    Solved Software restriction policy on Workgroup network ?

    IT Discussion
    • openit

      Hello all,

      As you know, Software Restriction Policy is one of the best practices to prevent ransomware-type viruses. Well, if all nodes on the network are under a domain, it can be done with GPO easily.

      As of now we are in Workgroup network with OSes Windows 7-10.

      So is there any third-party tool or script to run on all PCs for SRP?

      Probably we can push script/app with ESET ERA6 to all pcs ? if possible, otherwise, we will do it manually.

      Thanks for suggestions !

      • scottalanmiller

        Group Policy is not limited to domains. You can use Group Policy manually at each machine, push it out with PowerShell or control it even more effectively than a domain does using a tool like Ansible or Salt.

        • openit @scottalanmiller

          @scottalanmiller said in Software restriction policy on Workgroup network ?:

          Group Policy is not limited to domains. You can use Group Policy manually at each machine

          Yeah, I know we can do it manually on each pc (hopefully for home edition OSes also ?)

          My intention is for any application or script, which can be done easily instead of editing Group Policy and do modifications at each pc.

          • openit @scottalanmiller

            @scottalanmiller said in Software restriction policy on Workgroup network ?:

            push it out with PowerShell

            I am not familiar with PowerShell. Are you talking about creating PS script for the SRP and run on each machine or push it remotely for all machines ?

            • openit @scottalanmiller

              @scottalanmiller said in Software restriction policy on Workgroup network ?:

              control it even more effectively than a domain does using a tool like Ansible or Salt.

              I think, both Ansible and Salt are commercial products to do things easily, but it adds cost. If I am going to spend for this reason, instead we may spend on getting Pro versions to make all workstations under Domain 🙂

              The actual reason why our all pcs not under domain is, "some PC OSes are Home Editions". And I was not willing to bring half pcs to domain and leave remaining under Workgroup, until we buy Pro Versions.

              • scottalanmiller @openit

                @openit said in Software restriction policy on Workgroup network ?:

                @scottalanmiller said in Software restriction policy on Workgroup network ?:

                push it out with PowerShell

                I am not familiar with PowerShell. Are you talking about creating PS script for the SRP and run on each machine or push it remotely for all machines ?

                This would be a great place to start experimenting with it, where the risk is zero and there is a small but important project with a clear goal. Perfect for starting scripting.

                PowerShell can be run locally, but the power and point of it is to be run remotely. The tooling is called PowerShell Remoting.

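What a "PS script for the SRP" can look like, as an added example that is not part of the thread or any poster's own script: it writes a local Software Restriction Policy to the registry location the local policy editor uses, then reads the rules back. The block rules, function names, file name and computer names are constructed for illustration.

```powershell
# Added example. Run elevated on the target PC; try it on one test machine first.
$Root = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$Disallowed = 0; $Unrestricted = 262144   # SRP security level IDs (0x0 / 0x40000)

# Constructed sample blocklist: executables started from user-writable profile folders.
$BlockRules = @(
    @{ Path = '%AppData%\*.exe';           Note = 'EXE directly in roaming AppData' },
    @{ Path = '%AppData%\*\*.exe';         Note = 'EXE one folder below roaming AppData' },
    @{ Path = '%LocalAppData%\Temp\*.exe'; Note = 'EXE in the user temp folder' }
)

function Set-SrpValue($Key, $Name, $Value, $Type) {
    # Create the key only when missing so existing values are left alone.
    if (-not (Test-Path $Key)) { New-Item -Path $Key -Force | Out-Null }
    New-ItemProperty -Path $Key -Name $Name -Value $Value -PropertyType $Type -Force | Out-Null
}

function Set-LocalSrp {
    # Everything runs unless a rule says otherwise (blocklist mode).
    Set-SrpValue $Root DefaultLevel $Unrestricted DWord
    # 1 = check all software files except libraries (DLLs).
    Set-SrpValue $Root TransparentEnabled 1 DWord
    # 1 = all users except local administrators, so a separate admin account
    # can still run installers; 0 would apply the rules to everyone.
    Set-SrpValue $Root PolicyScope 1 DWord
    Set-SrpValue $Root ExecutableTypes @('BAT','CMD','COM','EXE','HTA','MSI','PIF','SCR') MultiString

    # This script is the source of truth for Disallowed path rules: rebuild them each run.
    $paths = "$Root\$Disallowed\Paths"
    if (Test-Path $paths) { Remove-Item -Path $paths -Recurse -Force }
    foreach ($rule in $BlockRules) {
        $key = "$paths\{$([guid]::NewGuid())}"
        Set-SrpValue $key ItemData    $rule.Path ExpandString
        Set-SrpValue $key SaferFlags  0          DWord
        Set-SrpValue $key Description $rule.Note String
    }
}

function Get-LocalSrpRule {
    # Read back the stored rules (unexpanded, as written) to verify a push.
    Get-ChildItem "$Root\$Disallowed\Paths" -ErrorAction SilentlyContinue | ForEach-Object {
        New-Object PSObject -Property @{
            Path        = $_.GetValue('ItemData', $null, 'DoNotExpandEnvironmentNames')
            Description = $_.GetValue('Description')
        }
    }
}

Set-LocalSrp
Get-LocalSrpRule | Format-Table -AutoSize

# Remote push from an admin workstation (assumes PowerShell Remoting is already enabled
# on the targets and they are in the sender's WSMan TrustedHosts; PC names are hypothetical):
#   Invoke-Command -ComputerName PC01,PC02 -Credential (Get-Credential) -FilePath .\Set-LocalSrp.ps1
```

Assumption: processes that are already running keep the policy they started with, so sign out or reboot before testing a blocked path.
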
                • scottalanmiller @openit

                  @openit said in Software restriction policy on Workgroup network ?:

                  I think, both Ansible and Salt are commercial products to do things easily, but it adds cost.

                  No, both are completely free. Both also offer commercial support, but you don't need this at all.

                  • scottalanmiller @openit

                    @openit said in Software restriction policy on Workgroup network ?:

                    The actual reason why our all pcs not under domain is, "some PC OSes are Home Editions". And I was not willing to bring half pcs to domain and leave remaining under Workgroup, until we buy Pro Versions.

                    Then you are in a good position to seriously consider never having a domain. Domains can be great, they can also be expensive and are very hard to remove once you implement them. If you look at tools like Salt, you can pretty easily go with a free alternative that is vastly more powerful (in most ways) than a domain while not locking you into anything.

                    Or if you feel a domain is required, you can do it from the start using Linux and never become encumbered by the enormous "Windows tax".

                    • Dashrender

                      I'll be interested (only for learning reasons) what you find out for the home edition of Windows regarding the ability of settings you can apply.

                      • IRJ @scottalanmiller

                        @scottalanmiller said in Software restriction policy on Workgroup network ?:

                        Group Policy is not limited to domains. You can use Group Policy manually at each machine.

                        That's right, but when you are deploying it with scripts it's considered local policy. Even though you can deploy it just as effectively as you would with Group Policy.

                        • openit @scottalanmiller

                          @scottalanmiller said in Software restriction policy on Workgroup network ?:

                          @openit said in Software restriction policy on Workgroup network ?:

                          @scottalanmiller said in Software restriction policy on Workgroup network ?:

                          push it out with PowerShell

                          I am not familiar with PowerShell. Are you talking about creating PS script for the SRP and run on each machine or push it remotely for all machines ?

                          This would be a great place to start experimenting with it, where the risk is zero and there is a small but important project with a clear goal. Perfect for starting scripting.

                          PowerShell can be run locally, but the power and point of it is to be run remotely. The tooling is called PowerShell Remoting.

                          Sure, I will learn PS.

                          I was expecting of some app to do it easily or configuring in one pc and importing if it's possible. Now if I use Power Shell (local or remote), I need to google for code/script and run....

                          Also, just wondering to know, once we setup SRP, what impact will be while installing legitimate software ? (here we have given users a standard account and separate administrator account for admin to install something)

                          • scottalanmiller @IRJ

                            @IRJ said in Software restriction policy on Workgroup network ?:

                            @scottalanmiller said in Software restriction policy on Workgroup network ?:

                            Group Policy is not limited to domains. You can use Group Policy manually at each machine.

                            That's right, but when you are deploying it with scripts it's considered local policy. Even though you can deploy it just as effectively as you would with Group Policy.

                            Group Policy deploys it locally with scripts, too 😉

                            • scottalanmiller @openit

                              @openit said in Software restriction policy on Workgroup network ?:

                              I was expecting of some app to do it easily or configuring in one pc and importing if it's possible.

                              That's why I told you about Salt.

                              • scottalanmiller @openit

                                @openit said in Software restriction policy on Workgroup network ?:

                                Also, just wondering to know, once we setup SRP, what impact will be while installing legitimate software ? (here we have given users a standard account and separate administrator account for admin to install something)

                                No legitimate business software expects or requires an administration account. If it does, it's a total joke and has no place in a business environment.

                                • openit @scottalanmiller

                                  @scottalanmiller said in Software restriction policy on Workgroup network ?:

                                  @openit said in Software restriction policy on Workgroup network ?:

                                  I think, both Ansible and Salt are commercial products to do things easily, but it adds cost.

                                  No, both are completely free. Both also offer commercial support, but you don't need this at all.

                                  That's great. So I need to setup Salt/Ansible as a server and install agents on all Windows PCs and push/control with Salt/Ansible server ?

                                  Whether these Salt/Ansible servers are available for Windows and/or Linux ?

                                  • scottalanmiller @openit

                                    @openit said in Software restriction policy on Workgroup network ?:

                                    Now if I use Power Shell (local or remote), I need to google for code/script and run....

                                    No different than when using GPO. If you don't know how to do the task, you have to look it up. It's not different in that way with PowerShell.

                                    • openit @scottalanmiller

                                      @scottalanmiller said in Software restriction policy on Workgroup network ?:

                                      @openit said in Software restriction policy on Workgroup network ?:

                                      The actual reason why our all pcs not under domain is, "some PC OSes are Home Editions". And I was not willing to bring half pcs to domain and leave remaining under Workgroup, until we buy Pro Versions.

                                      Then you are in a good position to seriously consider never having a domain.

                                      This made me feel Happy !

                                      I always felt bad, when I was not able to do easily due to lack of Domain.

                                      • scottalanmiller @openit

                                        @openit said in Software restriction policy on Workgroup network ?:

                                        Whether these Salt/Ansible servers are available for Windows and/or Linux ?

                                        You definitely want them on Linux, not Windows. Don't start adding huge (and I really mean huge) costs of Windows just to run some normal software, that would be crazy. You'd need Windows server licensing and CALs for all users just to run Salt. That's a thousand dollars or more rather than 100% free. And it uses fewer resources and is more standard on Linux. My Linux install guide is like two commands to fully set up Salt on Linux, it's that simple. Would be much harder on Windows and no value to it.

                                        • scottalanmiller @openit

                                          @openit said in Software restriction policy on Workgroup network ?:

                                          @scottalanmiller said in Software restriction policy on Workgroup network ?:

                                          @openit said in Software restriction policy on Workgroup network ?:

                                          The actual reason why our all pcs not under domain is, "some PC OSes are Home Editions". And I was not willing to bring half pcs to domain and leave remaining under Workgroup, until we buy Pro Versions.

                                          Then you are in a good position to seriously consider never having a domain.

                                          This made me feel Happy !

                                          I always felt bad, when I was not able to do easily due to lack of Domain.

                                          Domains are the panacea that people think that they are. Microsoft's marketing has been very powerful in the SMB. AD Domains are certainly nice and powerful and well integrated into Windows, but we don't use them at NTG for a reason - too much work, too little benefit. We had it and we own the licensing for it, but we removed it and are happier without it. I've worked in companies with hundreds of people not on domains and it worked great. There are lots of cases where they just don't make sense.

                                          • openit @scottalanmiller

                                            @scottalanmiller said in Software restriction policy on Workgroup network ?:

                                            @openit said in Software restriction policy on Workgroup network ?:

                                            The actual reason why our all pcs not under domain is, "some PC OSes are Home Editions". And I was not willing to bring half pcs to domain and leave remaining under Workgroup, until we buy Pro Versions.

                                            Then you are in a good position to seriously consider never having a domain. Domains can be great, they can also be expensive and are very hard to remove once you implement them. If you look at tools like Salt, you can pretty easily go with a free alternative that is vastly more powerful (in most ways) than a domain while not locking you into anything.

                                            Or if you feel a domain is required, you can do it from the start using Linux and never become encumbered by the enormous "Windows tax".

                                            Are Salt/Ansible an alternative kind of software for PDQ Deploy?

                                            Because I tried to use PDQ Deploy Free, I wondered it was asking for Domain Credentials to setup, so I left it.
