Software Management Iltce2007b
  • Clarifying this up front will allow people to leave and find an alternate session if this is not what they are looking for.
  • Briefly review each term/concept
  • Briefly mention three processes for installing software – each will be covered in detail later
  • Do NOT spend much time on this – everyone in attendance will be familiar with a traditional install method. The main purpose of this slide is to build a rapport with the audience and build their comfort level
  • Review each bullet briefly, no need to elaborate. Main purpose is to differentiate a GPO-based install from a traditional install.
  • Discuss what .msi file is. This is a topic that even some experienced users are not extremely familiar with. Do NOT go into TOO much depth at this point.
  • Emphasize that most software that would be mass deployed either comes with a .msi file or has some other means to mass deploy. This is likely the EXCEPTION. Briefly describe the differences between each tool, but no need to dwell on each tool. These tools are likely more advanced than much of the audience is going to want to get into at this point. Perhaps poll the audience to determine how many are interested in making their own .msi files.
  • Depending on interest determined previously, a demo of a real .msi creation can be started at this time. This is where the process can be reviewed. Again, depending on the audience this explanation may be sufficient to satisfy their interest.
  • Do NOT spend much time on this slide. Use it simply as an introduction as some in the audience may not be familiar with the tool yet.
  • General info – let them read from the handout. No need to discuss.
  • Most users are probably familiar with this concept, but it should be mentioned because it is a key part of the process and is different from the way a “traditional” install works.
  • Intro slide – each of these topics will be covered in depth. Do NOT spend much time on this slide.
  • Review the process and start a demonstration at this time.
  • If performing a live demo at this point, you can choose to Assign or Publish before Advanced, but ultimately you will need to use Advanced in order to show the transforms. If pressed for time, ONLY use the Advanced option.
  • This would be a good time to show the Sophos KB article where this exact scenario is discussed.
  • No need to go into too much detail here as this is beyond the scope of this session. If they are interested in this process, they need to attend one of the imaging sessions.
  • Hash Rules. A hash rule is a cryptographic fingerprint that uniquely identifies a file regardless of where it is accessed or what it is named. An administrator may not want users to run a particular version of a program. This may be the case if the program has security or privacy bugs, or compromises system stability. With a hash rule, software can be renamed or moved into another location on a disk, but it will still match the hash rule because the rule is based on a cryptographic calculation involving file contents.
    A hash rule consists of three pieces of data, separated by colons:
      • MD5 or SHA-1 hash value
      • File length
      • Hash algorithm ID
    It is formatted as follows: [MD5 or SHA1 hash value]:[file length]:[hash algorithm id]
    Files that are digitally signed will use the hash value contained in the signature, which may be SHA-1 or MD5. Files that are not digitally signed will use an MD5 hash.
    Example: The following hash rule matches a file with a length of 126 bytes and with contents that match the MD5 (denoted by the hash algorithm identifier of 32771) hash of 7bc04acc0d6480af862d22d724c3b049:
      7bc04acc0d6480af862d22d724c3b049:126:32771
  • Certificate Rules. A certificate rule specifies a code-signing, software publisher certificate. For example, a company can require that all scripts and ActiveX controls be signed with a particular set of publisher certificates. Certificates used in a certificate rule can be issued from a commercial certificate authority (CA) such as VeriSign, a Windows 2000/Windows Server 2003 PKI, or a self-signed certificate. A certificate rule is a strong way to identify software because it uses signed hashes contained in the signature of the signed file to match files regardless of name or location. If you wish to make exceptions to a certificate rule, you can use a hash rule to identify the exceptions.
  • Path Rules. A path rule can specify a folder or fully qualified path to a program. When a path rule specifies a folder, it matches any program contained in that folder and any programs contained in subfolders. Both local and UNC paths are supported.
    Using Environment Variables in Path Rules. A path rule can use environment variables. Since path rules are evaluated in the client environment, the ability to use environment variables (for example, %WINDIR%) allows a rule to adapt to a particular user's environment. Important: Environment variables are not protected by access control lists (ACL). If users can start a command prompt they can redefine an environment variable to a path of their choosing.
    Using Wildcards in Path Rules. A path rule can incorporate the '?' and '*' wildcards, allowing rules such as "*.vbs" to match all Visual Basic® Script files. Some examples:
      • "\\DC-??\login$" matches \\DC-01\login$, \\DC-02\login$
      • "*\Windows" matches C:\Windows, D:\Windows, E:\Windows
      • "c:\win*" matches c:\winnt, c:\windows, c:\windir
    Registry Path Rules. Many applications store paths to their installation folders or application directories in the Windows registry. You can create a path rule that looks up these registry keys. For example, some applications can be installed anywhere on the file system. These locations may not be easily identifiable by using specific folder paths, such as C:\Program Files\Microsoft Platform SDK, or environment variables, such as %ProgramFiles%\Microsoft Platform SDK. If the program stores its application directories in the registry, you can create a path rule that will use the value stored in the registry, such as %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PlatformSDK\Directories\Install Dir%. This type of path rule is called a registry path rule. The registry path is formatted as follows: %[Registry Hive]\[Registry Key Name]\[Value Name]%
    Note: Any registry path rule suffix should not contain a \ character immediately after the last % sign in the rule.
      • The registry path must be enclosed in percent signs ("%").
      • The registry value must be a REG_SZ or REG_EXPAND_SZ. You cannot use HKLM as an abbreviation for HKEY_LOCAL_MACHINE, or HKCU as an abbreviation for HKEY_CURRENT_USER.
      • If the registry value contains environment variables, these will be expanded when the policy is evaluated.
      • A registry path rule can also contain a suffix path such as %HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cache%OLK*. This registry path rule identifies the folder that Microsoft Outlook XP uses to store attachments before launching them. The attachment folder always starts with the letters "OLK" so the rule uses wildcard matching. As an example, this rule matches the following path: C:\Documents and Settings\username\Local Settings\Temporary Internet Files\OLK4
    Important: When you set a path rule, you should check the access control list (ACL) entries on the path. If users have write access to a path, they can modify its contents. For example, if you allow C:\Program Files, any power user on the machine can copy software into the Program Files folder.
    Path Rule Precedence. When there are multiple matching path rules, the most specific matching rule takes precedence. The following is a set of paths, from highest precedence (more specific match) to lowest precedence (more general match):
      • Drive:\Folder1\Folder2\FileName.Extension
      • Drive:\Folder1\Folder2\*.Extension
      • *.Extension
      • Drive:\Folder1\Folder2
      • Drive:\Folder1
  • Zone Rules. A rule can identify software from the Internet Explorer zone from which it is downloaded. These zones are:
      • Internet
      • Intranet
      • Restricted Sites
      • Trusted Sites
      • My Computer
    Currently this applies to only Windows Installer (*.MSI) packages. It does not apply to software downloaded in Internet Explorer.
  • This slide is HIDDEN. Only use this slide if time permits and the audience is sufficiently advanced.
    1. Software Management Through GPOs
       Jim Pattenaude, Marshall CUSD #C-2
       Terry Sullivan, Shiloh CUSD #1
    2. Disclaimer
       • This session is intended for those using or planning to use Active Directory on Windows Server 2000 or 2003 with Windows 2000 Professional, Windows XP or Vista
       • The concepts discussed in this class do not directly pertain to earlier versions of Windows products or any non-Windows products
    3. Introduction
       • Active Directory
       • Group Policy Objects
       • Microsoft Installer (msi)
       • Network install points
       • Alternate ways to automate software deployment
    4. Methods for installing software
       • Traditional
       • Group Policy Objects
       • Scripts
       • Imaging
    5. Traditional Method
       • Requires manual intervention at each machine
       • Requires administrator rights
       • Poor control over install options
       • OK for small installs or “exceptions”
       • Bad for large-scale deployments
    6. Using GPO to install
       • Good way to deploy on large scale
       • Requires advance planning and testing
       • Tight control over install options
       • Does not require individual intervention at the workstation
       • Requires .msi file
    7. .msi Files
       • Microsoft installer
       • All recent MS software includes .msi installer files
       • Much 3rd party software uses .msi
       • Tools available to build .msi files for apps that do not include them
    8. Creating .msi files
       • WinINSTALL LE
         • Included with Windows 2000
         • DISCOZ.EXE is used to build .msi
         • Requires “clean” computer
       • MakeMSI
         • Freeware tool
         • http://
       • InstallShield X
         • Commercial tool
    9. Software Install Makers
       • My Inno Setup (Jordan Russell’s Software)
       • Advanced Installer 3.8.1 (Caphyon)
       • OnDemand Software $$
         • Winstall & Winstall LE – 2003
           • http://
    10. Demonstration
       • Creating a .msi file can take some time
       • Requires “clean” system to start
       • Make sure no other apps are running
       • Software takes “snapshot” of system before install
       • Installation proceeds as typical
       • Software takes “snapshot” of system after install
       • All changes are recorded and stored in the .msi
       • When newly created .msi file is run, all the recorded changes are applied to the target system
    11. Problems creating .msi
       • Process not extremely reliable
       • Must be redone when software revisions are made
       • Time consuming
    12. Group Policy Management Console (GPMC)
       • Included with Windows Server 2003 SP1
       • Can be downloaded from Microsoft
       • Works with both Windows Server 2003 and 2000 Group Policies
       • Runs on Windows Server 2003 and Windows XP (currently will not run on 64 bit version)
    13. GPMC Key Features
       • A unified graphical user interface (GUI) that makes Group Policy much easier to use.
       • Backup/restore of Group Policy objects (GPOs).
       • Import/export and copy/paste of GPOs and Windows Management Instrumentation (WMI) filters.
       • Simplified management of Group Policy–related security.
       • HTML reporting for GPO settings and Resultant Set of Policy (RSoP) data.
       • Scripting of Group Policy related tasks that are exposed within this tool (not scripting of settings within a GPO).
    14. Network install point
       • Installer and related files must be on a publicly accessible share
       • Most .msi files have “administrative” install option that allows installing to a network share for mass deployment
    15. Deploying Software through GPOs
       • Overview of process
       • Assigning vs. Publishing
       • Computer vs. User
       • Deployment Options
       • Transforms (.mst)
    16. Overview of process
       • Create or open Group Policy Object
       • Determine if software installation will be by user or computer
       • Locate .msi package
       • Determine deployment method
         • Published (User only)
         • Assigned
         • Advanced (use for additional options)
       • Modify properties, security, etc.
    17. Deployment Methods
       • Assign
       • Publish
       • Advanced
         • Choose to Assign or Publish
         • Set other options
         • Only way to specify transform (.mst) files
    18. Assign vs. Publish
       • Assign
         • Automatically installs the software
       • Publish
         • Software can be made available, but not installed
         • Not available for machine-based configuration
    19. Computer vs User
       • Computer can only use “Assign” option
       • Software deployed based on Computer is installed upon computer boot
       • Software deployed based on User is installed upon user login
    20. Deployment Options
       • Toggle Assign/Publish (User only)
       • Auto install by file ext (Publish only)
       • Uninstall when app falls out of scope of mgmt
       • Do not display in Add/Remove Prog
       • Install this app at logon (Assign only)
    21. Transforms (.mst)
       • Used to apply customization
       • Different .mst files can be applied in different policies
       • Multiple transforms can be applied
    22. Removing software
       • Right-click on package and select Remove
         • Option to remove immediately will remove software the next time the machine updates its policies
         • Option to remove package, but leave software installed
       • If option is checked to remove when app falls out of mgmt
         • Software will be removed when Policy is no longer linked
         • Software will be removed if machine is removed from OU where it is applied
    23. Issues
       • Installer packages should not be used if user input is required
       • GPO software does not uninstall previously installed software (not installed by GPO)
         • Some app installers will remove old versions but this is not a feature of GPO
    24. Installing through scripts
       • Software that includes an automated installer, but not a .msi file, may be able to be installed using a startup or login script
       • Script should check if software is already installed to prevent unnecessary processing
       • Since scripts execute before user intervention is allowed, the installer must be fully automated
         • Possibly use install files (.inf or .ini for example)
         • Possibly use command line switches
       • Can still use GPO to deploy by including script in Startup/Shutdown/Logon/Logoff policy settings
    25. Installing using imaging
       • Software can be deployed on software “images” using software such as Symantec Ghost
       • Install software using “traditional” method on “build” computer
       • Once all software is installed and tested for this configuration, run Sysprep
       • Follow manufacturer instructions for capturing the image and deploying to multiple systems
    26. Software Restriction
       • Uses “hash signature” of app to identify
       • Can be used to specify “allowed” or “prohibited” software
       • New hash must be generated each time a new version of the app is installed
       • Use caution when saying only “allowed” software can be run
    27. Process
    28. Default Security Levels
       • If an administrator knows all of the software that should run, then a software restriction policy can be applied to control execution to only this list of trusted applications.
       • If all the applications that users might run are not known, then administrators can step in and disallow undesired applications or file types as needed.
    29. 4 rules to identify software
       • Hash: a cryptographic fingerprint of the file
       • Certificate: a software publisher certificate used to digitally sign a file
       • Path: the local or universal naming convention (UNC) path of where the file is stored
       • Zone: Internet Zone
    30. When to use each rule (task, then the recommended rule)
       • You want to allow software to be installed from trusted Internet zone sites
         • Zone rule: Trusted Sites set to Unrestricted
       • You want to identify a set of scripts that can be run anywhere
         • Certificate rule: the certificate used to digitally sign the scripts
       • You want to disallow a file installed by a virus that is always called flcss.exe
         • Path rule: flcss.exe, set to Disallowed
       • You want to disallow all .vbs files, except those in a login script directory
         • Path rule with wildcards: *.VBS set to Disallowed; \\LOGIN_SRV\Share\*.VBS set to Unrestricted
       • You want to identify a set of scripts on a set of servers, DC01, DC02, and DC03
         • Path rule with wildcards: \\DC??\Share
       • You want to identify a set of scripts on a central server
         • Path rule: \\SERVER_NAME\Share
       • You want to identify a program that can be installed anywhere on client machines
         • Registry path rule: %HKEY_LOCAL_MACHINE\SOFTWARE\ComputerAssociates\InoculateIT\6.0\Path\HOME%
       • You want to identify a program that is always installed in the same place
         • Path rule with environment variables: %ProgramFiles%\Internet Explorer\iexplore.exe
       • You want to allow or disallow a specific version of a program
         • Hash rule: browse to the file to create the hash
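As an added example (not part of the slides or of the Microsoft text quoted in the notes), the following Python models the hash and path rules described above: it builds hash rules in the [MD5]:[file length]:[hash algorithm id] form with the 32771 identifier for MD5, and resolves path rules by the precedence list in the notes, with a matching hash rule overriding path rules in the way the notes use hash rules as exceptions. The server name LOGINSRV, the file bytes and the sample policy are constructed, and the specificity ranking of path patterns is this example's own approximation of the documented ordering.

```python
import fnmatch
import hashlib

MD5_ALG_ID = 32771  # hash algorithm identifier the notes cite for MD5

def hash_rule_for(data: bytes) -> str:
    """Hash rule in the [MD5]:[file length]:[algorithm id] form; file name and location play no part."""
    return f"{hashlib.md5(data).hexdigest()}:{len(data)}:{MD5_ALG_ID}"

def parse_hash_rule(rule: str) -> tuple:
    """Split a hash rule into a comparable (digest, length, algorithm id) tuple."""
    digest, length, alg = rule.split(":")
    return digest.lower(), int(length), int(alg)

def path_rule_rank(pattern: str) -> tuple:
    """Specificity modelled on the notes' precedence list: explicit file > folder\\*.ext
    > bare *.ext > folder, with a deeper folder beating a shallower one. Treating a last
    component that contains '.' as a file pattern is an assumption of this example."""
    parts = [p for p in pattern.replace("/", "\\").split("\\") if p]
    last = parts[-1]
    wild = any(c in "*?" for c in last)
    tier = (4 if not wild else 3 if len(parts) > 1 else 2) if "." in last else 1
    return tier, len(parts)

def path_rule_matches(path: str, pattern: str) -> bool:
    """Case-insensitive '*'/'?' match; a folder rule also covers everything below the folder."""
    path, pattern = path.lower().replace("/", "\\"), pattern.lower().replace("/", "\\")
    if fnmatch.fnmatchcase(path, pattern):
        return True
    return path_rule_rank(pattern)[0] == 1 and fnmatch.fnmatchcase(path, pattern.rstrip("\\") + "\\*")

def evaluate(path: str, data: bytes, hash_rules: dict, path_rules: dict,
             default: str = "Unrestricted") -> str:
    """A matching hash rule decides first (the notes use hash rules as exceptions to
    broader rules), then the most specific matching path rule, then the default level."""
    wanted = parse_hash_rule(hash_rule_for(data))
    for rule, level in hash_rules.items():
        if parse_hash_rule(rule) == wanted:
            return level
    hits = [(path_rule_rank(p), lvl) for p, lvl in path_rules.items() if path_rule_matches(path, p)]
    return max(hits)[1] if hits else default

# Constructed sample policy: block every .vbs except those on a login-script share
# (LOGINSRV is a made-up name), allow Program Files, and single out one binary by content.
SAMPLE_BYTES = b"The quick brown fox jumps over the lazy dog"  # stands in for a file's contents
HASH_RULES = {hash_rule_for(SAMPLE_BYTES): "Disallowed"}
PATH_RULES = {
    r"*.vbs": "Disallowed",
    r"\\LOGINSRV\Share\*.vbs": "Unrestricted",
    r"C:\Program Files": "Unrestricted",
}

if __name__ == "__main__":
    print(hash_rule_for(SAMPLE_BYTES))  # 9e107d9d372bb6826bd81d3542a419d6:43:32771
    for p, d in [(r"C:\Temp\macro.vbs", b"x"), (r"\\loginsrv\share\logon.vbs", b"x"),
                 (r"C:\Program Files\Tool\renamed.exe", SAMPLE_BYTES)]:
        print(p, "->", evaluate(p, d, HASH_RULES, PATH_RULES))
```

Because a hash rule pins the exact file contents, a patched build no longer matches and needs a fresh rule, which is the maintenance point slide 26 makes.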
    31. Using Software Restriction Policies to Protect Against Unauthorized Software
       • Full detail & how-to from Microsoft
    32. Protect Against Unauthorized Software
    33. MS KB article 324036
    34. Administrative Templates
       • .adm files
       • Contain all possible Group Policy Settings
       • Can be customized to extend what can be controlled through GPO
       • Complete set of templates to control Microsoft Office in Office SDK
    35. Q&A
       Copy of Presentation: Jim Pattenaude [email_address], Terry Sullivan [email_address]