Best Practices for PC Lockdown and Control Policies

By Dwain Kinghorn

Viewfinity, 400 Totten Pond Road, Waltham, MA 02451, 781.810.4320, www.viewfinity.com


TABLE OF CONTENTS

Control Endpoint Costs
Endpoint Lockdown Requires Privilege Management Capabilities
End-to-End Automated and Non-Disruptive Transition to Least Privileges
Pre-Discover Applications Requiring Elevated Permissions
Discover User Accounts that Have Local Administrative Rights
Policy Automation for Exceptions to User Permission Needs
Keys to an Effective Privilege Management System
Support for Mobile and Remote Users
Granular-Level Control
Application White Listing / Blocking
Policy Auditing, Validation and Reporting
Support for Compliance Initiatives: FDCC, HIPAA, PCI
PCLM Integration
Conclusion
About the Author


Control Endpoint Costs

Endpoint lockdown is not a new practice. There are a number of advantages when endpoints are locked down so that end users do not have full administrative access on their systems. In general, an environment that is more locked down has fewer changes and less variation from a known good configuration. This secures the desktop, which in turn leaves the company less vulnerable to malware, viruses, etc. Yet a completely locked down environment may result in lower productivity and a shift in the types of IT support calls coming into the help desk. An organization may go from dealing with virus attacks to an increase in incidental calls related to printer installation requests and other tasks requiring administrator rights.

Non-administrative users are more limited in their ability to install applications. Fewer end-user-installed applications results in fewer application compatibility issues and better system reliability. Application instability and application conflicts generate a large number of support requests. Fewer unauthorized applications results in fewer support incidents, and this leads to a lower TCO.

When the end user does not have administrative access to the system, programs that the end user runs are less likely to be able to modify system configuration settings or expose sensitive information that may be available on the endpoint.

Endpoint Lockdown Requires Privilege Management Capabilities

There are a number of use cases where organizations may want end users to be able to perform operations that generally require administrative-level access to the system. For example, organizations may want to allow users to install certain ActiveX controls. Organizations may want to allow anyone to be able to install and configure new printers on a system. A traveling user may want to be able to install certain applications without having to be connected to the corporate network. Mobile remote users may need to perform certain system-level tasks on their own. Certain applications may need to run with elevated rights to be able to function as expected.

In all of these cases, a privilege management system adds value. A privilege management system balances the rigidity of locking down systems with the realities of user customization needs on the endpoint. It helps ensure that the right applications run with the proper privilege levels, and provides the system administrator with the validation to ensure that endpoints match an approved configuration standard.

End-to-End Automated and Non-Disruptive Transition to Least Privileges

A project of this undertaking requires extensive analysis to determine user needs and prepare the environment. As organizations work to heighten IT security by moving to least privileges, our non-disruptive, automated method for moving to a least privileges environment provides an end-to-end best practice approach that helps enterprises reduce Advanced Persistent Threat risks.

Pre-Discover Applications Requiring Elevated Permissions

Our Application Admin Rights Analysis silently gathers information and monitors which applications, processes, and administrative actions will require administrative permission before users are removed from the local admin group. This information is based on end user activity and is collected over a period of time to ensure all events are captured. Once the collection and analysis is completed, policies to elevate privileges can be automatically created and prepared in advance so that when administrative rights are removed, the policies are in place to ensure a non-disruptive move to least privileges.

Here is an example of a completed Application Admin Rights Analysis presented in the Local Admin Rights Usage Statistic dashboard graph:

[Figure: Local Admin Rights Usage Statistic dashboard graph]

This report shows the following:

- Events marked in green represent events which have been identified from user activities on previous days.
- Events marked in red represent newly discovered events that require admin rights.
- Readiness indicator: when the discovery bar is mostly green, the system has collected the majority of events requiring administrative permissions. This indicates you are ready to use the Viewfinity Policy Automation Approval feature and automatically build policies based on the events discovered.

