The Underlying Repository Is Crucial

Repositories make a significant contribution to the success of a package manager because only a comprehensive and up-to-date repository guarantees a good user experience when it comes to searching for and installing packages. A poorly maintained repository is not only unattractive, but it can put its users' systems at risk if the present version of a package is out of date.

The Chocolatey community repository contains several thousand packages, and some Chocolatey users exclusively rely on it to populate their systems. However, the packages in the community repository are not subject to any real quality control, which means that someone could maliciously release a package bearing the name of a popular application that damages the target systems when installed (Figure 1). This fact was also criticized by Beigi in one of his posts [3].

Figure 1: You need to take the warning on Chocolatey's website quite seriously.

If you want to use only trusted sources for your installations, you need to set up your own repository. The options to do so are described on the Chocolatey website [5] and range from a simple Universal Naming Convention (UNC) share to commercial products such as Artifactory Pro.

If you trust the source, you can add packages from a public repository to your own repository, which is known as internalizing. The instructions are included in the Chocolatey documentation. Depending on the edition, various tools are available for this purpose, but the community edition also supports the manual internalization of packages that originate from external repositories. Likewise, all editions of Chocolatey support addressing multiple repositories simultaneously. You can build a more complex repository landscape, for example, by having individual departments maintain their own repositories and make them available to the entire organization.

Licensed Chocolatey Editions

The community edition of Chocolatey (called the Open Source edition on the website) already includes everything you need to install and keep packages up to date on Windows systems; however, Chocolatey can do far more. Additional functions come with the two commercial editions.

The big advantage of the Pro edition is automatic synchronization of packages installed with Chocolatey and by other means. Therefore, systems set up before you rolled out Chocolatey can be included under Chocolatey's management umbrella. The Pro edition also comes with some additional PowerShell features to improve packaging further. Anti-malware integration is another useful feature of the licensed edition. You can use your installed antivirus software, an upload to VirusTotal, or both variants at the same time.

At the top of Chocolatey's package management tree is the Business (C4B) edition. In addition to numerous features of the installation engine, C4B includes a central management server that lets you track, say, which machines successfully installed a package and which did not. You can install the central management infrastructure in your data center or in Azure, where Chocolatey offers it as a pre-built Azure service.

Chocolatey and AppLocker

As mentioned previously, the Chocolatey package installs the executables in %ProgramData%. According to the default AppLocker rules, choco.exe would not be executable because the program is located in an unauthorized path, so you need to add an exception or an explicit permission rule for Chocolatey in your AppLocker configuration.

Another peculiarity of Chocolatey in the context of AppLocker is shimming. When you install Chocolatey, its installation path is included in the system's %PATH% environment variable. Not every Chocolatey package installer does this. To ensure that each program installed by Chocolatey can be reliably started by calling its name, Chocolatey creates an executable file of the same name in its own installation directory, which directs the input directly to the "real" program, receives the output from it, and returns it to the caller. Of course, these files are not digitally signed and are not known to the system in advance. In other words, the calls will probably be blocked by AppLocker, too, if you have not allowed the entire Chocolatey directory for execution. Incidentally, the shims are not removed when you uninstall packages.