Viewfinity Privilege Management Integration with Microsoft System Center Configuration Manager. By Dwain Kinghorn

Transcription

1 4 0 0 T o t t e n P o n d R o a d W a l t h a m, M A w w w. v i e w f i n i t y. c o m Viewfinity Privilege Management Integration with Microsoft System Center Configuration Manager By Dwain Kinghorn

2 TABLE OF CONTENTS Desktop Configuration and Privilege Management. 3 Principle of Least Privilege and Windows Desktops... 3 Benefits for Organizations that use Privilege Management.. 3 Lower Cost of Ownership.. 3 Better Protection Against Malware.. 3 Tighter Control on Software Installations 4 Compliance with Regulatory Mandates and Industry Best Practices 4 Increased Data Security 4 Deploying and Using Viewfinity Privilege Management. 4 Conclusion.. 8 About the Author

3 Desktop Configuration and Management Studies have shown that a locked down environment is more cost effective to support because the end users are less likely to make unnecessary changes to the core system configuration. Systems are less vulnerable to malware and less prone to have inappropriate configuration settings when users do not have administrative rights. Implementing privilege management is also key in complying with various regulatory and compliance initiatives. Microsoft s System Center Configuration Manager (SCCM) is used by many organizations worldwide for centralized PC lifecycle management. SCCM features do not include privilege management. However SCCM does provide mechanisms to add additional data to the SCCM database. Viewfinity Privilege Management uses these mechanisms to store summary privilege management feedback data in the SCCM database. This additional privilege management data is then available for the context of SCCM endpoint configuration management operations such as patch management and software delivery. SCCM customers can leverage their SCCM infrastructure in conjunction with Viewfinity Privilege Management for a more secure endpoint by combining the benefits of privilege management with PC lifecycle management. Principle of Least Privilege and Windows Desktops The principle of least privilege means that a module in a computing environment such as a user account should only have access to information and resources that are necessary to its legitimate purpose. (see ) Viewfinity Privilege Management allows administrators to define granular controls on a per application or per function basis. Non administrator users can be given the rights to perform certain functions such as installing a set of approved applications, using legacy applications that require administrative rights, and running utilities such as hardware installation and disk management. This whitepaper highlights some of the key benefits to an organization when the users do not have local administrator rights. The paper then outlines how these privilege management features can be leveraged in the context of the SCCM console and database. Benefits For Organizations that use Privilege Management There are a number of benefits to organizations that implement privilege management. These benefits include: Lower Cost of Ownership When end users are not able to make ad-hoc changes to their system, the system is more stable. This results in a more stable computing environment on the endpoint. This stability leads to fewer support incidents which is directly associated with lowering total cost of ownership. Better Protection Against Malware When the locally logged on user does not have local administrative rights, the programs and processes that the user runs do not have rights to modify core operating system files and settings. This reduces the surface area of an attack from malware. Malware that runs on the system in the context of the logged on user is not able to change core system settings. 3

4 Tighter Control on Software Installations When users do not have local administrative rights, it becomes more difficult for the users to directly install unauthorized software. Setup programs that modify core system files and registry settings cannot successfully complete if the user doesn t have the proper rights. Compliance with Regulatory Mandates and Industry Best Practices Another reason to implement the principle of least privilege is to comply with various regulatory mandates. For example, the US Federal Government s Federal Desktop Core Configuration (FDCC) regulation requires users should not have administrator rights. Hospitals, clinics, and other health-care organizations are privy to more of a person's sensitive information than almost any other kind of organization. However, analysts report that over the last several years, data security breaches have exposed the names and information related to more than 1.5 million patients. IT departments are responsible for ensuring HIPAA regulations are followed and one method for enforcing this is to restrict administrative privileges at the desktop level. Increased Data Security When unauthorized software is installed or unauthorized changes are made to the system configuration, then it is more likely that additional ports maybe opened on the system, firewall and anti-virus settings can be changed, access control settings can be changed, etc. These changes increases the risk of data being made accessible to people or processes that should not have access to such data. When users have fewer rights on a desktop the information that is accessed on that system is more protected. Viewfinity Privilege Management allows the administrator to create detailed policies that provide the abovementioned benefits. Administrators define policies that control when and how applications and their features are accessed. SCCM provides deployment, inventory, and software management functions. SCCM does not provide process level privilege controls. Thus the privilege policies are used in addition to the base configuration management features that are provided in SCCM. Deploying and Using Viewfinity Privilege Management Viewfinity Privilege Management customers create the privilege policies through the Group Policy Management Editor. (Note: There is also an option for a standalone Viewfinity console to create and deploy policies independent of GPOs and SCCM environment. As this paper is focused on SCCM environments where GPOs are more likely to be used as the deployment method, the examples are based upon GPOs.) Through the group policy editor console, the administrator is able to configure the details in the privilege policy such as: What applications and processes the policy applies to What specific rights are granted to the application When the policy should be enabled The list of computers or users that the policy applies to 4

