Best Practices for PC Lockdown and Control Policies. By Dwain Kinghorn

Transcription

1 4 0 0 T o t t e n P o n d R o a d W a l t h a m, M A w w w. v i e w f i n i t y. c o m Best Practices for PC Lockdown and Control Policies By Dwain Kinghorn

2 TABLE OF CONTENTS Control Endpoint Costs... 3 Endpoint Lockdown Requires Privilege Management Capabilities. 3 End-To-End Automated and Non-disruptive Transition to Least Privileges Pre-discover Applications Requiring Elevated Permissions.. 3 Discover User Accounts that have Local Administrative Rights Policy Automation for Exceptions to User Permission Needs Keys to an Effective Privilege Management System... 5 Support for Mobile and Remote Users... 5 Granular-level Control... 6 Application White Listing / Blocking Policy Auditing, Validation and Reporting.. 6 Support for Compliance Initiatives: FDCC, HIPAA, PCI.. 6 PCLM Integration... 7 Conclusion.. 7 About the Author

3 Control Endpoint Costs End point lockdown is not a new practice. There are a number of advantages when endpoints are locked down so that end users do not have full administrative access on their systems. In general, an environment that is more locked down has less changes and less variation from a known good configuration. This secures the desktop which in turns leaves company less venerable to malware, virus, etc. Yet a completely locked down environment may result in lowering productivity and creating a shift in the types IT support calls coming into the help desk. An organization may go from dealing with virus attacks to an increase in incidental calls related to printer installation requests and other tasks requiring administrator rights. Non administrative users are more limited in their ability to install applications. Fewer end user installed applications results in fewer application compatibility issues and better system reliability. Application instability and application conflicts generate a large number of support requests. Fewer unauthorized applications results in fewer support incidents and this leads to a lower TCO. When the end user does not have administrative access to the system, programs that end users runs are less likely to be able to modify system configuration settings or expose sensitive information that may be available on the endpoint. Endpoint Lockdown Requires Privilege Management Capabilities There are a number of use cases where organizations may want end users to be able to perform operations that generally require administrative level access to the system. For example, organizations may want to allow users to install certain ActiveX controls. Organizations may want to allow anyone to be able to install and configure new printers on a system. A traveling user may want to be able to install certain applications without having to be connected to the corporate network. Mobile remote users may need to perform certain system level tasks on their own. Certain applications may need to run with elevated rights to be able to function as expected. In all of these cases, a privilege management system adds value. A privilege management system balances the rigidity of locking down systems with the realities of user customization needs on the endpoint. It helps ensure that the right applications run with the proper privilege levels, and provides the system administrator with the validation to ensure that endpoints match an approved configuration standard. End-to-End Automated and Non-Disruptive Transition to Least Privileges A project of this undertaking requires extensive analysis to determine user needs and prepare the environment. As organizations work to heighten IT security by moving to least privileges, our non-disruptive, automated method for moving to a least privileges environment provides an end-to-end best practice approach that helps enterprises reduce Advance Persistent Threat risks. Pre-Discover Applications Requiring Elevated Permissions Our Application Admin Rights Analysis silently gathers information and monitors which applications, processes, and administrative actions will require administrative permission before users are removed from the local admin group. This information is based on end user activity and is collected over a period of time to ensure all events are captured. Once the collection and analysis is completed, policies to elevate privileges 3

