These days, most administrators go to great lengths to lock down and secure their networks. One aspect of the network's overall security that is often overlooked, however, is a good software installation policy. Regardless of how lax your corporate culture may be, it is critically important to configure your workstations in a way that prevents users from installing applications on their own. In this article, I will explain why this is the case.
One of the primary reasons to prevent users from installing software on their workstations is the tricky matter of software licensing. I won't even pretend to be a lawyer, but here is the legal situation as it has been explained to me.
Let's pretend that a user has some kind of application that they want to install on their office PC. For the purposes of this article, I will assume that the user is honest and has a legitimate license for the application. The problem is that even though the user owns a license, the computer is owned by the company, not by the user. As such, software license compliance is the company's responsibility, and the company does not own a license for the software. If the company were to receive a software audit, it could not prove that there was a legal license for the software that the user installed. Even if, by some miracle, the user handed over the installation CD, manuals, and End User License Agreement, the company cannot guarantee that the user did not make a copy first.
As I said earlier, I am not a lawyer. There might be a way around these issues, but I would never allow a user to install their own application in an organization that's under my control. Doing so just raises too many legal questions.
Increased support costs
Another reason for not allowing users to install applications of their own is that doing so can greatly increase support costs. I once worked for an organization that allowed users to install anything that they wanted onto their PCs. One particularly arrogant user would install all kinds of crazy applications and then make angry phone calls to the Human Resources department when the IT staff refused to support them. Granted, the Human Resources staff took our side in the issue, but the time that we wasted defending ourselves could have been better spent assisting users with legitimate problems.
Even if your users don't expect you to support the software that they install, user-installed applications can increase support costs in other ways. For example, imagine that a user installs a buggy application that causes the system to become unstable. If you don't know that the application exists, how much time will it take you to diagnose it as the cause of the problem? Even if you can make the diagnosis relatively quickly, how long will it take you to repair the damage? The whole incident could have been avoided if the user had not been allowed to install the application in the first place.
Another reason for not allowing users to install applications of their own is the threat of malicious software. There are two different types of threats that you have to worry about when it comes to malicious software. One threat is malicious software that is piggybacked onto legitimate software. The Internet is chock-full of freeware applications that are bundled with adware or spyware modules. Often, reading the application's end user license agreement will reveal that the malware is going to be installed as a condition of installing the application. The problem is that few people take the time to thoroughly read the end user license agreement. Even if a user does read the license agreement, companies have gotten so good at hiding undesirable conditions inside cryptic legalese that the user could totally miss the statement regarding the malware.
The other type of malicious software that you have to worry about is the type that gets installed without the user's knowledge or consent. A classic example of this is a major record company that was busted placing rootkits onto audio CDs. When the audio CD was played, the rootkit would be silently installed in the background without the user's knowledge. However, if you have a good software installation policy in place and assign users only the minimal necessary permissions over the local operating system, you will greatly reduce the chances that a rootkit or other type of malicious software can be installed.
One last reason why a good software installation policy is important is that unauthorized software can increase the chances of the system being exploited. There is a law of computing that states that the greater the amount of code that's executing on the system, the better the chances that the code will contain at least one critical security vulnerability.
The point that I'm trying to make is that almost every application contains some kind of security vulnerability. If a user installs a random application, then there is a chance that some vulnerability in that application could be exploited by someone (maybe even the user themselves) in order to gain a higher level of access to the system.
As you can see, there are a number of arguments for not allowing users to install applications on their own. A good software installation policy can prevent the issues that I have talked about in this article.
You can quickly implement a software installation policy in your organization by downloading TechRepublic's Software Installation Policy. Included you'll find a risk assessment spreadsheet that will help you determine the importance of such a policy to your organization's security along with a basic policy that you can use and modify. You can purchase it from the TechRepublic Catalog or download it for free as part of your TechRepublic Pro membership.