5 A Viewfinity agent that resides on each endpoint interprets and enforces these policies. The agent receives the policy configuration information through standard Microsoft group policy mechanisms and enforces the policies. SCCM software installation processes can easily be used to deploy the Viewfinity agent on each of the target endpoints. The Viewfinity agent monitors all the applications and processes that run on an endpoint. At application initialization time, the agent adjusts the privileges of the application per the details defined in the policy. The Viewfinity agent uses the WMI service on the Windows machine as the location to store feedback and log information. The information that is logged includes information on which policies have been enforced on the endpoint. In addition to what policies have been applied, the logs in WMI include information on operations that the user has performed on the machine that need to have additional rights to be able to work. The full list of information collected includes: Failed executable processes that need additional privileges to run Failed script a scrip that needs to have additional privileges to run Failed installation a setup program that needs additional privileges to run Failed administrative task this includes operations such as defragment, change time, and adding new hardware drivers Failed ActiveX installation in Internet Explorer ActiveX controls need elevated rights to be able to be installed Executable started from Explorer extension - run with elevated privileges menu item 5

6 Users are also able to request permissions to perform operations that require elevated rights. This information is also logged into WMI. The SCCM administrator is able to control which WMI information is collected as part of a standard SCCM inventory collection cycle. As the Viewfinity information is in WMI, the SCCM administrator can configure the system so that this WMI information is collected by the SCCM inventory scanning process. The details on how to manage these SCCM settings are configured as part of the Viewfinity installation process on the SCCM server. Once the SCCM agent collects the Viewfinity data, the data is forwarded to the SCCM server. The SCCM server automatically creates the necessary database tables to store this information. Once the data is in the database, the information is available to be leveraged by all standard SCCM items such as collections and reports. SCCM includes a number of features to help the administrator create filters and queries that are used in collections and reports. Because the Viewfinity data is added to the SCCM database via the SCCM inventory processes, the Viewfinity data is available for use just like all the standard Microsoft collected data. The SCCM administrator is easily able to view the Viewfinity data in the SCCM Resource Explorer. An administrator can create a collection of all computers that have run a particular process with elevated rights over the last month by creating a filter from a query on the data classes that contain the Viewfinity data. This collection can then be used for any other SCCM policies such as software delivery updates. SCCM also has a full-featured set of reporting capabilities. Reports based upon Viewfinity data can be created and shared in the same way that administrators use standard Microsoft data to create reports. 6

7 Viewfinity provides reports that highlight the privilege management data. These reports are installed on the SCCM server and are accessed like all other SCCM reports. 7

8 Conclusion In summary, desktop administrators that are already using SCCM for PC lifecycle management functions are able to leverage their existing infrastructure for privilege management features. Viewfinity Privilege Management provides a number of benefits that allow administrators to better implement least privilege features. Viewfinity uses Microsoft defined methods to integrate privilege management with the SCCM agent and server resulting in a more secure and a better managed endpoint. Organizations of all sizes have more secure and stable desktops when users do not have local administrative rights on their desktops because lockdown provides an added layer of protection that helps mitigate security risks. Integrating SCCM and Viewfinity Privilege Management helps IT administrators by providing general system management tasks and privilege access activity from one management console. 8

9 About the Author Dwain Kinghorn - Partner at SageCreek Dwain s focus is to help companies align their product portfolio with their go to market and business requirements. Prior to SageCreek, Dwain was Vice President at Symantec Corporation and was in charge of the collaboration architecture to ensure multiple Symantec products work together. He was instrumental in the successful adoption of the Altiris platform at Symantec. Dwain served as the CTO at Altiris from 2000 through the Symantec acquisition in 2007 and oversaw a development team that grew to over 500 people and an engineering budget in excess of $50M. Dwain knows how to work with diverse teams across the world. He has a strong background in how to manage teams that consist of both employees and outsourced resources across the world. His leadership of the product teams was instrumental in Altiris products receiving a large number of industry awards. Dwain was instrumental in evaluating acquisition targets and has had a key role in the M&A process for many transactions. Dwain is a successful entrepreneur having started Computing Edge in Each year for 6 years Computing Edge experienced greater than 40% growth and each year the operation was profitable. Computing Edge was the recognized leader in solutions that extended Microsoft s systems management platform. Prior to Computing Edge, Dwain worked at Microsoft in the Operating System division as one of the initial 3 members of the System Center Configuration Manager (formerly SMS) team. Dwain graduated summa cum laude with a degree in Electrical and Computer Engineering. 9