Discover User Accounts that Have Local Administrative Rights

Viewfinity offers a free Local Admin Discovery tool that discovers user accounts and groups that are members of the local "Administrators" built-in user group on computers in your Windows domain. Having detailed information related to which users and groups have administrator rights on corporate desktops allows you to reassess who should have these rights. Once the analysis has been run, IT administrators can take action, if needed, by removing the users or suspicious groups from the Administrators group.

Policy Automation for Exceptions to User Permission Needs

While 90-95% of your privilege management needs and policies will be established and implemented well ahead of time, for those exceptions, and there are always exceptions, Viewfinity offers a method for IT administrators to streamline privilege elevation requests from end users. Viewfinity's Policy Automation is the automatic detection and capture of the need for elevated permissions, combined with the ability to create the appropriate policy and authorize the privilege elevation request on the fly. Automating the privilege elevation request process and creating the appropriate policies on the fly saves a great deal of time for both the IT administrator and the end user.


Keys to an Effective Privilege Management System

Microsoft provides basic functions via Group Policy and Active Directory, such as the ability to lock down desktops, hide certain desktop settings, apply password policies and other functions. However, it is important to distinguish that GPO functionality does not offer the robust capabilities provided by a privilege management system. Once the desktop is locked down, Active Directory does not support elevation of privileges for specific applications and processes.

Additionally, policies can be applied only to computers that are members of Active Directory. Group Policy delivery directly depends on the Active Directory replication topology. Therefore, for computers that are not part of the domain, or are not connected to the corporate network, propagating policies is difficult. In some organizations this might take a significant amount of time depending on the geographical allocation of Active Directory infrastructure and users.

For granular management of administrator permissions, such as the ability to install ActiveX controls or run/install restricted applications, and automated policy propagation not dependent upon Active Directory, third-party products should be considered.

In order to operate in a least privileges mode while supporting the productivity needs of end users, an effective privilege management system should incorporate a number of features including:

- Support for mobile and remote users
- Granular-level control of privileges and policies
- Application white listing/blacklisting
- Policy auditing, validation and reporting
- Support for compliance initiatives such as FDCC, HIPAA and PCI
- Integration with the PC Lifecycle Management (PCLM) platform

Support for Mobile and Remote Users

Remote and mobile users are a significant percentage of the user base in many organizations. Many endpoints may go for long periods of time without connecting "inside the firewall." The privilege management policies need to work independent of the connection state of the computer to the corporate network or Active Directory. An endpoint associated with a remote user may not even be a member of Active Directory.

The system should cache the appropriate privilege management policies when the computer is able to connect to the privilege management policy server and then continually ensure that those policies are enforced at all times, regardless of connectivity status. Appropriate feedback information from the endpoint should be queued up and then sent to the policy server when the endpoint is able to reconnect.

A policy server that is accessible any time the endpoint is connected to the Internet provides better support for mobile users than requiring a system to establish a VPN connection. The ability to propagate a policy on the fly and have that policy take effect immediately as soon as an Internet connection is established (no rebooting) is extremely powerful and offers instant reassurance that the endpoint is protected.


Granular-Level Control

There are a wide variety of functions where the system administrator may want to enable the end user to make changes. For example, administrative rights may be granted to a specific application but not to its child processes. ActiveX controls from specific signed authorities may be enabled to be installed without requiring the browser to run in an administrative context. Non-administrative users may be granted the privilege to be able to install printers or to run some set of Windows utilities such as management of system time or adding certain types of new devices.

Each of the granular capabilities should be able to be applied to distinct sets of systems based upon the PCLM configuration data. The ability to configure multi-dimensional policies based upon any combination of groupings, such as by applications, departments, Active Directory users/groups, connectivity status, time of day, and more provides the desired level of granular control.

Application White Listing / Blocking

There are many harmful applications that can be installed even without administrator rights. There should be a method to manage privileges for such applications, such as the ability to configure a "white list only" model so that only approved software can be installed and/or executed. The ability to block specific applications offers an added layer of control.

Policy Auditing, Validation and Reporting

Centralized reports provide the system administrator with the feedback to audit how the privilege management policies are being applied across the enterprise. For example, reports can highlight how often application privilege levels must be adjusted and how often blacklisted applications are blocked from running. Reports can help system administrators verify that systems meet a defined configuration standard for regulatory compliance.

