Software Management Iltce2007b
Transcript of Software Management Iltce2007b
Software Management Through GPOs
Jim Pattenaude, Marshall CUSD #C-2
Terry Sullivan, Shiloh CUSD #1
Disclaimer
• This session is intended for those using or planning to use Active Directory on Windows Server 2000 or 2003 with Windows 2000 Professional, Windows XP or Vista
• The concepts discussed in this class do not directly pertain to earlier versions of Windows products or any non-Windows products
Introduction
• Active Directory
• Group Policy Objects
• Microsoft Installer (msi)
• Network install points
• Alternate ways to automate software deployment
Methods for installing software
• Traditional
• Group Policy Objects
• Scripts
• Imaging
Traditional Method
• Requires manual intervention at each machine
• Requires administrator rights
• Poor control over install options
• OK for small installs or “exceptions”
• Bad for large-scale deployments
Using GPO to install
• Good way to deploy on large scale
• Requires advance planning and testing
• Tight control over install options
• Does not require individual intervention at the workstation
• Requires .msi file
.msi Files
• Microsoft installer
• All recent MS software includes .msi installer files
• Much 3rd party software uses .msi
• Tools available to build .msi files for apps that do not include them
Creating .msi files
• WinINSTALL LE
– Included with Windows 2000
– DISCOZ.EXE is used to build .msi
– Requires “clean” computer
• MakeMSI
– Freeware tool
– http://dennisbareis.com
• InstallShield X
– Commercial tool
Software Install Makers
• My Inno Setup (Jordan Russell’s Software)
– http://isx.wintax.nl/
• Advanced Installer 3.8.1 (Caphyon)
– http://www.advancedinstaller.com/
• OnDemand Software $$
– Winstall & Winstall LE – 2003
– http://www.ondemandsoftware.com/PurchaseLE.asp
Demonstration
• Creating a .msi file can take some time
• Requires “clean” system to start
• Make sure no other apps are running
• Software takes “snapshot” of system before install
• Installation proceeds as typical
• Software takes “snapshot” of system after install
• All changes are recorded and stored in the .msi
• When newly created .msi file is run, all the recorded changes are applied to the target system
Problems creating .msi
• Process not extremely reliable
• Must be redone when software revisions are made
• Time consuming
Group Policy Management Console (GPMC)
• Included with Windows Server 2003 SP1
• Can be downloaded from Microsoft
• Works with both Windows Server 2003 and 2000 Group Policies
• Runs on Windows Server 2003 and Windows XP (currently will not run on 64 bit version)
GPMC Key Features
• A unified graphical user interface (GUI) that makes Group Policy much easier to use.
• Backup/restore of Group Policy objects (GPOs).
• Import/export and copy/paste of GPOs and Windows Management Instrumentation (WMI) filters.
• Simplified management of Group Policy–related security.
• HTML reporting for GPO settings and Resultant Set of Policy (RSoP) data.
• Scripting of Group Policy related tasks that are exposed within this tool (not scripting of settings within a GPO).
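The backup and HTML-reporting features above are the two GPMC tasks most worth running on a schedule. The following is an added example, not part of the presentation and not GPMC's own 2003-era scripts: it uses the GroupPolicy PowerShell module that ships with RSAT on Windows Server 2008 R2 and later. The backup folder and the GPO name in the restore comment are assumptions.

```powershell
# Added example: back up every GPO in the domain and write an HTML settings
# report per GPO. Requires the GroupPolicy module (RSAT, Server 2008 R2+).
# The backup location is an assumption; keep it on storage only admins can write,
# since a restored backup becomes live policy.
Import-Module GroupPolicy

$BackupRoot = 'D:\GPOBackups'                      # assumed location
$Stamp      = Get-Date -Format 'yyyy-MM-dd_HHmm'
$BackupDir  = Join-Path $BackupRoot $Stamp
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

# Backup-GPO -All writes one folder per GPO, keyed by backup id, plus a manifest
# that Restore-GPO / Import-GPO read later.
$Backups = Backup-GPO -All -Path $BackupDir -Comment "Scheduled backup $Stamp"

# One HTML report per GPO so Software Installation packages and Software
# Restriction rules can be reviewed or diffed without opening the console.
foreach ($Gpo in Get-GPO -All) {
    $SafeName   = $Gpo.DisplayName -replace '[\\/:*?"<>|]', '_'
    $ReportFile = Join-Path $BackupDir ("{0}.html" -f $SafeName)
    Get-GPOReport -Guid $Gpo.Id -ReportType Html -Path $ReportFile
}

# Summary of what was backed up and where.
$Backups | Select-Object DisplayName, Id, BackupDirectory, CreationTime | Format-Table -AutoSize

# Restoring one GPO from the newest backup in that folder (shown, not run):
# Restore-GPO -Name 'Software Deployment - Lab' -Path $BackupDir
```

Run it as a scheduled task under an account that is a member of Group Policy Creator Owners or Domain Admins; the reports double as a change record, since two reports of the same GPO can be compared to see exactly which setting changed between backups.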
Network install point
• Installer and related files must be on a publicly accessible share
• Most .msi files have “administrative” install option that allows installing to a network share for mass deployment
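An administrative install is run from the command line with msiexec /a. The script below is an added example, not from the presentation: it unpacks a package onto an install point and then sets NTFS permissions so clients can read the package but not change it. The package path, share path, domain name and group names are assumptions.

```powershell
# Added example: build a network install point from an .msi with an
# administrative install, then restrict the folder to read-only for clients.
# Paths, the CONTOSO domain and the "Packaging Admins" group are assumptions.
$Msi   = 'C:\Packages\ExampleApp.msi'        # assumed source package
$Share = '\\FS01\Deploy$\ExampleApp'         # assumed install point (hidden share)

New-Item -ItemType Directory -Path $Share -Force | Out-Null

# /a expands the package into an uncompressed source image at TARGETDIR, which is
# the layout Group Policy Software Installation is pointed at.
$Proc = Start-Process -FilePath 'msiexec.exe' -Wait -PassThru `
    -ArgumentList "/a `"$Msi`" /qn TARGETDIR=`"$Share`""
if ($Proc.ExitCode -ne 0) {
    throw "Administrative install failed, msiexec exit code $($Proc.ExitCode)"
}

# Computer-assigned packages are installed by the client's SYSTEM account, so the
# computer accounts (Domain Computers) need read access as well as users.
# Nobody but the packaging admins should be able to write: a writable install
# point lets anyone who can reach the share replace what every machine installs
# at its next boot.
$Acl = Get-Acl -Path $Share
$Acl.SetAccessRuleProtection($true, $false)   # stop inheriting and drop inherited ACEs
$Inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$Grants = @(
    @{ Id = 'CONTOSO\Domain Computers'; Rights = 'ReadAndExecute' },
    @{ Id = 'CONTOSO\Domain Users';     Rights = 'ReadAndExecute' },
    @{ Id = 'CONTOSO\Packaging Admins'; Rights = 'FullControl'    },
    @{ Id = 'NT AUTHORITY\SYSTEM';      Rights = 'FullControl'    }
)
foreach ($G in $Grants) {
    $Ace = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $G.Id, $G.Rights, $Inherit, 'None', 'Allow')
    $Acl.AddAccessRule($Ace)
}
Set-Acl -Path $Share -AclObject $Acl

# Verify the package files the GPO will reference are in place.
Get-ChildItem -Path $Share -Filter '*.msi'
```

Share-level permissions are set separately from NTFS permissions (through the share's properties or New-SmbShare on newer servers) and should also be read-only for clients; the effective permission is the more restrictive of the two.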
Deploying Software through GPOs
• Overview of process
• Assigning vs. Publishing
• Computer vs. User
• Deployment Options
• Transforms (.mst)
Overview of process
• Create or open Group Policy Object
• Determine if software installation will be by user or computer
• Locate .msi package
• Determine deployment method
– Published (User only)
– Assigned
– Advanced (use for additional options)
• Modify properties, security, etc.
Deployment Methods
• Assign
• Publish
• Advanced
– Choose to Assign or Publish
– Set other options
– Only way to specify transform (.mst) files
Assign vs. Publish
• Assign
– Automatically installs the software
• Publish
– Software can be made available, but not installed
– Not available for machine-based configuration
Computer vs User
• Computer can only use “Assign” option
• Software deployed based on Computer is installed upon computer boot
• Software deployed based on User is installed upon user login
Deployment Options
• Toggle Assign/Publish (User only)
• Auto install by file ext (Publish only)
• Uninstall when app falls out of scope of mgmt
• Do not display in Add/Remove Prog
• Install this app at logon (Assign only)
Transforms (.mst)
• Used to apply customization
• Different .mst files can be applied in different policies
• Multiple transforms can be applied
Removing software
• Right-click on package and select Remove
– Option to remove immediately will remove software the next time the machine updates its policies
– Option to remove package, but leave software installed
• If option is checked to remove when app falls out of mgmt
– Software will be removed when Policy is no longer linked
– Software will be removed if machine is removed from OU where it is applied
Issues
• Installer packages should not be used if user input is required
• GPO software does not uninstall previously installed software (not installed by GPO)
– Some app installers will remove old versions but this is not a feature of GPO
Installing through scripts
• Software that includes an automated installer, but not a .msi file may be able to be installed using a startup or login script
• Script should check if software is already installed to prevent unnecessary processing
• Since scripts execute before user intervention is allowed, the installer must be fully automated
– Possibly use install files (.inf or .ini for example)
– Possibly use command line switches
• Can still use GPO to deploy by including script in Startup/Shutdown/Logon/Logoff policy settings
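The following is an added example of the startup-script approach described above; it is not from the presentation. It checks the Uninstall registry keys for the product before doing anything, then runs the installer with fully silent switches and a log. The product name, version, install point and transform path are assumptions.

```powershell
# Added example: a computer startup script that installs a package only when it
# is missing or older than wanted. Product name, version and paths are assumptions.
$DisplayName = 'Example App'                 # name as shown in Add/Remove Programs
$WantVersion = [version]'2.1.0'
$Installer   = '\\FS01\Deploy$\ExampleApp\ExampleApp.msi'   # assumed install point
$Transform   = '\\FS01\Deploy$\ExampleApp\site.mst'         # optional .mst customisation
$LogDir      = Join-Path $env:SystemRoot 'Temp'

# Look the product up in the Uninstall keys (32- and 64-bit views) rather than
# probing for files; this is the same data Add/Remove Programs displays.
function Get-InstalledVersion([string]$Name) {
    $Keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    $Found = Get-ItemProperty -Path $Keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -eq $Name } |
        Select-Object -First 1
    $Parsed = $null
    if ($Found -and [version]::TryParse([string]$Found.DisplayVersion, [ref]$Parsed)) {
        return $Parsed
    }
    return $null
}

$Have = Get-InstalledVersion $DisplayName
if ($Have -and $Have -ge $WantVersion) {
    Write-Output "$DisplayName $Have already installed, nothing to do"
    exit 0
}

# Nobody is logged on when a startup script runs, so every prompt must be
# suppressed: /qn (no UI), /norestart, and a verbose log for troubleshooting.
$Log  = Join-Path $LogDir ("{0}-install.log" -f ($DisplayName -replace '\s', ''))
$Args = "/i `"$Installer`" /qn /norestart /L*v `"$Log`""
if (Test-Path $Transform) { $Args += " TRANSFORMS=`"$Transform`"" }

$Proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $Args -Wait -PassThru
switch ($Proc.ExitCode) {
    0       { Write-Output "$DisplayName installed" }
    3010    { Write-Output "$DisplayName installed, reboot required" }
    default { Write-Error "msiexec returned $($Proc.ExitCode); see $Log"; exit $Proc.ExitCode }
}
```

A startup script runs as the local SYSTEM account, so the install point must grant read access to the computer accounts (Domain Computers), not only to users; if the share is unreachable the script fails closed with a non-zero exit code rather than silently skipping the install.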
Installing using imaging
• Software can be deployed on software “images” using software such as Symantec Ghost
• Install software using “traditional” method on “build” computer
• Once all software is installed and tested for this configuration, run Sysprep
• Follow manufacturer instructions for capturing the image and deploying to multiple systems
Software Restriction
• Uses “hash signature” of app to identify
• Can be used to specify “allowed” or “prohibited” software
• New hash must be generated each time a new version of the app is installed
• Use caution when saying only “allowed” software can be run
Process
Default Security Levels
• If an administrator knows all of the software that should run, then a software restriction policy can be applied to control execution to only this list of trusted applications.
• If all the applications that users might run are not known, then administrators can step in and disallow undesired applications or file types as needed.
4 rules to identify software
• Hash—A cryptographic fingerprint of the file
• Certificate—A software publisher certificate used to digitally sign a file
• Path—The local or universal naming convention (UNC) path of where the file is stored
• Zone—Internet Zone
When to use each rule (task, recommended rule and example)
• You want to allow or disallow a specific version of a program
– Hash rule: browse to file to create hash
• You want to identify a program that is always installed in the same place
– Path rule with environment variables: %ProgramFiles%\Internet Explorer\iexplore.exe
• You want to identify a program that can be installed anywhere on client machines
– Registry path rule: %HKEY_LOCAL_MACHINE\SOFTWARE\ComputerAssociates\InoculateIT\6.0\Path\HOME%
• You want to identify a set of scripts on a central server
– Path rule: \\SERVER_NAME\Share
• You want to identify a set of scripts on a set of servers, DC01, DC02, and DC03
– Path rule with wildcards: \\DC??\Share
• You want to disallow all .vbs files, except those in a login script directory
– Path rule with wildcards: *.VBS set to Disallowed; \\LOGIN_SRV\Share\*.VBS set to Unrestricted
• You want to disallow a file installed by a virus that is always called flcss.exe
– Path rule: flcss.exe, set to Disallowed
• You want to identify a set of scripts that can be run anywhere
– Certificate rule: certificate used to digitally sign the scripts
• You want to allow software to be installed from trusted Internet zone sites
– Zone rule: Trusted Sites set to Unrestricted
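To make the rule-selection logic behind the table concrete, here is an added example that is not part of the presentation and is not the Windows policy engine: a small model of how Software Restriction Policies pick a rule for a file, with the documented precedence of hash, then certificate, then path (the most specific matching path wins), then the default level. Zone rules, which apply only to .msi packages opened through Internet Explorer zones, are not modelled. The sample files, the signer name and the rule set are constructed for the example, and the "login script directory" is a local temp folder so the script runs offline; the same rules would be written against a UNC path such as \\LOGIN_SRV\Share in a real policy. It also shows the slide's caveat that a hash rule stops matching as soon as the file changes.

```powershell
# Added example (not the real SRP engine): model rule precedence for a draft
# rule set. Sample files and rules are constructed; "Contoso Code Signing" is an
# assumed signer name.
function Test-PathRule([string]$Rule, [string]$File) {
    $Pattern = [Environment]::ExpandEnvironmentVariables($Rule)
    if ($Pattern -match '[*?]') {
        # A bare wildcard such as *.VBS matches by file name anywhere on the system;
        # a wildcard with a directory part matches against the full path.
        if ($Pattern -match '\\') { return $File -like $Pattern }
        return (Split-Path -Path $File -Leaf) -like $Pattern
    }
    # A plain path rule matches that file, or everything beneath that folder.
    return ($File -eq $Pattern) -or ($File -like ($Pattern.TrimEnd('\') + '\*'))
}

function Get-SrpDecision([string]$File, [object[]]$Rules, [string]$DefaultLevel) {
    $Hash = $null; $Sig = $null
    if (Test-Path -LiteralPath $File) {
        $Hash = (Get-FileHash -LiteralPath $File -Algorithm SHA256).Hash
        $Sig  = Get-AuthenticodeSignature -FilePath $File
    }
    # 1. Hash rules identify exactly one version of one file.
    $Hit = @($Rules | Where-Object { $_.Type -eq 'Hash' -and $_.Value -eq $Hash })
    if ($Hit) { return [pscustomobject]@{ File = $File; Level = $Hit[0].Level; By = 'Hash' } }
    # 2. Certificate rules: the file must carry a valid signature from the named signer.
    $Hit = @($Rules | Where-Object {
        $_.Type -eq 'Certificate' -and $Sig -and $Sig.Status -eq 'Valid' -and
        $Sig.SignerCertificate.Subject -like "*CN=$($_.Value)*" })
    if ($Hit) { return [pscustomobject]@{ File = $File; Level = $Hit[0].Level; By = 'Certificate' } }
    # 3. Path rules: among all matches, the longest (most specific) expanded path wins.
    $Hit = @($Rules | Where-Object { $_.Type -eq 'Path' -and (Test-PathRule $_.Value $File) } |
        Sort-Object { [Environment]::ExpandEnvironmentVariables($_.Value).Length } -Descending)
    if ($Hit) { return [pscustomobject]@{ File = $File; Level = $Hit[0].Level; By = "Path $($Hit[0].Value)" } }
    # 4. Nothing matched: the default security level applies.
    return [pscustomobject]@{ File = $File; Level = $DefaultLevel; By = 'Default level' }
}

# Constructed sample files: an approved script and a script in a login-script folder.
$Demo = Join-Path $env:TEMP 'srp-demo'
New-Item -ItemType Directory -Path (Join-Path $Demo 'login') -Force | Out-Null
$Approved = Join-Path $Demo 'inventory.vbs'
$LoginVbs = Join-Path $Demo 'login\map.vbs'
Set-Content -Path $Approved -Value 'WScript.Echo "inventory v1"'
Set-Content -Path $LoginVbs -Value 'WScript.Echo "map drives"'
$ApprovedHash = (Get-FileHash -LiteralPath $Approved -Algorithm SHA256).Hash

$Rules = @(
    @{ Type = 'Hash';        Value = $ApprovedHash;                                   Level = 'Unrestricted' },
    @{ Type = 'Path';        Value = '*.VBS';                                         Level = 'Disallowed'   },
    @{ Type = 'Path';        Value = (Join-Path $Demo 'login\*.VBS');                 Level = 'Unrestricted' },
    @{ Type = 'Path';        Value = '%ProgramFiles%\Internet Explorer\iexplore.exe'; Level = 'Unrestricted' },
    @{ Type = 'Certificate'; Value = 'Contoso Code Signing';                          Level = 'Unrestricted' }
)
$Default = 'Disallowed'    # whitelist stance: anything not explicitly allowed is blocked

$Results  = @(Get-SrpDecision $Approved $Rules $Default)          # hash rule wins -> Unrestricted
Set-Content -Path $Approved -Value 'WScript.Echo "inventory v2"'  # a new version changes the hash
$Results += Get-SrpDecision $Approved $Rules $Default             # only *.VBS matches now -> Disallowed
$Results += Get-SrpDecision $LoginVbs $Rules $Default             # login\*.VBS is more specific than *.VBS
$Results += Get-SrpDecision "$env:ProgramFiles\Internet Explorer\iexplore.exe" $Rules $Default
$Results += Get-SrpDecision (Join-Path $Demo 'unknown.exe') $Rules $Default   # nothing matches -> default
$Results | Format-Table File, Level, By -AutoSize
```

The second row of the output is the practical lesson of the "new hash each version" bullet: after the approved script is updated, the hash rule no longer applies and the file falls through to the broader *.VBS Disallowed rule, which is why a whitelist built on hash rules needs a re-hash step in every software update procedure. The last row shows what the Disallowed default level means in practice: anything the rules do not describe, including legitimate software that was simply forgotten, will not run.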
Using Software Restriction Policies to Protect Against Unauthorized Software
• Full detail & how-to from Microsoft
• http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/rstrplcy.mspx
Protect Against Unauthorized Software
MS KB article 324036
http://support.microsoft.com/kb/324036/en-us
Q&A
Copy of Presentation: www.shiloh.k12.il.us/Presentations/SoftwareManagement
Jim Pattenaude [email protected]
Terry Sullivan [email protected]