4 can be automatically created and prepared in advance so that when administrative rights are removed, the policies are in place to ensure a non-disruptive move to least privileges. Here is an example of a completed Application Admin Rights Analysis presented in the Local Admin Rights Usage Statistic dashboard graph: This report shows the following: Events marked in Green represent events which have been identified from user activities on previous days. Events marked in Red represent newly discovered events that require Admin rights. Readiness indicator: when the discovery bar is mostly green, the system has collected the majority of events requiring administrative permissions. This indicates you are ready to use the Viewfinity Policy Automation Approval feature and automatically build policies based on the events discovered. Discover User Accounts that Have Local Administrative Rights Viewfinity offers a free Local Admin Discovery tool that discovers user accounts and groups that are members of the local Administrators built-in user group on computers in your Windows domain. Having detailed information related to which users and groups have administrator rights on corporate desktops allows you to reassess who should have these rights. Once the analysis has been run, IT Administrators can take action, if needed, by removing the users or suspicious groups from the Administrators group. Policy Automation For Exceptions to User Permission Needs While 90-95% of your privilege management needs and policies will be established and implemented well ahead of time, for those exceptions, and there are always exceptions, Viewfinity offers a method for IT administrators to streamline privilege elevation requests from end users. Viewfinity s Policy Automation is the automatic detection and capture of the need for elevated permissions, combined with the ability to create the appropriate policy and authorize the privilege elevation request on the fly. Automating the privilege elevation request process and creating the appropriate policies on-the-fly saves a great deal of time for both the IT Administrator and end-user. 4

5 Keys To An Effective Privilege Management System Microsoft provides basic functions via group policies and active directory, such as the ability to lockdown desktops, hide certain desktop settings, apply password policies and other functions. However, it is important to distinguish that GPO functionality does not offer the robust capabilities provided by a privilege management system. Once the desktop is locked down, active directory does not support elevation of privileges for specific applications and processes. Additionally, policies can be applied only to computers that are members of active directory. Group policy delivery directly depends on active directory replication topology. Therefore, computers that are not part of the domain, or are not connected to the corporate network, propagating policies is difficult. In some organizations this might take a significant amount of time depending on geographical allocations of active directory infrastructure and users. For granular management of administrator permissions, such as the ability to install ActiveX controls or run/ install restricted applications, and automated policy propagation not dependent upon active directory, third party products should be considered. In order to operate in a least privileges mode while supporting the productivity needs of end users, an effective privilege management system should incorporate a number of features including: Support for mobile and remote users Granular-level control of privileges and policies Application White Listing/Blacklisting Policy Auditing, Validation and Reporting Support for compliance initiatives such as FDCC, HIPAA and PCI Integration with the PC Lifecycle Management (PCLM) platform Support for Mobile and Remote Users Remote and mobile users are a significant percentage of the user base in many organizations. Many endpoints may go for long periods of time without connecting inside the firewall. The privilege management policies need to work independent of the connections state of the computer to the corporate network or active directory. An endpoint associated with a remote user may not even be a member of the active directory. The system should cache the appropriate privilege management policies when the computer is able to connect to the privilege management policy server and then continually ensure that those policies are enforced at all times, regardless of connectivity status. Appropriate feedback information from the endpoint should be queued up and then sent to the policy server when the endpoint is able to reconnect. A policy server that is accessible anytime the endpoint is connected the Internet provides better support for mobile users than requiring a system to establish a VPN connection. The ability to propagate a policy on-thefly and have that policy take effect immediately as soon as an internet connection is established (no rebooting) is extremely powerful and offers instant reassurance that the endpoint is protected. 5

6 Granular-Level Control There are a wide variety of functions where the system administrator may want to enable the end user to make changes. For example administrative rights may be granted to a specific application but not to its child processes. ActiveX controls from specific signed authorities may be enabled to be installed without requiring the browser to run in an administrative context. Non administrative users may be granted the privilege to be able to install printers or to run some set of Windows utilities such as management of system time or adding certain types of new devices. Each of the granular capabilities should be able to be applied to distinct sets of systems based upon the PCLM configuration data. The ability to configure multi-dimensional policies based upon any combination of groupings, such as by applications, departments, active directory users/groups, connectivity status, time of day, and more provides the desired level of granularity control needed. Application White Listing / Blocking There are many harmful applications that can be installed even without administrator rights. There should be a method to manage privileges for such applications, such as the ability to configure a "white list only" model so that only approved software can be installed and/or executed. The ability to block specific applications offers an added layer of control. Policy Auditing, Validation and Reporting Centralized reports provide the system administrator with the feedback to audit how the privilege management policies are being applied across the enterprise. For example, reports can highlight how often application privilege levels must be adjusted and how often blacklisted applications are blocked from running. Reports can help system administrators verify that systems meet a defined configuration standard for regulatory compliance. A good privilege management solution is equipped to provide detailed reporting on all administrator privilege policies, including an audit trail report that provides confirmation that a policy has been delivered and activated on endpoint devices. This includes validation of policy delivery to mobile and remote users, single or group of computers and/or for a specific application. If the privilege management capabilities are integrated with your PCLM system, the additional configuration data that is in the PCLM system is used to help filter and scope the analysis of the privilege management reports. Support for Compliance Initiatives: FDCC, HIPAA, PCI There are various best practices associated with regulatory compliance that can best be met if the end users do not have local administrative control. As outlined above, the privilege management system enables the system administrator to lock down the system, as mandated, while still supporting end user productivity by providing granular control. Couple that with the ability to audit and validate delivery and activation of policies, now the IT administrator can ensure that applications and systems are adhering to compliance mandates. 6

