In a security context, the ideal situation is to reformat the machines and reinstall everything from scratch and secure everything before putting the machines on the network, since we cannot establish 100% integrity of an unsecured network. However, in real life this is simply too costly for many companies, and is a huge task to undertake, not to mention lost productivity usually encountered in big deployment projects. So the next best thing is to secure the existing machines with the different tools covered so far in this paper, and take the bet that these new security measures will be able to stop, or at least detect, any previous security breach.
As we have seen above, it is very costly to make an enterprise-wide software deployment by going from machine to machine (I still often see it done this way), and it opens the door to human mistakes. In the case of a simple configuration change, we have seen that Security Expression was letting us do the changes remotely. It is also possible, with the use of scripts, to use it to deploy software. However, another approach that I favor particularly, is to create custom installation packages (with a software like InstallRite, which is free) according to our specifications. The installation of this custom package on a machine will not need any other effort to make its configuration match our specifications.
InstallRite works by taking a snapshot of all your hard disk and registry content, before and after the installation of your software, and identifies the changes made to the system by the installation (files or registry keys that have been added, removed or modified). It can then extract these files and registry keys and create a self-extract program that will automatically install the software with the desired configuration. The trick is of course to configure your software as you want it to be before taking the second snapshot of your system. So you can use this to deploy your pre-configured antivirus, personal firewalls and just any other productivity software you may want to deploy. The installation itself can then be launched from the login script or any other method you prefer.
6. Optimising applications security
8. Costs and savings