Four Chocolatey Security Features
The process of securely installing software in Windows is something that IT professionals grapple with, especially in an enterprise setting.
Package management in Windows is a recent development, and Chocolatey has brought additional security enhancements with it, especially in the Chocolatey for Business version. The Chocolatey folks have gone to great lengths to make Chocolatey as secure as possible for installing third-party software in Windows. In this article, I will go over some of these security features.
1. Community Moderation
One of the best features of Chocolatey is the sheer number of community software packages available to anyone (over 5,000). Users should feel good that each time a version of a package is submitted to the community repository, rigorous testing and vetting take place; I can say this from personal experience as a package maintainer.
For packages that are not deemed to be “trusted”, a human inspects the package to ensure it is compliant with Chocolatey’s standards. During moderation, any installers are also tested to ensure that HTTPS is used when possible. Keep in mind that for enterprises, Chocolatey recommends internalizing packages into an internal repository, which means packages never need to reach out to the internet during installation.
2. Chocolatey Agent
The Chocolatey agent is another licensed feature: a Windows service that can run Chocolatey. By default, when the agent is installed, a local user account is created along with a random password. This account actually runs the service.
In addition, the agent can allow non-administrative users to install software via self-service, from either the CLI or the Chocolatey GUI. Along with the agent, licensed users can also take advantage of a CDN for when internet URLs break with 404 errors.
3. Software Auditing
One of the newer features of the licensed version of Chocolatey is auditing: the ability to see, for each package, when it was installed and which user installed it. This is done with the command choco list -lo --audit. With PowerShell, IT can easily run remoting commands on many machines at once to see when a particular piece of software was installed.
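As an added example (not from the original article), here is one way to fan that audit query out over several machines with PowerShell remoting and collect the result per computer. It assumes WinRM is enabled on the targets, that the caller has rights there, that the machines run a licensed Chocolatey, and that the audit details are printed on the lines following each package name; the hostnames and package name are placeholders.

```powershell
# Added example, not part of the original article or of Chocolatey itself.
# Runs `choco list -lo --audit` on each target and returns the lines that
# mention the requested package, tagged with the computer they came from.
param(
    [string[]]$ComputerName = @('WS01', 'WS02'),   # placeholder hostnames
    [string]$Package        = 'git'                # package to look for (assumed)
)

$remoteErrors = @()
$results = Invoke-Command -ComputerName $ComputerName `
    -ErrorAction SilentlyContinue -ErrorVariable remoteErrors `
    -ArgumentList $Package -ScriptBlock {
        param($pkg)
        # -lo    = only locally installed packages
        # --audit = licensed feature: adds who installed each package and when
        $lines = & choco list -lo --audit 2>&1 | ForEach-Object { "$_" }

        # Assumption: the audit detail follows the package line, so keep the
        # matching line plus the two lines after it.
        $matches = $lines | Select-String -Pattern "^$([regex]::Escape($pkg))\b" -Context 0, 2 |
            ForEach-Object { @($_.Line) + $_.Context.PostContext }

        [pscustomobject]@{
            Computer = $env:COMPUTERNAME
            ExitCode = $LASTEXITCODE
            Audit    = ($matches -join [Environment]::NewLine)
        }
    }

# Report machines that could not be reached rather than silently dropping them.
foreach ($err in $remoteErrors) {
    Write-Warning ("Unreachable: {0} ({1})" -f $err.TargetObject, $err.Exception.Message)
}

# Machines where the package is absent return an empty Audit field.
$results | Sort-Object Computer | Format-List Computer, ExitCode, Audit
```

Save it as a .ps1 and pass -ComputerName and -Package for the machines and package you care about; a non-zero ExitCode usually means Chocolatey itself failed on that host rather than that the package is missing.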