3. Deploying an Application via Group Policy
You can also use Group Policy to deploy applications. For small-to-medium-size enterprises, this is a useful way to deploy, update, and maintain applications on multiple computers in a network.
Any application that is installed with a Microsoft installer (.msi) package can be deployed via Group Policy. The application is first copied to a share on a server that is reachable by the clients in the network, and then the GPO is configured to deploy the application from that share. Because the client installs a Group Policy-deployed package with elevated privileges and without prompting, the share and its NTFS permissions should grant clients read access only; anyone who can modify the .msi on the share controls what is installed on every computer in the GPO's scope.
Applications are either assigned or published.
3.1. Assigning Applications
An application can be assigned to a computer or a user. When assigned to a computer, it is installed during the next startup, before anyone logs on. When assigned to a user, it is advertised on the Start menu and installed the first time the user starts the program.
In addition, the application is installed if the user opens a file whose extension is registered to it. For example, if Microsoft Excel is assigned to a user, it will be installed when the user double-clicks a document with an .xls or .xlsx extension.
In many environments, users have a single computer that they use all the time. If you want these users to have a specific application, assigning it to the computer is often the best method. You can force a reboot during nonworking hours so that you have some control over when the application is deployed over the network.
If you need more control over when an application is deployed, you can use advanced server products such as System Center Configuration Manager (SCCM). SCCM is a separately purchased Microsoft server product that lets you schedule application deployments and also deploy system images, deploy updates, and more.
If you expect few users to need the application at the same time, you can assign it to the users so that it's available on the Start menu. Because users will start it at different times, the actual deployment is staggered.
3.2. Publishing Applications
Applications can be published to users but not to computers. When an application is published to a user, it is available for installation from Control Panel by clicking the Get Programs link under Programs. The application is also installed if the user opens a file whose extension is registered to it. Figure 4 shows how a program appears in Control Panel when it is published.
Publishing an application to a user can be useful if you want the application to be widely available but expect only a limited number of users to install it. Since it isn't advertised on the Start menu, only users who look for it in Control Panel will see it.
3.3. Configuring Software Installation
The Group Policy settings to deploy applications are located in the Computer Configuration => Policies => Software Settings => Software Installation node for computers and the User Configuration => Policies => Software Settings => Software Installation node for users.
If you want to deploy an application to users or computers in your network, you should take the following steps:
Stage the application. Create a share on a server and copy the .msi file to the share. The share should be available using a UNC path, and clients (the computer accounts for computer-assigned packages, the user accounts for user-assigned or published packages) need only read access to it.
Decide if you want to deploy it to computers or users. This can vary depending on how many licenses you've purchased for the application and how the users use applications in your network.
If it will be deployed to users, decide whether you want to assign it or publish it. If it will be deployed to computers, it can only be assigned.
Create a GPO and link it to a site, domain, or OU based on the desired scope of the GPO.
Browse to the Software Installation node. Right-click the node, select New => Package, and point to the package using the UNC path.
Select Assigned or Published.
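The staging and GPO steps above, carried out from PowerShell, as an added example that is not part of the original text. It assumes a file server FS01 in the domain contoso.com, a package at C:\Packages\App\App.msi, and a target OU named Workstations (all hypothetical), and it needs Windows Server 2012 or later for New-SmbShare plus the GroupPolicy module from RSAT for New-GPO and New-GPLink. The Software Installation package itself has no cmdlet, so the last step is still done in GPMC.

```powershell
# Added example (not from the original text). Hypothetical names: server FS01,
# domain contoso.com, OU "Workstations", package C:\Packages\App\App.msi.
#Requires -RunAsAdministrator
Import-Module SmbShare
Import-Module GroupPolicy

$StagePath = 'C:\Packages\App'                       # local folder that will be shared
$ShareName = 'Packages$'                             # hidden share; clients use the UNC path
$Msi       = Join-Path $StagePath 'App.msi'
$UncPath   = "\\FS01.contoso.com\$ShareName\App.msi" # path to enter in the GPO

# 1. Verify the package before staging it. Whatever sits on this share is installed
#    with elevated privileges on every computer in scope, so check the publisher
#    signature and record the hash so later tampering can be detected.
$sig = Get-AuthenticodeSignature -FilePath $Msi
if ($sig.Status -ne 'Valid') {
    throw "Refusing to stage $($Msi): Authenticode status is $($sig.Status)"
}
$hash = (Get-FileHash -Path $Msi -Algorithm SHA256).Hash
"$hash  $Msi" | Out-File -FilePath (Join-Path $StagePath 'App.msi.sha256') -Encoding ascii

# 2. Share the folder read-only for clients. Computer-assigned packages are fetched
#    by the computer account at startup (Domain Computers), user-assigned/published
#    packages in the user's context (Authenticated Users). Only admins can write.
New-SmbShare -Name $ShareName -Path $StagePath `
    -FullAccess 'CONTOSO\Domain Admins' `
    -ReadAccess 'CONTOSO\Domain Computers', 'NT AUTHORITY\Authenticated Users' | Out-Null

# 3. Make the NTFS permissions match the share permissions: stop inheriting,
#    grant Read & Execute to the client principals, Full Control to admins/SYSTEM.
$acl = Get-Acl -Path $StagePath
$acl.SetAccessRuleProtection($true, $false)   # protect the ACL and drop inherited ACEs
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
foreach ($p in 'CONTOSO\Domain Computers', 'NT AUTHORITY\Authenticated Users') {
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
        $p, 'ReadAndExecute', $inherit, 'None', 'Allow')))
}
foreach ($p in 'CONTOSO\Domain Admins', 'NT AUTHORITY\SYSTEM') {
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
        $p, 'FullControl', $inherit, 'None', 'Allow')))
}
Set-Acl -Path $StagePath -AclObject $acl

# 4. Create the GPO and link it to the OU that holds the target computers.
#    The comment records which package and hash this GPO is meant to carry.
$gpo = New-GPO -Name 'Deploy App (assigned to computers)' `
    -Comment "Software Installation package $UncPath, SHA256 $hash"
New-GPLink -Name $gpo.DisplayName -Target 'OU=Workstations,DC=contoso,DC=com' -LinkEnabled Yes | Out-Null

# 5. There is no cmdlet for the Software Installation node. Open the GPO in GPMC,
#    browse to Computer Configuration > Policies > Software Settings > Software
#    Installation, choose New > Package, enter $UncPath, and select Assigned.
Write-Output "Add package $UncPath to GPO '$($gpo.DisplayName)' in GPMC."
```

The signature and hash checks in step 1 are the part most often skipped: the GPO trusts whatever is on the share, so the share ACL and a recorded hash are the only things standing between a modified .msi and every computer in scope.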
4. AppLocker
AppLocker can be used to specify which users or groups can run particular applications. AppLocker uses rules that explicitly allow or deny applications from running. It was introduced in Windows 7 and Windows Server 2008 R2 as an improvement over the Software Restriction Policies available in earlier versions of Windows. AppLocker rules are enforced only while the Application Identity service is running, so that service should be set to start automatically on the computers in scope.
You can access the AppLocker Group Policy settings in the Computer Configuration => Policies => Windows Settings => Security Settings => Application Control Policies node.
Figure 5 shows the AppLocker node in Group Policy. When you first create a rule, you'll be prompted to create the default rules. These default rules are intended to ensure that normal operation of the system isn't negatively impacted by your rules: once a rule collection is enforced, anything that no rule in that collection allows is blocked. In the figure, the default rules are on the top and labeled Allow, and the one rule on the bottom labeled Deny is the rule created specifically to deny a script for users in the scope of the GPO.
Three types of rules can be implemented:
Executable Rules include files with the .exe and .com extensions.
Windows Installer Rules include files with the .msi and .msp extensions.
Script Rules include files with the .ps1, .bat, .cmd, .vbs, and .js extensions.
It's also possible to configure DLL rules to restrict the loading of .dll and .ocx files. However, DLL rules affect system performance because every DLL a process loads must be checked against the rules, and the DLL rule collection is hidden until you enable it in the AppLocker properties, so enable it only after testing in audit-only mode.
Two of the significant improvements of AppLocker over Software Restriction policies are as follows:
Per User and Per Group rules
Software Restriction Policies apply to all users within the scope of the GPO. AppLocker allows you to specify which users or groups each rule allows or denies, so a single GPO can block an application for one group while leaving it available to others.
Audit-only mode
This is new in AppLocker and allows you to test the rules before they're enforced. The rules aren't enforced, but each decision they would have made is written to the AppLocker event logs (under Applications and Services Logs => Microsoft => Windows => AppLocker in Event Viewer), so you can find legitimate programs your rules would block before anyone is locked out.
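The two improvements above, a deny rule scoped to one group and audit-only mode, put into practice with the AppLocker PowerShell module, as an added example that is not part of the original text. It covers the rule types listed earlier as well. The domain CONTOSO, group CONTOSO\Contractors, user CONTOSO\jdoe, domain controller DC01 and GPO name "AppLocker - Audit" are hypothetical; the rule names mirror the default rules GPMC offers, and the sample paths passed to Test-AppLockerPolicy are constructed for the run.

```powershell
# Added example (not from the original text). Hypothetical names: domain CONTOSO,
# group CONTOSO\Contractors, user CONTOSO\jdoe, DC01, GPO "AppLocker - Audit".
#Requires -RunAsAdministrator
Import-Module AppLocker
Import-Module GroupPolicy

# AppLocker rules are evaluated only while the Application Identity service runs.
# Start it here for the pilot; set its startup type to Automatic through the GPO
# (Security Settings > System Services) so it persists on every computer in scope.
Start-Service -Name AppIDSvc

# Rules are scoped by SID, not by name. Resolve the group once and embed the SID.
$nt = New-Object System.Security.Principal.NTAccount('CONTOSO', 'Contractors')
$contractorsSid = $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
$everyoneSid    = 'S-1-1-0'        # well-known SID for Everyone
$adminsSid      = 'S-1-5-32-544'   # well-known SID for BUILTIN\Administrators

# Helper: one path rule in AppLocker's XML schema. Every rule needs a unique GUID.
function New-PathRuleXml {
    param([string]$Name, [string]$Sid, [string]$Action, [string]$Path)
    @"
    <FilePathRule Id="$([guid]::NewGuid())" Name="$Name" Description="" UserOrGroupSid="$Sid" Action="$Action">
      <Conditions><FilePathCondition Path="$Path" /></Conditions>
    </FilePathRule>
"@
}

# Keep the default allow rules (Windows and Program Files for Everyone, everything
# for Administrators) so the system keeps working, then add a deny that applies only
# to the Contractors group. EnforcementMode="AuditOnly" logs decisions without blocking.
$policyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
$(New-PathRuleXml 'Default: Program Files' $everyoneSid 'Allow' '%PROGRAMFILES%\*')
$(New-PathRuleXml 'Default: Windows folder' $everyoneSid 'Allow' '%WINDIR%\*')
$(New-PathRuleXml 'Default: Administrators' $adminsSid 'Allow' '*')
  </RuleCollection>
  <RuleCollection Type="Script" EnforcementMode="AuditOnly">
$(New-PathRuleXml 'Default: Program Files' $everyoneSid 'Allow' '%PROGRAMFILES%\*')
$(New-PathRuleXml 'Default: Windows folder' $everyoneSid 'Allow' '%WINDIR%\*')
$(New-PathRuleXml 'Default: Administrators' $adminsSid 'Allow' '*')
$(New-PathRuleXml 'Deny contractors scripts in Downloads' $contractorsSid 'Deny' '%OSDRIVE%\Users\*\Downloads\*')
  </RuleCollection>
</AppLockerPolicy>
"@
$xmlFile = Join-Path $env:TEMP 'applocker-audit.xml'
$policyXml | Out-File -FilePath $xmlFile -Encoding utf8

# Dry run before deploying: ask the policy engine what it would decide for sample
# files as a given user. PolicyDecision is Allowed, Denied or DeniedByDefault.
Test-AppLockerPolicy -XmlPolicy $xmlFile -User 'CONTOSO\jdoe' `
    -Path 'C:\Windows\System32\cmd.exe', "$env:USERPROFILE\Downloads\installer.vbs" |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# Deploy: locally for a pilot machine, or into a GPO so it reaches every computer
# in scope. -Ldap takes the GPO's distinguished name, which New-GPO returns in .Path.
Set-AppLockerPolicy -XmlPolicy $xmlFile
$gpo = New-GPO -Name 'AppLocker - Audit'
Set-AppLockerPolicy -XmlPolicy $xmlFile -Ldap "LDAP://DC01.contoso.com/$($gpo.Path)"

# Review the audit trail. In audit-only mode, event 8003 (EXE and DLL log) and
# event 8006 (MSI and Script log) mean "would have been blocked". Switch the
# collections to EnforcementMode="Enabled" only once these are quiet for legitimate software.
$filter = @{ LogName = 'Microsoft-Windows-AppLocker/MSI and Script'; Id = 8006 }
Get-WinEvent -FilterHashtable $filter -MaxEvents 50 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, UserId, Message |
    Format-List
```

Link the GPO with New-GPLink as for any other GPO. The deny rule is path-based for brevity; for anything that matters, prefer publisher or hash rules, since a user who can write to a path that an allow rule covers can bypass a path rule by copying the file there.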