A good privilege management solution is equipped to provide detailed reporting on all administrator privilege policies, including an audit trail report that provides confirmation that a policy has been delivered and activated on endpoint devices. This includes validation of policy delivery to mobile and remote users, to a single computer or group of computers, and/or for a specific application.

If the privilege management capabilities are integrated with your PCLM system, the additional configuration data that is in the PCLM system is used to help filter and scope the analysis of the privilege management reports.

Support for Compliance Initiatives: FDCC, HIPAA, PCI

There are various best practices associated with regulatory compliance that can best be met if the end users do not have local administrative control. As outlined above, the privilege management system enables the system administrator to lock down the system, as mandated, while still supporting end user productivity by providing granular control. Coupled with the ability to audit and validate delivery and activation of policies, the IT administrator can now ensure that applications and systems are adhering to compliance mandates.


PCLM Integration

PCLM products gather inventory data such as the physical hardware that is on the device and the software applications that are installed. Various operating system settings are collected. Contextual information such as the physical location of the device and links to information in a directory are also typically gathered. Many companies extend the configuration system with information about the cost center, department, and other logical descriptions of the system.

The details that are known about the device in the PCLM configuration database provide the context with which the system administrator can define appropriate privilege management policies. The scoping of privilege management policies is more efficient when it leverages PCLM configuration data for creating the machine and user groups to which the policies are targeted. For example, computer groups can be defined that include all systems that belong to a specific location or business unit, and the system administrator can apply privilege management policies based upon that context.

Another way to leverage the PCLM configuration database is to apply privilege management policies to applications based upon the information known about those applications. For example, with Microsoft SCCM, applications that have been installed and settings configured through Configuration Manager have some compliance monitoring, but this is not true for application-level control. Thus, SCCM customers should look to enhance Configuration Manager capabilities with a solution that is integrated with SCCM, because privilege management application-level control is not offered today nor is it planned for any near-term SCCM releases.

With a true privilege management product, applications from the PCLM system can be granted a higher privilege level than those applications that are not known in the PCLM configuration database. The knowledge of which applications are approved from the configuration database can also be used to help enforce white-list and black-list policies.

Conclusion

While operating a locked down, least privileges environment certainly secures your environment, the function of better managing privileges has a measurable and tangible effect by alleviating calls coming into the support or help desk center. Rather than blindly moving forward with an all-or-nothing lockdown methodology, IT administrators need a flexible approach for controlling their corporate desktop and laptop environment. The tighter, yet still flexible, the control over the types of applications and privileges your distributed workforce is allowed, the more stable your desktop environment becomes. With enhanced control over managing your environment, the number of end user support calls to the help desk is reduced, not simply shifted from one type of call to another.


About the Author

Dwain Kinghorn - Partner at SageCreek Partners

Dwain's focus is to help companies align their product portfolio with their go-to-market and business requirements. Prior to SageCreek Partners, Dwain was Vice President at Symantec Corporation and was in charge of the collaboration architecture to ensure multiple Symantec products work together. He was instrumental in the successful adoption of the Altiris platform at Symantec.

Dwain served as the CTO at Altiris from 2000 through the Symantec acquisition in 2007 and oversaw a development team that grew to over 500 people and an engineering budget in excess of $50M. Dwain knows how to work with diverse teams across the world. He has a strong background in how to manage teams that consist of both employees and outsourced resources across the world. His leadership of the product teams was instrumental in Altiris' products receiving a large number of industry awards.

Dwain was instrumental in evaluating acquisition targets and has had a key role in the M&A process for many transactions. Dwain is a successful entrepreneur, having started Computing Edge in 1994. Each year for 6 years Computing Edge experienced greater than 40% growth and each year the operation was profitable. Computing Edge was the recognized leader in solutions that extended Microsoft's management platform. Prior to Computing Edge, Dwain worked at Microsoft in the Operating System division. Dwain graduated summa cum laude with a degree in Electrical and Computer Engineering.
