Recommended Best Practices for the Flexera Inventory Agent on Windows

IT Asset Management (Cloud)

Installing the agent

On Microsoft Windows, the agent is installed with a standard Windows Installer package. The installer is intended to be run as a per-machine install (for all users). However, Windows Installer does not prevent a per-machine install from targeting a path that is writable by a standard user. It is therefore recommended to use either the default installation path or a path that is writable only by the SYSTEM account and administrators (permissions similar to the defaults on the Program Files folders). Using the default installation path simplifies agent installation, because no additional action is needed on directory permissions.
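One way to check a custom installation directory against this recommendation is shown below. It is an added example, not Flexera code. The function name and the trusted-writer list (modeled on the default Program Files permissions) are assumptions.

```powershell
# Added example: lists Allow ACEs that give write-type access on a directory to
# any principal outside a trusted-writer list. No output means no such ACE exists.
# Assumption: the list mirrors the default Program Files ACL; adjust to local policy.
$TrustedWriterSids = @(
    'S-1-5-18',      # NT AUTHORITY\SYSTEM
    'S-1-5-32-544',  # BUILTIN\Administrators
    'S-1-3-0',       # CREATOR OWNER (only matters if someone else can already create files)
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'  # NT SERVICE\TrustedInstaller
)

# Rights that allow changing the directory's contents or its ACL, plus the raw
# GENERIC_WRITE (0x40000000) and GENERIC_ALL (0x10000000) bits that can appear
# unmapped in inheritable ACEs.
$Fsr = [System.Security.AccessControl.FileSystemRights]
$WriteMask = [int]($Fsr::Write -bor $Fsr::Delete -bor $Fsr::DeleteSubdirectoriesAndFiles -bor
                   $Fsr::ChangePermissions -bor $Fsr::TakeOwnership) -bor 0x40000000 -bor 0x10000000

function Get-UntrustedWriteAce {
    param([Parameter(Mandatory)][string]$Path)

    $acl = Get-Acl -LiteralPath $Path
    # Request SIDs directly so localized or unresolvable account names do not matter.
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])

    foreach ($rule in $rules) {
        if ($rule.AccessControlType -ne 'Allow') { continue }
        if (([int]$rule.FileSystemRights -band $WriteMask) -eq 0) { continue }
        if ($TrustedWriterSids -contains $rule.IdentityReference.Value) { continue }

        # Inherit-only ACEs are reported too: they make files created below $Path writable.
        [pscustomobject]@{
            Path      = $Path
            Sid       = $rule.IdentityReference.Value
            Rights    = $rule.FileSystemRights
            Inherited = $rule.IsInherited
            Flags     = $rule.InheritanceFlags
        }
    }
}

# Usage (placeholder path, replace with the directory chosen for the agent):
# Get-UntrustedWriteAce -Path '<custom install directory>'
```

Run it against the target directory before installing and again afterwards. Any row returned identifies an entry to remove or tighten before the agent is deployed to that path.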

User write access to Windows registry data

Standard users should not be allowed to modify any registry data, especially anything that would affect how Windows normally operates. Certain registry data, such as anything under HKEY_CLASSES_ROOT\Classes, should be protected as much as reasonably possible (blocking regedit.exe, reg.exe, PowerShell, and/or putting third-party security filters in place). Windows provides mechanisms that could allow standard users to alter the behavior of built-in Windows functionality that is defined through HKCR\Classes-related registry keys. More specifically, care should be taken to protect data written to HKEY_CURRENT_USER\Software\Classes so that no user can add registry data to this path that alters predefined system behavior. Monitoring rules should be in place to detect when unwanted modification occurs in this registry path.
