group Policy Object and go into User Config, Admin template, System, Don’t Run specified Windows applications and the admin should enable it and enter setup.exe, install.exe and enter items as necessary in the list.
Policy and Procedures should include “safe computing” and “User Guidelines”. These policies need to be enforced and software should be installed by the IT department only.
There will always be companies on the web pushing software to end users and sometimes bypassing the UAC (Administrator) account. Administrators need to monitor network activity by using firewall logs. With users thinking they are invisible, these logs are critical when monitoring employees.