Windows 7 Enterprise - Allow standard user to install approved apps

Squelchy · 08 Jan 2012

Hi,

I have over 120 clients running Windows 7 Enterprise in a Windows Server 2008 R2 domain. I am currently doing some testing around AppLocker, and generally locking down the user environment. I will soon be setting up some new Windows 7 clients with the users added as the Standard User type.

When a standard user attempts to install an application, the UAC prompt is displayed, which requests administrative credentials. Is there a way that I can approve/publish specific applications that the standard users can install themselves? If so, is there a way that the users can install updates for these approved applications themselves?

Any help would be much appreciated. Many thanks.

**cluberti** · 08 Jan 2012

You could, but that would require additional software. In a Windows world, this is generally accomplished by using System Center Configuration Manager (SCCM) 2007 or other competing products (SCCM is the most featureful and integrated with the other MS products, of course, and is my personal preference for lifecycle management). There are products that can be installed on Windows that provide "silent elevation" of certain programs, but those are generally not advised as they open up that user session to security risks (admin code now running in a user session with the same user token - not a good idea).

Squelchy · 01 Feb 2012

Thank you for your reply. A few other people have confirmed that it is not possible to configure a user as a Standard User in Windows 7 and provide them with the privileges to elevate certain programs. I have tested Script Logic's Privilege Authority, and it has met the requirements mentioned in my original post.

**cluberti** · 01 Feb 2012

Be aware that programs that provide silent elevation mean the application is no longer interacting with the secure desktop, and removing one of the security mechanisms the OS has put in place to provide "regular users" security - using auto-elevation software sort of defeats the purpose of running as a standard user, and puts a nice bit elevatable security hole (silently, no less) that could potentially be exploited without any real user notification or interaction. While those sorts of things are good in theory, they would most certainly (at least from a security perspective) not be recommended in practice. You might as well make your users administrators at that point, because that's what doing such a thing amounts to.