Tony2025 Posted April 6, 2006 Share Posted April 6, 2006 Hello everyoneI hope someone will know the answer.Domain controller is MS Windows 2003 Server.MS Office 2003 and Norton Antivirus is installed on workstations.In user mode, how can I setup a laptop so no one can install any extra software but can get updates for already installed software?Thank you for your knowledge Link to comment Share on other sites More sharing options...
Zartach Posted April 7, 2006 Share Posted April 7, 2006 Hi, with WSUS you can centralise the windows updates and force installation, while restricting users from installing anything else via the usual restrictions and GPO's.But i do not know of any software that will install updates for 3rd party applications that does the same, you might want to research how to use packaging in combination with GPO's but it is highly technical and a pain if you have not used it before. especialy if you have to repackage the updates yourself. Link to comment Share on other sites More sharing options...
cluberti Posted April 7, 2006 Share Posted April 7, 2006 Protection Manager from www.winternals.com does allow this sort of thing, but it's about the only product I'm aware of that does. And it isn't cheap .You'd be better off using a solution such as SMS to push out updates, since you need to do more than Windows updates. SMS (or other non-Microsoft patching solution) allows you to package things up and install them in the same manner Windows updates get installed, and the users will not need administrative privileges if the SMS client is on the machine. Link to comment Share on other sites More sharing options...
Tony2025 Posted April 7, 2006 Author Share Posted April 7, 2006 Thank you for your reply, I thought there was a way with software restriction and adding reg keys to allow none MS software to be updated, am I wrong? Link to comment Share on other sites More sharing options...
cluberti Posted April 7, 2006 Share Posted April 7, 2006 Using software restriction policies will restrict software installation for everyone that GPO applies to for the most part, and as such shouldn't be used unless you have specific packages or executables that you want to make users not run.Also, relaxing security in the registry is dangerous, as it potentially opens up a machine to unnecessary security risks that it would otherwise not display.Can installing updates be done by regular users? Probably. Can you relax file and registry permissions to allow this? Also probable. Is doing this a good idea in the long run? I don't know about you, but I would say that doing something that makes systems vulnerable unnecessarily is probably not a wise choice (nor will it be easy to manage). This is the exact reason programs such as SMS, LanDesk, Tivoli, etc. exist - there's not a really good way to do this otherwise without opening up your environment to potential security risks. Link to comment Share on other sites More sharing options...
Recommended Posts
Create an account or sign in to comment
You need to be a member in order to leave a comment
Create an account
Sign up for a new account in our community. It's easy!
Register a new accountSign in
Already have an account? Sign in here.
Sign In Now