Security

The reason I make a gripe list is because I believe there is a balance between necessary security and functionality. We all know vendors make bad architectural decisions with their applications and sometimes utopian security concepts cause more grief than reduction of support costs and real world security. I have been scripting in some secure environments and I'd like to see what policies have caused you grief. Here is my list of top security configurations that have caused me fun.


Windows Installer's DisableBrowse has caused upgrades using different source paths and REINSTALL=ALL to fail.

Restriciting access to the security eventlog will prevent Windows Installer 3.1 from installing.

Locking down access to HKCR for end users causes huge ammounts of scripting overhead finding all the registry keys that need to be opened up so the app will work. Maybe it is the apps I work with but you'd be suprised how many apps need to manipulate this hive.

Enabling cab signing is more of a pain in the ______. Apps that do not allow you to make an administrative installation but use many cab files require some jumping through hoops to sign all the cabs.