
Windows 7 and Desktop Lockdown with Privilege Management

2010

TABLE OF CONTENTS

The Windows 7 Desktop Refresh and Security ............ 3
Principle of Least Privilege and Windows Desktops ............ 4
Benefits For Organizations when Users are Not Local Administrators ............ 5
    Better Protection Against Malware ............ 5
    Tighter Control on Software Installations ............ 6
    Compliance with Regulatory Mandates and Industry Best Practices ............ 6
    Increased Data Security ............ 6
Common Challenges When Removing Local Administrator Rights ............ 7
    Application Compatibility ............ 7
    User Self Service Application Installations ............ 8
    User Initiated System Maintenance Tasks ............ 9
Viewfinity Privilege Management Solutions ............ 9
    Granular Control ............ 9
    Support for Remote and non-AD Connected Systems ............ 12
    Centralized Policy Audit and Validation ............ 13
Conclusion ............ 14
About the Author ............ 15

The Windows 7 Desktop Refresh and Security

All organizations have to consider how to deploy Windows 7 over the next few years because Microsoft has announced the end of life dates for Windows XP support (see figure 1 below). The migration to Windows 7 provides an opportune event to reevaluate desktop security standards and look for ways to more cost effectively provide secure and productive desktop computing environments.

Figure 1 Source: How long will Microsoft support XP, Vista, and Windows 7? Ed Bott, ZDNet, August 2010

Studies have shown that a locked down environment is more cost effective to support because the end users are less likely to make unnecessary changes to the core system configuration. Implementing a locked down environment is also key in complying with various regulatory and compliance initiatives.

System Administrators can use the desktop refresh as a way to roll out changes in how security privileges are managed on the endpoint so that the local logged on user does not need to have local administrator rights.

If lockdown is done properly, that is, in conjunction with software that will help you manage privileges, the impact on user productivity should be nil and end users will have the ability to conduct business as usual. Essentially, whatever privileges the end user requires to get his job done are managed through the software product, which will seamlessly make available all required applications and desktop functions.

Principle of Least Privilege and Windows Desktops

The principle of least privilege means that a module in a computing environment, such as a user account, should only have access to the information and resources that are necessary to its legitimate purpose (see http://en.wikipedia.org/wiki/Principle_of_least_privilege).

The Department of Defense DoD 5200.28-STD Orange Book states: "[The Principle of Least Privilege] requires that each subject in a system be granted the most restrictive set of privileges (or lowest clearance) needed for the performance of authorized tasks. The application of this principle limits the damage that can result from accident, error, or unauthorized use."

Based upon the principle of least privilege, in a Windows desktop environment the locally logged on user will not have local administrative rights on the desktop. However, many organizations have historically not followed the principle of least privilege when they deployed Windows XP or Windows Vista and have enabled the local user to have local administrator rights. Alternatively, many organizations have removed administrator rights for the majority of their end users but have allowed select groups or members to still have administrative privileges. This practice prevents an organization from meeting its compliance regulations and truly securing its desktop environment, which leaves the entire network vulnerable.

This white paper highlights some of the key benefits to an organization when the users do not have local administrator rights. The paper will then discuss some of the most common challenges that organizations face when the local user no longer has local administrator rights. Finally, the paper will highlight how privilege management solutions from Viewfinity address the most common challenges organizations face when removing local administrator rights from end users. Viewfinity Privilege Management allows organizations to manage user permissions at a very granular level after organizations have implemented a least privilege environment when moving to Windows 7.
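The check below is an added example and is not code from the white paper or from Viewfinity: a PowerShell script that verifies the least privilege state described above on a Windows 7 desktop, reporting whether the current session holds administrative rights and which accounts sit in the local Administrators group. The list of expected members is a hypothetical placeholder to be adjusted for your environment.

```powershell
# Added example (not from the white paper): least-privilege check for a
# Windows desktop. Uses only built-in .NET classes and the WinNT ADSI
# provider, both available on Windows 7 without extra modules.

# Members that are expected in the local Administrators group.
# Hypothetical placeholder list; replace with your organization's groups.
$ExpectedMembers = @('Administrator', 'Domain Admins', 'Desktop-Support')

function Test-CurrentUserIsAdmin {
    # Returns $true only when the current token carries the Administrators
    # group as an enabled SID, i.e. the session is elevated (or the user is
    # an admin with UAC disabled). A UAC-filtered admin token returns $false.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-LocalAdministrators {
    param([string]$ComputerName = '.')
    # Enumerate the local Administrators group via the WinNT provider and
    # report each member's name, where it comes from (machine or domain),
    # and whether it is on the expected list.
    $group = [ADSI]"WinNT://$ComputerName/Administrators,group"
    foreach ($member in @($group.psbase.Invoke('Members'))) {
        $name = $member.GetType().InvokeMember('Name', 'GetProperty', $null, $member, $null)
        $path = $member.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $member, $null)
        $source = $path -replace '^WinNT://', ''
        $source = $source -replace ('/' + [regex]::Escape($name) + '$'), ''
        New-Object PSObject -Property @{
            Name     = $name
            Source   = $source
            Expected = ($ExpectedMembers -contains $name)
        }
    }
}

# Report for this machine.
"Current session is running with administrative rights: " + (Test-CurrentUserIsAdmin)
$admins = @(Get-LocalAdministrators)
$admins | Format-Table Name, Source, Expected -AutoSize
$unexpected = @($admins | Where-Object { -not $_.Expected })
if ($unexpected.Count -gt 0) {
    "Least-privilege deviation, unexpected local administrators: " +
        (($unexpected | ForEach-Object { $_.Name }) -join ', ')
}
else {
    "Local Administrators group contains only expected members."
}
```

Run it as the standard (non-elevated) user after the lockdown to confirm the first line reports False and that only the expected accounts remain in the group.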

Benefits For Organizations when Users are Not Local Administrators

There are a number of benefits to organizations when users do not have local administrator rights on their desktop systems. Desktop management costs are reduced because the endpoint is more controlled, compliance objectives are met and your distributed desktop environment is more secure.

Better Protection Against Malware

When the locally logged on user does not have local administrative rights, the programs and processes that the user runs do not have rights to modify core operating system files and settings. This reduces the attack surface available to malware. Malware that runs on the system in the context of the logged on user is not able to change core system settings. While this does not mean that the system doesn't need other security software such as firewall and antivirus, removal of local admin rights does provide a more secure environment.

For example, there are many benefits when running the browser and mail client in a mode that does not have local admin rights. As users interact with web sites and data sources that are not necessarily trusted, malware that may be encountered is not as likely to be able to make unauthorized changes and introduce system instabilities.

Every month Microsoft releases a wide range of software updates (also known as Patch Tuesday). Many of these updates are security related. A large percentage of software updates that are released by Microsoft every Patch Tuesday have the following statement in the executive summary that describes the patch: "Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights." (As an example see http://www.microsoft.com/technet/security/bulletin/ms10-053.mspx)

Analysis of the patches released for Microsoft Office and Internet Explorer, processes that are typically run in the context of the logged on user, shows that a very high percentage of the patches contain the above mentioned statement. The same is true for many of the patches associated with operating system provided applications such as media players and chat programs.

The analysis of the Microsoft patch data clearly shows that when the logged on user does not have local administrative rights, it is more difficult for malware to attack a system. Malware that is executed in the context of a non-administrative user simply does not have the access to the system to make the changes that it could make if it were running with local administrator rights. If for no other reason than this analysis, organizations should remove local administrator rights from end users when moving to Windows 7.

Tighter Control on Software Installations

When users do not have local administrative rights, it becomes more difficult for the users to install unauthorized software. Setup programs that modify core system files and registry settings cannot successfully complete if the user doesn't have the proper rights.

Unauthorized software may introduce system instabilities and conflicts. Unauthorized applications may introduce file system and registry changes that can impact other programs that run on the desktop. When this happens it leads to an increase in support calls to the help desk. Various third party reviews have consistently shown that there are fewer support calls when fewer changes are allowed on a system, thereby reducing desktop TCO and IT support costs.

Unauthorized software may also put an organization at risk from a software license compliance and software piracy perspective. If users are able to download and install any software at any time, then it becomes much more difficult for the organization to ensure that the software is properly licensed.

Compliance with Regulatory Mandates and Industry Best Practices

Another reason to implement the principle of least privilege is to comply with various regulatory mandates. For example, the US Federal Government's Federal Desktop Core Configuration (FDCC) regulation requires that users not have administrator rights. Sarbanes-Oxley, HIPAA, and various other standards provide best practices and requirements that include removal of administrator rights. Even if a given organization is not legally bound by one of these mandates, there is value in learning from the best practices that have been put in place by the various organizations. Organizations of all sizes and industries benefit from the set of security standards that have been generated over years of experience.

Increased Data Security

When unauthorized software is installed or unauthorized changes are made to the system configuration, it is more likely that additional ports may be opened on the system, firewall and antivirus settings can be changed, access control settings can be changed, etc. These changes increase the risk of data being made accessible to people or processes that should not have access to such data. When users have fewer rights on the desktop, the information that is accessed on that system is better protected.

Common Challenges When Removing Local Administrator Rights

An organization must consider the practical realities when removing local administrator rights from end users. In many organizations, local users have had administrative access on their desktop systems since PCs have been in use.

Many organizations use an operating system platform update (such as the move to Windows 7) as an event to evaluate a variety of desktop standards. There are a number of scenarios where the move to a locked down desktop may generate end user productivity issues.

Application Compatibility

There are thousands and thousands of applications that have been written over the years that may not work properly when the logged on user does not have local administrator rights. Applications may assume read and write access to various locations in the file system or registry that are not accessible without administrator rights. Many of these legacy applications may not have been updated or available for use by a non-administrator user.

When an application tries to perform an operation that requires administrative level rights, Windows can allow the user to elevate the privilege through the User Account Control (UAC) mechanism. While UAC may work in some situations, it does not provide a solution that is appropriate for many use cases. For example, if a user that is not a local administrator encounters a UAC dialog, the user will need a local administrator password to enable the application to continue (see Figure 2 below). Since one of the key points of least privilege is that the user is not in the local administrator group, providing the user with the local administrator password is not a viable solution.


Figure 2

Applications can be configured to run in the context of an account other than the locally logged on user. However, this presents many challenges in that the context used to access the HKEY_CURRENT_USER location in the registry will not be the same as the logged on user. Also, the location for the user profile data in the file system is not the same as that of the logged on user. Additionally, any process that is running as a separate security context will use that security context for accessing resources that are off the local machine. For example, if an application needs to access a file located on a network server, it doesn't use the ID of the logged on user, but rather the ID of that application. This presents many challenges for controlling data access. Thus configuring applications to run with a different ID from that of the logged on user is not a good solution.

User Self Service Application Installations

Most companies have sets of approved software that the user may install if it is required to do their job; however, it is not part of the default set of applications that are actively installed on each computer by IT. Organizations need a way for users to install certain applications on demand without a call into the help desk. Often, these applications may require local administrative rights to be installed properly.

For example, many organizations have web portals or file shares with a range of available applications for anyone to use in the organization. The user on that endpoint needs to be able to install these applications from a known location without the user having local administrator rights.

User Initiated System Maintenance Tasks

Many organizations may want users to be able to run some system maintenance tasks that require administrator rights. This is especially true when you consider the large number of mobile and remote users that are not necessarily regularly logged on to the corporate network.

For example, an organization may want to allow end users to add certain hardware to the system such as printers and scanners. Some organizations may want end users to be able to change the time zone or system time, run disk management utilities, adjust application settings, or even stop and start certain services. Many of these system maintenance tasks require administrator rights.

Ideally, organizations want to enable remote and mobile users to be able to support themselves without having to provide the user with full administrator level access to the system.

Viewfinity Privilege Management Solutions

Viewfinity Privilege Management enables enterprises to remove local administrator rights from the end user and manage permissions based on user role and the functionality they require to perform their job. By addressing these challenges, organizations can remove administrative privileges during their Windows 7 rollout with the confidence that applications and approved end user maintenance tasks will work as expected and not disrupt user productivity.

Viewfinity Privilege Management is implemented with an agent that runs on the desktop. (Note: consider incorporating the Viewfinity Agent into the standard operating system image in order to avoid deploying the agent after performing a migration.) The agent caches privilege policy settings from a Viewfinity server. The system administrator centrally defines the privilege management policies. Because the agent caches these policies on the endpoint, the endpoint does not need to be connected to the server to be able to enforce the privilege policies.

Granular Control

A key benefit of Viewfinity Privilege Management is that it allows an organization to have very granular control on which processes are run with elevated rights. Privilege Management does not change the user identity used to run applications; rather it adjusts the rights for that instance of the application for that point in time.

For example, organizations are able to define policies that enable any application that is launched from a given network location to run with elevated rights. This allows the end user to successfully self-install software from a known, corporate controlled software repository. There is no UAC dialog presented to the user, and the user simply runs through a standard installation process as if the user had local administrator rights.

Figure 3 Example of Viewfinity Privilege Management granular level privilege elevation for applications

As another example, a company may have a legacy application that needs to have local administrator rights. When a user runs such an application, Viewfinity Privilege Management can adjust the privileges of the application when it starts up so that it can run. However, this application is still running under the logged on user ID and all access to the current user profile settings works as expected. There is no UAC dialog presented to the user, and the change in process rights is transparent to the end user.

Privilege Management also controls the privilege level of any child process. For example, a policy can be set up so that a legacy application can run with additional rights, but any child process reverts back to the default rights of the locally logged on user.

Another restriction imposed in least privilege environments is the inability for non-administrative users to install approved ActiveX controls. IT administrators may continue to operate endpoint devices in a least privileges mode and use Viewfinity Privilege Management to grant administrative rights for installing ActiveX controls based on the digital signature from a specific publisher, URL, or class ID.

Figure 4 Example of Viewfinity Privilege Management granular level privilege elevation for ActiveX controls

Viewfinity Privilege Management has granular controls for various administrative and maintenance tasks. Administrators can selectively choose which maintenance tasks are permitted and even which users or groups of users can perform them.


Figure 5 Example of Viewfinity Privilege Management granular level privilege elevation for Windows tasks

Support for Remote and non-AD Connected Systems

Viewfinity Privilege Management works just as well for systems that rarely connect to the corporate network as for the systems that are inside the corporate firewall. There is a secure communications channel between the Viewfinity agent and the server. As a result, customers can configure a Viewfinity server so that it is accessible from any Internet connection.

Whenever the endpoint connects to the Internet, it is able to receive updated policies and provide feedback to the Viewfinity server. If the Viewfinity agent is not able to connect to the server, it still enforces policies based upon information that is cached on the endpoint.

Viewfinity Privilege Management works independent of an endpoint being connected to Active Directory. Because there is no reliance on AD Group Policy Objects (GPOs), Viewfinity privilege policies work on systems regardless of their state of connection to the directory or network. Policies are applied instantly without dependency on AD GPO replication, and there is no need for users to log off or reboot their PCs in order for policies to take effect. Viewfinity policies can be targeted not only to AD organizational units, but also based upon any other group that the administrator wants to create within the Viewfinity console.

Figure 6 Example of Viewfinity Privilege Management privilege elevation by user/group

Centralized Policy Audit and Validation

The Viewfinity Privilege Management agent provides policy compliance data to the server so that the system administrator receives feedback in terms of how and when the privilege management is applied at the endpoints. This audit trail ensures that not only have policies been defined, but also that policies have been successfully delivered and applied. A journal is available which chronicles all policies and how they are being used by end users. General statistical trends regarding policy usage, such as the most frequently blocked applications and the elevation privilege policies that are used the most, are available. Alerts can be created to inform the IT security team about actions taken that may cause systems to be less secure, such as removing the firewall software or disabling an antivirus program.

This audit reporting offers critical insights and compliance validation that is not available with solutions that are based upon GPOs.


Figure 7 Example of Viewfinity Privilege Management policy audit reporting and validation

Conclusion

With the Windows XP sunset date fast approaching, plans for Windows 7 migrations are in full swing. This has prompted most organizations to also reassess their approach to PC lockdown. With the advanced privilege management capabilities offered by Viewfinity, enterprises have an alternative to the all or nothing approach to least privileges, because an all or nothing methodology prohibits organizations from meeting compliance, security and desktop operations goals. Viewfinity Privilege Management allows IT professionals to reach these objectives, without sacrificing user productivity or increasing support call volume, by providing granular, multi-level user permissions control. Endpoints are supported regardless of worker location, as Viewfinity does not require laptops or desktops to be part of the Active Directory domain or to be directly connected to the corporate network in order to activate policies.

Finally, as you migrate to Windows 7, be prepared to manage and control administrative privileges by incorporating the Viewfinity Agent as part of the standard operating system image. This way you avoid having to separately deploy the agent after provisioning a new desktop or performing a migration.


About the Author

Dwain's focus is to help companies align their product portfolio with their go-to-market and business requirements. Prior to SageCreek, Dwain was Vice President at Symantec Corporation and was in charge of the collaboration architecture to ensure multiple Symantec products work together. He was instrumental in the successful adoption of the Altiris platform at Symantec. Dwain served as the CTO at Altiris from 2000 through the Symantec acquisition in 2007 and oversaw a development team that grew to over 500 people and an engineering budget in excess of $50M. Dwain knows how to work with diverse teams across the world. He has a strong background in how to manage teams that consist of both employees and outsourced resources across the world. His leadership of the product teams was instrumental in Altiris products receiving a large number of industry awards. Dwain was instrumental in evaluating acquisition targets and has had a key role in the M&A process for many transactions. Dwain is a successful entrepreneur, having started Computing Edge in 1994. Each year for 6 years Computing Edge experienced greater than 40% growth, and each year the operation was profitable. Computing Edge was the recognized leader in solutions that extended Microsoft's management platform. Prior to Computing Edge, Dwain worked at Microsoft in the Operating System division. Dwain graduated summa cum laude with a degree in Electrical and Computer Engineering.

Dwain Kinghorn - Partner at SageCreek

