Windows 8 provides an array of tools that will help prevent users from installing unwanted applications on their devices. User-installed applications can cause problems with other applications or with the operating system.
Such problems can be time-consuming to correct because the helpdesk staff may not know that the user installed an application with a compatibility issue. Organizations are also legally responsible for making sure that any software installed on their computers is properly licensed. In other words, unauthorized applications decrease productivity while increasing support costs and licensing risk.
Rather than delve into a discussion of third-party solutions, I want to talk about the mechanisms that are available using native Microsoft features.
Although virtual desktops aren’t specifically intended to be a mechanism for preventing users from installing unauthorized applications, Microsoft’s VDI implementation does a good job of it. A Windows Server based VDI deployment makes use of virtual desktop pools. Assuming that personal virtual desktops are not being used, the connection broker connects each client to an available virtual desktop from the pool rather than to a desktop that belongs to that user.
Once connected and logged in, the user is free to do anything he wants (within the limits of the administrative controls that have been put into place). However, once the user logs out, any changes that the user made to the virtual desktop are rolled back, and the virtual desktop is returned to a pristine state for the next user. In other words, users might theoretically be able to install unauthorized software onto a pooled virtual desktop, but that software is removed as soon as the user’s session ends (unless personal virtual desktops are being used). Keep in mind that rollback is a cleanup mechanism, not a preventive control: for the duration of the session the software still runs with whatever rights the user has, so the NTFS permission, group policy, and AppLocker controls discussed below still apply inside a pooled desktop.
Group policy settings
When it comes to legacy desktop applications, effective use of NTFS permissions is essential to preventing users from installing unauthorized applications. Simply put, users should run as standard users and should not have local administrative permissions, since most installers write to Program Files and to HKEY_LOCAL_MACHINE, which a standard user cannot do. Even so, NTFS permissions alone are inadequate for locking down Windows 8, because plenty of software can be installed or simply run from the user’s own profile. You will also need to make use of group policy settings.
There are two main group policy settings that you should focus on. First, take a look at Computer Configuration\Policies\Administrative Templates\System\Removable Storage Access. This area of the group policy tree allows you to implement settings that block access to removable media; the broadest of them is All Removable Storage classes: Deny all access. This can go a long way toward preventing users from installing unauthorized software from USB drives and optical media, although it does nothing about software that arrives by download or from a network share.
The second group policy setting that you should focus on is Computer Configuration\Policies\Administrative Templates\Windows Components\Store (the same setting also exists under User Configuration). This section of the group policy tree contains a setting named Turn off the Store application. You can use this setting to prevent users from downloading and installing apps from the Windows Store.
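The two settings above are backed by registry values under HKLM\SOFTWARE\Policies, so they can be set in a GPO and then verified on a client without opening the Group Policy Management Editor. The following script is an added example, not from the original article. It assumes the GroupPolicy module from the Remote Server Administration Tools is installed, and that a GPO with the hypothetical name "Workstation Lockdown" already exists and is linked to the target OU.

```powershell
# Added example (not part of the original article). Requires the GroupPolicy RSAT module.
Import-Module GroupPolicy

$gpo = 'Workstation Lockdown'   # assumption: hypothetical GPO name, already linked to the OU

# Computer Configuration\Policies\Administrative Templates\System\Removable Storage Access
# "All Removable Storage classes: Deny all access" = Enabled
Set-GPRegistryValue -Name $gpo `
    -Key 'HKLM\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices' `
    -ValueName 'Deny_All' -Type DWord -Value 1

# Computer Configuration\Policies\Administrative Templates\Windows Components\Store
# "Turn off the Store application" = Enabled
Set-GPRegistryValue -Name $gpo `
    -Key 'HKLM\SOFTWARE\Policies\Microsoft\WindowsStore' `
    -ValueName 'RemoveWindowsStore' -Type DWord -Value 1

# Read the values back out of the GPO to confirm they were written as intended.
Get-GPRegistryValue -Name $gpo -Key 'HKLM\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
Get-GPRegistryValue -Name $gpo -Key 'HKLM\SOFTWARE\Policies\Microsoft\WindowsStore'

# On a client, after 'gpupdate /force', check the effective policy keys. The keys
# only exist once the policy has applied, so a missing key means "not yet applied".
function Test-LockdownApplied {
    $deny  = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices' `
                              -Name Deny_All -ErrorAction SilentlyContinue
    $store = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsStore' `
                              -Name RemoveWindowsStore -ErrorAction SilentlyContinue
    [pscustomobject]@{
        RemovableStorageDenied = ($deny.Deny_All -eq 1)
        StoreDisabled          = ($store.RemoveWindowsStore -eq 1)
    }
}

Test-LockdownApplied
```

Run the Set-GPRegistryValue and Get-GPRegistryValue lines from a management workstation with permission to edit the GPO, and the Test-LockdownApplied function on a client in the linked OU; a result of False for either property means the setting has not applied yet or is being overridden by another GPO.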
AppLocker is a Windows feature that is specifically designed to prevent the execution of unauthorized applications, which makes it the control that deals with software a user runs directly from a download folder or USB stick without ever installing it. AppLocker is technically a collection of group policy settings (found under Computer Configuration\Policies\Windows Settings\Security Settings\Application Control Policies), but Microsoft treats it as a Windows feature rather than merely as a sub-component of group policies. Two practical caveats: AppLocker rules can be authored on Windows 8 Pro but are only enforced on Windows 8 Enterprise, and enforcement depends on the Application Identity service (AppIDSvc) running on the client.
AppLocker in Windows 8 supports the creation of four types of rules by default (a fifth collection, DLL rules, exists but is disabled by default because of its performance cost):
- Executable Rules -- Executable rules either allow or deny the running of specific executable files (.exe and .com). These rules can identify files based on the publisher that signed the executable, a file hash, or the path to the executable file.
- Windows Installer Rules -- Windows Installer rules are similar to executable rules, except that they apply to Windows Installer files (.msi, .msp, and .mst). Windows Installer rules can be based on file hash, file path, or publisher.
- Script Rules -- Script rules govern the running of scripts. These rules apply to PowerShell scripts (.ps1), batch files (.bat), VBScript (.vbs), JScript (.js), and .cmd files.
- Packaged App Rules -- Packaged app rules govern packaged apps (which are also known as Windows 8 apps). Packaged app rules can be based on the publisher name, package name, or package version.
Once a rule collection contains at least one rule and is set to enforce, anything in that collection that is not explicitly allowed is denied, so the usual approach is to build allow rules from a clean reference machine, run in audit-only mode until the event log is quiet, and only then switch to enforcement.
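The AppLocker PowerShell module can build, test, and apply a rule set along the lines just described. The script below is an added example and is not code from the original article. It assumes an elevated PowerShell session on a Windows 8 Enterprise reference machine whose Program Files directory contains only approved software, that the Test-AppLockerPolicy sample paths exist on that machine (the Downloads path is a constructed placeholder to replace with a real unsigned file outside the approved directories), and that the resulting policy is applied to the local machine rather than a domain GPO.

```powershell
# Added example (not part of the original article). Run elevated on a Windows 8
# Enterprise reference machine with only approved software installed.
Import-Module AppLocker

# 1. AppLocker rules are silently ignored unless the Application Identity service runs.
Set-Service -Name AppIDSvc -StartupType Automatic
Start-Service -Name AppIDSvc

# 2. Inventory the executables, installers and scripts in the trusted install
#    locations. Signed files yield publisher rules; unsigned files fall back to hash.
$files  = Get-AppLockerFileInformation -Directory 'C:\Program Files' -Recurse `
              -FileType Exe, WindowsInstaller, Script
$files += Get-AppLockerFileInformation -Directory 'C:\Windows' -Recurse `
              -FileType Exe, Script

# 3. Build allow rules for Everyone from that inventory. -Optimize collapses files
#    from the same publisher into one rule; -IgnoreMissingFileInformation skips
#    files that cannot produce a Publisher or Hash rule instead of failing.
$policy = New-AppLockerPolicy -FileInformation $files `
              -RuleType Publisher, Hash -User Everyone `
              -Optimize -IgnoreMissingFileInformation

# 4. Save the XML for review and change control before anything is applied.
$policy.ToXml() | Set-Content -Path 'C:\Temp\AppLockerPolicy.xml'

# 5. Simulate the policy against sample files before deploying it. Files outside
#    the inventory are reported as DeniedByDefault because allow rules now exist.
#    The Downloads path is a constructed placeholder; Test-AppLockerPolicy must
#    read the real file to compute its hash, so point it at a file that exists.
$samples = @(
    'C:\Windows\System32\notepad.exe',
    'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe',
    'C:\Users\alice\Downloads\setup.exe'   # placeholder for an unsigned user download
)
Test-AppLockerPolicy -PolicyObject $policy -Path $samples -User Everyone |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# 6. Merge the rules into the local policy. Leave enforcement in audit-only mode
#    in the Local Security Policy console until the log below is quiet, then enforce.
Set-AppLockerPolicy -PolicyObject $policy -Merge

# 7. While in audit mode, event 8003 in the EXE and DLL log records every launch
#    that would have been blocked; review these to find missing allow rules.
function Get-AppLockerAuditHits {
    Get-WinEvent -LogName 'Microsoft-Windows-AppLocker/EXE and DLL' -ErrorAction SilentlyContinue |
        Where-Object { $_.Id -in 8003, 8004 } |
        Select-Object TimeCreated, Id, Message
}

Get-AppLockerAuditHits
```

Building the inventory from a reference machine rather than from an arbitrary user's workstation is the point of the exercise: anything already installed when the rules are generated becomes allowed. For a domain deployment, Set-AppLockerPolicy accepts an -LdapPath parameter pointing at the GPO instead of applying locally.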
As you can see, Microsoft provides a variety of mechanisms that can be used to prevent the installation of unauthorized applications, and each covers a different gap: standard user accounts stop classic installers, removable storage and Store policies close two common delivery channels, and AppLocker stops software that never needs installing at all. In practice the most effective approach is a combination of these Windows features with third-party tools where needed, internal policies, and user training.