2010
Common Challenges When Removing Local Administrator Rights ... 7
  Application Compatibility ... 7
  User Self-Service Application Installations ... 8
  User-Initiated System Maintenance Tasks ... 9
Viewfinity Privilege Management Solutions ... 9
  Granular Control ... 9
  Support for Remote and non-AD Connected Systems ... 12
  Centralized Policy Audit and Validation ... 13
  Conclusion ... 14
About the Author ... 15
The Windows 7 Desktop Refresh and Security

All organizations have to consider how to deploy Windows 7 over the next few years because Microsoft has announced the end-of-life dates for Windows XP support (see figure 1 below). The migration to Windows 7 provides an opportune event to reevaluate desktop security standards and look for ways to more cost-effectively provide secure and productive desktop computing environments.
Studies have shown that a locked-down environment is more cost effective to support because the end users are less likely to make unnecessary changes to the core system configuration. Implementing a locked-down environment is also key in complying with various regulatory and compliance initiatives.

System administrators can use the desktop refresh as a way to roll out changes in how security privileges are managed on the endpoint, so that the locally logged-on user does not need to have local administrator rights.

If lockdown is done properly, that is, in conjunction with software that will help you manage privileges, the impact on user productivity should be nil and end users will have the ability to conduct business as usual. Essentially, whatever privileges the end user requires to get the job done are managed through the software product, which will seamlessly make available all required applications and desktop functions.
Principle of Least Privilege and Windows Desktops

The principle of least privilege means that a module in a computing environment, such as a user account, should only have access to information and resources that are necessary to its legitimate purpose (see http://en.wikipedia.org/wiki/Principle_of_least_privilege). The Department of Defense DOD 5200.28-STD Orange Book states: "[The Principle of Least Privilege] requires that each subject in a system be granted the most restrictive set of privileges (or lowest clearance) needed for the performance of authorized tasks. The application of this principle limits the damage that can result from accident, error, or unauthorized use."

Based upon the principle of least privilege, in a Windows desktop environment the locally logged-on user will not have local administrative rights on the desktop. However, many organizations have historically not followed the principle of least privilege when they deployed Windows XP or Windows Vista and have enabled the local user to have local administrator rights. Or many organizations have removed administrator rights for the majority of their end users but have allowed select groups or members to still have administrative privileges. This practice prevents an organization from meeting its compliance regulations and truly securing its desktop environment, which causes the entire network to be vulnerable.

This white paper highlights some of the key benefits to an organization when the users do not have local administrator rights. The paper will then discuss some of the most common challenges that organizations face when the local user no longer has local administrator rights. Finally, the paper will highlight how privilege management solutions from Viewfinity address the most common challenges organizations face when
Benefits for Organizations when Users are Not Local Administrators

There are a number of benefits to organizations when users do not have local administrator rights on their desktop systems. Desktop management costs are reduced because the endpoint is more controlled, compliance objectives are met, and your distributed desktop environment is more secure.
Better Protection Against Malware

When the locally logged-on user does not have local administrative rights, the programs and processes that the user runs do not have rights to modify core operating system files and settings. This reduces the surface area of an attack from malware. Malware that runs on the system in the context of the logged-on user is not able to change core system settings. While this does not mean that the system doesn't need other security software such as firewall and antivirus, removal of local admin rights does provide a more secure environment.

For example, there are many benefits when running the browser and mail client in a mode that does not have local admin rights. As users interact with web sites and data sources that are not necessarily trusted, malware that may be encountered is not as likely to be able to make unauthorized changes and introduce system instabilities.

Every month Microsoft releases a wide range of software updates (also known as Patch Tuesday). Many of these updates are security related. A large percentage of software updates that are released by Microsoft every Patch Tuesday have the following statement in the executive summary that describes the patch:

"Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights." (As an example see http://www.microsoft.com/technet/security/bulletin/ms10-053.mspx)

Analysis of the patches released for Microsoft Office and Internet Explorer, processes that are typically run in the context of the logged-on user, shows that a very high percentage of the patches contain the above-mentioned statement. The same is true for many of the patches associated with operating-system-provided applications such as media players and chat programs.

The analysis of the Microsoft patch data clearly shows that when the logged-on user does not have local administrative rights, then it is more difficult for malware to attack a
Tighter Control on Software Installations

When users do not have local administrative rights, it becomes more difficult for the users to install unauthorized software. Setup programs that modify core system files and registry settings cannot successfully complete if the user doesn't have the proper rights.

Unauthorized software may introduce system instabilities and conflicts. Unauthorized applications may introduce file system and registry changes that can impact other programs that run on the desktop. When this happens it leads to an increase in support calls to the help desk. Various third-party reviews have consistently shown that there are fewer support calls when fewer changes are allowed on a system, thereby reducing desktop TCO and IT support costs.

Unauthorized software may also put an organization at risk from a software license compliance and software piracy perspective. If users are able to download and install any software at any time, then it becomes much more difficult for the organization to ensure that the software is properly licensed.
Compliance with Regulatory Mandates and Industry Best Practices

Another reason to implement the principle of least privilege is to comply with various regulatory mandates. For example, the US Federal Government's Federal Desktop Core Configuration (FDCC) regulation requires that users should not have administrator rights. Sarbanes-Oxley, HIPAA, and various other standards provide best practices and requirements that include removal of administrator rights. Even if a given organization is not legally bound by one of these mandates, there is value in learning from the best practices that have been put in place by the various organizations. Organizations of all sizes and industries benefit from the set of security standards that have been generated over years of experience.
Increased Data Security

When unauthorized software is installed or unauthorized changes are made to the system configuration, then it is more likely that additional ports may be opened on the system, firewall and antivirus settings can be changed, access control settings can be changed, etc. These changes increase the risk of data being made accessible to people or processes that should not have access to such data. When users have fewer rights on the desktop, the information that is accessed on that system is more protected.
Common Challenges When Removing Local Administrator Rights

An organization must consider the practical realities when removing local administrator rights from end users. In many organizations, local users have had administrative access on their desktop systems since PCs have been in use.

Many organizations use an operating system platform update (such as the move to Windows 7) as an event to evaluate a variety of desktop standards. There are a number of scenarios where the move to a locked-down desktop may generate end-user productivity issues.
Application Compatibility

There are thousands and thousands of applications that have been written over the years that may not work properly when the logged-on user does not have local administrator rights. Applications may assume read and write access to various locations in the file system or registry that are not accessible without administrator rights. Many of these legacy applications may not have been updated or made available for use by a non-administrator user.

When an application tries to perform an operation that requires administrative-level rights, Windows can allow the user to elevate the privilege through the User Account Control (UAC) mechanism. While UAC may work in some situations, it does not provide a solution that is appropriate for many use cases. For example, if a user that is not a local administrator encounters a UAC dialog, the user will need a local administrator password to enable the application to continue (see Figure 2 below). Since one of the key points of least privilege is that the user is not in the local administrator group, providing the user with the local administrator password is not a viable solution.

Figure 2
Applications can be configured to run in the context of an account other than the locally logged-on user. However, this presents many challenges in that the context used to access the HKEY_CURRENT_USER location in the registry will not be the same as the logged-on user. Also, the location for the user profile data in the file system is not the same as the logged-on user. Additionally, any process that is running as a separate security context will use that security context for accessing resources that are off the local machine. For example, if an application needs to access a file located on a network server, it doesn't use the ID of the logged-on user, rather the ID of that application. This presents many challenges for controlling data access. Thus configuring applications to run with a different ID from that of the logged-on user is not a good solution.
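Before deciding how to handle the application compatibility and UAC issues described above, an administrator needs two facts about each desktop: who actually holds local administrator rights, and what a standard user sees when an application triggers a UAC elevation. The following audit script is an added example, not code from the whitepaper or from Viewfinity; it assumes Windows 7 or later with Windows PowerShell and uses the WinNT ADSI provider because Get-LocalGroupMember only exists on newer builds.

```powershell
# Added example (not from the whitepaper or Viewfinity): audit one desktop for
# local Administrators membership and for the UAC policy that governs what a
# standard user is shown when an application needs elevation.

function Get-LocalAdminAudit {
    $computer = $env:COMPUTERNAME

    # Direct members of the built-in Administrators group, reported as
    # "MACHINE/name" or "DOMAIN/name" (nested domain groups are not expanded).
    $group   = [ADSI]"WinNT://$computer/Administrators,group"
    $members = @($group.Invoke('Members') | ForEach-Object {
        $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null) -replace '^WinNT://', ''
    })

    # Two views of the current logon. With UAC on, an Administrators member
    # running unelevated carries a filtered token, so IsInRole() says $false
    # even though the account could elevate; the group check shows the truth.
    $identity       = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal      = New-Object Security.Principal.WindowsPrincipal($identity)
    $tokenIsAdmin   = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
    $accountIsAdmin = $members -contains ($identity.Name -replace '\\', '/')

    # UAC policy values under Policies\System. ConsentPromptBehaviorUser decides
    # what a standard user sees: 0 = elevation denied outright, 1 = prompt for
    # admin credentials on the secure desktop, 3 = prompt for admin credentials.
    $uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $uac    = Get-ItemProperty -Path $uacKey
    $userPrompt = switch ($uac.ConsentPromptBehaviorUser) {
        0       { 'Elevation requests from standard users are denied' }
        1       { 'Standard users are prompted for admin credentials (secure desktop)' }
        3       { 'Standard users are prompted for admin credentials' }
        default { "Unrecognised value: $($uac.ConsentPromptBehaviorUser)" }
    }

    New-Object PSObject -Property @{
        Computer              = $computer
        CurrentUser           = $identity.Name
        CurrentTokenElevated  = $tokenIsAdmin
        CurrentAccountIsAdmin = $accountIsAdmin
        LocalAdministrators   = $members
        UACEnabled            = [bool]$uac.EnableLUA
        StandardUserPrompt    = $userPrompt
    }
}

# A least-privilege baseline is met when CurrentAccountIsAdmin is $false for
# ordinary users and LocalAdministrators holds only the built-in account and
# the IT support groups that are meant to be there.
Get-LocalAdminAudit | Format-List
```

Run it under the ordinary user's logon rather than an elevated console, otherwise CurrentTokenElevated reflects the admin session and not the user's day-to-day context.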
User Self-Service Application Installations

Most companies have sets of approved software that the user may install if it is required to do their job; however, it is not part of the default set of applications that are actively installed on each computer by IT. Organizations need a way for users to install certain applications on demand without a call into the help desk. Often, these applications may require local administrative rights to be installed properly.

For example, many organizations have web portals or file shares with a range of available applications for anyone to use in the organization. The user on that endpoint needs to be able to install these applications from a known location without the user having local administrator rights.
User-Initiated System Maintenance Tasks

Many organizations may want users to be able to run some system maintenance tasks that require administrator rights. This is especially true when you consider the large numbers of mobile and remote users that are not necessarily regularly logged on to the corporate network.

For example, an organization may want to allow end users to add certain hardware to the system, such as printers and scanners. Some organizations may want end users to be able to change the time zone or system time, run disk management utilities, adjust application settings, or even stop and start certain services. Many of these system maintenance tasks require administrator rights.

Ideally, organizations want to enable remote and mobile users to be able to support themselves without having to provide the user with full administrator-level access to the system.
Viewfinity Privilege Management Solutions

Viewfinity Privilege Management enables enterprises to remove local administrator rights from the end user and manage permissions based on user role and the functionality they require to perform their job. By addressing these challenges, organizations can remove administrative privileges during their Windows 7 rollout with the confidence that applications and approved end-user maintenance tasks will work as expected and not disrupt user productivity.

Viewfinity Privilege Management is implemented with an agent that runs on the desktop. (Note: consider incorporating the Viewfinity Agent into the standard operating system image in order to avoid deploying the agent after performing a migration.) The agent caches privilege policy settings from a Viewfinity server. The system administrator centrally defines the privilege management policies. Because the agent caches these policies on the endpoint, the endpoint does not need to be connected to the server to be able to enforce the privilege policies.
Granular Control

A key benefit of Viewfinity Privilege Management is that it allows an organization to have very granular control over which processes are run with elevated rights. Privilege Management does not change the user identity used to run applications; rather, it adjusts the rights for that instance of the application at that point in time.

Figure 3: Example of Viewfinity Privilege Management granular-level privilege elevation for applications

Figure 4: Example of Viewfinity Privilege Management granular-level privilege elevation for ActiveX controls

Figure 5: Example of Viewfinity Privilege Management granular-level privilege elevation for Windows tasks
Support for Remote and non-AD Connected Systems

Viewfinity Privilege Management works just as well for systems that rarely connect to the corporate network as for the systems that are inside the corporate firewall. There is a secure communications channel between the Viewfinity agent and the server. As a result, customers can configure a Viewfinity server so that it is accessible from any Internet connection.

Whenever the endpoint connects to the Internet, it is able to receive updated policies and provide feedback to the Viewfinity server. If the Viewfinity agent is not able to connect to the server, it still enforces policies based upon information that is cached on the endpoint.

Viewfinity Privilege Management works independent of an endpoint being connected to Active Directory. Because there is no reliance on AD Group Policy Objects (GPOs), Viewfinity privilege policies work on systems regardless of their state of connection to the directory or network. Policies are applied instantly without dependency on AD GPO replication, and there is no need for users to log off or reboot their PCs in order for

Figure 6: Example of Viewfinity Privilege Management privilege elevation by user/group
Centralized Policy Audit and Validation

The Viewfinity Privilege Management agent provides policy compliance data to the server so that the system administrator receives feedback in terms of how and when the privilege management is applied at the endpoints. This audit trail ensures that not only have policies been defined, but also that policies have been successfully delivered and applied. A journal is available which chronicles all policies and how they are being used by end users. General statistical trends regarding policy usage, such as the most frequently blocked applications and the elevation privilege policies that are used the most, are available. Alerts can be created to inform the IT security team about actions taken that may cause servers to be less secure, such as removing the firewall software or disabling an antivirus program.

This audit reporting offers critical insights and compliance validation that is not available with solutions that are based upon GPOs.

Figure 7: Example of Viewfinity Privilege Management policy audit reporting and validation
Conclusion

With the Windows XP sunset date fast approaching, plans for Windows 7 migrations are in full swing. This has prompted most organizations to also reassess their approach to PC lockdown. With the advanced privilege management capabilities offered by Viewfinity, enterprises have an alternative to the all-or-nothing approach to least privilege, because an all-or-nothing methodology prohibits organizations from meeting compliance, security and desktop operations goals. Viewfinity Privilege Management allows IT professionals to reach these objectives, without sacrificing user productivity or increasing support call volume, by providing granular, multi-level user permissions control. Endpoints are supported regardless of worker location, as Viewfinity does not require laptops or desktops to be part of the Active Directory domain or to be directly connected to the corporate network in order to activate policies.

Finally, as you migrate to Windows 7, be prepared to manage and control administrative privileges by incorporating the Viewfinity Agent as part of the standard operating system image. This way you avoid having to separately deploy the agent after provisioning a new desktop or performing a migration.

About the Author
Dwain's focus is to help companies align their product portfolio with their go-to-market and business requirements. Prior to Sage Creek, Dwain was Vice President at Symantec Corporation and was in charge of the collaboration architecture to ensure multiple Symantec products work together. He was instrumental in the successful adoption of the Altiris platform at Symantec.

Dwain served as the CTO at Altiris from 2000 through the Symantec acquisition in 2007 and oversaw a development team that grew to over 500 people and an engineering budget in excess of $50M. Dwain knows how to work with diverse teams across the world. He has a strong background in how to manage teams that consist of both employees and outsourced resources across the world. His leadership of the product teams was instrumental in Altiris products receiving a large number of industry awards.

Dwain was instrumental in evaluating acquisition targets and has had a key role in the M&A process for many transactions. Dwain is a successful entrepreneur, having started Computing Edge in 1994. Each year for 6 years Computing Edge experienced greater than 40% growth, and each year the operation was profitable. Computing Edge was the recognized leader in solutions that extended Microsoft's management platform.

Prior to Computing Edge, Dwain worked at Microsoft in the Operating System division. Dwain graduated summa cum laude with a degree in Electrical and Computer Engineering.