CIS-4.8 / AC-6 / A.8.19 CIS Controls v8

Are regular staff prevented from installing software on their work computers?

Description

What this control does

This control restricts the ability of standard users to install, modify, or execute unauthorized software on organizational workstations and laptops by enforcing least-privilege access policies through technical controls such as operating system permission restrictions, application allowlisting, or endpoint management solutions. Implementation typically involves removing local administrator rights from regular user accounts and configuring group policies or mobile device management (MDM) platforms to block installation attempts. Removing administrator rights on its own only blocks per-machine installs (those that write to Program Files or HKLM); it does not stop per-user installers, portable executables, or browser extensions that live entirely in the user profile, so application control (allowlisting) is needed to cover those paths. Together these measures reduce the attack surface by preventing malware delivery through social engineering, limiting shadow IT proliferation, and maintaining a standardized, auditable software baseline across the enterprise.

Control objective

What auditing this proves

Demonstrate that standard users lack technical permissions to install software on organizational endpoints and that administrative controls enforce this restriction consistently across the computing environment.

Associated risks

Risks this control addresses

  • Users inadvertently install malware or trojanized applications delivered through phishing emails or malicious websites, leading to system compromise
  • Ransomware payloads execute with elevated privileges when users retain local administrator rights, enabling lateral movement and encryption of network resources
  • Unlicensed or pirated software introduces legal liability and potential backdoors or vulnerabilities that bypass patch management processes
  • Shadow IT applications lacking security review create unmanaged data exfiltration paths and bypass data loss prevention controls
  • Incompatible or poorly coded applications destabilize operating systems, causing business disruption and increased help desk workload
  • Attackers exploit privilege escalation vulnerabilities in third-party installers to gain persistent administrative access to endpoints
  • Audit trails become incomplete when unmanaged software executes outside centralized logging and monitoring infrastructure

Testing procedure

How an auditor verifies this control

  1. Obtain the current organizational policy document defining software installation restrictions and user privilege standards
  2. Export Active Directory group policy objects (GPOs) or equivalent configuration profiles controlling user permissions and software restriction policies
  3. Select a stratified random sample of at least 20 endpoints across departments, operating systems, and user roles for technical validation
  4. Log into sampled endpoints using standard user credentials and attempt to install representative software packages (e.g., browser extensions, standalone applications, system utilities); test both per-machine installers, which require elevation, and per-user installers and portable executables that write only to the user profile, since the latter are not blocked by removing administrator rights alone
  5. Review endpoint management or EDR console (e.g., Microsoft Intune, JAMF, CrowdStrike) configurations to verify that application allowlist or blocklist policies are enforced, not merely running in audit mode
  6. Query endpoint logs and security information and event management (SIEM) systems for unauthorized installation attempts and alerting rules within the past 90 days
  7. Interview IT support staff to confirm the privileged access request workflow and document evidence of approved temporary elevation procedures
  8. Cross-reference sampled endpoints' local group memberships to verify standard users are not members of Administrators, Power Users, or equivalent elevated groups, either directly or through a nested domain group (for example, a domain-wide group added to the local Administrators group)
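
The following PowerShell script is an added example, not part of the original control page or of any vendor's tooling. It is run interactively as a standard (non-admin) user on a sampled Windows 10/11 endpoint and collects the endpoint-side evidence behind steps 4, 6 and 8 without installing anything: local Administrators membership, a non-destructive write probe into Program Files, the Windows Installer policy values that would let a standard user install anyway, the effective AppLocker decision for an executable placed in the user profile, and the count of AppLocker enforcement events over the last 90 days. It assumes PowerShell 5.1 or later, the built-in Microsoft.PowerShell.LocalAccounts module, and AppLocker as the application-control mechanism; the `$report` variable and the probe file names are this script's own choices.

```powershell
# Added example, not part of the original control page: an endpoint-side audit run
# interactively as a STANDARD (non-admin) user on a sampled Windows 10/11 endpoint.
# It gathers the evidence behind steps 4, 6 and 8 without installing anything.
# Assumptions: PowerShell 5.1 or later, the Microsoft.PowerShell.LocalAccounts module
# (built into Windows 10/11), and AppLocker as the application-control mechanism.
# The $report variable and the probe file names are this script's own choices.

$report = [ordered]@{ Computer = $env:COMPUTERNAME }

# Step 8 (endpoint side): is the interactive user an administrator, and who is in the
# local Administrators group? Nested domain groups are listed by name, so a group such
# as "Domain Users" appearing here is a finding even if the user is not a direct member.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = [Security.Principal.WindowsPrincipal]$identity
$report.User    = $identity.Name
$report.IsAdmin = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
$report.LocalAdmins = @(Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue |
    ForEach-Object { '{0}:{1}' -f $_.ObjectClass, $_.Name }) -join '; '

# Step 4, per-machine install path: a standard user must not be able to write under
# Program Files. The probe creates and deletes an empty file; no software is installed.
$probe = Join-Path $env:ProgramFiles ('audit-probe-{0}.txt' -f [guid]::NewGuid())
try {
    New-Item -ItemType File -Path $probe -ErrorAction Stop | Out-Null
    Remove-Item $probe -ErrorAction SilentlyContinue
    $report.ProgramFilesWritable = $true      # finding
} catch {
    $report.ProgramFilesWritable = $false     # expected: access denied
}

# Step 4, Windows Installer policy: AlwaysInstallElevated=1 in BOTH hives lets any MSI
# run by a standard user install as SYSTEM, defeating the control even without admin
# rights. DisableUserInstalls=1 blocks per-user MSI installs, which need no admin rights.
$msiKey = 'SOFTWARE\Policies\Microsoft\Windows\Installer'
$hklm = Get-ItemProperty "HKLM:\$msiKey" -ErrorAction SilentlyContinue
$hkcu = Get-ItemProperty "HKCU:\$msiKey" -ErrorAction SilentlyContinue
$report.AlwaysInstallElevated = ($hklm.AlwaysInstallElevated -eq 1) -and ($hkcu.AlwaysInstallElevated -eq 1)
$report.PerUserMsiDisabled    = ($hklm.DisableUserInstalls -eq 1)

# Step 4, per-user install path: would an executable dropped into the user profile be
# allowed to run? Test-AppLockerPolicy evaluates the effective rules without executing
# the file. The copied binary is Microsoft-signed; if the policy has a publisher rule
# trusting Microsoft, substitute an unsigned sample so the path rules are what is tested.
$sample = Join-Path $env:LOCALAPPDATA 'audit-sample.exe'
Copy-Item "$env:SystemRoot\System32\notepad.exe" $sample -Force
$policy = Get-AppLockerPolicy -Effective -ErrorAction SilentlyContinue
if ($policy) {
    $decision = Test-AppLockerPolicy -PolicyObject $policy -Path $sample -User $identity.Name
    $report.UserProfileExeDecision = $decision.PolicyDecision      # expect Denied or DeniedByDefault
} else {
    $report.UserProfileExeDecision = 'NoEffectiveAppLockerPolicy'  # finding unless WDAC is in use
}
Remove-Item $sample -ErrorAction SilentlyContinue

# Step 6 (endpoint side): count enforcement events from the AppLocker channels over the
# last 90 days. 8004 = EXE/DLL blocked, 8007 = MSI/script blocked. The SIEM query in
# step 6 should return the same events if the channel is being forwarded.
$blocked = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-AppLocker/EXE and DLL', 'Microsoft-Windows-AppLocker/MSI and Script'
    Id        = 8004, 8007
    StartTime = (Get-Date).AddDays(-90)
} -ErrorAction SilentlyContinue
$report.BlockedEvents90d = @($blocked).Count

# One record per sampled endpoint; collect these into the evidence package.
[pscustomobject]$report | Format-List
```

A passing endpoint shows IsAdmin False, no user-level principal or broad domain group in LocalAdmins, ProgramFilesWritable False, AlwaysInstallElevated False, and a Denied or DeniedByDefault decision for the user-profile executable; a zero BlockedEvents90d count is not a failure by itself but should be reconciled against the SIEM results in step 6. The GPO export for step 2 comes from a domain controller or RSAT host (`Get-GPOReport -All -ReportType Xml -Path gpos.xml`) rather than from the endpoint, so it is outside this script.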

Evidence required

Collect GPO export files showing software restriction or application control policies and user rights assignments, screenshots of failed installation attempts from standard user accounts on sampled endpoints, endpoint management console configuration reports demonstrating enforcement of application control rules, SIEM query results showing blocked installation events and associated alerts, privileged access management logs evidencing controlled elevation workflows, and local Administrators group membership reports collected from the sampled endpoints (including any directory groups nested into them).

Pass criteria

All sampled standard user accounts lack local administrator rights and cannot successfully install software without documented approval through the privileged access request process, and technical controls demonstrably block unauthorized installation attempts across all tested endpoints.