|
Posted by Ben on October 8, 2007, 5:11 am
If you were Registered and logged in, you could reply and use other advanced thread options
Hi,
I'm looking for some advice on software auditing and enforcement, and I
don't know whether I'm trying to talk myself into this, or our IT Director
out of it!
Here is the situation: Until a couple of months ago, all our users had local
admin rights on their laptops - bad idea I know - 4 months ago I finally got
management to support me in removing users admin rights, at which point we
decided to take a software audit to make sure there was nothing
unlicensed/against company policy installed. We did this using sysinternals
psinfo, which exported the software list for each machine to a text file. I
then imported all of the files into excel, removed duplicates, MS hotfixes &
updates, leaving me with a list of just the installed applications, which
was about 700 long. I then sorted through this list, categorising each app
into 1 of 3 categories, 1= must have, i.e. Symantec Firewall, Acrobat
Reader, MS Office etc, 2=Can have, i.e. Acrobat Pro, MS Visio etc, 3=Can't
have, games, p2p apps, unlicensed software etc. We then publish this list on
the internal intranet for our users, if they have any cat 3 software, they
have to remove it (if it requires admin access they come and ask IT dept).
This audit is something that management want to run on a regular basic, but
they know how long it took to collate and sort through so they want a piece
of software that can audit each machine, compare the results against the
list of categories, and remove anything that is banned, or push out anything
that is required.
However, most of these laptops, probably 75%, are either over 3 years old,
or coming up to 3 years, which is usually the time that we'll scrap them,
and buy replacements. I think half of that 75% will be replaced this side of
Christmas, with the other half being scheduled for replacement in February.
The rest have been replaced, with a standard build, recently, AFTER we
removed admin rights from everyone.
So, I'm trying to think of a situation when we would actually need to run an
audit, and enforce the software policy. If users have a standard build, with
updates being pushed out via WSUS, and new packages installed via GP
software installation, and can't install any software themselves, will we
ever need to enforce the software policy?
Does anyone have a good argument for needing a package to enforce a software
policy when users don't have local admin rights? If so, can you recommend a
software package? Does System Center Configuration Manager 2007 have this
functionality?
Many thanks
Ben
|
|
Posted by on October 8, 2007, 6:15 am
If you were Registered and logged in, you could reply and use other advanced thread options
Hello Ben,
An argument for auditing installed software? The maxim "prevention is
ideal, detection is a must" comes to mind.
You prevent people from installing software by removing them from
Power Users and Administrators. Now, the only point in time that you
can be certain that the users were not administrators is when you last
checked.
What can happen? Some obliging admin or helpdesk may add the person
back into these groups at a later date. Or perhaps the person learns
the local Administrator password. I have seen both of these happen, as
well as the less likely privilege escalation bug installing software.
Running a regular audit against the machines is your detection
control. It lets you catch any exception. As an added bonus, this may
give you an early indication of colleagues who are passing out admin
memberships or credentials.
Regards,
J Wolfgang Goerlich
> Hi,
>
> I'm looking for some advice on software auditing and enforcement, and I
> don't know whether I'm trying to talk myself into this, or our IT Director
> out of it!
>
> Here is the situation: Until a couple of months ago, all our users had local
> admin rights on their laptops - bad idea I know - 4 months ago I finally got
> management to support me in removing users admin rights, at which point we
> decided to take a software audit to make sure there was nothing
> unlicensed/against company policy installed. We did this using sysinternals
> psinfo, which exported the software list for each machine to a text file. I
> then imported all of the files into excel, removed duplicates, MS hotfixes &
> updates, leaving me with a list of just the installed applications, which
> was about 700 long. I then sorted through this list, categorising each app
> into 1 of 3 categories, 1= must have, i.e. Symantec Firewall, Acrobat
> Reader, MS Office etc, 2=Can have, i.e. Acrobat Pro, MS Visio etc, 3=Can't
> have, games, p2p apps, unlicensed software etc. We then publish this list on
> the internal intranet for our users, if they have any cat 3 software, they
> have to remove it (if it requires admin access they come and ask IT dept).
>
> This audit is something that management want to run on a regular basic, but
> they know how long it took to collate and sort through so they want a piece
> of software that can audit each machine, compare the results against the
> list of categories, and remove anything that is banned, or push out anything
> that is required.
>
> However, most of these laptops, probably 75%, are either over 3 years old,
> or coming up to 3 years, which is usually the time that we'll scrap them,
> and buy replacements. I think half of that 75% will be replaced this side of
> Christmas, with the other half being scheduled for replacement in February.
> The rest have been replaced, with a standard build, recently, AFTER we
> removed admin rights from everyone.
>
> So, I'm trying to think of a situation when we would actually need to run an
> audit, and enforce the software policy. If users have a standard build, with
> updates being pushed out via WSUS, and new packages installed via GP
> software installation, and can't install any software themselves, will we
> ever need to enforce the software policy?
