
Block New Program Installs

Keywords: prevent installation block install

Question:

Does anyone have any suggestions for a WinBatch script to use on Win95/Win98 machines to prevent users from adding new unauthorized software?

Answer:

I watched a multi-billion dollar per year health care / health insurance company waste about a million dollars dealing with this issue. They decided that they would implement Win95 instead of WinNT on the desktop because their hardware would not support WinNT and they did not want to replace their hardware.

They were concerned about the total lack of security and wide-open nature of Win95. They decided that Win95 policies were not sufficient for their own draconian security measures that they wished to implement. The end result was that they bought an add-on product that integrates directly into Win95 via a .VXD device driver. This product put hooks into the file system to control read/write access to all directories on the local hard drive. All software was then forced to run from directories on file servers. This product also got its hooks into the image activation routines in Win95 and verified that each and every .EXE and .DLL that was being loaded into memory was allowed to be run.

The end result of all this foolishness was that they ended up with a Win95 desktop environment that was unstable and performed very poorly. They then spent a lot of money trying to fix their Win95 installation to make it reliable. They bought overdrive processors for 800 PCs, along with new hard drives, add-on IDE cards to handle hard drives larger than 512MB and BIOS upgrades to make their PCs Y2K compliant. Finally, after doing all this their desktop was still slow and unreliable and they dropped the security package and went back to a vanilla Win95 implementation. They also scrapped all 800 or so of their PCs (486s) and replaced them with new PIIs and PIIIs.

Anyway, the moral of the story is that Win95 is not worth the effort of trying to secure it. If you are really interested in security then install WinNT and use NTFS partitions and permissions to control access to the NTFS partitions and the registry. Do this and you will have control over what does and does not get installed on your end users' PCs.

For further control, implement some sort of push-install technology such as ZenWorks or, dare I say it, SMS [not for the faint of heart], and make sure that all software installs are done via these tools. Make it official policy in your work place that end users do not run software installs of any kind on their own. Violations of the policy become a human resources issue. Repeat offenders suffer the same penalties that they would if they showed up drunk at work or if they were breaking some other policy or rule at work. Training of end users in the proper use of their workstations is very important.

Also, make sure that you have your computers set up so that you can clone them with a product like Ghost or Drive Image. The combination of cloning and software push install technology makes it very easy to restore a corrupted computer back to working condition. Very little time has to be spent fixing a workstation that the end user screwed up. Simply determine that the user did something really bad and then just clone the workstation again. This saves a tremendous amount of time in the troubleshooting process. End users who need their computers cloned on a regular basis are the ones who need more training or who are violating your policies about what they should not be doing with their computers.

Failing to implement a secure WinNT desktop, the only thing that is left for you to do is to implement some sort of software inventory system to track what has been installed on each computer. There are good packages that can be bought for this purpose. If you want to steer clear of SMS and you don't have a Netware 4/5 environment for ManageWise, then you might have to roll your own.

Software inventory revolves around taking a baseline snapshot of a computer and then storing that information in a database of some sort. Periodically, you re-scan the computer and compare the two scans looking for differences. The differences get reported on and then the baseline gets updated. Records of software installation or removal are not deleted from the database just because a change is made on the workstation. Instead, the records are marked as being some sort of history record so that if a package is installed and removed several times you will have a record of this.

Obviously, you might not have control over whether a user installs software to the default directory as suggested by the installer or whether they override this value during the installation process. You also don't know what options they might be installing for a suite such as MS Office or WordPerfect Office.

About the best that you can do in a home-grown inventory program is to check the registry for new entries under the key that contains all of the software listed in the "Add/Remove Programs" software list. Also check the local hard drive for new or deleted directories and files.

Some very common directory names and file names can be associated with software package names for reporting purposes. However, since there may be far more software packages available for users to install than you can keep track of, this may be a losing battle and you may have to settle for simply reviewing reports of new directories & files and then you will have to determine what was installed.
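The baseline-and-rescan inventory described in the answer, as an added example that is not part of the original post and is not WinBatch code: it keeps a baseline snapshot, diffs each rescan against it, records every install or removal as a history record that is never deleted, and only then promotes the rescan to the new baseline. The snapshot items (registry subkeys under the Add/Remove Programs list and program directories) are constructed sample values; collecting them from a live machine is left to the scanner.

```python
"""Baseline-and-rescan software inventory (added example, not from the original page).

A snapshot is a set of string keys: "reg:<subkey>" for entries under the
Add/Remove Programs registry list (assumed here to be the well-known
HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall key) and
"dir:<path>" for top-level program directories. Sample snapshots are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class InventoryDB:
    baseline: set = field(default_factory=set)
    # History records are append-only: (scan_no, item, "installed" | "removed").
    history: list = field(default_factory=list)
    scan_no: int = 0

    def rescan(self, current: set):
        """Diff a fresh scan against the baseline, log the differences as
        history records, then make the fresh scan the new baseline."""
        self.scan_no += 1
        added = sorted(current - self.baseline)      # new since baseline
        removed = sorted(self.baseline - current)    # gone since baseline
        self.history += [(self.scan_no, i, "installed") for i in added]
        self.history += [(self.scan_no, i, "removed") for i in removed]
        self.baseline = set(current)                 # update baseline last
        return added, removed

    def install_count(self, item: str) -> int:
        """How many times an item has been installed over all scans; history
        is never pruned, so repeated install/remove cycles stay visible."""
        return sum(1 for _, i, ev in self.history if i == item and ev == "installed")

    def report(self, scan_no: int):
        """Report lines for one scan's differences."""
        return [f"scan {n}: {ev:<9} {i}" for n, i, ev in self.history if n == scan_no]


# Constructed sample snapshots: an authorised baseline, then a user adding and
# removing WinZip twice (the pattern the post says the history must preserve).
BASELINE = {"reg:Uninstall\\Microsoft Office", "dir:C:\\Program Files\\Microsoft Office"}
WINZIP = {"reg:Uninstall\\WinZip", "dir:C:\\Program Files\\WinZip"}
SCANS = [BASELINE | WINZIP, BASELINE, BASELINE | WINZIP]


def run_demo() -> InventoryDB:
    db = InventoryDB(baseline=set(BASELINE))
    for snapshot in SCANS:
        db.rescan(snapshot)
    return db
```

Run as a script, `run_demo().report(1)` lists the two WinZip items as installed, and `install_count` shows two installs for each even though the current baseline only reflects the last state.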


Article ID:   W14852
File Created: 2001:11:08:12:40:30
Last Updated: 2001:11:08:12:40:30