The process of securely installing software in Windows is something that IT professionals grapple with, especially in an enterprise setting.
The idea of using package management in Windows is a recent development with Chocolatey and has brought additional security enhancements, especially with the Chocolatey for Business version. The Chocolatey folks have gone to great lengths to attempt to have Chocolatey as secure as possible for installing third-party software in Windows. In this article, I will go over some of these security features.
1. Community Moderation
One of the best features of Chocolatey is the sheer number of community software packages available to anyone (over 5,000). Users should feel good that each time a version of a package is submitted to the community repository, rigorous testing and vetting takes place and I can say this from personal experience as a package maintainer.
For packages that are not deemed to be “trusted” a human inspects the package to ensure it is compliant with Chocolatey’s standards. During moderation, any installers are also tested to ensure that HTTPS is used when possible. Keep in mind for enterprises, Chocolatey recommends internalizing packages to an internal repository, which means there is no need for packages to reach out to the internet at all during installation.
2. Chocolatey Agent
The Chocolatey agent is another licensed feature that allows a service in run in Windows that can run Chocolatey. By default, when the agent is installed, a local user account is created along with a random password. This account actually runs the service.
In addition, the agent can allow non-administrative users install software via self-service both from the CLI or with the Chocolatey GUI. Along with the agent, licensed users can also take advantages of a CDN for when internet URL’s break with 404 errors.
3. Software auditing
One of the newer features of the licensed version of Chocolatey is the ability to view for each package what time installation occurred and what user installed the software by auditing. This is done with the command choco list -lo --audit. With PowerShell, IT can easily run remoting commands on many machines at once to see when a particular software was installed.
4. Anti-Virus Integration
In addition to having community packages go through anti-virus scans during package moderation, packages also go through anti-virus scans at installation runtime on the client side for licensed users. Users have the choice of either integrating with the installed anti-virus software on the local machine or by using VirusTotal to compare to its database. Users can even set a specific number of “bad” antivirus sites that VirusTotal finds for a particular installer. If that threshold is over for the package at runtime, installation halts.
Chocolatey is the de facto Windows package manager. With its great integration with configuration management tools like Puppet and Chef, it makes for a perfect DevOps tool, but it also serves to be a great tool in general for an enterprise. Security is baked into Chocolatey (no pun intended) and certainly helps IT professionals feel better about installing software for both servers and end users.