Viewfinity Privilege Management Integration with Microsoft System Center Configuration Manager. By Dwain Kinghorn


Viewfinity, 400 Totten Pond Road, Waltham, MA 02451. 781.810.4320. www.viewfinity.com

TABLE OF CONTENTS
Desktop Configuration and Privilege Management
Principle of Least Privilege and Windows Desktops
Benefits for Organizations that use Privilege Management
    Lower Cost of Ownership
    Better Protection Against Malware
    Tighter Control on Software Installations
    Compliance with Regulatory Mandates and Industry Best Practices
    Increased Data Security
Deploying and Using Viewfinity Privilege Management
Conclusion
About the Author

Desktop Configuration and Management

Studies have shown that a locked-down environment is more cost effective to support because end users are less likely to make unnecessary changes to the core system configuration. Systems are less vulnerable to malware and less prone to inappropriate configuration settings when users do not have administrative rights. Implementing privilege management is also key to complying with various regulatory and compliance initiatives.

Microsoft's System Center Configuration Manager (SCCM) is used by many organizations worldwide for centralized PC lifecycle management. SCCM's features do not include privilege management. However, SCCM does provide mechanisms for adding data to the SCCM database. Viewfinity Privilege Management uses these mechanisms to store summary privilege management feedback data in the SCCM database. This data is then available in the context of SCCM endpoint configuration management operations such as patch management and software delivery. SCCM customers can use their existing SCCM infrastructure together with Viewfinity Privilege Management for a more secure endpoint, combining the benefits of privilege management with PC lifecycle management.

Principle of Least Privilege and Windows Desktops

The principle of least privilege means that a module in a computing environment, such as a user account, should have access only to the information and resources that are necessary for its legitimate purpose (see http://en.wikipedia.org/wiki/principle_of_least_privilege). Viewfinity Privilege Management allows administrators to define granular controls on a per-application or per-function basis. Non-administrator users can be given the rights to perform specific functions, such as installing a set of approved applications, using legacy applications that require administrative rights, and running utilities such as hardware installation and disk management.

This whitepaper highlights some of the key benefits to an organization when users do not have local administrator rights. It then outlines how these privilege management features can be used in the context of the SCCM console and database.

Benefits for Organizations that use Privilege Management

There are a number of benefits to organizations that implement privilege management. These benefits include:

Lower Cost of Ownership

When end users are not able to make ad hoc changes to their system, the endpoint is more stable. This stability leads to fewer support incidents, which directly lowers total cost of ownership.

Better Protection Against Malware

When the locally logged-on user does not have local administrative rights, the programs and processes that the user runs do not have rights to modify core operating system files and settings. This reduces the attack surface available to malware: malware that runs in the context of the logged-on user cannot change core system settings. It can still read and modify anything that user can reach, so least privilege limits the damage rather than eliminating it.
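Before any of the benefits above can be claimed, an organization has to know which endpoints still grant ordinary users local administrator rights. The following PowerShell script is an added example, not part of this paper or of the Viewfinity product: it enumerates local Administrators group membership on a set of endpoints and flags members that are not on an allow-list. The computer names and the allow-list are constructed placeholders, and the script assumes PowerShell remoting is enabled and that the targets run Windows 10 or Windows Server 2016 or later, where Get-LocalGroupMember is available.

```powershell
# Added example; not from the Viewfinity paper. Enumerates local Administrators
# membership on each target and flags members that are not on the allow-list.
# Assumptions: PowerShell remoting is enabled, the caller can read local group
# membership on the targets, and the names below are constructed placeholders.

$Computers     = @('PC-001', 'PC-002')                 # constructed sample targets
$AllowedAdmins = @(                                     # constructed allow-list
    'CONTOSO\Domain Admins',
    'CONTOSO\Workstation Admins'
)

# Collected remotely; Invoke-Command adds PSComputerName to every result object.
$members = Invoke-Command -ComputerName $Computers -ErrorAction Continue -ScriptBlock {
    # Orphaned SIDs in the group can make Get-LocalGroupMember throw; keep going.
    Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue |
        Select-Object Name, ObjectClass, PrincipalSource
}

$report = $members | ForEach-Object {
    # The built-in local Administrator shows as <COMPUTERNAME>\Administrator;
    # normalise it so the allow-list does not need one entry per machine.
    $name = $_.Name -replace ('^' + [regex]::Escape($_.PSComputerName) + '\\'), 'LOCAL\'
    [pscustomobject]@{
        Computer  = $_.PSComputerName
        Member    = $name
        Type      = $_.ObjectClass        # User or Group
        Source    = $_.PrincipalSource    # Local, ActiveDirectory, MicrosoftAccount
        # Only the built-in Administrator and the allow-listed groups are expected.
        Violation = -not ($name -eq 'LOCAL\Administrator' -or $AllowedAdmins -contains $name)
    }
}

$report | Sort-Object Computer, Member | Format-Table -AutoSize

# Endpoints where an individual user account holds local admin are the ones that
# undermine the benefits described above; list them separately for follow-up.
$report | Where-Object Violation | Select-Object Computer, Member, Type | Format-Table -AutoSize
```

Run it from a management workstation as an account that is itself a local administrator on the targets. A domain user account (Type User, Source ActiveDirectory) that appears with Violation set to True is exactly the case that a privilege management policy should replace with a per-application grant.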

Tighter Control on Software Installations

When users do not have local administrative rights, it becomes more difficult for them to install unauthorized software directly. Setup programs that modify core system files and registry settings cannot complete successfully if the user does not have the proper rights.

Compliance with Regulatory Mandates and Industry Best Practices

Another reason to implement the principle of least privilege is to comply with various regulatory mandates. For example, the US Federal Government's Federal Desktop Core Configuration (FDCC) mandate requires that users not have administrator rights. Hospitals, clinics, and other health-care organizations hold more of a person's sensitive information than almost any other kind of organization. Analysts report that over the last several years, data security breaches have exposed the names and information of more than 1.5 million patients. IT departments are responsible for ensuring that HIPAA regulations are followed, and one method of enforcing this is to restrict administrative privileges at the desktop level.

Increased Data Security

When unauthorized software is installed or unauthorized changes are made to the system configuration, it becomes more likely that additional ports are opened on the system, that firewall and anti-virus settings are changed, that access control settings are changed, and so on. These changes increase the risk of data being made accessible to people or processes that should not have access to it. When users have fewer rights on a desktop, the information accessed on that system is better protected.

Viewfinity Privilege Management allows the administrator to create detailed policies that provide the benefits described above. Administrators define policies that control when and how applications and their features are accessed. SCCM provides deployment, inventory, and software management functions. SCCM does not provide process-level privilege controls, so the privilege policies are used in addition to the base configuration management features that SCCM provides.

Deploying and Using Viewfinity Privilege Management

Viewfinity Privilege Management customers create privilege policies through the Group Policy Management Editor. (Note: there is also a standalone Viewfinity console that creates and deploys policies independently of GPOs and the SCCM environment. Because this paper focuses on SCCM environments, where GPOs are the more likely deployment method, the examples are based on GPOs.) Through the Group Policy editor console, the administrator configures the details of the privilege policy, such as:
- which applications and processes the policy applies to
- which specific rights are granted to the application
- when the policy should be enabled
- the list of computers or users that the policy applies to

A Viewfinity agent on each endpoint interprets and enforces these policies. The agent receives the policy configuration through standard Microsoft Group Policy mechanisms. SCCM software distribution can be used to deploy the Viewfinity agent to each target endpoint. The Viewfinity agent monitors all applications and processes that run on the endpoint. At application start, the agent adjusts the privileges of the application as defined in the policy.

The Viewfinity agent uses the WMI repository on the Windows machine to store feedback and log information. The logged information includes which policies have been enforced on the endpoint. In addition, the logs in WMI record operations the user has performed on the machine that need additional rights in order to work. The full list of information collected is:
- Failed executable: a process that needs additional privileges to run
- Failed script: a script that needs additional privileges to run
- Failed installation: a setup program that needs additional privileges to run
- Failed administrative task: operations such as defragmenting a disk, changing the system time, and adding new hardware drivers
- Failed ActiveX installation in Internet Explorer: ActiveX controls need elevated rights to be installed
- Executable started from the Explorer extension: the "run with elevated privileges" context menu item
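The SCCM hardware inventory agent can only collect a WMI class that exists, with a stable schema and at least one key property, on the endpoints; the SCCM console reads that schema from a sample machine when the class is added to inventory. The following PowerShell function is an added example, not code from this paper or from the Viewfinity product: it checks, on a reference endpoint, that the feedback class described above is present and shows what the inventory agent would read from it. The namespace, class name and the grouping property are assumed placeholders, since the paper does not name them; substitute the real ones from the agent's documentation.

```powershell
# Added example; not from the Viewfinity paper or product. Verifies that a WMI
# class is present and inventory-ready on an endpoint, and summarises its instances.
# The default namespace, class and grouping property are ASSUMED placeholders.

function Get-EndpointFeedbackClass {
    [CmdletBinding()]
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [string]$Namespace    = 'root\Viewfinity',      # assumption: real namespace differs
        [string]$ClassName    = 'Viewfinity_Feedback',  # assumption: real class name differs
        [string]$GroupBy      = 'EventType'             # assumption: property that names the event kind
    )

    # A missing namespace or class raises a terminating CimException; report it the
    # same way the SCCM "Add Hardware Inventory Class" dialog would and stop.
    try {
        $class = Get-CimClass -ComputerName $ComputerName -Namespace $Namespace `
                              -ClassName $ClassName -ErrorAction Stop
    } catch {
        Write-Warning "Class $Namespace\$ClassName not found on ${ComputerName}: $($_.Exception.Message)"
        return $null
    }

    # Hardware inventory needs at least one property with the 'key' qualifier to tell
    # instances apart; without it SCCM cannot store the rows.
    $keys = $class.CimClassProperties |
                Where-Object { $_.Qualifiers.Name -contains 'key' } |
                Select-Object -ExpandProperty Name
    if (-not $keys) {
        Write-Warning "$ClassName defines no key property; SCCM hardware inventory cannot collect it."
    }

    # This read is what the inventory agent performs on each hardware inventory cycle.
    $instances = @(Get-CimInstance -ComputerName $ComputerName -Namespace $Namespace -ClassName $ClassName)

    # Tally by event kind so a quick look shows whether users are mostly hitting
    # blocked installs, blocked admin tasks, or self-service elevation requests.
    $tally = if ($instances) { $instances | Group-Object $GroupBy | Select-Object Name, Count }

    [pscustomobject]@{
        Computer   = $ComputerName
        Class      = "$Namespace\$ClassName"
        KeyProps   = ($keys -join ',')
        Properties = ($class.CimClassProperties.Name -join ',')
        Instances  = $instances.Count
        Tally      = $tally
        Sample     = $instances | Select-Object -First 5
    }
}

# Usage: run against a reference machine that has had the agent for a few days.
Get-EndpointFeedbackClass -ComputerName 'PC-001' | Format-List
```

Two points worth checking on the output before wiring the class into inventory. First, the property list is the schema SCCM will freeze when the class is added; if the agent later adds properties, the inventory class has to be re-imported. Second, hardware inventory reports what is in WMI at scan time, so for the "over the last month" style of query to work the agent must keep its records in WMI across inventory cycles rather than clearing them after each write.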

Users are also able to request permission to perform operations that require elevated rights; these requests are also logged in WMI.

The SCCM administrator controls which WMI information is collected as part of the standard SCCM hardware inventory cycle. Because the Viewfinity information is in WMI, the SCCM administrator can configure SCCM so that the inventory scanning process collects it. These SCCM settings are configured as part of the Viewfinity installation on the SCCM server. Once the SCCM agent collects the Viewfinity data, it is forwarded to the SCCM site server, which automatically creates the database tables needed to store it. Once the data is in the database, it can be used by all standard SCCM features such as collections and reports.

SCCM includes a number of features that help the administrator create the filters and queries used in collections and reports. Because the Viewfinity data enters the SCCM database through the SCCM inventory process, it is available for use just like the standard Microsoft-collected data. The SCCM administrator can view the Viewfinity data in the SCCM Resource Explorer. An administrator can, for example, create a collection of all computers that have run a particular process with elevated rights over the last month by building a query on the data classes that contain the Viewfinity data. That collection can then be the target of any other SCCM policy, such as a software update deployment. SCCM also has a full-featured set of reporting capabilities; reports based on Viewfinity data are created and shared in the same way as reports on standard Microsoft data.
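The collection described above, built with the Configuration Manager PowerShell module, as an added example that is not part of this paper or of the Viewfinity product. The site code, site server name, the inventory class name SMS_G_System_VIEWFINITY_ELEVATION and its ProcessName property are assumed placeholders; the paper does not name the class, so take the real name from Resource Explorer on a client that has reported data. TimeStamp is the inventory timestamp every hardware inventory class carries, so the filter means "reported within the last N days", not the moment the elevation happened.

```powershell
# Added example; not from the Viewfinity paper or product. Run on a machine with the
# Configuration Manager console installed, as an administrative user of the site.
# The inventory class name and its ProcessName property are ASSUMED placeholders.

param(
    [string]$SiteCode    = 'PS1',                                # assumption: your site code
    [string]$SiteServer  = 'cm01.contoso.local',                 # assumption: SMS Provider host
    [string]$InvClass    = 'SMS_G_System_VIEWFINITY_ELEVATION',  # assumption: real class differs
    [string]$ProcessName = 'setup.exe',                          # constructed example process
    [int]   $Days        = 30
)

# Standard console module import; SMS_ADMIN_UI_PATH is set by the console installer.
Import-Module (Join-Path $env:SMS_ADMIN_UI_PATH '..\ConfigurationManager.psd1')

# Extended WQL as used by collection membership rules. The join on ResourceId ties
# the inventory rows back to the device record; DateDiff/GetDate give the time window.
$wql = @"
select SMS_R_SYSTEM.ResourceID, SMS_R_SYSTEM.ResourceType, SMS_R_SYSTEM.Name,
       SMS_R_SYSTEM.SMSUniqueIdentifier, SMS_R_SYSTEM.ResourceDomainORWorkgroup, SMS_R_SYSTEM.Client
from SMS_R_System
inner join $InvClass on $InvClass.ResourceId = SMS_R_System.ResourceId
where $InvClass.ProcessName = "$ProcessName"
  and DateDiff(dd, $InvClass.TimeStamp, GetDate()) <= $Days
"@

# Preview the result set against the SMS Provider before creating anything; the
# Provider accepts the same extended WQL the console uses for collection queries.
$preview = @(Get-CimInstance -ComputerName $SiteServer -Namespace "root\SMS\site_$SiteCode" -Query $wql)
Write-Host ("{0} device(s) currently match the query" -f $preview.Count)

# Create the collection and attach the query as a membership rule, re-evaluated daily.
Set-Location "$($SiteCode):"
$collName = "Elevated run of $ProcessName (last $Days days)"
$coll = New-CMDeviceCollection -Name $collName -LimitingCollectionName 'All Systems' `
            -RefreshType Periodic `
            -RefreshSchedule (New-CMSchedule -RecurInterval Days -RecurCount 1)
Add-CMDeviceCollectionQueryMembershipRule -CollectionId $coll.CollectionID `
            -RuleName "Viewfinity elevation: $ProcessName" -QueryExpression $wql
```

Because a hardware inventory class holds the latest snapshot per instance, the window is bounded by how long the agent retains its WMI records and by the site's inventory history retention; if the rows are needed for longer than that, report from the inventory history views (v_HS_*) in the site database rather than from a collection query.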

Viewfinity provides reports that highlight the privilege management data. These reports are installed on the SCCM server and are accessed like all other SCCM reports.

Conclusion

In summary, desktop administrators who are already using SCCM for PC lifecycle management can use their existing infrastructure for privilege management. Viewfinity Privilege Management provides a number of features that help administrators implement least privilege. Viewfinity uses Microsoft-defined methods to integrate privilege management with the SCCM agent and server, resulting in a more secure and better-managed endpoint. Organizations of all sizes have more secure and stable desktops when users do not have local administrative rights, because lockdown provides an added layer of protection that helps mitigate security risks. Integrating SCCM and Viewfinity Privilege Management helps IT administrators by bringing general system management tasks and privileged access activity together in one management console.

About the Author

Dwain Kinghorn, Partner at SageCreek. Dwain's focus is to help companies align their product portfolio with their go-to-market and business requirements. Prior to SageCreek, Dwain was Vice President at Symantec Corporation and was in charge of the collaboration architecture that ensures multiple Symantec products work together. He was instrumental in the successful adoption of the Altiris platform at Symantec. Dwain served as the CTO at Altiris from 2000 through the Symantec acquisition in 2007 and oversaw a development team that grew to over 500 people and an engineering budget in excess of $50M. Dwain knows how to work with diverse teams across the world and has a strong background in managing teams that consist of both employees and outsourced resources. His leadership of the product teams was instrumental in Altiris products receiving a large number of industry awards. Dwain was instrumental in evaluating acquisition targets and has had a key role in the M&A process for many transactions. Dwain is a successful entrepreneur, having started Computing Edge in 1994. Each year for six years Computing Edge experienced greater than 40% growth, and each year the operation was profitable. Computing Edge was the recognized leader in solutions that extended Microsoft's systems management platform. Prior to Computing Edge, Dwain worked at Microsoft in the Operating System division as one of the initial three members of the System Center Configuration Manager (formerly SMS) team. Dwain graduated summa cum laude with a degree in Electrical and Computer Engineering.