Leaders in Windows Privilege Management
Least Privilege = Least Risk = Least Cost
Presented by: Joe L Italien, Tom Moore
Agenda
- Introductions/desktop environment overview
- What is Windows privilege management?
- Customers and Partners
- What are the benefits of Privilege Guard?
- Privilege Guard technical overview and demonstration
- Questions and answers
A Definition of Least Privilege
"The least privilege principle requires that each subject in a system be granted the most restrictive set of privileges needed for the performance of authorized tasks. The application of this principle limits the damage that can result from accident, error or unauthorized use."
Department of Defence Trusted Computer System Evaluation Criteria (Orange Book)
Key Benefits of Privilege Management
- Enables a standardised, compliant desktop for all users
- Lower cost through:
  - Fewer help desk calls
  - Streamlined management of software
  - Simplified management of privilege requests
- User satisfaction improvements through fewer frustrations associated with lockdown
- Improved security, auditing and reporting
Customer Examples: Banking, Government, Energy, Manufacturing, Aerospace/Defence, Others
Partnerships: System Integrators, Technology Partners
Industry Recognition
"Privilege Guard allows businesses to lock down end-user desktops in a flexible way to reduce support costs and improve security. By applying a principle of least privilege, Privilege Guard eliminates the problems that prevent businesses from applying universal lockdown policies, while sparing end users the negative effects of lockdown."
Tim Stammers, September 2010
The Least Risk Windows 7 Desktop
- Maximum risk occurs when users are given admin rights and do not regularly connect to the domain.
- Even when users receive regular group policy updates, have antivirus software, and other controls are in place, the system is at risk because users with admin rights can override these controls.
- Privilege Guard is the most effective way to deliver the least risk Windows 7 desktop because all users operate under a standard user account and application whitelisting further protects the environment.
Source: Gartner, "Making the Most of Windows 7 Security", dated 24th August 2010, Dan Blum
The Challenge: All or Nothing
- Admin User: Problem Applications, Standard Applications, Basic Admin Tasks, Software Installation
  - High Support Costs, High Security Risks, Compliance Issues
- Standard User: Standard Applications
  - High Support Costs, Less Productive Users, Poor User Experience
The Privilege Guard Solution
[Diagram: Standard Admin User; Standard Applications; Problem Applications; Basic Admin Tasks; Software Installation; Privilege Guard]
- Deploy all users as standard users
- Assign privileges to individual applications based on user roles and needs
- Prevent the execution of unauthorized applications
- Centrally managed through Active Directory Group Policy
- Detailed auditing and application forensics
Privilege Guard Benefits
- Reduces Desktop Management Costs
Source: Gartner. Desktop Total Cost of Ownership: 2008 Update. ID Number: G00153705
Privilege Guard Benefits
- Reduces Desktop Management Costs
- Increases Desktop Security
- Helps Achieve Compliance
- Rich Experience for Locked Down Users
  - Basic Admin Tasks
  - Device Connectivity
  - Approved Software Installation
Leaders in Windows Privilege Management
Least Privilege = Least Risk = Least Cost
Presented by: Tom Moore
Agenda
- Privilege Guard Architecture
- How to elevate applications under a standard user account
- Dealing with advanced users that need to 'elevate on demand'
- Application control to block unauthorized applications
- Application discovery and auditing
- Questions and answers
Privilege Guard Architecture
[Diagram: Active Directory; Managed Systems; Privilege Guard Management Snap-in (MMC); Software Distribution Server, e.g. SCCM; Privilege Guard Client Installer]
- Centrally managed from Privilege Guard Management Console
- Configuration settings managed through Active Directory Group Policy
- Deploy Privilege Guard Client Installer to client computers
Event Centralisation
[Diagram: Central Event Collector; Central SQL Database; Active Directory; Privilege Guard clients with WinRM; Privilege Guard Reporting Console]
- Windows Event Forwarding support for XP, Vista, Win 7, Server 03/08
- Configuration settings managed through Active Directory Group Policy
- Events are forwarded to central Event Collector
- Central database of events with detailed reports and dashboards
Evaluation Approach
- Preparation
- Lab Testing
- Pilot Deployment
- Review & Recommendations
Implementation Phase 1: App. Identification
- Stage 1, Requirements Gathering: Project Owner, No. of Users, Use Cases, Timescales, AD Structure, Discovery Scope, Success Criteria
- Stage 2, Privilege Guard Deployment: Agent Install, Console Install, Discovery Policy Deployment
- Stage 3, Data Analysis & Reporting: Data Collect, Data Analysis, App Report
Implementation Plan Phase 2: Least Privilege Implementation
- Stage 4, Policy Creation: Policy Design, Policy Creation
- Stage 5, Policy Testing: Policy Lab Test, Policy Revision
- Stage 6, Internal Comms: User Education, User Feedback
- Stage 7, Deployment: Policy Deployment, Admin Privileges Removal, Review Outcome
Joe.litalien@avecto.com