>
> Does anyone have a good argument for needing a package to enforce a software
> policy when users don't have local admin rights? If so, can you recommend a
> software package? Does System Center Configuration Manager 2007 have this
> functionality?
>
> Many thanks
>
> Ben
|
|
Posted by Ben on October 8, 2007, 7:58 am
If you were Registered and logged in, you could reply and use other advanced thread options
Thanks for the reply.
The local admin account on each laptop is disabled by default, and we have a
domain wide group policy that uses restricted groups, the only group added
to the local administrators group is domain admins, and that group only
contains my admin account, plus I'm the only IT /Support person on site, for
the moment (1 admin 25 users) so in theory, no user should ever be able to
get local admin access to their machine.
Point taken on the privilege escalation by buggy software though. And we'll
probably be employing a junior IT support person as the company grows beyond
25, so I guess it'll be useful to make sure they're not giving users admin
rights.
Do you have any recommendations on what software can best accomplish this?
Many thanks
Ben
> Hello Ben,
>
> An argument for auditing installed software? The maxim "prevention is
> ideal, detection is a must" comes to mind.
>
> You prevent people from installing software by removing them from
> Power Users and Administrators. Now, the only point in time that you
> can be certain that the users were not administrators is when you last
> checked.
>
> What can happen? Some obliging admin or helpdesk may add the person
> back into these groups at a later date. Or perhaps the person learns
> the local Administrator password. I have seen both of these happen, as
> well as the less likely privilege escalation bug installing software.
>
> Running a regular audit against the machines is your detection
> control. It lets you catch any exception. As an added bonus, this may
> give you an early indication of colleagues who are passing out admin
> memberships or credentials.
>
> Regards,
>
> J Wolfgang Goerlich
>
>
>> Hi,
>>
>> I'm looking for some advice on software auditing and enforcement, and I
>> don't know whether I'm trying to talk myself into this, or our IT
>> Director
>> out of it!
>>
>> Here is the situation: Until a couple of months ago, all our users had
>> local
>> admin rights on their laptops - bad idea I know - 4 months ago I finally
>> got
>> management to support me in removing users admin rights, at which point
>> we
>> decided to take a software audit to make sure there was nothing
>> unlicensed/against company policy installed. We did this using
>> sysinternals
>> psinfo, which exported the software list for each machine to a text file.
>> I
>> then imported all of the files into excel, removed duplicates, MS
>> hotfixes &
>> updates, leaving me with a list of just the installed applications, which
>> was about 700 long. I then sorted through this list, categorising each
>> app
>> into 1 of 3 categories, 1= must have, i.e. Symantec Firewall, Acrobat
>> Reader, MS Office etc, 2=Can have, i.e. Acrobat Pro, MS Visio etc,
>> 3=Can't
>> have, games, p2p apps, unlicensed software etc. We then publish this list
>> on
>> the internal intranet for our users, if they have any cat 3 software,
>> they
>> have to remove it (if it requires admin access they come and ask IT
>> dept).
>>
>> This audit is something that management want to run on a regular basic,
>> but
>> they know how long it took to collate and sort through so they want a
>> piece
>> of software that can audit each machine, compare the results against the
>> list of categories, and remove anything that is banned, or push out
>> anything
>> that is required.
>>
>> However, most of these laptops, probably 75%, are either over 3 years
>> old,
>> or coming up to 3 years, which is usually the time that we'll scrap them,
>> and buy replacements. I think half of that 75% will be replaced this side
>> of
>> Christmas, with the other half being scheduled for replacement in
>> February.
>> The rest have been replaced, with a standard build, recently, AFTER we
>> removed admin rights from everyone.
>>
>> So, I'm trying to think of a situation when we would actually need to run
>> an
>> audit, and enforce the software policy. If users have a standard build,
>> with
>> updates being pushed out via WSUS, and new packages installed via GP
>> software installation, and can't install any software themselves, will we
>> ever need to enforce the software policy?
>>
>> Does anyone have a good argument for needing a package to enforce a
>> software
>> policy when users don't have local admin rights? If so, can you recommend
>> a
>> software package? Does System Center Configuration Manager 2007 have this
>> functionality?
>>
>> Many thanks
>>
>> Ben
>
>
|
|
Posted by on October 8, 2007, 3:16 pm
If you were Registered and logged in, you could reply and use other advanced thread options
to audited computers' software. Ecora (www.ecora.com) has a utility
that works decently and is inexpensive, too.
J Wolfgang Goerlich
> Do you have any recommendations on what software can best accomplish this?
|
|
Posted by GreenieLeBrun on October 9, 2007, 1:18 am
If you were Registered and logged in, you could reply and use other advanced thread options
management policies of your organisation. If you are the only Admin for your
domain what happens if an elephant falls out of a jumbo jet and lands on
your head or some thing else happens that renders you no longer functional?
Who then has access to the Admin rights on the companies domain?
Ben wrote:
> Hi,
>
> Thanks for the reply.
