Recommended Best Practices for the Flexera Inventory Agent on Windows
Installing the agent
On Microsoft Windows, the agent installs with a standard Windows Installer package. The agent installer is intended to be installed for all users (per machine install). However, Windows Installer will not prevent such an install from being installed to a path that is writable by a standard user. As such, it is recommended that either the default installation path be used, or a path that is only writable by the SYSTEM account and administrators (this set of permissions would be similar to the default permissions for the Program Files folders). Using the default install path will simplify agent installation as no additional action needs to be taken on directory permissions.
User write access to Windows registry data
Standard users should not be allowed to modify any registry data, especially anything that
would affect how Windows normally operates. Certain registry data, such as anything part of
HKEY_CLASSES_ROOT\Classes
should be protected as much as reasonably
possible (blocking regedit.exe, reg.exe, PowerShell, and/or placing third party security
filters in place). Windows provides mechanisms that could allow standard users to alter
behavior of built in Windows functionality defined through HKCR\Classes related registry
keys. More specifically, care should be taken to protect data written to
HKEY_CURRENT_USER\Software\Classes such that no user can add registry data to this path that
alters predefined system behavior. Monitoring rules should be in place to determine when
unwanted modification in this registry path occurs.
IT Asset Management (Cloud)
Current