Monday, 13 December 2010

The Global State of the Endpoint

A recent survey commissioned by Lumension doesn’t reveal many surprising results, but one interesting point was that only 44% of those surveyed thought that application whitelisting was an effective technology.

Maybe those surveyed are expecting too much. It’s not a replacement for antivirus, but in its own right it is very effective at preventing malicious software from running, especially when used in conjunction with a standard user account.

Thursday, 25 November 2010

Zero-day flaw allows an attacker to impersonate the system account and bypass UAC

Here’s a good example of why implementing standard user accounts isn’t enough to secure your desktop systems. Occasionally bugs are found in Windows that allow privilege escalation – or in other words, permit a standard user to elevate to a higher set of privileges.

One such flaw has recently been disclosed and is outlined by Sophos on their Naked Security blog. Additional layers of security, such as application whitelisting and antivirus, should help to mitigate the threat; alternatively, you can implement the workaround outlined in the blog post.

Hopefully it won’t be too long before Microsoft provides a patch. Looking at the workaround outlined by Sophos, it looks like this hole should be relatively trivial to plug.

Wednesday, 17 November 2010

End-users with admin-level access put your network security at risk

Security Adviser columnist, Roger Grimes, has another article on Least Privilege Security at InfoWorld. Not only does he speak about standard user accounts, but also about the advantages of application whitelisting software.

Roger also mentions that Least Privilege Security can help reduce support costs on desktop computers:

Locked-down desktops have few support issues since users aren't installing buggy, unapproved apps, slowing down their systems, and throwing up blue screens all the time. Plus, they require less troubleshooting and fewer rebuilds.

I would also concur with the following statement:

Of course good, updated antimalware defenses are needed. I may not be a huge fan of the increasingly less-accurate antivirus software, but it's worth installing and using in most scenarios. They may not be 100 percent accurate, but they catch bad elements.

AV software should not be your first line of defence; it’s simply not effective enough to protect users in today’s threat environment.

Something I’ve also written about myself at Windows IT Professional in the past is domain isolation. Desktops shouldn’t need to talk to other desktops for instance, and creating security domains can help to prevent the spread of malware in the case of an outbreak:

I am a strong advocate of security-domain isolation, restricting workstations and servers so that they connect to only what they need. It can be accomplished using myriad methods, including routers, firewalls, VLANs, IPSec, and other avenues of logical separation.

Thursday, 11 November 2010

Adobe quietly updates Flash Player

Not much fanfare accompanying the latest update to Flash Player (version, which includes a security fix, so make sure that your systems are patched as quickly as possible.

The MSI version can be downloaded here for deployment using Group Policy or SCCM.

Wednesday, 3 November 2010

Don’t want to use a heavyweight virtualization solution to run IE6 on Windows 7? Take a look at UniBrows

While Microsoft has its own solutions for running IE6 apps on Windows 7 (see its whitepaper Solutions for Virtualizing Internet Explorer), they can be overkill and expensive to manage.

Dependence on IE6 for legacy web applications is often cited as a reason preventing an upgrade from XP to Windows 7, which provides improved security and easier implementation of least privilege.

UniBrows, currently in beta, is an add-in for IE8. It is triggered automatically by rules that a system administrator configures in Group Policy, and when triggered it renders the page using IE6 code and displays it in the current tab.

UniBrows will cost $5 per user a year and is due for release at the end of November. It is definitely a solution worth looking at if you want to upgrade to Windows 7 but can’t relinquish support for IE6.

Tuesday, 26 October 2010

BeyondTrust PowerBroker Desktops, Free Edition

While I’m on the subject of free solutions for elevating processes to run with administrative privilege under a standard user account, BeyondTrust have recently rebranded their Privilege Manager product, now called PowerBroker Desktops, and have released a free version of the software.

The product differs from the fully licensed version in that your own custom rules cannot be deployed centrally using Active Directory Group Policy. All rules can be deployed via local GPOs, and template rules, i.e. those built into PowerBroker to allow system administrators to quickly grant rights for specific Windows features, can be deployed using Active Directory Group Policy. So central management using AD Group Policy Objects isn’t as complete as in ScriptLogic’s free solution, Privilege Authority.

On the flip side, PowerBroker Desktops Free Edition is more fully featured than Privilege Authority and is properly integrated with Group Policy and the Group Policy Management Console (GPMC). PowerBroker is definitely worth checking out for smaller organizations that are looking to implement least privilege security on the desktop.

ScriptLogic’s Privilege Authority

I recently discovered a free offering from ScriptLogic that allows system administrators to grant standard users administrative rights for specified processes, in much the same way as commercial products. ScriptLogic doesn’t support Privilege Authority, although there is a community support forum which is active at, so it may not be suitable for use in large organizations that would depend on the software as part of their mission critical infrastructure.

Privilege Authority has its own server console for administering Group Policy settings, and before use you have to provide an email address. When configuring new settings to deploy to clients, there is a list of standard rules for common applications, and rules can also be imported from the Rules Exchange on the community forum. User-defined rules can, of course, also be created and exported.

While not as fully featured or elegant as products from the main players, Avecto and BeyondTrust, Privilege Authority provides a potential alternative for smaller organizations that cannot get funding to deploy a commercial solution.

Friday, 24 September 2010

Security and Client-Side Virtualization

A good article by J. Peter Bruzzese over at Biztech Magazine on the increasing importance of virtualization to provide secure and reliable desktop OSes.

It’s quite common when thinking about virtualization technology to focus on the server side. But moving forward, it’s the client side that will take on a greater role in deploying new operating systems, maintaining those systems, and ensuring their stable and secure use.

Tuesday, 21 September 2010

IT downtime costs UK £2bn a year, study finds

Ever wondered how much IT downtime actually costs? Take a look at this Computer Weekly summary of a report by CA Technologies.

The time taken to fix failed IT systems costs the average UK business £208,000 a year in lost revenue, the research revealed.

France tops the league of average losses at £424,000 a year, followed by Germany (£330,000) and Norway (£271,000).

Forrester’s Zero Trust model for security

Forrester is currently pushing their Zero Trust model for network security, where they state that hosts on the corporate intranet should be untrusted in the same way as Internet devices. This makes a lot of sense, and can be implemented to various degrees according to the risk to your business. For instance, Windows clients should be isolated from one another using IPSec domain isolation. In most cases, there’s no reason why Windows clients should be talking to anything other than Windows servers.

The Zero Trust model can also be applied on the desktop. In other words, Least Privilege Security assumes that the user will eventually do something bad, often by accident and, less commonly, maliciously. Using virtualization technologies we can work with the Zero Trust model but still give users the flexibility they need to install applications and experiment with different configurations.
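As an added example that is not part of the original post, this is what the IPsec domain isolation mentioned here (and in the Roger Grimes piece above) looks like on a Windows 7 client using the built-in netsh advfirewall tool. It assumes a domain-joined client with Kerberos computer authentication available, an elevated session, and placeholder addresses for the infrastructure hosts and the client subnet.

```powershell
# Added example (not from the original post): a minimal IPsec domain-isolation baseline
# using netsh advfirewall, the built-in tool on Windows 7 and Server 2008 R2.
# Assumptions: a domain-joined client that can use Kerberos computer authentication,
# an elevated session, and placeholder addresses for infrastructure and the client subnet.

$infrastructure = '10.0.0.10,10.0.0.11'   # placeholder: domain controllers / DNS
$workstations   = '10.0.10.0/24'          # placeholder: subnet the client sits on

# 1. Hosts the client must reach before it holds a Kerberos ticket (DCs, DNS, DHCP)
#    are exempted; otherwise the client can never authenticate to anything.
netsh advfirewall consec add rule name="Isolation - exempt infrastructure" `
    endpoint1=any "endpoint2=$infrastructure" action=noauthentication

# 2. Ask every other peer on the domain profile for Kerberos computer authentication.
#    requestinrequestout is the audit setting: traffic still flows if the peer cannot
#    authenticate, but the security associations show which peers would fail once this
#    is changed to requireinrequireout.
netsh advfirewall consec add rule name="Isolation - request auth" `
    endpoint1=any endpoint2=any action=requestinrequestout auth1=computerkerb profile=domain

# 3. The post's workstation-to-workstation point: drop inbound connections from the
#    client subnet. Block rules win over allow rules, so this holds whatever else is opened.
netsh advfirewall firewall add rule name="Isolation - block peer workstations" `
    dir=in action=block "remoteip=$workstations" profile=domain

# Verify what was created and which main-mode security associations actually negotiated.
netsh advfirewall consec show rule name=all
netsh advfirewall monitor show mmsa
```

Run the request-mode rule for a while and review the main-mode associations before changing it to require authentication, or clients that cannot negotiate IPsec lose access to servers.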

A rational look at Bring Your Own PC (BYOPC)

Matthew Clark writes a rational overview of BYOPC on his Confessions of an IT Manager blog, addressing the benefits and concerns of such schemes. One of his concerns is naturally security:

To be clear, there are many possible security issues and implications with BYOPC.  These include virus and malware issues, installation of unknown software packages, secure access to business data, and so on.  However, I believe all of these issues can ultimately be resolved or mitigated with a well constructed security model.

In conclusion, however, Clark writes that the concerns he addresses in the article can be managed, and that if they are properly managed BYOPC could bring advantages in some environments, but he is not convinced that BYOPC will necessarily reduce costs.

Also in a recent report, Gartner suggests that BYOPC can increase the threat of botnets.

Monday, 20 September 2010

AppSense to include User Rights Management in user virtualization solution

On Monday 20th September, AppSense announced the integration of User Rights Management (URM) into their user virtualization solution. For more information on URM and the development of User Installed Applications, check out Can You Give Power to Users Responsibly?

Saturday, 18 September 2010

Least Privilege Security book review by security expert Kevin Beaver

Another positive review of the book:

I've been reading through Russell Smith's new book Least Privilege Security for Windows 7, Vista and XP and I've realized it's about time for a book on this subject. I've covered some of the material in the past including in my recent tip Should Windows users have full administrative rights? and I know there's content on this topic scattered across various books, articles, etc. but I've never seen a book dedicated to the subject. Pretty cool.

Wednesday, 15 September 2010

Deploying software to computers without Group Policy

Need a quick way to deploy software to standard users without SCCM or Group Policy? Take a look at PDQ Deploy from Admin Arsenal. It’s free, can deploy MSI, MSP, MSU, EXE and Batch files and monitors installs until they’re complete. Make sure you test your unattended installs thoroughly before pushing them to multiple machines on your network.

Friday, 10 September 2010

Consumerisation of IT

There’s been a lot in the press during the last week about IT consumerisation, and how IT departments might become extinct if they continue a line of ‘command and control’.

In an ideal world, we’d let users buy whatever hardware and software they see fit to do their jobs. In certain environments this may actually work, but I imagine that for the most part, this would be a costly nightmare for the average IT department.

Is there a compromise? I think for the time being, allowing users to choose which software to use to process company data is something only the big players are likely to be able to achieve. If users are allowed to buy their own hardware, consider providing a list of authorized devices.

If you don’t want to remove admin rights from a user’s PC, consider deploying a virtual desktop where you can comply with regulations and business needs for securing data. This way, you get the best of both worlds. It doesn’t have to be all or nothing.

Monday, 6 September 2010

A Strong Password Isn’t the Strongest Security

Great article over at the New York Times on password security.

“Keeping a keylogger off your machine is about a trillion times more important than the strength of any one of your passwords,” says Cormac Herley, a principal researcher at Microsoft Research who specializes in security-related topics.

Least Privilege Security, as part of a defence-in-depth security strategy, can help to keep keyloggers and other malware off users’ systems.

Herley continues by adding:

Security advice simply offers a bad cost-benefit tradeoff to users.

And according to the research:

“If an account is locked for 24 hours after three unsuccessful attempts,” they write, “a six-digit PIN can withstand 100 years of sustained attack.”

Tuesday, 31 August 2010

3 IT mistakes that helped bring down Russian spy ring

An interesting article over at IT Manager Daily that describes some of the basic security mistakes made by the Russian spy ring. One thing’s for sure, they weren’t using least privilege security…

In addition to clear and enforced security policies, the spy ring could have used some better help desk support. Some laptops took months to troubleshoot, and one spy was so frustrated with her computer that she turned it over to an undercover U.S. agent who promised he could repair it.

All these mistakes go to show that the spies’ targets may not have much to worry about — and that, once again, everybody needs IT.

Wednesday, 25 August 2010

Book review at TaoSecurity

Another review for Least Privilege Security for Windows 7, Vista and XP has just been published over at TaoSecurity by Richard Bejtlich, Director of Incident Response at General Electric.

Very focused and timely book on an important security topic.

Monday, 23 August 2010

Friday, 20 August 2010

Antivirus is not enough

Psst: Can You Keep A Secret? over at Biztech Magazine tells the story of an SME that seemed to be relying solely on its antivirus software for protection and, as a result, suffered a devastating virus outbreak.

“Small businesses are definitely more at risk than large businesses with respect to security because if they are attacked and their information is compromised, they can go out of business quickly,” observes Dr. Sushil Jajodia, director of the Center for Secure Information Systems at George Mason University. “As such, there is very little margin for error.”

While there’s no mention of Least Privilege Security, there are some encouraging signs:

MobiTV also customizes domain policies to enforce and lock down different aspects of its Windows and Linux machines and uses monitoring agents that not only report back performance and health statistics but also monitor for security events and patch management gaps.

Monday, 16 August 2010

Two more book reviews

Another short review of Least Privilege Security for Windows 7, Vista and XP at Ward Vissers:

I have already read some chapters. I think it is a great book to have in your collection.
You never have enough time to think about security. This book does it for you.

And here at Anything about IT:

I haven’t read the entire book yet, but from what I have seen thus far, it’s definitely a must-have for any IT Pro who is working within the Client Desktop management space. I’ll submit further feedback when I have completed the review.

AV alone is not enough

According to an article on Help Net Security, AV vendors detect on average 19% of malware attacks. A recent study by Cyveillance claims that the most popular antivirus products detect less than 19% of new malware threats, and that the rate increases only to 61.7% after 30 days.

Top AV solutions take an average of 11.6 days to catch up to new malware. Since this does not include malware signatures undetected even after 30 days, users should not rely on the AV industry as their only line of defense.

The full report can be downloaded here (registration required).

Friday, 13 August 2010

Inadequate Security

It’s no surprise that, according to IT PRO, two-thirds of the 488 IT workers in a recent survey claim that security is not mission critical to their company. Tom Gaffney of F-Secure thinks that desktop security is a non-starter:

Gaffney expressed concerns over whether top level executives will ever recognise how important security is.

“I am very skeptical they ever will. That is the reality we have seen already in the desktop world,” he told IT PRO. “I don’t think it will be just one event that will change things.”

Desktop security IS on the agenda for companies that must adhere to regulatory requirements and for others that understand the key to preventing malware is to eliminate administrative privileges.

Secure Windows started with Vista

According to Microsoft’s Crispin Cowan, Vista Paved the Way for Secure Windows. He also notes that:

“If you are running as administrator, security is fairly hopeless,” he said. Unfettered administrative rights is what allowed malware and viruses to take control of computers.

He continues:

Vista featured a total separation between what a user can do on a machine and what an administrator can do, a separation that has always been enforced on Unix distributions. This separation, enforced by UAC, limits the damage that a user can do to a machine.

Tuesday, 10 August 2010

Google makes Chrome browser available as MSI file

While I still believe that Internet Explorer 8 is the right choice of browser for business use at the current time, Google has taken one step forward in making its popular Chrome browser enterprise friendly by making available an MSI installer package. Most importantly, unlike the consumer version, the MSI installs Chrome to the protected Program Files directory, making one installation of Chrome available to all users of the same system and easier to update when deployed across enterprise systems. Needless to say, an MSI file is also helpful when using Group Policy Software Installation or other enterprise-class deployment systems. Download the Chrome MSI for enterprise deployment here.

You should note that at the time of writing, the MSI version of Chrome is a beta of version 6.

Wednesday, 4 August 2010

Book Review: Least Privilege Security for Windows 7, Vista and XP

Least Privilege Security for Windows 7, Vista and XP gets its first review here at Group Policy Center.

In quite a lot of chapters Russell goes into detailed step-by-step instructions explaining how to use the above technologies. But what I really like is that he also takes the time to talk about how to approach the cultural and political challenges in implementing this security model, as this is normally the hardest part of achieving a secure environment.

The review continues:

I would definitely recommend this book as a reference to anyone in an organisation who is responsible for designing and/or making changes to their Windows environment.

Thursday, 22 July 2010

Microsoft Security Advisory (2286198) - Vulnerability in Windows Shell Could Allow Remote Code Execution

The Windows shortcut vulnerability is generating a lot of interest in the blogosphere, and rightly so. As described in more detail here, an attacker can place a malformed shortcut to a malicious executable that runs automatically when the folder containing it is viewed in IE or Windows Explorer. The shortcut and binary can be placed locally, on a USB drive for instance, or hosted on a web server.

Microsoft notes in its advisory, as is often the case, that use of least privilege security can reduce the severity of a successful attack:

What might an attacker use this vulnerability to do?
An attacker who successfully exploited this vulnerability could run arbitrary code as the logged-on user. If a user is logged on with administrative user rights, an attacker could take complete control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

While Microsoft doesn’t specifically mention it in the security advisory, it’s also possible that having a whitelist of allowed applications, enforced using Software Restriction Policy or AppLocker, will reduce the likelihood of a successful attack.
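One way to stand up the whitelist this post refers to, as an added example that is not from the original post or from Microsoft: build an AppLocker executable rule set from the protected program directories using the Windows 7 AppLocker PowerShell module, audit it, then enforce it. It assumes Windows 7 Enterprise/Ultimate or Server 2008 R2, an elevated session, and placeholder paths for the policy file and the file being tested.

```powershell
# Added example (not from the original post): building an AppLocker executable
# whitelist with the Windows 7 AppLocker PowerShell module, auditing it, then enforcing.
# Assumptions: Windows 7 Enterprise/Ultimate (or Server 2008 R2), an elevated session,
# and placeholder paths for the policy file and the file being tested.
Import-Module AppLocker

$policyFile = "$env:TEMP\applocker-exe-whitelist.xml"

# 1. Inventory executables in the protected program directories, which standard users
#    cannot write to; this is the "what is running" step before anything is approved.
$fileInfo = @(Get-AppLockerFileInformation -Directory 'C:\Program Files' -Recurse -FileType Exe) +
            @(Get-AppLockerFileInformation -Directory 'C:\Windows' -Recurse -FileType Exe)

# 2. Generate publisher rules for signed files and fall back to hash rules for the rest.
#    Hash rules break on every update, so unsigned software should be reviewed rather
#    than approved wholesale.
$xml = $fileInfo | New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone -Optimize -Xml

# 3. Start in audit mode so nothing is blocked yet (assumes the generated XML carries the
#    usual EnforcementMode="NotConfigured" attribute on the Exe rule collection).
$xml = $xml -replace 'EnforcementMode="NotConfigured"', 'EnforcementMode="AuditOnly"'
$xml | Out-File -FilePath $policyFile -Encoding UTF8

# 4. Dry-run a file from a user-writable location (placeholder path) against the policy.
#    A binary dropped on a USB drive lands outside the whitelist, so the expected
#    decision here is Denied.
Test-AppLockerPolicy -XmlPolicy $policyFile -Path 'E:\untrusted\sample.exe' -User Everyone |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# 5. Apply locally (use -Ldap to target a GPO instead) and make sure the Application
#    Identity service runs; AppLocker is silently inactive without it.
Set-Service -Name AppIDSvc -StartupType Automatic
Start-Service -Name AppIDSvc
Set-AppLockerPolicy -XmlPolicy $policyFile

# 6. After a test period, list everything the audit log says would have been blocked;
#    anything legitimate in here needs a rule before switching AuditOnly to Enabled.
Get-AppLockerFileInformation -EventLog -LogPath 'Microsoft-Windows-AppLocker/EXE and DLL' -EventType Audited |
    Select-Object -Unique Path, Publisher
```

Because a standard user cannot write to Program Files or Windows, the rules generated in step 2 only cover locations the user cannot modify, which is what makes the whitelist meaningful alongside a standard user account.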

Should Windows users have full administrative rights?

In his Techtarget article, Kevin Beaver discusses the need for least privilege security while acknowledging the challenges of implementation.

Personally, I have mixed feelings regarding the scenario. On one hand, I'm for balancing security with usability. Give users what they need and get out of their way. It's one of the least-touted principles of information security, but one that can go a long way to making security work for you rather than against you.

But as we know, giving users full control is also a recipe for disaster:

On the other hand, I understand that users cannot be trusted. Be it malice or ignorance, the average user can and will get themselves, their computers and potentially your network in a bind.

One area where I’d tend to disagree with the article is the claim that giving users administrative rights reduces helpdesk calls; if system configuration is well planned, it doesn’t necessarily do so.

Administrators want their users to have the access and privileges they need because it reduces the number of help desk calls and lightens their own workload.

He concludes by suggesting that you should solve the problem by seeking input from people with experience and using a mixture of Microsoft and third-party solutions:

Get input from others who have experience, research third-party vendors or try to find some workarounds with what Microsoft already gives you.

Wednesday, 21 July 2010

Avecto Regulatory Compliance and Least Privilege Security whitepaper

My recent whitepaper for Avecto is now available at their website with information about the part least privilege security plays in achieving regulatory compliance. The whitepaper discusses the concept of least privilege security for personal computers, why it’s needed to meet requirements set out by regulatory bodies and how to overcome problems in its implementation. Download it here.

Tuesday, 20 July 2010

Lifehacker encourages users to circumvent IT policy

Just in case you thought your users weren’t trying to outwit you, Lifehacker has reposted a link to their Survive IT Lockdown piece in Top 10 Tips for Surviving Office Life.

Get Around or Work Beyond Lame IT Restrictions

Some companies have a certain set of computer apps they want their employees to work inside, and nothing more. Gina's previously recommended USB thumb drive apps and some other clever tactics to survive IT lockdown, but for those stuck in the browser race with Internet Explorer, we've also offered up our guide to getting Firefox's best features in Internet Explorer.

Monday, 19 July 2010

IT Pros discuss least-privilege security

Coalface Tech Podcast Episode 6 looks at the issues surrounding desktop security and includes plenty of interesting views on dealing with least privilege.

Desktop security - whose responsibility is it anyway? Who cares? What tools? What about the edge?

Saturday, 17 July 2010

The best way to prevent hacking is to lock down computers and restrict what software can run

In Roger A. Grimes’ article Security rule No. 1: Assume you're hacked, he notes that the best way to prevent hacking is to lock down computers and restrict what software can run.

Second, the best way to prevent hacking is to lock down workstations and servers and to allow only pre-approved software run on them. Most IT departments have no idea about what is and isn't running on all the computers under their control. Use a software inventory or an application control program to learn what is running, review each active program, approve what is needed, and prevent the rest from running. If you can't take this step, then it's probably a losing battle -- but there are other lesser successful mitigations.

Wednesday, 14 July 2010

Download free chapter from Least Privilege Security for Windows 7, Vista and XP

PACKT have made Chapter 3 – Solving Least Privilege Problems with the Application Compatibility Toolkit – from Least Privilege Security for Windows 7, Vista and XP available as a free download. Click here to download the sample chapter now.

Packt Special Offer on the hardcopy - £33.29 (save 10%) and £22.09 (save 15%) on the eBook. Click here to buy the book now.

Avecto joins forces with Cyber-Ark

Avecto Privilege Guard and Cyber-Ark Privileged Identity Management Suite provide the perfect partnership for an all-round solution for managing privileged access.

By enhancing Cyber-Ark’s market leading Privileged Identity Management (PIM) Suite with Avecto’s advanced Privilege Guard™ solution, joint customers benefit from the industry’s most comprehensive solution for securing, managing and tracking all privileged and administrative activities across an organization’s entire infrastructure, from Windows desktops and laptops, to servers, databases, hypervisors, network devices and any other system within the organization.

MDOP to be licensed as part of Windows InTune for $12/PC

Good news for those trying to implement least-privilege on the desktop. Early 2011 will see the release of Microsoft’s cloud management and security solution for SMBs, Windows InTune. As part of the package, customers will have access to Windows 7 Enterprise upgrade rights ($11/PC monthly), and for an additional dollar, the Microsoft Desktop Optimization Pack (MDOP), which contains several technologies that can ease the transition to least-privilege. InTune is also shaping up to be a good management and security solution for small businesses. For more details see Microsoft’s InTune website.

People ignore policy

Give people an inch, and they take a mile. Having a written IT policy and educating users are important steps in ensuring appropriate use of IT systems. But at the end of the day, controls need to be implemented to guarantee compliance. Kevin Beaver has posted a good example of the reactive nature, and unfortunate consequences, of what he describes as ‘disconnected’ policies on his securityonwheels blog.

The reactive nature of policies that people ignore

Security experts don’t trust least-privilege products

According to Putting limits on users' privileges, some security experts don’t trust least-privilege products on the basis that rogue users or determined hackers can misuse the products to grant themselves unauthorized escalated privileges. Any additional software installed on a PC increases the chances that a user or hacker might compromise a system, so in high security environments, it makes sense to limit the installed software base to an absolute minimum. For the rest of us, while there’s always the possibility that a least-privilege product could introduce a security vulnerability to our systems, running with administrative privileges is far riskier.

Tuesday, 13 July 2010

Just published! Least Privilege Security for Windows 7, Vista and XP - Secure desktops for regulatory compliance and business agility

This is the first book entirely dedicated to the subject of running Least Privilege Security (or standard user accounts) on Windows operating systems in the enterprise. In it you will learn about the benefits Least Privilege brings to organizations, not only in terms of security but also regulatory compliance, improved manageability and operational simplicity.

Least Privilege Security for Windows 7, Vista and XP – Secure desktops for regulatory compliance and business agility