Friday, 9 November 2012

Using Application Manager to allow users to install their own applications

One thing that keeps information security specialists up at night is the fact that, more often than not, end users have administrator rights. Whether they're highly trained IT staff or Joe Bloggs who only uses a PC because he has to, a user whose standard account has administrator rights compromises network security.

More often than not administrator rights are deployed for one of the following reasons:
  1. Users need to install their own applications.
  2. Users need to run applications that require administrator rights.
  3. Users travel and need to be able to change date and time settings.
  4. Users need to install printer drivers.
AppSense Application Manager is capable of addressing each of the above scenarios, and this post runs through scenario 1.

First things first: you need a network share to host all executables.

Second, make sure that the Administrators group owns all of the executables within the share.

Now to configure Application Manager. Start by opening the current configuration and locate the condition you want to enable the network application repository for; in my case, Everyone.

Note: The screenshots below only show the items I am adding to the configuration now. All existing configured items should remain configured unless they directly conflict with the configuration we are currently building.

Add the Share created above to the Accessible Items list.

  • At this point ensure Trusted Ownership is enabled.
  • Ensure Include Subdirectories is enabled.

Next, click on the User Rights list and add the share created above to the list.

  • Ensure Apply to child processes is selected, as some installers will extract temporary files and launch these.
  • Ensure Install as Trusted Owner is selected.
  • Select Builtin Administrator Policy.

Next, click on the Windows Installer Process Rule, browse to Accessible Items and ensure *.msi is added to the list.

Now click on the Windows Installer Process Rule's User Rights section and add the file share created above to the list of elevated items:
  • Ensure Apply to Child Items is selected.
  • Ensure Install as Trusted Owner is selected.
  • Ensure the Builtin Administrator Policy is selected.

One final thing to check before deploying the configuration: ensure user rights management is enabled within the Options window on the General Features tab.

Now to start testing your configuration. 

Note: It is vital to ensure Trusted Ownership checking is enforced AND that the network share is secure.
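
The ownership requirement on the share and the note above can both be checked before the configuration is deployed. The following PowerShell audit is an added example, not part of the original post or of AppSense tooling; the share path `\\fileserver\AppRepo` is a placeholder, and the rule that only Administrators and SYSTEM may modify the share is an assumption to adjust to your environment.

```powershell
# Added example (not AppSense code): audit the installer share before deployment.
# $SharePath is a placeholder; point it at your own repository share.
param([string]$SharePath = '\\fileserver\AppRepo')

# Well-known SIDs, so the check does not depend on localized account names.
$AdminsSid  = 'S-1-5-32-544'                # BUILTIN\Administrators
$WriterSids = @($AdminsSid, 'S-1-5-18')     # assumption: only Administrators and SYSTEM may modify content

# Rights that would let a principal replace or tamper with a hosted installer,
# plus the raw GENERIC_WRITE / GENERIC_ALL bits that can appear on inherit-only ACEs.
$WriteMask = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$WriteMask = $WriteMask -bor 0x50000000

$sidType = [System.Security.Principal.SecurityIdentifier]
$items   = @(Get-Item -LiteralPath $SharePath) +
           @(Get-ChildItem -LiteralPath $SharePath -Recurse -Force)

$findings = foreach ($item in $items) {
    $acl   = Get-Acl -LiteralPath $item.FullName
    $owner = $acl.GetOwner($sidType).Value

    # Every file in the share must be owned by the Administrators group.
    if (-not $item.PSIsContainer -and $owner -ne $AdminsSid) {
        [pscustomobject]@{
            Path = $item.FullName; Issue = 'Owner is not Administrators'; Principal = $owner
        }
    }

    # Explicit and inherited Allow ACEs that give write-type access to anyone else.
    foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
        $sid = $ace.IdentityReference.Value
        if ($ace.AccessControlType -eq 'Allow' -and
            $WriterSids -notcontains $sid -and
            (([int]$ace.FileSystemRights -band $WriteMask) -ne 0)) {
            [pscustomobject]@{
                Path = $item.FullName; Issue = 'Write access for non-admin principal'; Principal = $sid
            }
        }
    }
}

$findings | Format-Table -AutoSize
if ($findings) { exit 1 }   # non-zero exit so a scheduled check can alert
```

This inspects NTFS ownership and permissions only; share-level permissions are configured separately and need their own review.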