Applications; Portable vs. Installed
-
One thing I found about portable apps is occasionally a smarter user will install these. Yeah, it gets around our permissions in AD because they do not modify the registry. So I do not like them for that reason. I can't have users installing whatever they want.
-
@jmoore said in Applications; Portable vs. Installed:
One thing I found about portable apps is occasionally a smarter user will install these. Yeah, it gets around our permissions in AD because they do not modify the registry. So I do not like them for that reason. I can't have users installing whatever they want.
Annnnd there is of course -THAT- aspect. Yea,.. general end users don't need to be able to do that.
-
@jmoore said in Applications; Portable vs. Installed:
One thing I found about portable apps is occasionally a smarter user will install these. Yeah, it gets around our permissions in AD because they do not modify the registry. So I do not like them for that reason. I can't have users installing whatever they want.
Something else you can do to make Chocolatey easier to install in multiple places is use an XML file with the apps you want for yourself or for departments. I made one for myself but I really don't use it; however, I have one for a few different departments here because they need some specific things and it's hard to remember the install names on each. So I just carry them around on a flash drive.
-
@jmoore said in Applications; Portable vs. Installed:
One thing I found about portable apps is occasionally a smarter user will install these. Yeah, it gets around our permissions in AD because they do not modify the registry. So I do not like them for that reason. I can't have users installing whatever they want.
The issue there is using the registry as a means for app control. That's not really a good mechanism for that. Yes, it stops system wide use of the installer, but if that isn't the goal (which it isn't here), it's totally the wrong tool. So the issue here is attempting to use a tool that does X and hoping that it does Y.
Portable apps are not installed. So your users are not installing whatever they want. They aren't installing at all (which generally users don't have the power to do anyway.) But what they are doing is running an arbitrary binary which, almost always, is exactly how things are supposed to work. You do this far more often than you realize.
A big question would be... why do you want to restrict binaries from users?
-
@gjacobse said in Applications; Portable vs. Installed:
@jmoore said in Applications; Portable vs. Installed:
One thing I found about portable apps is occasionally a smarter user will install these. Yeah, it gets around our permissions in AD because they do not modify the registry. So I do not like them for that reason. I can't have users installing whatever they want.
Annnnd there is of course -THAT- aspect. Yea,.. general end users don't need to be able to do that.
Actually, they generally do. Not all the time, but way more often than you think.
-
@scottalanmiller said in Applications; Portable vs. Installed:
Portable apps are not installed. So your users are not installing whatever they want. They aren't installing at all (which generally users don't have the power to do anyway.)
Yeah, you're right, I just phrased it wrong. I know better, lol. Just wasn't thinking.
-
Portable = Not Installed.
Users generally need to be able to write and run and use binaries. Whether they make them themselves, get them from coworkers, run them from the network, have them spawned from their browser, etc., you run apps that aren't installed, constantly.
In fact, the entire purpose of a web browser (okay, not the entire purpose, but most of it today) is as a platform for being able to do exactly this. Why are we generally okay with users getting portable JavaScript apps all day long, but aren't okay if they are written in some other language? Why are we okay with 99% of the portable apps that they use, but not others? What's the concern? Define the problem in human terms, then we can address it in computational ones.
-
@scottalanmiller said in Applications; Portable vs. Installed:
A big question would be... why do you want to restrict binaries from users?
That's the sysadmin's decision. He considers it a security measure and I can understand it somewhat.
-
@jmoore said in Applications; Portable vs. Installed:
@scottalanmiller said in Applications; Portable vs. Installed:
Portable apps are not installed. So your users are not installing whatever they want. They aren't installing at all (which generally users don't have the power to do anyway.)
Yeah, you're right, I just phrased it wrong. I know better, lol. Just wasn't thinking.
This also means that they aren't "working around" your permissions. The perms that you have in place are only in reference to installation, not in reference to downloading or running. They aren't working around you, it's that the limitations put on the users are far different than believed.
-
@jmoore said in Applications; Portable vs. Installed:
@scottalanmiller said in Applications; Portable vs. Installed:
A big question would be... why do you want to restrict binaries from users?
That's the sysadmin's decision. He considers it a security measure and I can understand it somewhat.
Does he? Because he's not restricting them in any way, and totally okay with all the portable apps delivered in the web browser, right? So he's totally okay with them. Just confused, I'd guess.
-
@jmoore said in Applications; Portable vs. Installed:
@jmoore said in Applications; Portable vs. Installed:
One thing I found about portable apps is occasionally a smarter user will install these. Yeah, it gets around our permissions in AD because they do not modify the registry. So I do not like them for that reason. I can't have users installing whatever they want.
Something else you can do to make Chocolatey easier to install in multiple places is use an XML file with the apps you want for yourself or for departments. I made one for myself but I really don't use it; however, I have one for a few different departments here because they need some specific things and it's hard to remember the install names on each. So I just carry them around on a flash drive.
I'm curious how you set this up. I know I have just been using a simple batch file once the core is installed.
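For readers with the same question, here is what a per-department package list looks like in Chocolatey's packages.config format, which is the kind of XML file described above. This is an added example, not code from anyone in the thread; the department names, package ids and temp path are illustrative assumptions, and it assumes Chocolatey is already installed and the prompt is elevated.

```powershell
# Added example: generate a per-department Chocolatey packages.config and
# install it. Department names and package ids are illustrative assumptions.
$deptPackages = @{
    # Department name => list of Chocolatey package ids (illustrative)
    'FinancialAid' = @('googlechrome', 'firefox', 'adobereader')
    'Registrar'    = @('googlechrome', '7zip')
}

function New-PackagesConfig {
    param(
        [Parameter(Mandatory)] [string[]] $PackageIds,
        [Parameter(Mandatory)] [string]   $Path
    )
    # Chocolatey accepts a packages.config file shaped like:
    # <packages><package id="..." [version="..."] /></packages>
    $lines = @('<?xml version="1.0" encoding="utf-8"?>', '<packages>')
    foreach ($id in $PackageIds) {
        $lines += ('  <package id="{0}" />' -f $id)
    }
    $lines += '</packages>'
    Set-Content -Path $Path -Value $lines -Encoding UTF8
    return $Path
}

function Install-DepartmentPackages {
    param([Parameter(Mandatory)] [string] $Department)
    if (-not $deptPackages.ContainsKey($Department)) {
        throw "Unknown department: $Department"
    }
    # Needs an elevated prompt with Chocolatey already on PATH.
    if (-not (Get-Command choco -ErrorAction SilentlyContinue)) {
        throw 'choco was not found on PATH; install Chocolatey first.'
    }
    $config = New-PackagesConfig -PackageIds $deptPackages[$Department] `
        -Path (Join-Path $env:TEMP "$Department.packages.config")
    # choco install accepts a packages.config path in place of a package id
    & choco install $config -y --no-progress
}

# Usage (from an elevated PowerShell prompt):
# Install-DepartmentPackages -Department 'FinancialAid'
# Later, to bring everything installed this way up to date:
# choco upgrade all -y
```

Keeping the package lists in a script like this (or in the XML files themselves, versioned somewhere central) removes the flash-drive dependency, and `choco upgrade all` then covers exactly the set of apps that were installed through Chocolatey, which is the point made later in the thread about portable copies falling outside that update path.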
-
@scottalanmiller said in Applications; Portable vs. Installed:
@jmoore said in Applications; Portable vs. Installed:
@scottalanmiller said in Applications; Portable vs. Installed:
Portable apps are not installed. So your users are not installing whatever they want. They aren't installing at all (which generally users don't have the power to do anyway.)
Yeah, you're right, I just phrased it wrong. I know better, lol. Just wasn't thinking.
This also means that they aren't "working around" your permissions. The perms that you have in place are only in reference to installation, not in reference to downloading or running. They aren't working around you, it's that the limitations put on the users are far different than believed.
Yes, that is correct. I need more coffee. So the idea is to keep users from installing anything on their own unless it's an approved app.
-
@scottalanmiller said in Applications; Portable vs. Installed:
@jmoore said in Applications; Portable vs. Installed:
@scottalanmiller said in Applications; Portable vs. Installed:
A big question would be... why do you want to restrict binaries from users?
That's the sysadmin's decision. He considers it a security measure and I can understand it somewhat.
Does he? Because he's not restricting them in any way, and totally okay with all the portable apps delivered in the web browser, right? So he's totally okay with them. Just confused, I'd guess.
Well, I can't presume to know his mind, but he's just trying to limit the damage that can be done, I suppose. I am guessing that is what he is thinking.
-
@jmoore said in Applications; Portable vs. Installed:
He considers it a security measure and I can understand it somewhat.
If you understand it, describe it. What exactly is the concern? Don't use a term like "portable app", because that's so broad that everyone is confused. In general we restrict installing because that's how really dangerous things happen. But portable apps are normally allowed because they essentially have to be for computers to work. What use is a computer with no portable apps today? Basically, it's just a brick. Not completely, but close to it.
Avoid agreeing with him, based on a feeling. If you can define the concern, do so. If not, it's important to recognize an emotional response and address it. My guess is that like most "out of his league" sys admins, he feels inadequate in his job and knows that he's in over his head and that people around him know that he doesn't know his job. And to feel better about himself, it's common to desire power and control over users to compensate. That's generally where something like this comes from. Not because it makes sense, or even works. Not because it's about security, or is good for the business. But out of a personal desire to inflict discomfort on end users in order to feel a sense of power when, in reality, he probably feels impotent at work from not understanding his job.
-
@jmoore said in Applications; Portable vs. Installed:
@scottalanmiller said in Applications; Portable vs. Installed:
@jmoore said in Applications; Portable vs. Installed:
@scottalanmiller said in Applications; Portable vs. Installed:
Portable apps are not installed. So your users are not installing whatever they want. They aren't installing at all (which generally users don't have the power to do anyway.)
Yeah, you're right, I just phrased it wrong. I know better, lol. Just wasn't thinking.
This also means that they aren't "working around" your permissions. The perms that you have in place are only in reference to installation, not in reference to downloading or running. They aren't working around you, it's that the limitations put on the users are far different than believed.
Yes, that is correct. I need more coffee. So the idea is to keep users from installing anything on their own unless it's an approved app.
That's easy, Windows does that by default. No need to "do anything" because installation is restricted to admins. You only run into the problem if you give end users installation rights.
-
@jmoore said in Applications; Portable vs. Installed:
@scottalanmiller said in Applications; Portable vs. Installed:
@jmoore said in Applications; Portable vs. Installed:
@scottalanmiller said in Applications; Portable vs. Installed:
A big question would be... why do you want to restrict binaries from users?
That's the sysadmin's decision. He considers it a security measure and I can understand it somewhat.
Does he? Because he's not restricting them in any way, and totally okay with all the portable apps delivered in the web browser, right? So he's totally okay with them. Just confused, I'd guess.
Well, I can't presume to know his mind, but he's just trying to limit the damage that can be done, I suppose. I am guessing that is what he is thinking.
No, he's definitely not. There's no real security factor here. It's a bad habit to agree with someone in a situation like this because it's pretty clear he's just confused or angry and acting like a petulant child. If you can articulate a real concern, great. If not, don't assume that he's acting logically, there's realistically no chance that he is. Both because no one anywhere needs these kinds of restrictions in normal businesses (even Wall St. and hospitals don't do this, maybe a nuclear power station does or military ship) and because he has demonstrated that he has no concept of how applications work by thinking he was restricting "binary execution" when he was actually restricting installation, which is conceptually a different thing.
Installation is important for a lot of reasons to restrict. Binary execution almost never is. Without binary execution, all kinds of things stop working.
-
To think about binary execution, this is an insanely broad category. Everything you run on the computer is covered by this, including just running a command in CMD or clicking on an icon (which is just running a command in CMD). So if you restrict binary execution, you end up having to whitelist every last possible thing that someone could do. Every shortcut requires a whitelist entry. Every action.
It feels like downloading a portable app and running it is somehow a special case, but it's actually not. MangoLassi is a portable app that runs on JavaScript. So is Facebook, or Google. Every batch file you write is the same thing, just using CMD or PS as an underlying binary. To stop arbitrary execution means that not only do we have to stop the OS from running any binary, but that we also have to stop all platforms on the OS from doing so, as well. So things like CMD, PS, Python, .NET, Java, web browsers, Word, Excel, and on and on... all of which are application platforms that can run their own portable apps, have to be disabled. If we don't then we are simply, arbitrarily taking issue with the language of an app, and not the app itself or the concerns around it.
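One way to put a number on how broad "binary execution" is on a real fleet, before anyone commits to allow-listing it, is to run AppLocker in audit-only mode and count what users actually execute. The script below is an added example, not from the thread: it assumes AppLocker is configured in audit mode on the machine, that the script runs elevated, and that event ID 8003 in the "Microsoft-Windows-AppLocker/EXE and DLL" log (a file that ran but would have been blocked under enforcement) is the signal of interest.

```powershell
# Added example: inventory what an AppLocker allow-list would have to cover.
# Assumes AppLocker is in audit-only mode and the session is elevated.
# Event 8003 = "allowed to run, would have been blocked if enforced".
function Get-AuditedExecutions {
    param([int] $Days = 7)
    $filter = @{
        LogName   = 'Microsoft-Windows-AppLocker/EXE and DLL'
        Id        = 8003
        StartTime = (Get-Date).AddDays(-$Days)
    }
    # SilentlyContinue: Get-WinEvent errors out when no events match
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # AppLocker events carry their details in UserData/RuleAndFileData
        $x = [xml] $_.ToXml()
        $d = $x.Event.UserData.RuleAndFileData
        [pscustomobject]@{
            Time     = $_.TimeCreated
            User     = $d.TargetUser
            FilePath = $d.FilePath   # uses AppLocker path variables, e.g. %PROGRAMFILES%\...
            FileHash = $d.FileHash
        }
    }
}

function Get-AllowListEstimate {
    param([int] $Days = 7)
    $events = @(Get-AuditedExecutions -Days $Days)
    $byPath = @($events | Group-Object FilePath | Sort-Object Count -Descending)
    [pscustomobject]@{
        Executions       = $events.Count
        # each distinct path would need its own rule, or a publisher/path rule covering it
        DistinctBinaries = $byPath.Count
        TopBinaries      = $byPath | Select-Object -First 20 Name, Count
    }
}

# Usage:
# $est = Get-AllowListEstimate -Days 7
# "{0} executions across {1} distinct binaries" -f $est.Executions, $est.DistinctBinaries
# $est.TopBinaries | Format-Table -AutoSize
```

The distinct-binary count only covers EXEs and DLLs; scripts and MSIs land in separate AppLocker logs, and everything run inside a browser, Office macro or interpreter never shows up at all, which is exactly the gap the paragraph above describes. Running this for a week on a few representative machines is a cheap way to turn "restrict binary execution" from a feeling into a concrete rule count and a concrete list of what would break.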
-
@scottalanmiller said in Applications; Portable vs. Installed:
If you understand it, describe it. What exactly is the concern?
Ok here are some past things that have occurred that are not desirable. These are portable apps.
-
Browsers - they do not get updated when I run my Chocolatey scripts. Users end up using a very old browser and functionality breaks. Some of our Department of Education stuff breaks quickly if not kept updated, and then students do not get financial aid, which means they aren't spending money with the school.
-
Dropbox etc. - we have strict regulations and can get in lots of trouble if financial documents or documents with personal information pass to others in this unsecured way. At least the government tells us this is not secure enough for them, and the school has to abide by these rules for funding.
-
Email - also another regulation is that we have to have a standardized email platform that everything goes through for proper audits. We can't have users using an unknown client to send/receive that can't be monitored. I was told this a long time ago by our financial aid people, so probably another state regulation.
-
Rogue apps - a while back we had a user use a "registry cleaner" because the computer was running slow. It was actually malware.
-
General updates - this kind of goes back to #1, but anyone running portable apps won't get updated and so won't be secure if it goes on for long enough.
-
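The stale-browser item in the list above is something you can actually check for rather than guess at: browser executables that live outside the managed install locations (typically inside user profiles, which is where portable copies end up) can be enumerated and their versions compared against what Chocolatey is keeping current. This is an added example, not from the thread; the executable name list, the search root and the "managed" roots are assumptions, and it should run elevated so every profile is readable.

```powershell
# Added example: find browser binaries living outside Program Files and
# report their versions. Name list and search roots are assumptions.
$browserExeNames = @('firefox.exe', 'chrome.exe', 'msedge.exe', 'opera.exe', 'brave.exe')

# Locations Chocolatey/MSI installers normally write to; anything elsewhere is
# treated as unmanaged for the purpose of this check.
$managedRoots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }

function Get-UnmanagedBrowsers {
    param(
        [string[]] $SearchRoots = @(Join-Path $env:SystemDrive 'Users')
    )
    foreach ($root in $SearchRoots) {
        if (-not (Test-Path $root)) { continue }
        Get-ChildItem -Path $root -Recurse -File -Include $browserExeNames -ErrorAction SilentlyContinue |
            Where-Object {
                $path = $_.FullName
                # Skip anything under the managed roots
                -not ($managedRoots | Where-Object {
                    $path.StartsWith($_, [StringComparison]::OrdinalIgnoreCase)
                })
            } |
            ForEach-Object {
                $vi = $_.VersionInfo
                [pscustomobject]@{
                    Path        = $_.FullName
                    Product     = $vi.ProductName
                    Version     = $vi.ProductVersion
                    LastWritten = $_.LastWriteTime
                    Owner       = (Get-Acl -Path $_.FullName).Owner
                }
            }
    }
}

# Usage (elevated, so every profile on the machine is readable):
# Get-UnmanagedBrowsers | Sort-Object Version | Format-Table -AutoSize
```

Treat the output as a review list rather than a block list: some vendors' per-user installers (Chrome's user-level install, for instance) also land under the profile and keep themselves updated, whereas a portable unzip of a browser from months ago will not. The `LastWritten` and `Version` columns together make the difference obvious, and the `Owner` column tells you who to talk to.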
-
@jmoore said in Applications; Portable vs. Installed:
Browsers - they do not get updated when I run my Chocolatey scripts. Users end up using a very old browser and functionality breaks. Some of our Department of Education stuff breaks quickly if not kept updated, and then students do not get financial aid, which means they aren't spending money with the school.
Sure, but that's a concern with all code the user uses. If the user chooses to intentionally not have something work because they didn't use the installed tools, there is nothing you can do about that. They could equally just refuse to do their jobs. Once you have a worker refusing to work, whether they use a broken browser as an excuse or not, this is simply an HR issue of someone not doing their job. This is not related to portable apps.
-
@jmoore said in Applications; Portable vs. Installed:
Dropbox etc. - we have strict regulations and can get in lots of trouble if financial documents or documents with personal information pass to others in this unsecured way. At least the government tells us this is not secure enough for them, and the school has to abide by these rules for funding.
Sure, but they don't need a Dropbox app to do that. If users are going to steal data, you need to fire the thieves when they get caught, and use what security restrictions you can to limit the egress of data. The dropbox app is neither here nor there in this picture because they can just upload through any tool that already exists to the same place.
Again, the portable app here is a red herring. Anything a user can do with a portable app that they download, they can do without it. The functionality of uploading to Dropbox is an issue, the Dropbox app is not. Just like how restricting installation wasn't actually addressing any real issue, this isn't either. For the security here, we'd have to focus on the goal, not get distracted by one limited tool someone might use.