>
> The local admin account on each laptop is disabled by default, and we
> have a domain wide group policy that uses restricted groups, the only
> group added to the local administrators group is domain admins, and
> that group only contains my admin account, plus I'm the only IT
> /Support person on site, for the moment (1 admin 25 users) so in
> theory, no user should ever be able to get local admin access to
> their machine.
> Point taken on the privilege escalation by buggy software though. And
> we'll probably be employing a junior IT support person as the company
> grows beyond 25, so I guess it'll be useful to make sure they're not
> giving users admin rights.
>
> Do you have any recommendations on what software can best accomplish
> this?
> Many thanks
>
> Ben
>
>
>> Hello Ben,
>>
>> An argument for auditing installed software? The maxim "prevention is
>> ideal, detection is a must" comes to mind.
>>
>> You prevent people from installing software by removing them from
>> Power Users and Administrators. Now, the only point in time that you
>> can be certain that the users were not administrators is when you
>> last checked.
>>
>> What can happen? Some obliging admin or helpdesk may add the person
>> back into these groups at a later date. Or perhaps the person learns
>> the local Administrator password. I have seen both of these happen,
>> as well as the less likely privilege escalation bug installing
>> software. Running a regular audit against the machines is your detection
>> control. It lets you catch any exception. As an added bonus, this may
>> give you an early indication of colleagues who are passing out admin
>> memberships or credentials.
>>
>> Regards,
>>
>> J Wolfgang Goerlich
>>
>>
>>> Hi,
>>>
>>> I'm looking for some advice on software auditing and enforcement,
>>> and I don't know whether I'm trying to talk myself into this, or
>>> our IT Director
>>> out of it!
>>>
>>> Here is the situation: Until a couple of months ago, all our users
>>> had local
>>> admin rights on their laptops - bad idea I know - 4 months ago I
>>> finally got
>>> management to support me in removing users admin rights, at which
>>> point we
>>> decided to take a software audit to make sure there was nothing
>>> unlicensed/against company policy installed. We did this using
>>> sysinternals
>>> psinfo, which exported the software list for each machine to a text
>>> file. I
>>> then imported all of the files into excel, removed duplicates, MS
>>> hotfixes &
>>> updates, leaving me with a list of just the installed applications,
>>> which was about 700 long. I then sorted through this list,
>>> categorising each app
>>> into 1 of 3 categories, 1= must have, i.e. Symantec Firewall,
>>> Acrobat Reader, MS Office etc, 2=Can have, i.e. Acrobat Pro, MS
>>> Visio etc, 3=Can't
>>> have, games, p2p apps, unlicensed software etc. We then publish
>>> this list on
>>> the internal intranet for our users, if they have any cat 3
>>> software, they
>>> have to remove it (if it requires admin access they come and ask IT
>>> dept).
>>>
>>> This audit is something that management want to run on a regular
>>> basic, but
>>> they know how long it took to collate and sort through so they want
>>> a piece
>>> of software that can audit each machine, compare the results
>>> against the list of categories, and remove anything that is banned,
>>> or push out anything
>>> that is required.
>>>
>>> However, most of these laptops, probably 75%, are either over 3
>>> years old,
>>> or coming up to 3 years, which is usually the time that we'll scrap
>>> them, and buy replacements. I think half of that 75% will be
>>> replaced this side of
>>> Christmas, with the other half being scheduled for replacement in
>>> February.
>>> The rest have been replaced, with a standard build, recently, AFTER
>>> we removed admin rights from everyone.
>>>
>>> So, I'm trying to think of a situation when we would actually need
>>> to run an
>>> audit, and enforce the software policy. If users have a standard
>>> build, with
>>> updates being pushed out via WSUS, and new packages installed via GP
>>> software installation, and can't install any software themselves,
>>> will we ever need to enforce the software policy?
>>>
>>> Does anyone have a good argument for needing a package to enforce a
>>> software
>>> policy when users don't have local admin rights? If so, can you
>>> recommend a
>>> software package? Does System Center Configuration Manager 2007
>>> have this functionality?
>>>
>>> Many thanks
>>>
>>> Ben
|
| Similar Threads | Posted | | Downloads Required? | September 6, 2006, 1:23 pm |
| Can a password be required to print? | March 21, 2006, 1:41 pm |
| makecert.ext tool required | July 25, 2008, 10:05 am |
| Terminal servers missing required certificates | August 9, 2005, 2:46 pm |
| Remote users and AD authentication: Required password change is mi | August 19, 2005, 9:38 am |
| No password expiration alert when smart card logon is required | December 27, 2005, 1:14 pm |
| email from MSN Business Operations ".NET Messenger User with Corporate Domain Address: UPDATE REQUIRED" ?SCAM? | July 21, 2006, 9:55 am |
| who does a PKI audit? | January 31, 2008, 3:40 pm |
| User audit | September 6, 2005, 5:02 am |
| Audit Admnistrators | April 11, 2006, 4:02 pm |
|
XML site map