![]() ![]() Jason | | Twitter know this is quite an old one, but I've just come across it so others might too. If your users are local admins, nothing can totally stop a user from doing things you don't want them to do. Jason | | Twitter Take away admin rights from your users. This also greatly increases your security posture because now malware can’t even run and your attack surface area on a client system is about as close to zero as it gets. With White-listing you list only things you want to run – it takes a fair amount of up front work, but eliminates the “grey” apps and “black” apps without Want users to run so you essentially create a “grey” set of apps. With black-listing, you have to be very proactive and can never define everything you don’t You can take things to an extreme level using white-listing instead of black-listing. And some programs don't even use installers so trying to only control the installation is only half the problem ans can sometimes be side-stepped anyway.įor that you can use SRP or AppLocker to prevent things from even running. Ultimately, installers are just programs that run. That still won’t stop everything – some apps don’t need to be installed or are simple self-extracting installs. (WS.10).aspx (search for Prohibit User Installs). #2 There is a group policy to disable per-user installs: #1 Take away admin rights from your users. ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |