I realize that the majority of companies cannot prevent their users from installing whatever software they like. Heck, I have a hard time controlling what software runs on my own family’s PCs. If you can’t stop new software from being installed, you must make a proactive plan to manage the risk. Here are some tips:
- Educate your users on your company’s software install policy (i.e., do they need IT approval?).
- Educate users on the kinds of software installs to avoid, the ones bound to be full of spyware and other malware. Explain that every new piece of software can lead to remote exploitation and complete, malicious control of their computer.
- Put an auditing mechanism in place to find out what your end-users are running. Even if you don’t have control of what they install, you must know what is running. Audit installed programs and listening IP ports.
- Develop a process to ensure that newly installed applications are configured securely at install time (you don’t want file-sharing or peer-to-peer apps sharing out confidential directories).
- Ensure that any installed program has its auto-update feature enabled, if it has one. Also, be aware of programs which do a poor job of removing the old, vulnerable code after the updated version is installed. Adobe Acrobat and Sun’s Java have been criticized for this lately.
- Make a case to management to remove any high-risk program, along with penalties for repeat offenders.
- Institute a content-layer inspection device that can prevent unauthorized protocols from sneaking over authorized ports (such as IM tunneled over port 80).
- Teach your IT team to be aware of new programs and to report them to IT management when discovered, so the risk can be analyzed immediately.
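The auditing step above (inventory installed programs and listening ports, then notice what is new) is easy to describe and easy to forget to actually do. The following is an added example, not code from the article, showing one way to automate it: snapshot a host's listening sockets and installed-program list, diff them against a baseline taken from a freshly imaged machine, and flag anything not on the install policy's approved list. The `netstat -an` text, program names, baseline and approved list are all constructed sample data; on a real host you would feed in the command's live output and your own inventory source.

```python
"""Baseline-and-diff audit of listening ports and installed programs.

Added example (not from the original article). All sample data below is
constructed for illustration; the netstat layout matches `netstat -an` on
Windows, but the specific lines are made up.
"""
import re

# Constructed `netstat -an` output as captured from a (fictional) user PC.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:6881           0.0.0.0:0              LISTENING
  TCP    192.168.1.10:49153     10.0.0.5:443           ESTABLISHED
  UDP    0.0.0.0:5355           *:*
"""

# Constructed installed-program inventory for the same PC.
SAMPLE_PROGRAMS = {
    "Microsoft Office",
    "Adobe Acrobat Reader",
    "Java(TM) SE Runtime",
    "SomeTorrentClient",  # hypothetical unapproved peer-to-peer app
}

# Constructed baseline recorded from a freshly imaged machine.
BASELINE_PROGRAMS = {"Microsoft Office", "Adobe Acrobat Reader", "Java(TM) SE Runtime"}
BASELINE_PORTS = {("TCP", 135), ("TCP", 445), ("UDP", 5355)}

# Hypothetical approved list taken from the company's software install policy.
APPROVED_PROGRAMS = BASELINE_PROGRAMS | {"Mozilla Firefox"}

# Matches one socket line: proto, local addr:port, foreign addr, optional state.
_SOCKET_LINE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+\S+(?:\s+(\S+))?\s*$")


def parse_listening_ports(netstat_text):
    """Return the set of (proto, port) pairs the host is listening on.

    TCP sockets count only in the LISTENING state; UDP sockets have no
    state column, so every bound UDP socket is reported.
    """
    listening = set()
    for line in netstat_text.splitlines():
        match = _SOCKET_LINE.match(line)
        if not match:
            continue  # header, blank line, or something we do not understand
        proto, _local_addr, port, state = match.groups()
        if proto == "UDP" or state == "LISTENING":
            listening.add((proto, int(port)))
    return listening


def diff_sets(baseline, current):
    """Describe what appeared and what disappeared relative to the baseline."""
    return {
        "added": sorted(current - baseline),
        "removed": sorted(baseline - current),
    }


def audit_host(netstat_text, programs, baseline_ports, baseline_programs, approved):
    """Build the report an IT team would review for one host."""
    ports = parse_listening_ports(netstat_text)
    return {
        "ports": diff_sets(baseline_ports, ports),
        "programs": diff_sets(baseline_programs, programs),
        "unapproved": sorted(programs - approved),  # policy violations
    }


if __name__ == "__main__":
    report = audit_host(SAMPLE_NETSTAT, SAMPLE_PROGRAMS,
                        BASELINE_PORTS, BASELINE_PROGRAMS, APPROVED_PROGRAMS)
    for section, value in report.items():
        print(f"{section}: {value}")
```

Run against the constructed sample, the report shows one new listening socket (TCP 6881) and one new program that is also absent from the approved list, which is exactly the pair of signals the IT team should be asked to escalate. Keeping the baseline per image (or per department) rather than per user keeps the diff small enough that someone will actually read it.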
It's a simple fact that users are going to install new software you don’t know about, and that it will increase the chances of malicious exploitation. My best advice is to control what is installed and running on all managed PCs. Failing that, become proactive about the software you don’t control.