I'm a sysadmin managing around 200 Windows endpoints and need some advice on handling two main issues. First, while standard users can't install software in Program Files, they can still add apps to their user profiles in AppData, which bypasses many restrictions. I want to control what users can execute and install without spending a fortune. What tools or approaches do you recommend? Should I consider AppLocker, Windows Defender Application Control, affordable third-party solutions, or any effective group policy methods that work at scale?
Second, I'm looking into Wazuh as a potential SIEM/XDR solution. I want to set up alerts for activities like users launching PowerShell or CMD, any suspicious activity, and general endpoint visibility. I've read that this may require PowerShell logging and setting up Sysmon with custom rules. Do any of you have experience using Wazuh for these purposes? Is it a high-maintenance tool? What essential configurations or issues should I watch out for? I've also heard about ManageEngine tools as affordable options—are they reliable?
Would love to hear any real-world experiences or recommendations!
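An added example covering the second question (it is not part of the original post or any answer): the three Windows-side pieces the poster lists (PowerShell logging, Sysmon process-creation events, and the Wazuh agent collecting those channels), done in one elevated PowerShell script. Assumptions that are not from the page: Sysmon is already installed as `Sysmon64.exe`, the Wazuh agent is in its default `C:\Program Files (x86)\ossec-agent` folder, its Windows service is named `WazuhSvc`, and the Sysmon `schemaversion` matches the installed release. The Sysmon rule file and the `<localfile>` block are constructed for this example.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original post. Turns on the Windows telemetry the
# question lists (PowerShell logging, Sysmon process creation, native process
# auditing) and tells the Wazuh agent to forward the resulting event channels.
# Assumptions (not from the page): Sysmon is already installed as Sysmon64.exe,
# the Wazuh agent sits in its default folder, and its service is named WazuhSvc.

# --- 1. PowerShell logging via the policy registry keys (the same keys a GPO writes) ---
$psPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
New-Item -Path "$psPolicy\ScriptBlockLogging" -Force | Out-Null
New-ItemProperty -Path "$psPolicy\ScriptBlockLogging" -Name EnableScriptBlockLogging `
    -Value 1 -PropertyType DWord -Force | Out-Null                     # event 4104
New-Item -Path "$psPolicy\ModuleLogging\ModuleNames" -Force | Out-Null
New-ItemProperty -Path "$psPolicy\ModuleLogging" -Name EnableModuleLogging `
    -Value 1 -PropertyType DWord -Force | Out-Null                     # event 4103
New-ItemProperty -Path "$psPolicy\ModuleLogging\ModuleNames" -Name '*' `
    -Value '*' -PropertyType String -Force | Out-Null                  # log every module

# --- 2. Native process-creation auditing with command lines (Security event 4688).
#        Gives cmd/PowerShell launch visibility on hosts that do not have Sysmon yet ---
auditpol.exe /set /subcategory:"Process Creation" /success:enable | Out-Null
$auditKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
New-Item -Path $auditKey -Force | Out-Null
New-ItemProperty -Path $auditKey -Name ProcessCreationIncludeCmdLine_Enabled `
    -Value 1 -PropertyType DWord -Force | Out-Null

# --- 3. Minimal Sysmon config: record every cmd/PowerShell launch plus anything
#        started from a user profile, which is where AppData installs end up ---
# schemaversion is an assumption; it must not exceed what `Sysmon64.exe -s` prints.
$sysmonConfig = @'
<Sysmon schemaversion="4.50">
  <EventFiltering>
    <RuleGroup name="Shells and user-profile binaries" groupRelation="or">
      <ProcessCreate onmatch="include">
        <Image condition="end with">\cmd.exe</Image>
        <Image condition="end with">\powershell.exe</Image>
        <Image condition="end with">\pwsh.exe</Image>
        <Image condition="begin with">C:\Users\</Image>
      </ProcessCreate>
    </RuleGroup>
  </EventFiltering>
</Sysmon>
'@
$sysmonPath = Join-Path $env:TEMP 'sysmon-shells.xml'
Set-Content -Path $sysmonPath -Value $sysmonConfig -Encoding ASCII
& "$env:SystemRoot\Sysmon64.exe" -c $sysmonPath        # -c replaces the running config

# --- 4. Wazuh agent: forward both channels. The agent accepts several
#        <ossec_config> blocks in ossec.conf, so appending one is safe ---
$ossecConf  = 'C:\Program Files (x86)\ossec-agent\ossec.conf'   # default path (assumed)
$wazuhBlock = @'

<ossec_config>
  <localfile>
    <location>Microsoft-Windows-Sysmon/Operational</location>
    <log_format>eventchannel</log_format>
  </localfile>
  <localfile>
    <location>Microsoft-Windows-PowerShell/Operational</location>
    <log_format>eventchannel</log_format>
  </localfile>
</ossec_config>
'@
if (-not (Select-String -Path $ossecConf -Pattern 'Microsoft-Windows-Sysmon/Operational' -Quiet)) {
    Add-Content -Path $ossecConf -Value $wazuhBlock -Encoding ASCII
    Restart-Service -Name WazuhSvc    # service name is an assumption; confirm with Get-Service
}
```

Once the channels arrive, alert severity for "a user opened cmd.exe" is a manager-side decision: the Wazuh manager ships decoders and rules for Sysmon and PowerShell events, and the usual maintenance cost is tuning those rules so that routine admin shells and signed vendor scripts do not drown the alerts you actually want, which is why starting Sysmon with a narrow include list like the one above is easier than starting with a firehose.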
5 Answers
Just set up group policies to prevent user installations in AppData. It's a straightforward way to manage installations, especially for a larger number of endpoints.
AppLocker is a solid choice for preventing unwanted installations, especially if you're sticking to approved software only. It can effectively stop those AppData installs. However, I'd suggest considering Windows Defender Application Control (WDAC) for a more future-proof solution, especially if you're using Intune in your environment. If you're after a non-Microsoft tool, ThreatLocker is another good option that could meet your needs while also addressing PowerShell and CMD usage.
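An added example for the two answers above (the group-policy suggestion and the AppLocker one); it is not code from either poster. It builds the AppLocker policy XML that a GPO would carry (Computer Configuration > Windows Settings > Security Settings > Application Control Policies > AppLocker), allowing executables, installers and scripts only from Program Files and Windows for everyone, so anything under a user profile's AppData is denied by omission. It then dry-runs the policy against a constructed AppData path and applies it locally in AuditOnly mode. Rule names, file names and the test path are constructed for the example.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the answers above: AppLocker policy that allows only
# %PROGRAMFILES% and %WINDIR% for standard users (administrators keep everything),
# tested against an AppData path and applied locally in AuditOnly mode first.
# The generated XML is the same format the AppLocker GPO editor imports.
# S-1-1-0 = Everyone, S-1-5-32-544 = BUILTIN\Administrators.

$policyPath = Join-Path $env:TEMP 'applocker-audit.xml'

$ruleTemplate = @'
    <FilePathRule Id="{0}" Name="{1}" Description="" UserOrGroupSid="{2}" Action="Allow">
      <Conditions><FilePathCondition Path="{3}" /></Conditions>
    </FilePathRule>

'@

# One rule collection (Exe, Msi or Script). AuditOnly writes 8003/8006 events to the
# Microsoft-Windows-AppLocker logs for files that WOULD be blocked, without blocking.
function New-AllowCollection {
    param([string]$Type, [string[]]$EveryonePaths)
    $xml = "  <RuleCollection Type=`"$Type`" EnforcementMode=`"AuditOnly`">`n"
    foreach ($p in $EveryonePaths) {
        $xml += $ruleTemplate -f [guid]::NewGuid(), "$Type allow $p", 'S-1-1-0', $p
    }
    $xml += $ruleTemplate -f [guid]::NewGuid(), "$Type allow admins", 'S-1-5-32-544', '*'
    $xml + "  </RuleCollection>`n"
}

$policyXml = "<AppLockerPolicy Version=`"1`">`n" +
    (New-AllowCollection -Type 'Exe'    -EveryonePaths '%PROGRAMFILES%\*', '%WINDIR%\*') +
    (New-AllowCollection -Type 'Script' -EveryonePaths '%PROGRAMFILES%\*', '%WINDIR%\*') +
    (New-AllowCollection -Type 'Msi'    -EveryonePaths '%WINDIR%\Installer\*') +
    '</AppLockerPolicy>'
Set-Content -Path $policyPath -Value $policyXml -Encoding UTF8

# Dry run: what would the policy do to an installer dropped into a profile?
# A copy of notepad.exe stands in for the installer (constructed test file).
$sample = Join-Path $env:LOCALAPPDATA 'ExampleVendor\setup.exe'
New-Item -ItemType Directory -Path (Split-Path $sample) -Force | Out-Null
Copy-Item -Path "$env:SystemRoot\System32\notepad.exe" -Destination $sample -Force
Test-AppLockerPolicy -XmlPolicy $policyPath -Path $sample -User Everyone |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize   # expect Denied
Remove-Item -Path $sample -Force

# AppLocker only evaluates rules while the Application Identity service runs.
sc.exe config appidsvc start= auto | Out-Null
Start-Service -Name AppIDSvc

# Apply locally; -Merge keeps rules that already exist. Change EnforcementMode to
# "Enabled" only after reviewing the audit events for a representative period.
Set-AppLockerPolicy -XmlPolicy $policyPath -Merge
```

The path-rule approach is the cheap one: standard users cannot write to Program Files or Windows, so allowing only those two trees is what actually stops the AppData installs. Its weak spot is any user-writable folder beneath those trees, which is why the audit period matters and why publisher rules (`New-AppLockerPolicy -RuleType Publisher` from `Get-AppLockerFileInformation`) are the usual next step once the baseline is known.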
Have you thought about blocking specific applications at the firewall level? If most unwanted installs are for social media or messaging apps, they won't work anyway if you restrict their internet access. It’s a way to mitigate the problem even if it won’t stop all installations.
WDAC is like AppLocker but with extra features. It's designed for more complex environments but can provide robust security. It’s built into Windows, which makes it easier to manage. Just keep in mind that it may take some effort to set up initially.
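An added example for the WDAC suggestion above (not code from the poster): it starts from Microsoft's `DefaultWindows_Audit.xml` template so that Windows itself stays allowed, merges in a publisher-level scan of the software installed on a clean reference machine, switches the result to audit mode, and converts it to the binary form Windows loads. The file names and the local deployment step are constructed for the example; the cmdlets are the built-in `ConfigCI` module.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the answer above: build a WDAC policy from a clean
# reference machine, keep it in audit mode, and convert it to a .cip binary.
# Run this on a machine that has only sanctioned software installed.

$template = "$env:SystemRoot\schemas\CodeIntegrity\ExamplePolicies\DefaultWindows_Audit.xml"
$scanXml  = Join-Path $env:TEMP 'wdac-scan.xml'
$policyXml = Join-Path $env:TEMP 'wdac-audit.xml'

# Scan sanctioned software. -Level Publisher trusts the signer (survives vendor updates),
# -Fallback Hash covers unsigned files, -UserPEs includes user-mode binaries
# (without it the policy covers kernel-mode code only).
New-CIPolicy -Level Publisher -Fallback Hash -UserPEs -MultiplePolicyFormat `
    -ScanPath 'C:\Program Files' -FilePath $scanXml

# Merge the Windows template with the scan, then give the result fresh IDs in
# multiple-policy format so it can sit beside other policies.
Merge-CIPolicy -PolicyPaths $template, $scanXml -OutputFilePath $policyXml | Out-Null
Set-CIPolicyIdInfo -FilePath $policyXml -ResetPolicyID | Out-Null

# Rule options: 0 = Enabled:UMCI, 3 = Enabled:Audit Mode (log, do not block),
# 6 = Enabled:Unsigned System Integrity Policy (deployable without signing it).
Set-RuleOption -FilePath $policyXml -Option 0
Set-RuleOption -FilePath $policyXml -Option 3
Set-RuleOption -FilePath $policyXml -Option 6

# The binary must be named after the PolicyID for the multiple-policy format.
$policyId = ([xml](Get-Content -Path $policyXml)).SiPolicy.PolicyID
$binPath  = Join-Path $env:TEMP "$policyId.cip"
ConvertFrom-CIPolicy -XmlFilePath $policyXml -BinaryFilePath $binPath | Out-Null

# Local test deployment: copy into the active policies folder and reboot.
# At scale the same .cip is delivered with Intune or a GPO.
Copy-Item -Path $binPath -Destination "$env:SystemRoot\System32\CodeIntegrity\CiPolicies\Active" -Force

# After the reboot, files that WOULD have been blocked appear as event 3076:
Get-WinEvent -LogName 'Microsoft-Windows-CodeIntegrity/Operational' -MaxEvents 200 |
    Where-Object Id -eq 3076 |
    Select-Object TimeCreated, Message
```

The "effort to set up" the answer mentions is mostly the audit loop: collect the 3076 events across a pilot group, fold legitimate misses back into the policy (`New-CIPolicy -Audit` builds supplemental rules from that log), and only then remove option 3 to enforce. Unlike AppLocker, an enforced WDAC policy is also honoured by the kernel, which is what the "extra features" amount to in practice.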
If you're looking at ThreatLocker, it's great for stopping executables from running, including installers. It's user-friendly, plus it has features for users to request app access. It's a cost, but many find it worth it compared to managing AppLocker.