Applications; Portable vs. Installed
-
@stacksofplates said in Applications; Portable vs. Installed:
@jmoore said in Applications; Portable vs. Installed:
@scottalanmiller said in Applications; Portable vs. Installed:
@jmoore said in Applications; Portable vs. Installed:
@scottalanmiller said in Applications; Portable vs. Installed:
A big question would be... why do you want to restrict binaries from users?
Thats the sysadmin decision. He considers it a security measure and I can understand it somewhat.
Does he? Because he's not restricting them in any way, and totally okay with all the portable apps delivered in the web browser, right? So he's totally okay with them. Just confused, I'd guess.
Well, I can't presume to know his mind but hes just trying to limit the damage that can be done i suppose. I am guessing that is what he is thinking.
Is this from a government requirement? The only way to do this is checksum all of your executables. Unless you are required to do this, you're insane.
Yes we are a 2 year college and this is what I am told.
-
@jmoore said in Applications; Portable vs. Installed:
@stacksofplates said in Applications; Portable vs. Installed:
@jmoore said in Applications; Portable vs. Installed:
@scottalanmiller said in Applications; Portable vs. Installed:
@jmoore said in Applications; Portable vs. Installed:
@scottalanmiller said in Applications; Portable vs. Installed:
A big question would be... why do you want to restrict binaries from users?
Thats the sysadmin decision. He considers it a security measure and I can understand it somewhat.
Does he? Because he's not restricting them in any way, and totally okay with all the portable apps delivered in the web browser, right? So he's totally okay with them. Just confused, I'd guess.
Well, I can't presume to know his mind but hes just trying to limit the damage that can be done i suppose. I am guessing that is what he is thinking.
Is this from a government requirement? The only way to do this is checksum all of your executables. Unless you are required to do this, you're insane.
Yes we are a 2 year college and this is what I am told.
Wait you're told it's a government requirement? If so ask for the reference. Because if you aren't 100% required to do this, you are in for pain for no reason.
I worked for a DoD contractor and we fought tooth and nail to get an exception for that.
-
On Windows I can't help you at all. I mean there's tools like CyberArk but I don't know cost or manageability. On Linux
fapolicyd
can do whitelisting. -
@stacksofplates said in Applications; Portable vs. Installed:
On Windows I can't help you at all. I mean there's tools like CyberArk but I don't know cost or manageability. On Linux
fapolicyd
can do whitelisting.Yeah we are all Windows unfortunately.
-
@jmoore said in Applications; Portable vs. Installed:
@marcinozga said in Applications; Portable vs. Installed:
@gjacobse said in Applications; Portable vs. Installed:
@jmoore said in Applications; Portable vs. Installed:
@gjacobse said in Applications; Portable vs. Installed:
@jmoore said in Applications; Portable vs. Installed:
@jmoore said in Applications; Portable vs. Installed:
One thing I found about portable apps is occasionally a smarter user will install these. Yeah, it gets around our permissions in Ad because they do not modify the registry. so I do not like them for that reason. I can't have users installing whatever they want.
Something else you can do to make chocolatey easier to install in multiple places is use an xml file with the apps you want for yourself or for departments. I made one for myself but I really don't use it, however I have one for a few different departments here because they some specific things and its hard to remember the install names on each. So I just carry them around on a flash drive.
I'm curious on how you set this up,.. I know I have just been using a simple batch file once the core is installed.
<?xml version="1.0" encoding="utf-8"?> <packages> <package id="googlechrome" /> <package id="firefoxesr" /> <package id="flashplayerplugin" /> <package id="adobereader" /> <package id="jre8" /> <package id="7zip.install" /> <package id="vlc" /> <package id="powershell" /> <package id="silverlight" /> <package id="quicktime" /> <package id="irfanview" /> <package id="treesizefree" /> <package id="windirstat" /> <package id="crystaldiskinfo" /> </packages> </xml>
this file is called staff.config
Then i just use:choco install d:\packages.config –y
I'll have to give that a try on my next build. neat way to address the install.
Why not utilize proper configuration management tool for that? Ansible for example works very well with Chocolatey. The above approach might sound cool, but to me it's more of a stone age way.
Not approved here. However i can use powershell all I want.
That's suicide. Are you using group policy? That's config management. These people sound like they have no idea what's going on. I would make one million percent sure this is a real government requirement, more just something some admin thinks is one. There's no way a college needs this level of hardening.
