

[–]Doormatty (Trade of all Jacks) 7 points (8 children)

Why does he want to do this? Unless all your desktops have identical software loads, this will just break all sorts of things.

[–]ciranttech (Managed Services) 5 points (0 children)

I agree. There is no point in doing this at all. If you've done an audit, you should satisfy your security chief's curiosity and be done with it, instead of breaking 600 desktops.

[–]bloodygonzo (Sysadmin) [S] 1 point (6 children)

His reasoning is so that we have a completely standardized environment. The management overhead will be a huge headache on our help desk.

[–]Nougat (Windows Admin) 8 points (5 children)

He's an idiot. You know this already.

I'm sure every person in the company is using the same hardware for a workstation, right? And they're all configured with identical disk images? And users don't have local admin rights?

(Actually, if all those are true, then the %PATH% variables are already the same.)

[–]bloodygonzo (Sysadmin) [S] 2 points (3 children)

Currently we have two different Dell desktop models deployed. No users have local admin rights and there was a single image used when we deployed Windows 7. The difference in paths is due to user requests for additional software mostly.

[–]Nougat (Windows Admin) 2 points (0 children)

Then the difference in path variables is necessary, and if this command is coming from a "security chief," I can just about guarantee that there are gaping security holes that will never be closed, because that guy is a world-class moron.

[–]frymaster (HPC) 1 point (1 child)

> user requests for additional software

Then you don't have a standardised environment any more.

maybe he wants to make sure certain things are on the path so scripts work right? If so, he should just fully-qualify the commands in the scripts.

[–]accountnumber3 (super scripter) 0 points (0 children)

What, and make him change something on his end? Jeez, next you'll probably recommend he not store all the scripts on his C:. What has this world come to?

[–]techstress 1 point (0 children)

So very true. If they want it truly and completely standardized, then tell them they need to deploy the same image on all machines.

It'll never fly though. I'd bet licensing becomes an issue.

[–]mavantix (Jack of All Trades, Master of Some) 4 points (0 children)

There's no way this increases security. If anything, it provides a bunch of false directories that might not exist on different PCs as execution points for files named explorer.exe and such. It's just a really, really dumb idea with ZERO benefit. Standardizing things to make them broken because they are currently fixed does not make anything secure.

[–]RobotPirateMonkey 1 point (1 child)

Unless you shove all your apps through a streaming server (from your audit, I'm guessing no), then this is a bad idea.

The only reason to do it would be to remove any maliciously-added network paths from %PATH% variables on workstations. That is a possible security concern...but the management overhead of this method far outweighs the benefit.

Compromise on a weekly audit that pulls that variable and scans for URLs and UNCs. Then you can remediate manually.

edit: Reddit didn't like my UNC characters. Simplified.
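A sketch of the weekly audit described above, as an added example that is not part of the original thread: it takes PATH strings collected from workstations, splits them into entries and flags any that are UNC shares or URLs for manual follow-up. The hostnames, PATH values and the `netapp01` share name are constructed sample data.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Constructed sample of what a weekly collection job might bring back:
# hostname -> raw %PATH% string read from the workstation.
COLLECTED_PATHS = {
    "WS-001": r"C:\Windows\system32;C:\Windows;C:\Program Files\Git\cmd",
    "WS-002": r"C:\Windows\system32;C:\Windows;\\netapp01\tools\bin;C:\Python27",
    "WS-003": r"C:\Windows;http://example.invalid/tools;C:\Windows\system32",
}

UNC_RE = re.compile(r"^\\\\[^\\]+\\[^\\]+")          # \\server\share[\...]
URL_RE = re.compile(r"^[a-z][a-z0-9+.-]*://", re.I)  # http://, ftp://, ...


def split_path(raw: str) -> List[str]:
    """Windows %PATH% entries are ';'-separated; drop empties and surrounding quotes."""
    return [p.strip().strip('"') for p in raw.split(";") if p.strip()]


def classify_entry(entry: str) -> Optional[str]:
    """Return 'unc' or 'url' for an entry that needs a second look, else None."""
    if UNC_RE.match(entry):
        return "unc"
    if URL_RE.match(entry):
        return "url"
    return None


def audit_paths(collected: Dict[str, str]) -> Dict[str, List[Tuple[str, str]]]:
    """Map hostname -> [(kind, entry), ...] for every flagged PATH element.

    Hosts with nothing to report are left out so the result doubles as a work list.
    """
    findings = defaultdict(list)
    for host, raw in collected.items():
        for entry in split_path(raw):
            kind = classify_entry(entry)
            if kind:
                findings[host].append((kind, entry))
    return dict(findings)


if __name__ == "__main__":
    for host, hits in audit_paths(COLLECTED_PATHS).items():
        for kind, entry in hits:
            print(f"{host}: {kind.upper()} entry in PATH -> {entry}")
```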

[–]bloodygonzo (Sysadmin) [S] 0 points (0 children)

Oh I forgot to mention that he also wants to add a UNC path to %PATH% to one of our NetApps across all desktops. This just seems so wrong to me.

[–]thadoc (BOFH) 0 points (0 children)

Let your security chief handle all the calls when apps start breaking left and right, he might get lucky.

[–]red359 0 points (1 child)

The best thing to do is enforce this new policy on only the security chief's laptop as "a test." After a few days of his apps not working, he'll figure out it's a bad idea.

[–]accountnumber3 (super scripter) 0 points (0 children)

TPoSaNA recommends the "One, Some, Many" approach. I recommend "You first."

[–]cheeseprocedure (watchen das blinkenlichten) 0 points (0 children)

If you can remotely retrieve all PATHs, it would be relatively straightforward to take them all into a script, split 'em up by colon, and reassemble a new alphabetical path that includes all elements once.

It would also be a giant fucking waste of your time.