Prevent users from running portable version of Anydesk
Posted by IlijaS96@reddit | sysadmin | 124 comments
Hi all,
Is there an option to prevent users from using the portable version of Anydesk?
They are not local admins, so they can't install classic Anydesk/Teamviewer, but I saw them using the portable version. Can it be done by GPO or something similar?
Thanks.
SevaraB@reddit
Applocker can do this, BUT you're heading down a very slippery slope... when you start restricting executable files in user profiles, it's very easy to accidentally tighten things down so hard that it breaks Windows for your users.
Also... where's your endpoint security product in all this? If you've got Windows Defender Firewall or whatever else you want to use configured properly, Anydesk should be neutered even if they can launch the portable version... because the app isn't allowed to send any network traffic out from the computer.
TheJesusGuy@reddit
As a one-man team I can vouch for app/etc whitelisting being completely unmanageable on my own. There's no way I could stay on top of that.
marklein@reddit
ThreatLocker makes it easy. I'm one man managing around 300 endpoints with app whitelisting.
TheJesusGuy@reddit
But that costs money..
Bird_SysAdmin@reddit
and a lot of setup/onboarding time
Ok-Juggernaut-4698@reddit
Do you want free or do you want easy?
You won't get both.
marklein@reddit
I don't spend more than a few minutes onboarding new clients to TL. The whole point of it is that it's fast and easy.
Bird_SysAdmin@reddit
The learning mode makes things easier than AppLocker for sure, but to refine it and truly build the correct policies takes time.
Valkeyere@reddit
This is the truth. We implemented it after like 6 months internal learning mode. Still fucks me out of doing my day job on the reg.
Bird_SysAdmin@reddit
Security vs convenience sliding scale strikes again
Admirable-Fail1250@reddit
Software Restriction Policies still works and is built in to AD and Windows.
marklein@reddit
I know (assume) that you're just reflecting the constraints that your management have put on IT. But security breaches cost money too. The basic version of TL costs less than $2. Does your org use hotmail for your business email because 365 costs money? Hell no. Make the business case for it using dollars (because that's all mgmt understands) lost in a breach or from shadow IT. It's cheap insurance, even more so considering how effective it is.
Admirable-Fail1250@reddit
I think it depends on the size and complexity of the software your users use.
99% of our computers run everything either from c:\windows or c:\program files, which are read-only for non-admins by default and whitelisted by default.
There are a few workstations that run specific programs from the appdata folders - those exe files are whitelisted by hash or certificate. A few times a year I usually have to whitelist a new "upgrade.exe" file, then whitelist the new "application.exe" file, but it's not that much of a pain.
I've been doing this for about 10 years now and I usually don't have to mess with the settings on average more than twice a month.
Unable-Entrance3110@reddit
This is exactly my experience as well
chum-guzzling-shark@reddit
I disagree. App locker is not bad at all and has auditing tools to make it easier to deploy.
ZY6K9fw4tJ5fNvKx@reddit
Put applocker in learning mode, after a month you have enough info. You can also whitelist certificates, that makes it future proof.
Did that with a 3 man team with 800 desktops/1500 users. Best security decision I made.
Unable-Entrance3110@reddit
I am doing it alright with minimal effort by myself. I am using BeyondTrust's Privilege Management, though so maybe the rules are easier to manage than with AppLocker.
The biggest problem is devs that ship unsigned executables AND install to user-writable locations. In those cases, I do need to get creative with my allow permissions which often include file hashes.
If they install to Program Files, have the proper admin ownership and file system permissions (directory isn't user writable), no further custom rule is needed.
Vendors that sign their executables are easy to whitelist since you just do an exact match on the publisher attribute in the certificate.
DGC_David@reddit
As a troublemaker who would find ways around the company's firewalls to continue to do whatever I want (in IT it's allowed, just can't be mad when it's later fixed due to your testing) and the last paragraph is the best answer. While Applocker can handle it, it's way better and easier to prevent it on a network level.
thortgot@reddit
Blocking it on the corporate network does help but if someone is trying to circumvent controls, it's pointless. A mobile hotspot bypasses the firewall.
Sinsilenc@reddit
Not when you tie it into the local firewall rules. I can block traffic no matter what corp device they are on.
thortgot@reddit
How do you manage a case like this? Blacklisting destinations? Or do you whitelist applications for network access?
Sinsilenc@reddit
https://support.anydesk.com/knowledge/firewall use their own rules against them. Block the anydesk app in your firewall explicitly then add in their specific ports against the .exe.
thortgot@reddit
While that works against casual abuse of installed apps it doesn't solve the issue at hand here.
The user in this case is using the portable version, simply renaming the file bypasses an .exe control.
Heck, even with their fully installed client, nothing stops the user from simply copying the .exe into their user space and executing from there. DLL linkage will still work. Renaming if path is a variable in your firewall rules.
DGC_David@reddit
True, but I would argue this is as secure as you need to go if the user both doesn't have Admin Rights and doesn't have network privileges to change this... Another way is to go clientless, like Mesh Central hosts the remote, and you only connect via an online portal.
thortgot@reddit
A user doesn't need admin to run tools like anydesk, or to connect to a mobile hotspot (no admin rights required to connect to a WiFi network or to use a USB hotspot, unless you've specifically disabled these entirely).
An ethernet to USB C adapter for a phone and provision a hotspot network also works. If a desktop accepts DHCP over ethernet, you can't assure it's only connecting to your network without a ton of work.
Clientless (Citrix, W365 etc.) is a very different architecture of an environment that could make just as much work for you as correctly implementing execution control.
yehuda1@reddit
Application whitelisting is one of the most effective ways to increase security. Although one of the most expensive ways (in terms of setup and maintenance).
SevaraB@reddit
Allow listing application execution is just an effective way to increase your ticket queues and make busy work, because the base Windows OS alone can involve hundreds of executables. Allow listing network traffic from applications avoids somebody going rogue and onboarding network applications without going through proper procedures, which is exactly what OP is complaining has happened here.
yehuda1@reddit
That's why it's expensive. You can hire experts to do it manually or implement a security solution that handles the common challenges.
But you are right, OP asked how to prevent users from using team viewer and anydesk. These apps are usually useless without network traffic, and restricting network based on an application white list is easier than restricting app execution.
SevaraB@reddit
No. That thinking worked in the 1980s and 1990s when it took 2-5 years for a major OS update to happen, but modern OSes are too dynamic and updated too frequently for any system involving allow-listing processes to scale. Those systems aren't human-comprehensible and aren't meant to be.
What process-level allow listing will get you nowadays is systems that are FAR behind on security patches, because your allow list management can never keep up with the cadence of system updates.
It's like deep packet inspection- sounds great in theory, but the infrastructure to actually do it at wire rate for an entire enterprise never scaled down to where that single enterprise could afford to do it in-house, and I'm at a company large enough to say that confidently. We use Zscaler, because Zscaler amortized the massive investment across all their customers, but even that turned out to have so many gotchas that it turned out to be physically impossible to inspect 100% of traffic.
yehuda1@reddit
So all current vendors are still in the 90s?
OS executables are usually signed; if you decide to trust Microsoft you don't need to manually whitelist every new executable.
I think it is wrong to compare DPI to the cadence of system updates.
If managed correctly - I don't want all my users to have the new adobe reader just because Adobe decides they have to try a new feature.
Application whitelist is usually used alongside patch management, so the approved list of apps should be in sync with the whitelist.
Of course this is not suitable for every type of workstation. I wouldn't want to work as a developer in a company that requires special permission for every new application I want to use. But most end users in the world don't need that flexibility. The amount of vulnerabilities you can neutralize by this is huge.
Admirable-Fail1250@reddit
Pretty much any ransomware infection I've read about could have been prevented if the user didn't have admin rights and/or app whitelisting was in place.
thortgot@reddit
The base Windows OS apps are all signed by Microsoft. It's trivial to allow application execution based on a publisher signature.
Gathering all the applications that you need to approve isn't that bad, you deploy a policy that puts in "warn" state that creates an event log for all instances that aren't approved.
Funnel those event logs centrally, match for your approved executables, add the publishers of those apps to your allowed list, repeat until you are satisfied.
Roll out to a small section of your environment at a time (the riskiest first) before continuing to the remainder of your systems.
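The collect-match-approve loop described above, as an added PowerShell example (not code from any poster): pull AppLocker audit events from pilot machines, summarize what would have been blocked, and emit publisher rules for the signers you approve. The computer names, the approved-publisher patterns and the GPO LDAP path are placeholders.

```powershell
# Added example: harvest AppLocker "would have been blocked" events from pilot machines
# and turn the approved signers into publisher rules. Needs the AppLocker module and
# remote event log access (WinRM / Remote Event Log Management) to the pilot hosts.
$Computers          = @('WKS-PILOT-01', 'WKS-PILOT-02')                  # placeholder hostnames
$ApprovedPublishers = @('O=MICROSOFT CORPORATION*', 'O=ADOBE INC.*')     # placeholder -like patterns
$LogName            = 'Microsoft-Windows-AppLocker/EXE and DLL'
$AuditedId          = 8003   # 8003 = would have been blocked (audit mode); 8004 = actually blocked

# 1. Funnel the events centrally.
$events = foreach ($c in $Computers) {
    try {
        Get-WinEvent -ComputerName $c -FilterHashtable @{ LogName = $LogName; Id = $AuditedId } -ErrorAction Stop
    } catch {
        Write-Warning "No audit events from ${c}: $($_.Exception.Message)"
    }
}

# 2. Pull the useful fields out of each event's XML payload. The Fqbn field is
#    "publisher\product\binary\version"; unsigned files carry "-" instead.
$rows = foreach ($e in $events) {
    $d = ([xml]$e.ToXml()).Event.UserData.RuleAndFileData
    [pscustomobject]@{
        Computer  = $e.MachineName
        User      = $d.TargetUser
        FilePath  = $d.FilePath
        Publisher = ($d.Fqbn -split '\\')[0]
        Fqbn      = $d.Fqbn
    }
}

# 3. Summarize: what would be blocked, by signer and path, most frequent first.
$rows | Group-Object Publisher, FilePath | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# 4. Match the observed signers against the approved list. Unsigned hits ("-") are
#    deliberately skipped: they need hash rules, which must be re-issued on every update.
$pubs = $rows.Publisher | Where-Object { $_ -and $_ -ne '-' } | Sort-Object -Unique |
        Where-Object { $p = $_; $ApprovedPublishers | Where-Object { $p -like $_ } }

# 5. Write an Allow-by-publisher rule for each approved signer (any product, binary, version).
$sb = [System.Text.StringBuilder]::new()
[void]$sb.AppendLine('<AppLockerPolicy Version="1">')
[void]$sb.AppendLine('  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">')
foreach ($p in $pubs) {
    $id   = [guid]::NewGuid()
    $name = [System.Security.SecurityElement]::Escape("Allow publisher $p")
    $pn   = [System.Security.SecurityElement]::Escape($p)
    [void]$sb.AppendLine(@"
    <FilePublisherRule Id="$id" Name="$name" Description="Generated from audit events" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePublisherCondition PublisherName="$pn" ProductName="*" BinaryName="*">
          <BinaryVersionRange LowSection="*" HighSection="*" />
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
"@)
}
[void]$sb.AppendLine('  </RuleCollection>')
[void]$sb.AppendLine('</AppLockerPolicy>')
$sb.ToString() | Set-Content -Path .\AppLocker-publishers.xml -Encoding UTF8

# 6. Review the XML, merge it into the GPO (keeps existing rules), wait, and repeat from step 1.
# Set-AppLockerPolicy -XmlPolicy .\AppLocker-publishers.xml -Merge -Ldap 'LDAP://<your GPO path>'   # placeholder
```

Flip `EnforcementMode` to `Enabled` only once a full audit cycle produces no unexpected 8003 events on the pilot group.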
SevaraB@reddit
So are a ton of free-to-use downloadable tools that the business may not want to allow everyone carte blanche to use. That's a really blunt hammer.
thortgot@reddit
Example?
SevaraB@reddit
For starters, any AppX package distributed through the Windows Store (including 3rd parties like AnyDesk).
thortgot@reddit
I think I understand the concern here. The AppX package uploaded (and downloaded) is signed by Microsoft as part of their distribution security to prevent tampering. The same as Intune packaging.
The actual .exe's themselves (C:\Program Files\WindowsApps\$AppXpath\*.exe) are signed by the developer themselves.
mnvoronin@reddit
For the OP's use case, publisher-based blacklisting should be sufficient.
slugshead@reddit
Don't explicitly deny exe's, use the signatures/publishers/version
throwmeoff123098765@reddit
Applocker is how you do it
hmartin8826@reddit
Consider writing and deploying a custom service if the process name is consistent. If the network endpoints are consistent, consider firewall rules.
HITACHIMAGICWANDS@reddit
Could you not block Anydesk’s external IP and break it? That seems like the simpler option IMO. I’m sure they have a publicly available IP range
danielcoh92@reddit
I used the AV to block the run of anydesk using the certificate hash they use to sign the exe file. Right click on it -> Digital signatures -> details and get the serial number / thumbprint depending on what your AV supports. It's pretty simple on SentinelOne.
JMejia5429@reddit
Why are they allowed to run things off unauthorized locations like \windows, \program files , and \program files (x86)? Disallow all unauthorized locations and problem solved. Need a reason why? Malware, ransomware, etc. That's generally the starting point, user downloads some shady shit and bam. Yeah your XDR/EDR SHOULD get it but why risk it. Block it before it can even run.
derohnenase@reddit
If those are unauthorized, does that mean we should permit \Users instead?
JMejia5429@reddit
I edited my mistake. If it was r/shittysysadmin, give them admin rights :)
Graham99t@reddit
You can't. Haha
MReprogle@reddit
Very helpful
King_Tamino@reddit
Portable Installations always use the same temp folder somewhere in %Appdata% IIRC.
Besides all the mentioned things already, you could also create a folder named exactly like that in advance and remove all write access except for admins. That way, if the user tries to do it, it should fail.
Not the best solution but probably one of the easiest that you could enroll on a bunch of devices without breaking anything. Just a small script that checks if the folder exists, if not then creates it and then adjusts the permissions. Limit it via GPO to a group that contains all end-user clients or better, end users, and you are done.
In a similar way you could also keep track of installations done by the users. Run a script that checks if the folder exists and gives you feedback in a way that you prefer. Could be a simple .txt created when such a folder is detected and dropped in a folder with basic information like device, user and so on.
Sushi-And-The-Beast@reddit
grab the md5 hash from the portable version and add it to your blocked apps on your security software and gpos...
ODJIN5000@reddit
We use threatdown.. They can download the portable app but can't run it basically
Admirable-Fail1250@reddit
Software Restriction Policies still work and is built into AD and Windows.
Configure it with the defaults (deny anything that isn't whitelisted, and c:\windows and c:\program files are whitelisted) and apply the GPO to just one or two workstations. Start using the workstation as a normal user and make note of anything that isn't running - unfortunately in today's world there are a lot of programs that run in appdata.
Whitelist the ones that need to be whitelisted - hash or certificate. I don't recommend whitelisting based on path since a savvy user could just rename their desired exe to whatever is whitelisted.
It won't take long to get everything working smoothly. Then you can apply the GPO to the rest of the network.
This doesn't work on users that run as local admins - but it gives a great reason to remove that if any do (aside from the standard reasons on why it's not a good idea to run as an admin).
burundilapp@reddit
Applocker, you can set rules so users can run any files from central locations like \program files\ but they can only run specified executables from the areas they can write to as a regular user.
Takes a little setting up but works well and once in place doesn't need touching much.
IlijaS96@reddit (OP)
This one sounds interesting. Can you give me a little bit of detail about how I can set it up?
burundilapp@reddit
When you create a GPO for Applocker it should create 2 default rules to allow the Windows folder and the Program Files folder, leave them in.
We added a DENY rule for the path 'C:\Users\*\*' and then we add Exceptions to that rule for software we want the user to be able to run from their profile location. We add publishers such as Microsoft, Adobe, Citrix, etc... in there and some paths, we don't use file hashes.
You'll find a lot of apps get blocked but Windows itself should work fine; we worked through our standard apps list and allowed them one by one until we had a working standard machine again.
AppLocker has its own event log in Event Viewer to make it easy to find what it's blocking.
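The policy shape described in this answer, as an added PowerShell example (not the poster's own configuration): the two default allow rules, a DENY on the user-profile tree, and publisher exceptions under that deny, applied in audit mode on a pilot machine and dry-run with Test-AppLockerPolicy. The Microsoft publisher string is real; any further publishers, and the sample file paths, are placeholders you read from your own binaries.

```powershell
# Added example: "allow Windows and Program Files, deny C:\Users\*\*, except trusted publishers".
# Requires the AppLocker module. Enforcement also needs the Application Identity service
# (AppIDSvc) running; in a domain, set that via the same GPO that carries the policy.
$policyPath = Join-Path $env:TEMP 'AppLocker-UsersDeny.xml'

# To add a publisher exception, read the exact PublisherName string from a signed binary:
#   (Get-AppLockerFileInformation -Path 'C:\Program Files\Vendor\app.exe').Publisher.PublisherName
$policy = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
    <!-- The two default rules the GPO wizard creates -->
    <FilePathRule Id="$([guid]::NewGuid())" Name="(Default Rule) All files located in the Program Files folder" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="(Default Rule) All files located in the Windows folder" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
    </FilePathRule>
    <!-- Deny everything under the user profiles, except binaries signed by publishers we trust -->
    <FilePathRule Id="$([guid]::NewGuid())" Name="Deny user-profile executables" Description="Portable apps, downloads, per-user installers" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions><FilePathCondition Path="%OSDRIVE%\Users\*\*" /></Conditions>
      <Exceptions>
        <FilePublisherCondition PublisherName="O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" ProductName="*" BinaryName="*">
          <BinaryVersionRange LowSection="*" HighSection="*" />
        </FilePublisherCondition>
        <!-- add further FilePublisherCondition elements here (Adobe, Citrix, ...) -->
      </Exceptions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"@
$policy | Set-Content -Path $policyPath -Encoding UTF8

# Dry run before applying: evaluate sample files as "Everyone". PolicyDecision shows
# Allowed/Denied and MatchingRule shows which rule (or exception) produced that result.
$samples = @(
    (Join-Path $env:USERPROFILE 'Downloads\AnyDesk.exe'),       # placeholder: a portable app in a profile
    (Join-Path $env:TEMP 'signed-copy.exe'),                      # a signed binary copied into the profile
    "$env:ProgramFiles\Internet Explorer\iexplore.exe"            # something under Program Files
)
Copy-Item "$env:WINDIR\System32\notepad.exe" (Join-Path $env:TEMP 'signed-copy.exe') -Force
$samples | Where-Object { Test-Path $_ } | ForEach-Object {
    Test-AppLockerPolicy -XmlPolicy $policyPath -Path $_ -User Everyone
} | Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# Apply locally on the pilot box (replaces the local policy; add -Merge to keep existing rules),
# then watch the "Microsoft-Windows-AppLocker/EXE and DLL" log for 8003 events.
# Set-AppLockerPolicy -XmlPolicy $policyPath
```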
scratchduffer@reddit
Does this block the user from creating c:\temp and saving the .exe there and launching? I take it it should be from your first line?
Admirable-Fail1250@reddit
It probably won't prevent the user from creating the folder or copying the exe but it should prevent the user from launching it. This is assuming applocker is configured to deny by default and only allow what is whitelisted.
Kurosanti@reddit
What's the problem you're trying to solve here?
What's the problem they are trying to solve when they keep installing Anydesk/TV?
IlijaS96@reddit (OP)
It's my client request, they want to prevent it on corporate level, maybe for some security reasons since they are financial institution...
redwiresystems@reddit
If they are a financial institution they must have a decent firewall just for compliance reasons, and if they have a firewall it should be trivial to block:
Watchguard's can do it with Application control, it literally has an option for Anydesk
Fortinet can block it under either Application control or ISDB just as easily
Palo Alto I haven't done it recently but I know folks who have with some custom rules
Basically it should be fairly trivial to do with their existing equipment, and while you are in there, you should likely do the same for TeamViewer and similar apps they will likely pivot to once AnyDesk stops working.
ZAFJB@reddit
You are missing the question:
edited slightly:
What's the problem the users are trying to solve by installing Anydesk/TV?
Aperture_Kubi@reddit
There was a post over on the IT rage subreddit where it was used as part of a phishing compromise.
I made a comment about looking into blocking AD/TV via applocker as we have an existing other remote assistance tool.
So there's no problem the users should be trying to solve on their own that requires other RA tools we don't have, and it's a bit of a proactive attempt at work.
Abandoned_Brain@reddit
This ^^.
As an IT professional you need to scope the client's/users' needs and wants. If people are using the portable version of AnyDesk, is it because they don't know better? Is it because they tried to install the full version and didn't have admin privileges? Then ask the deeper question: what is so important for an end user to run AnyDesk for? What are they trying to control remotely, and why? Is data moving? Is it to end-run a security block? Or is there a perfectly legitimate reason to ask for a remote-access solution and they can't get buy-in from management?
It's the "10,000 ft. view" part of IT's job, gather the info and make the best decision for the company as a whole, even if it's not your company.
kernpanic@reddit
There are some security standards around that mandate the blocking of any desk.
Natural_Sherbert_391@reddit
I would imagine the problem is they shouldn't be using it.
Kurosanti@reddit
So you're saying Brawndo is what plants crave?
Natural_Sherbert_391@reddit
What would you rather use? Water from the toilet?
Drivingmecrazeh@reddit
We blocked AnyDesk and many other RATs by doing it at the network level (DNS blocking with DNSFilter) and blocking it with a STAR rule with SentinelOne Storyline Active Response (STAR) rules. If the device is a mobile device, we use DNSFilter's Agent, to maintain DNS entries no matter where they connect from.
If they download the file with the digital certificate of Anydesk, etc., it will flag it as malicious, we get an immediate alert, and we have a discussion with HR and the employee.
linux_n00by@reddit
may I know why you don't like anydesk and teamviewer?
iiThecollector@reddit
IR dude here - 3rd party remote access tools present a serious security concern and are very commonly abused by threat actors.
Any remote access tools that you dont directly control is just begging for trouble.
linux_n00by@reddit
what do you guys use for remote support?
iiThecollector@reddit
In my current role it varies per client; if I need remote access we use what they approve of. Generally speaking bomgar/beyond trust, screenconnect, mstsc, or rmm remote desktop.
In my last role we used N-able’s RMM remote session feature.
Lots of good solutions for remote desktop, any of them are generally fine but they need to be very, very well secured. Bomgar/beyond trust is my favorite.
linux_n00by@reddit
just to be clear. anydesk and teamviewer are considered not secure because of the way they connect? like giving the ID and password.
the others you mentioned don't have that?
stromm@reddit
TeamViewer is frowned upon by most Enterprise level IT Security teams because it has a long history of critical vulnerabilities.
Where I work it’s been officially banned. And even though we implemented measures to force its removal and everyone was told “do not even try to use it”, people still try to
So the promise of termination was given. And quite a few people have actually been terminated for trying to use it.
Still others try.
iiThecollector@reddit
Sorry if I wasn't clear, I never explicitly said that anydesk or teamviewer are not secure. I said that any 3rd party tool that's not directly under your control is a huge risk. I specifically mentioned anydesk and teamviewer because they're free and they're commonly observed by threat actors (I've seen it plenty of times). So I consider those to be risky because of their lengthy history of abuse.
I really like a tool like bomgar/beyond trust because of the security controls that are baked into it admin side (app control, zero trust, segmentation, session logging and auditing, etc.) If you're using an RMM's remote session tool like N-able or Datto that's even better (in some cases) for remote support.
When it comes to a remote access tool I want: full control of what it can and can't do, I want verbose logging, I want to control access to that tool, and I want to limit/control who can do what with it. Once I have a tool picked, everything else is locked down and blocked (unless there is a specific use case for another tool).
R0NAM1@reddit
Applocker blocking all execution in C:/Users
judgethisyounutball@reddit
If it's corporate policy to not run any desk (portable or otherwise) maybe suggest to the client that they monitor rather than block, any instance found becomes a write up, in the case of repeat offenders, grounds for termination?
Moontoya@reddit
This is the way, throwing tech at wetware issues does not work
thortgot@reddit
Technology, when correctly applied, enforces the compliance policy to prevent at least casual abuse.
This is the equivalent of an open door being used in a trespass.
Moontoya@reddit
No, this is the equivalent of people propping fire doors open from the inside to get a breeze going, not listening to the adults telling them it's a bad idea / not legal / not safe behaviour.
thortgot@reddit
This is why fire doors have alarms attached to them. The indicator to leave the door closed is right on it, why do you need a technical control to prevent the behavior?
If a user doesn't have any indicator that the behavior is not allowed, how are they supposed to know?
Moontoya@reddit
the alarms were put on after people kept opening them - the original legislation for fire doors didn't include sounders.
the signage indicates the proper use of the fire door, warns of the alarm and warns of the consequences of tampering.
you don't need to know the full judicial code to comprehend "I will be arrested and bad stuff happens".
policy/procedure/education/understanding are the first approach - then you start piling technical solutions on top.
otherwise you can end up with scenarios where doors fail to locked, not fail to open - or someone chaining the door shut to stop the staff.
thortgot@reddit
If you expect a user to inherently know that Anydesk is a remote access tool that is in contravention to policy without warning them, you are setting them up for failure.
You don't need to relearn lessons from every instance and take each intervening step.
Let's take a clear example. Users are told not to make international phone calls over system X or they will be directly financially responsible for them.
Which is more effective?
A) Preventing users at a technical level (blocking country codes outside of those preauthorized)
Or
B) Assume that users are going to comply with the request 100% of the time? Have some failure condition for that to occur, run reports to associate international charges to users, handle those edge conditions in payroll etc.
Sqooky@reddit
I would say be cautious about saying this, because sometimes it's not a personnel issue. Policy should definitely be written that states "employees aren't allowed to use any unapproved remote access or remote management software", blah blah. But... sometimes it's a threat actor using any desk. Ex: https://thedfirreport.com/2024/04/01/from-onenote-to-ransomnote-an-ice-cold-intrusion/
mschuster91@reddit
The problem is, the more punishing IT processes become, the more desperate lengths users will go to to do their job.
You don't want writeups and firings as a consequence for unapproved software usage, you want investigation into why the user did this and to provide a supported way for them to accomplish what they were doing.
GhostDan@reddit
ok. My user is using a P2P app to download pirated software
What's my supported way to let them accomplish what they are doing?
You are thinking from a completely customer focused point of view, which is not entirely a bad thing, but there's some reasons why software is blocked AND should be a write up-able and fireable offense.
The software you installed that's not approved (or expressly forbidden) may have security vulnerabilities (like downloading pirated content that may have a virus) that could take down your entire network. You really think the best response to this is "Oh pish posh".
music2myear@reddit
Both perspectives are better than any one. Someone unsure the correct way to carry out their legitimate role is grounds for education and correction. Someone blatantly breaking good and reasonable policy for their own benefit and/or doing possibly illegal things on company resources that may open the company to serious financial or trust risk is quite another thing, and should be grounds for far stronger action.
highlord_fox@reddit
This. Sometimes the solution is a technical one, sometimes the solution is an HR one.
Issues happen when you try to apply a technological solution to a people problem (and vice versa).
robersniper@reddit
I'd rather get an alert and ask the user, through teams or whatever with a simple form, why he is using/downloading that program.
entrustcyber@reddit
What if you could block the AnyDesk traffic from UTM firewall. I had been plagued by this problems from a couple hundred “pajeets” until I blocked AnyDesk from SonicWall App Controls. Almost all firewalls these days have App Control feature. The lesser you play with Windows feature, the better are your days in IT department. Good luck!
unkiltedclansman@reddit
This sounds like an HR problem that they are trying to avoid confronting their staff about by using technical controls. It’ll turn into a game of whack a mole that you will get blamed for losing if the users figure a way around the controls with another app.
Recommend them to ban the practice through policy.
IlijaS96@reddit (OP)
I totally agree with that.
But it's client request and my duty is only to try to find a solution...
techierealtor@reddit
While I feel this, I disagree. Not all client requests are our duty to fix. Sometimes you need to advise best path.
I had one that wanted to put time to log in on their o365 accounts. I brought up a few factors of “what if someone works late that day due to high influx or short staff? Manager forgets to notify support and they are locked out.” “What if someone is called in to cover a shift due to call out? Manager forgets to notify us and they are locked out” this is an HR / Management problem, not an IT problem.
The best you can do is disable the urls at the firewall and log each attempt. They need to address it from there.
shemp33@reddit
No… you should not just take every request and say “ok…”. Ask why. In fact, you should ask why at least three levels deep. Ask what business problem they are solving. Then, once you can see the whole playing field, then and only then can you advise them on the best approach.
Moontoya@reddit
Send Jimmy "two fists" Giabioni in to have a chat...
Natural_Sherbert_391@reddit
There should be a policy out there, but you can't count on employees to obey them. Security is a game of whack a mole. There will always be new threats.
Stonewalled9999@reddit
I have yet to work in an environment where HR supports IT in any way like this.
caa_admin@reddit
I see this throughout the comments.
A blunt method is to write a service to kill it.
1 Is 'anydesk' running? Yes, kill process, sleep 45; goto 1
xendr0me@reddit
Can you do this at the firewall level, using application control/filters?
chefnee@reddit
What are your policies on disabling usb devices? This might not stop all of it but some success.
Barrerayy@reddit
You can do it via AppLocker... But just block it from your endpoint security / windows firewall or your network firewall.
And make it a policy that non authorised apps are not allowed (this should already be something that's enforced)
silentstorm2008@reddit
Block it on the network level. DNS filtering
Natural_Sherbert_391@reddit
Yes you can do this using Applocker.
IlijaS96@reddit (OP)
How can it be done? What would be primary condition? Publisher or maybe hashcode?
DueDisplay2185@reddit
You've got minimal posts in your profile. You're looking for information undeserving of answers. Fucking bot
Cube00@reddit
The proper (admittedly very costly) way is to work off a whitelist basis for AppLocker, not a blocklist, so you can then rest easy knowing anything unapproved, no matter what it might be, is safely blocked. There's plenty of Anydesk clones they can move on to.
Natural_Sherbert_391@reddit
If you are looking to block all AnyDesk products do it by publisher. Hash would be a bad choice since you'd need to go chasing down the new hash for every product each time it's updated.
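The publisher-versus-hash point made here, and the signature-inspection step from danielcoh92's comment above, as an added PowerShell example (not code from either poster): read the signer of a sample binary (thumbprint for AV consoles, AppLocker publisher tuple for AppLocker) and emit a DENY-by-publisher rule that survives version changes. The sample path and the GPO path are placeholders.

```powershell
# Added example: inspect a sample binary's signature and build an AppLocker publisher DENY rule.
# Requires the AppLocker module. Get-AuthenticodeSignature gives what the file's
# "Digital Signatures" tab shows; Get-AppLockerFileInformation gives the AppLocker view.
function Get-SignerInfo {
    param([Parameter(Mandatory)][string]$Path)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    $fi  = Get-AppLockerFileInformation -Path $Path
    [pscustomobject]@{
        Path          = $Path
        SignatureOK   = ($sig.Status -eq 'Valid')
        Subject       = $sig.SignerCertificate.Subject        # full certificate subject
        Thumbprint    = $sig.SignerCertificate.Thumbprint     # what AV/EDR consoles usually key on
        PublisherName = $fi.Publisher.PublisherName           # what AppLocker keys on: "O=..., L=..., S=..., C=..."
        ProductName   = $fi.Publisher.ProductName
        BinaryName    = $fi.Publisher.BinaryName
        Version       = $fi.Publisher.BinaryVersion
        Hash          = $fi.Hash.HashDataString               # SHA256; changes with every release
    }
}

function New-PublisherDenyRuleXml {
    param(
        [Parameter(Mandatory)][string]$PublisherName,
        [string]$ProductName = '*',                           # '*' = every product from this signer
        [string]$RuleName    = "Deny publisher $PublisherName"
    )
    $esc = { param($s) [System.Security.SecurityElement]::Escape($s) }
    # NOTE: merge this into a policy that already has the default Allow rules. Once an Exe
    # collection contains any rule, AppLocker blocks everything that is not explicitly allowed.
    @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="Enabled">
    <FilePublisherRule Id="$([guid]::NewGuid())" Name="$(& $esc $RuleName)" Description="Blocks every version, installed or portable" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions>
        <FilePublisherCondition PublisherName="$(& $esc $PublisherName)" ProductName="$(& $esc $ProductName)" BinaryName="*">
          <BinaryVersionRange LowSection="*" HighSection="*" />
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
  </RuleCollection>
</AppLockerPolicy>
"@
}

# Usage (sample path is a placeholder): inspect, then write the rule and merge it into the GPO.
$info = Get-SignerInfo -Path 'C:\Users\someone\Downloads\AnyDesk.exe'
$info | Format-List
if ($info.SignatureOK -and $info.PublisherName) {
    New-PublisherDenyRuleXml -PublisherName $info.PublisherName |
        Set-Content -Path .\Deny-publisher.xml -Encoding UTF8
    # Set-AppLockerPolicy -XmlPolicy .\Deny-publisher.xml -Merge -Ldap 'LDAP://<your GPO path>'   # placeholder
} else {
    Write-Warning 'Unsigned or invalid signature: only a hash rule is possible, and it must be re-issued for every new release.'
}
```

A deny rule scoped to `ProductName='*'` covers the portable and installed builds alike, as long as the vendor keeps signing with the same organisation name; watch the AppLocker log for 8004 events to confirm it fires.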
ccatlett1984@reddit
Applocker or WDAC
TrueStoriesIpromise@reddit
Applock rule to block executing from the Downloads folder, maybe desktop too.
cyberman0@reddit
There are a few options. Since it's a client I would find out the exact reason why. That changes how you can approach it.
I'd find a way to block the application depending on the environment setup and tools that changes how you approach it.
If it's a smaller client that just doesn't want it you could go simple. Block the exe , create a weekly run to uninstall that version of any desk. However you should test your options on a non used system on site as it can take some tweaking to get the uninstall to work.
The uninstall can be done a number of ways. Endpoint manager, GPO, or a simple batch script that runs after login for a group of users. It kinda depends on the environment and what tools you have. If it's a small client and not a security issue that is a policy problem or pushes them out of some security compliance thing. I'd probably keep it simple by creating a batch script to run after user login to run the uninstaller.
You need to find out the exact reason why and that changes how you have to approach it. Start there and maybe contact an engineer if your company has one as an escalation point for advice on next steps.
I'd probably block the exe,
leaflock7@reddit
you want them to use the installed version or none at all?
if you want to block Anydesk in general you can do it via app locker or your EDR/AV etc that has the ability to block apps.
IlijaS96@reddit (OP)
Ideal scenario is that they can't use the portable version and if someone needs Anydesk for real, he will ask and get the full version installed, since they can't install it on their own.
leaflock7@reddit
in this case pay for a custom domain (as any desk calls them) .
you get a custom installer which has a unique fingerprint and which you can whitelist and block any other any desk exes
Bitwise_Gamgee@reddit
Though I disagree with the logic here, the best way to go is to have a default block policy and then a white list.
jekksy@reddit
AppLocker
PM_THE_REAPER@reddit
Depending on your AV solution, I'd think you could block it there too.
drunkenitninja@reddit
Have you asked them why they're choosing to use the portable version? Are your systems locked down?
Honestly, this is a people management problem, not a technical one. If they're not supposed to be using the tool, then call out those that are, and let them know they'll be written up. Pretty simple solution.
IlijaS96@reddit (OP)
I totally agree with that.
But it's client request and my duty is only to try to find a solution...
drunkenitninja@reddit
Completely understand.
They've put you in an awkward position. Just because they request it, doesn't mean that it's the correct answer. As a sysadmin, you have a duty to inform them of the pros and cons of their request.
If they're not receptive to advice from a professional, implement whatever solution you deem fit for the request, and document that your suggestion was to not implement said solution, but you were requested to complete the request with a technical solution.
Satoshiman256@reddit
Get a Layer7 firewall and block it
Moontoya@reddit
Why are you trying to solve a wetware problem with hard/software solutions
Stoppit!
HR acceptable use policy should cover it, if they keep using it, punish them as per policy
You cannot put tech users, the universe will spawn better idiots faster than you can possibly hope to stop them
ZAFJB@reddit
AppLocker, or SRP
Booshur@reddit
We have Admin by request and it has a feature to block app installers.
visibleunderwater_-1@reddit
Block it via a GPO and Windows Firewall rules: https://www.mediarealm.com.au/articles/block-anydesk-network-guide/
enterrawolfe@reddit
You can use a DEP to block exe’s.
I don’t know how specific you’ll have to get about versioning.