-
@stacksofplates said in Applications; Portable vs. Installed:
These people sound like they have no idea what's going on.
That was pretty much the theme of my analysis. My take is that it seems like a combination of sys admin on a power trip combined with an overall lack of general knowledge of what they are telling him to do.
-
@stacksofplates said in Applications; Portable vs. Installed:
I would make one million percent sure this is a real government requirement, more just something some admin thinks is one.
I'm pretty confident that it is made up. Made up to the point of not being really plausible, hence made up by someone that didn't know enough to know what was even plausible as a requirement.
-
@scottalanmiller said in Applications; Portable vs. Installed:
@stacksofplates said in Applications; Portable vs. Installed:
I would make one million percent sure this is a real government requirement, more just something some admin thinks is one.
I'm pretty confident that it is made up. Made up to the point of not being really plausible, hence made up by someone that didn't know enough to know what was even plausible as a requirement.
Yeah I mean you can do it but you will pay for it for the rest of the time you work there. Especially if config management is "not approved".
-
Can you imagine adding/changing sha256 sums Everytime someone gets a new application or needs to run a script. And doing it by hand every single time. That would be your job day in and day out.
-
@stacksofplates said in Applications; Portable vs. Installed:
Can you imagine adding/changing sha256 sums Everytime someone gets a new application or needs to run a script. And doing it by hand every single time. That would be your job day in and day out.
And needing to do it for every new patch to every application. Eek.
-
@scottalanmiller said in Applications; Portable vs. Installed:
@stacksofplates said in Applications; Portable vs. Installed:
Can you imagine adding/changing sha256 sums Everytime someone gets a new application or needs to run a script. And doing it by hand every single time. That would be your job day in and day out.
And needing to do it for every new patch to every application. Eek.
Yup anytime there's an update to anything you would have to fix it.
-
@stacksofplates said in Applications; Portable vs. Installed:
@scottalanmiller said in Applications; Portable vs. Installed:
@stacksofplates said in Applications; Portable vs. Installed:
Can you imagine adding/changing sha256 sums Everytime someone gets a new application or needs to run a script. And doing it by hand every single time. That would be your job day in and day out.
And needing to do it for every new patch to every application. Eek.
Yup anytime there's an update to anything you would have to fix it.
Yeah, including system updates, chocolatey updates, manual updates, apps like Chrome that update themselves. And anything on a "per user" basis might update at different times.
-
@stacksofplates said in Applications; Portable vs. Installed:
Can you imagine adding/changing sha256 sums Everytime someone gets a new application or needs to run a script. And doing it by hand every single time. That would be your job day in and day out.
It's probably not possible if change management isn't available. But you can do this with SCCM.
-
@jmoore said in Applications; Portable vs. Installed:
One thing I found about portable apps is occasionally a smarter user will install these. Yeah, it gets around our permissions in Ad because they do not modify the registry. so I do not like them for that reason. I can't have users installing whatever they want.
Back in the days at my old job, we used Sophos to control those type of apps.
-
@black3dynamite said in Applications; Portable vs. Installed:
@jmoore said in Applications; Portable vs. Installed:
One thing I found about portable apps is occasionally a smarter user will install these. Yeah, it gets around our permissions in Ad because they do not modify the registry. so I do not like them for that reason. I can't have users installing whatever they want.
Back in the days at my old job, we used Sophos to control those type of apps.
Sophos does so much hardware these days, I begin to forget that they used to be a desktop agent.
-
@jmoore said in Applications; Portable vs. Installed:
@stacksofplates said in Applications; Portable vs. Installed:
@jmoore said in Applications; Portable vs. Installed:
@scottalanmiller said in Applications; Portable vs. Installed:
@jmoore said in Applications; Portable vs. Installed:
@scottalanmiller said in Applications; Portable vs. Installed:
A big question would be... why do you want to restrict binaries from users?
Thats the sysadmin decision. He considers it a security measure and I can understand it somewhat.
Does he? Because he's not restricting them in any way, and totally okay with all the portable apps delivered in the web browser, right? So he's totally okay with them. Just confused, I'd guess.
Well, I can't presume to know his mind but hes just trying to limit the damage that can be done i suppose. I am guessing that is what he is thinking.
Is this from a government requirement? The only way to do this is checksum all of your executables. Unless you are required to do this, you're insane.
Yes we are a 2 year college and this is what I am told.
That's a lot to deal with for a 2 year college. I can understand the annoyances of accreditation and also following like FERPA requirements.