Determine How to Deploy Applications to Client Computers Running Windows 7

  • Article

Applies To: Windows 7, Windows Server 2008 R2

In this step, you decide how applications will be deployed to client computers running Windows 7. These decisions can affect the relative security of the client computers and the amount of support that the IT department must provide to users. Use the following three scenarios to help determine how applications will be deployed to client computers running Windows 7. They are presented in order of relative security from highest to lowest:

  • Managed environment

  • Applications are installed on a case-by-case basis by the IT department

  • Unmanaged environment

Managed environment

In this scenario, all applications, operating systems, and software updates are installed by using an application deployment technology. The benefits of using technologies such as Microsoft System Center Configuration Manager 2007 and Group Policy Software Installation in this instance include:

  • An IT department can easily maintain a list of installed applications and prevent unwanted applications from being installed.

  • The overall total cost of ownership is lower in part because the ability of malicious software (malware) to install, execute, or hide itself is greatly constrained.

  • By centrally administering the User Account Control (UAC) security settings with Group Policy, the IT department can ensure that the local computer policy cannot be changed to circumvent the department's policy.

  • Because users log on to their computers as standard users and do not know the credentials for a local administrator account, they cannot modify system settings or install software and malware.

  • Although users are all standard users, they can still install and update applications that are deployed by using Configuration Manager 2007, Group Policy, and other deployment methods.

Requirements for this scenario include:

  • If you are using Configuration Manager 2007 as the application deployment technology, Configuration Manager 2007 must be installed on a dedicated server.

  • All users must have standard user accounts and must log on to their computers with the standard user account.

Recommendations for this scenario include:

  • Domain administrators should have two accounts—a standard user account and a domain administrator account with UAC enabled.

  • The User Account Control: Run all administrators in Admin Approval Mode policy setting should be enabled and administered centrally by using Group Policy.

  • The User Account Control: Switch to the secure desktop when prompting for elevation policy setting should be enabled and administered centrally by using Group Policy.

Applications are installed on a case-by-case basis by the IT department

While this is a mid-level security scenario, it is the most difficult to manage. In this scenario, all users have to submit a request to the help desk each time they want to install an application. The help desk then has to use Remote Desktop to install the application or physically input the credentials at the user's computer. While the IT department should know what applications are installed on which computer, the process of tracking this can be cumbersome and difficult to manage. In addition, if the credentials for a local administrator account are disclosed to a standard user even once, it must be assumed that the security policy is then compromised.

Unmanaged environment

In this scenario, users can install applications at will. There are three possible configurations. The following configurations are presented in decreasing levels of security, with the first being the most secure.

Users are standard users but know the user name and password for a local administrator account.

  • The User Account Control: Run all administrators in Admin Approval Mode policy setting is enabled.

  • Users log on with their standard user accounts and provide credentials for a local administrator account in the User Account Control credential prompt when they want to perform administrative tasks.

Impact: There is no efficient way for the IT department to track application installations or to track the status of the computer. Additionally, users can still inadvertently install malware by providing credentials on a User Account Control credential prompt for an executable file that they cannot identify.

Users are local administrators.

  • The User Account Control: Run all administrators in Admin Approval Mode policy setting is enabled.

  • Users log on with their administrator accounts and provide consent on the User Account Control consent prompt when they want to perform administrative tasks.

Impact: Although UAC is enabled, all users log on as administrators and any user can easily install software, manipulate system settings, and circumvent the computer's security policy. Additionally, there is no efficient way for the IT department to track application installations or to track a computer's status.

UAC is disabled, and users are local administrators.

  • The User Account Control: Run all administrators in Admin Approval Mode policy setting is disabled.

  • Users log on with their administrator accounts and perform administrative tasks.

Impact: When UAC is disabled, the user's administrative token is always used and all applications run with full control over the entire computer. As a result, there is no efficient way for the IT department to track application installations or to track a computer's status. In addition, malware can be silently installed because users are not prompted for approval or credentials before an administrative executable file can run.