With Windows 7 adoption in full force, many organizations are revisiting their desktop architecture, and many are looking to move their end users out of the Administrators group and make them standard users. A standard user model has many benefits, including limiting system modification, reducing the risk of web-based threats, and preventing the installation of unwanted software. Let’s focus on this third point and what it means in a typical environment.
Preventing the installation of unwanted software is achieved because Windows 7 does not allow software to install to Program Files or the Windows directory without administrator rights. Problem solved! Or is it? The little-known caveat is that software that installs to the Users directory is still allowed. To illustrate what this means, let’s take a look at browsers and the standard user.
Looking at browser market share (Browser Market Share), the top five browsers are Internet Explorer, Firefox, Chrome, Safari, and Opera. In tests here at Arellia, we found interesting results when attempting to install web browsers while running as a standard user. The Internet Explorer and Safari installations required administrator credentials to proceed and failed when none were provided; Firefox prompted for administrator credentials and proceeded to install when none were provided; Chrome and Opera installed without any prompt for administrator credentials. So 3 out of 5 browsers are installable without any administrator credentials, and in all cases they were found in a hidden directory, C:\Users\stduser\AppData\Local.
Many organizations want to control browser installation for web application support, web security, and general application management. Google, Mozilla, and Opera clearly value user proliferation over enterprise manageability and security (are you really surprised?). So now what?
Many of Arellia’s customers leverage Application Control Solution to add administrator privileges to an application (system utility, software installer, or other applications) so that it can run properly as a standard user. With browser infiltration into user directories there are many additional options to manage applications in this area:
- Monitor: See what applications are being run from this and any other part of the file system (don’t forget portable applications) and use this to educate end users about appropriate software usage and/or apply more restrictive policies.
- Orangelist: Arellia Application Control Solution’s Orangelist policies could apply reduced privileges, isolate software in a virtual layer, or restrict file access. Of course blocking is always an option, but it is better to limit impact than to outright deny a potentially productive application. Be aware that many good applications will install components in the AppData directory as well.
- Blacklist: Don’t like the software? Deny it and inform the end user that it violates policy.
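
As a starting point for the Monitor option, the following added example (not part of the original article and not Arellia's tooling) inventories executables installed under each user's AppData directories, the location where the browsers in the tests above ended up. It assumes profiles live under C:\Users and that it is run from an elevated prompt so other users' profiles are readable; the output file name is a placeholder.

```powershell
# Added example: list executables installed in per-user profile directories,
# where a standard user can install software without administrator rights.
# Assumptions: profiles are under C:\Users; run elevated to read all profiles.
param(
    [string]$ProfilesRoot = 'C:\Users',
    [string[]]$SubDirs    = @('AppData\Local', 'AppData\Roaming'),
    [string]$OutFile      = '.\user-profile-executables.csv'   # placeholder name
)

$profiles = Get-ChildItem -Path $ProfilesRoot -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.PSIsContainer }

$results = foreach ($userDir in $profiles) {
    foreach ($sub in $SubDirs) {
        $target = Join-Path $userDir.FullName $sub
        if (-not (Test-Path -LiteralPath $target)) { continue }

        # -Force is required because AppData is hidden by default.
        # Unreadable junctions and protected folders are skipped silently.
        Get-ChildItem -LiteralPath $target -Recurse -Force -Filter '*.exe' `
                      -ErrorAction SilentlyContinue |
            Where-Object { -not $_.PSIsContainer } |
            ForEach-Object {
                $sig    = Get-AuthenticodeSignature -FilePath $_.FullName
                $signer = $null
                if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }

                New-Object PSObject -Property @{
                    User      = $userDir.Name
                    Company   = $_.VersionInfo.CompanyName
                    Product   = $_.VersionInfo.ProductName
                    Signature = $sig.Status      # Valid, NotSigned, HashMismatch, ...
                    Signer    = $signer
                    Modified  = $_.LastWriteTime
                    Path      = $_.FullName
                }
            }
    }
}

# Full detail for review, then a per-product count to show how widespread each one is.
$results | Sort-Object Company, Product, User |
    Select-Object User, Company, Product, Signature, Signer, Modified, Path |
    Export-Csv -Path $OutFile -NoTypeInformation

$results | Group-Object Product | Sort-Object Count -Descending |
    Select-Object Count, Name
```

This reports what is installed, not what has been executed, and unsigned entries are not necessarily unwanted: as noted above, many good applications place components in AppData.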
Remember that application security is a journey and not a destination. The Users directory is one stop to review on the journey to better security and management.