Educause Security Discussion mailing list archives

Re: Peeling off desktop Administrator Rights


From: David Escalante <david.escalante () BC EDU>
Date: Mon, 7 Dec 2009 13:57:37 -0500

randy marchany wrote:
> Call me silly, but I think there is an end to this battle but we don't
> want to put in the effort to accomplish this. That end involves a)
> enforcing user responsibility for their actions b) give them basic
> training (you want to be able to install stuff, you have to sit in
> this training) c) speed up legit software install requests.

I generally agree with Randy, and would add that I've been interested
for the past couple years in deploying some type of "whitelisting"
software to assist with this, but have not done so.

For example, the whitelist software that interests me most at the moment
has a hash table of various "legit" software packages, and when the user
installs something new, it checks the executable against this table, and
can take various actions if the hash does not match, such as: (1) block
the install, (2) notify the user that the software is unusual, (3)
notify the Security staff of same, etc....  You can choose the level of
enforcement you're comfortable with in your environment, but even worst
case, the user installs something and the Security folks get a message
that the user installed "AdobeeeeAcrobot.exe" and that it doesn't match
the hashes of any known version of Acrobat, which would be a good thing
to know in my humble opinion.

One reason we haven't moved more aggressively on this has been "client
bloat" on our Windows computers...by the time one runs all the
executables one desires for security and backup and other functions on
one's endpoints, there are a host of potential conflicts where the apps
can step on each other, hog memory, slow down the computer, etc.  I'm
loath to make the situation worse by adding even more security apps.
Thoughts on that issue most welcome....
--
David Escalante
Boston College
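
The hash-table check and the selectable enforcement levels described in the message above, sketched as an added example (not part of the original post and not the code of any whitelisting product). The level ordering, function names and sample bytes are assumptions made for illustration; the allowlist entry is constructed, not a real vendor hash.

```python
import hashlib
import io
from enum import IntEnum

class Level(IntEnum):
    """Enforcement levels from the message, weakest to strongest (ordering is an assumption)."""
    NOTIFY_SECURITY = 1
    WARN_USER = 2
    BLOCK = 3

def sha256_of(stream, chunk_size=65536):
    """Hash a binary stream in chunks so large installers are not read into memory at once."""
    digest = hashlib.sha256()
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        digest.update(chunk)
    return digest.hexdigest()

def check_installer(name, stream, allowlist, level):
    """Decide on file content only; the file name is recorded but never trusted."""
    file_hash = sha256_of(stream)
    product = allowlist.get(file_hash)
    if product is not None:
        return {"file": name, "sha256": file_hash, "known_as": product,
                "allowed": True, "actions": []}
    actions = ["notify_security"]  # every level leaves a record for the security staff
    if level >= Level.WARN_USER:
        actions.append("warn_user")
    if level >= Level.BLOCK:
        actions.append("block_install")
    return {"file": name, "sha256": file_hash, "known_as": None,
            "allowed": level < Level.BLOCK, "actions": actions}

# Constructed sample data: stand-in bytes, not real installers or real vendor hashes.
GENUINE = b"constructed stand-in for a vendor-released Acrobat installer"
MODIFIED = GENUINE + b" with one extra byte"
ALLOWLIST = {hashlib.sha256(GENUINE).hexdigest(): "Acrobat (constructed entry)"}

def demo():
    return [
        check_installer("renamed_copy.exe", io.BytesIO(GENUINE), ALLOWLIST, Level.BLOCK),
        check_installer("AdobeeeeAcrobot.exe", io.BytesIO(MODIFIED), ALLOWLIST, Level.NOTIFY_SECURITY),
        check_installer("AdobeeeeAcrobot.exe", io.BytesIO(MODIFIED), ALLOWLIST, Level.BLOCK),
    ]

if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

A renamed copy of a known installer still matches, while a file whose contents differ from every known release is reported at all levels and stopped only at the strictest one.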