7 PCLM Integration PCLM products gather inventory data such as the physical hardware that is on the device and software applications that are installed. Various operating system settings are collected. Contextual information such as the physical location of the device and links to information in a directory are also typically gathered. Many companies extend the configuration system with information about the cost center, department, and other logical descriptions of the system. The details that are known about the device in the PCLM configuration database provide the context with which the system administrator can define appropriate privilege management policies. The scoping of privilege management polices is more efficient when it leverages PCLM configuration data for creating the machine and user groups to which the policies are targeted. For example, computer groups can be defined that include all systems that belong to a specific location or business unit and the system administrator can apply privilege management policies based upon that context. Another way to leverage the PCLM configuration database is to apply privilege management polices to applications based upon the information known about those applications. For example, with Microsoft SCCM, applications that have been installed and settings configured through Configuration Manager have some compliance monitoring but it s not true for application level control. Thus, SCCM customers should look to enhance Configuration Manager capabilities with a solution that is integrated with SCCM because privilege management application level control is not offered today nor is it planned for any near term SCCM releases. With a true privilege management product, applications from the PCLM system can be granted a higher level privilege than those applications that are not known in the PCLM configuration database. The knowledge of which applications are approved from the configuration database can also be used to help enforce white-list and black-list policies. Conclusion While operating a locked down, least privileges environment certainly secures your environment, the function of better managing privileges has a measurable and tangible effect by alleviating calls coming into the support or help desk center. Rather than blindly moving forward with an all or nothing lockdown methodology, IT Administrators need flexible approach for controlling its corporate desktop and laptop environment. With tighter, yet flexible control over the types of applications and privileges your distributed workforce are allowed, the more stable your desktop environment becomes. With enhanced control over managing your environment, the number of end user support calls to the help desk are reduced, not simply shifted from one type of call to another. 7

8 About the Author Dwain Kinghorn - Partner at SageCreek Partners Dwain s focus is to help companies align their product portfolio with their go to market and business requirements. Prior to SageCreek Partners, Dwain was Vice President at Symantec Corporation and was in charge of the collaboration architecture to ensure multiple Symantec products work together. He was instrumental in the successful adoption of the Altiris platform at Symantec. Dwain served as the CTO at Altiris from 2000 through the Symantec acquisition in 2007 and oversaw a development team that grew to over 500 people and an engineering budget in excess of $50M. Dwain knows how to work with diverse teams across the world. He has a strong background in how to manage teams that consist of both employees and outsourced resources across the world. His leadership of the product teams was instrumental in Altiris products receiving a large number of industry awards. Dwain was instrumental in evaluating acquisition targets and has had a key role in the M&A process for many transactions. Dwain is a successful entrepreneur having started Computing Edge in Each year for 6 years Computing Edge experienced greater than 40% growth and each year the operation was profitable. Computing Edge was the recognized leader in solutions that extended Microsoft s management platform. Prior to Computing Edge, Dwain worked at Microsoft in the Operating System division. Dwain graduated summa cum laude with a degree in Electrical and Computer Engineering. 8