Our organization is a bit different than most. During certain times of the year, we grow to thousands of employees, and during off-times, less than a hundred. Over the course of a few years, many thousands of people have come and gone in our offices, and left their legacy behind in the form of all sorts of unwanted, unapproved, (and sometimes unlicensed) software installs on our desktops.
We are currently installing redundant domain controllers and upgrading current servers, all running Windows Server 2008 Enterprise, and will eventually be able to run a pure 2008 DC network. With that in mind, what are our options in being able to lock down users, such that they cannot install unauthorized software on systems without the assistance (or authorization) of the IT group?
We need to support approximately 400 desktops, so automation is key. I've taken note of the Software Restrictions we can implement via Group Policy, but that implies that we already know what users will be installing and attempting to run... not quite so elegant.
Any ideas?
If you're talking about laptops or desktops that are checked out/assigned to people, then simply do not give them administrator access. This will still allow them to install programs (assuming they were written properly) to their home folder, and then when they leave, you need only delete their profile/user account to remove any programs they installed / changes they made. This will also limit the damage that a virus can do - simply quarantine & clean their documents on any system which they have not logged into, delete & recreate their account, restore their cleaned documents. Virus gone.
It's quite hard to actually create a "white list" of approved executables based on the fact that executable code need not even have a name, simply reside in memory on a page marked as executable. Your best bet is to simply make it easier for you to remove the unwanted applications when the user leaves.
If this is a security issue and not a "cleanup" issue, how did they get the programs onto the system in the first place?
If you have a good network infrastructure and redirect certain folders (and train users to use home directories), you can get a product like Deep Freeze (I think Microsoft has a similar free product available too) so you can set up the machine to your company's preferred configuration then "freeze" it, so on reboot the computer goes back to the original state you set it up to. If they install something (or it gets infected with a virus), rebooting puts it into a pristine state again. They can still install stuff but it's a hassle to do it every day.
Of course, you can limit their access levels so if they're not power users or admins they can't install most programs. But this still won't limit their creativity from finding ways around your blocks.
Make sure you have your policies well spelled out. Make it a fireable offense if need be (I don't know your company policies or how seriously you're taking this). Make it spelled out that the computers are company, not private, property and they should not expect privacy. Then install remote desktop software (VNC, remote assistance, etc.) and spell out that if necessary IT can remotely monitor activity. You need these things spelled out so it's clear what can and cannot be expected as an employee. How draconian you want your rules to be is up to you and HR.
You can also consider making images of your systems and then periodically re-image your computers to a pristine state. Pain in the butt to keep up with Windows Updates, though.
Make sure the domain users aren't administrators or super users on the local desktops. They should not be able to install stuff like Skype or phone suites if they aren't. Double-check.
Get a modern deployment suite going, like the free Microsoft WDS or perhaps even go for System Center Configuration Manager. The images used here are hardware-independent; as long as drivers exist, it will work on a plethora of different hardware. With Configuration Manager you can then automatically deploy the applications they need as well. When this is automated, it should be quick and painless to simply wipe and reload a desktop if needed.
Further tweaking would be a bonus, but could involve GPO lockdown of IE to prevent user toolbars and so on BUT any toolbar installed by a user would only be active for that user. So simply do not re-use user accounts.
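One way to do that "double-check" at 400-desktop scale, as an added PowerShell example that is not from any of the answers here: it enumerates each machine's local Administrators group and flags members outside an approved list. It assumes the account running it is a local admin on the targets, RPC to the desktops is allowed, and the placeholder computer names are replaced with a real list (for example from Get-ADComputer).

```powershell
# Added example, not part of any answer on this page.
# Audits local Administrators membership so "domain users aren't local admins"
# is verified rather than assumed. Uses the ADSI WinNT provider, which works
# with Server 2008-era clients and PowerShell v2.
$computers = @('DESKTOP-001', 'DESKTOP-002')      # constructed placeholders; replace
$approved  = @('Administrator', 'Domain Admins')    # adjust to your standard build

function Get-LocalAdminMembers {
    param([string]$Computer)
    $group = [ADSI]"WinNT://$Computer/Administrators,group"
    @($group.psbase.Invoke('Members')) | ForEach-Object {
        $name = $_.GetType().InvokeMember('Name',    'GetProperty', $null, $_, $null)
        $path = $_.GetType().InvokeMember('AdsPath', 'GetProperty', $null, $_, $null)
        # AdsPath looks like WinNT://DOMAIN/user or WinNT://COMPUTER/user;
        # keep the domain/computer part so local vs. domain accounts are distinguishable
        $source = (($path -replace '^WinNT://', '') -split '/')[0]
        "$source\$name"
    }
}

$report = foreach ($computer in $computers) {
    try {
        foreach ($member in Get-LocalAdminMembers -Computer $computer) {
            $short = $member.Split('\')[-1]
            New-Object PSObject -Property @{
                Computer = $computer
                Member   = $member
                Approved = ($approved -contains $short)
            }
        }
    } catch {
        # Unreachable or access-denied hosts are reported, not silently skipped
        New-Object PSObject -Property @{
            Computer = $computer
            Member   = "ERROR: $($_.Exception.Message)"
            Approved = $false
        }
    }
}

# Unapproved members are candidates for removal, either by hand with
# 'net localgroup Administrators <account> /delete' or centrally via a
# Restricted Groups GPO that enforces the group's membership on every desktop.
$report | Where-Object { -not $_.Approved } | Format-Table Computer, Member -AutoSize
$report | Export-Csv -Path .\local-admin-audit.csv -NoTypeInformation
```

Running it on a schedule and diffing the CSV against the previous run shows when someone has been re-added to Administrators between checks.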
Although you can prevent a lot of problems through the use of restricted accounts that will not solve all your problems. Just ask anyone who does IT in a school. :(
In addition to the use of restricted accounts you should use mandatory profiles, as that also helps to reduce some of the problems users can cause.
You might also consider imaging the machines and restoring the machines when appropriate. There are a number of ways machine images can be restored (semi-)automatically, so that the number of machines really isn't all that much of a problem. I'm sure there are others here who can provide the specifics.
Something like DeepFreeze is a sure-fire way. Not sure how much management goes into something like that though. There are other ways - the simplest and most hands-off is to not make them local admins, as Zoredache mentioned. They can install some things but not much, that way.
The Microsoft version is called Windows SteadyState. XP or Vista only though - there are no plans to support it on Windows 7.