Posted in Application Control, AppLocker, Privilege Guard, Software Installation

Software Licensing for Virtual Desktop Infrastructures and Terminal Servers

Many organizations waste thousands every year on unused software licences. This occurs for a number of reasons, but not least due to the complexity of Microsoft licensing programmes and the need to track license usage across an ever changing IT infrastructure. With the growing popularization of virtual desktop infrastructures (VDIs), monitoring license usage has become more challenging as virtual machines (VMs) can be dynamically created for one-off applications, and software installed on-demand from app stores.

Microsoft has recently changed its licensing to help organizations adopt virtualization technologies. The new Windows Virtual Desktop Access (VDA) licenses are a Software Assurance benefit, or can be purchased for $100 per desktop a year. VDAs provide users of Windows PCs the right to install Windows XP, Vista or 7 in up to 4 VMs. If you’re the primary user of a device covered by VDA, Extended Roaming Rights (ERR) allow you to access a VM from devices not licensed under Software Assurance or VDA, providing that they’re located offsite and don’t belong to the company.

To further help the take-up rate for virtualization, Microsoft has 2 licensing suites that package licences for accessing remote desktop servers, the Microsoft Desktop Optimization Pack (MDOP), System Center Configuration Manager (SCCM), Operations Manager (SCOM) and Virtual Machine Manager.

With the flexibility that VDIs provide, licenses for your line-of-business applications need to be monitored more carefully. While Microsoft’s AppLocker application whitelisting technology for Windows 7 is a security feature, preventing users launching untrusted applications and executables, Privilege Guard’s application control not only provides a unified administration interface for Windows 7, Vista and XP, but is also more flexible than AppLocker. Moving beyond security, Privilege Guard application control can also whitelist or blacklist applications by device, using a hostname or IP address.

Privilege Guard allows organizations to add a whitelist of device names to application control policies to prevent users launching programs installed on VMs or physical PCs, which is especially pertinent for VDIs where devices may greatly outnumber users, and organizations can quickly fall out of compliance with a shortfall of licences.

As licensing can be one of the biggest costs for Windows shops, ensuring that you procure only the number necessary is crucial to keep costs low. Virtualization technologies promise to reduce costs by allowing organizations to dynamically provision desktops to users without the high total cost of ownership traditionally associated with desktop PCs. But your efforts to reduce costs could be in vain if software licensing is not kept in check, and this is where Privilege Guard’s superior application control technology can help.

Posted in Least Privilege

Mitigating Advanced Malware Attacks with Least Privilege

Targeted malware attacks and Advanced Persistent Threats (APTs) are making malware detection and removal much more challenging. It is common knowledge that good security requires a defense-in-depth strategy, as no single solution can provide adequate protection from malware. Traditional approaches to malware detection should still be kept in place, to ensure that known threats and applications that exhibit malicious characteristics are quarantined at the earliest possible stage, but these need to be complemented by more advanced methods and best practices to deal with the ever-changing threat landscape.

One of the biggest steps that can be taken to mitigate malware threats is to implement a least privilege approach. The most dangerous and persistent threats often look to bury themselves deep inside the operating system, using rootkits and other kernel-level techniques. Once malware operates at this level it can cloak itself from security solutions, making subsequent detection and removal extremely difficult.

Posted in Application Control, Desktop Lockdown, Least Privilege

SMEs are not immune to targeted hacking

Security can be a hard sell, and that’s particularly true in small and medium sized organizations (SMEs). A study of threat awareness, carried out by Symantec in 2011, shows that though some SMEs are aware of the security risks posed to information systems, many don’t consider themselves potential targets because hackers are more interested in large corporations and government agencies.

The steady adoption of cloud services over the last few years has allowed Symantec to collect information from its own Symantec.cloud platform to give some insight into the proportion of attacks targeted specifically at SMEs, and it may be surprising to know that 40 per cent of attacks are aimed at small businesses, compared to just 28 per cent at large corporations.

Posted in Application Control, Least Privilege, Privilege Guard, Software Installation

Self-Provisioned Software Installation with Privilege Guard

In addition to elevating the rights of privileged applications and administrative tasks, Privilege Guard can empower users to install approved software. Although most organizations will have some form of centralized software distribution in place, packaging every application for distribution is not always economical and often unnecessary. With Privilege Guard you can easily complement your existing software distribution solution to enable standard users to self-provision any corporate-approved software or, if necessary, give some users an even greater level of autonomy and audit their actions.

Posted in Desktop Lockdown, Least Privilege, Privilege Guard

Welcome to RSA 2012 – and the world of 2012 cybersecurity defences

With the RSA Security Conference now upon us in the US – and with a welter of really interesting announcements coming out of the San Francisco event – I was intrigued to read a guest column from Art Coviello, the executive vice president of EMC, the parent company to RSA Security, on Forbes.

Coviello’s comments – citing the Bob Dylan track, ‘the times, they are a changin’ – are bang on the money, especially when he recommends that IT security now needs to be a board level discussion.

This coincides with our thoughts here at Avecto, as the involvement of a board level discussion on security will help IT security managers to determine the ‘sweet spot’ where the organization has invested in sufficient security to say it has carried out what any reasonable company would do to defend its digital assets.

Posted in Active Directory, Application Control, Desktop Lockdown, Least Privilege, Privilege Guard

Unsecured PCs Can Put Your Critical Infrastructure at Risk

In an ideal world, critical IT systems should never rely on the security of lesser devices. But in practice, computer networks are complicated and many dependencies exist, some of which are more desirable than others, and eliminating all unwanted dependencies is a difficult task.

Windows member servers – i.e. those joined to an Active Directory (AD) domain – and workstations depend on domain controllers (DCs) to manage certain aspects of their security. This is a necessary dependency where a less important device relies on a more critical system.

Unwanted security dependencies tend to appear on networks unexpectedly. For instance, a PC becomes infected with a virus because the user was tricked into running a malicious executable, and an unpatched vulnerability is exploited. As a result, the Exchange Server is also infected and subsequently shut down by the virus. Though we can argue both the PC and server should have been patched, in this situation the server was unlikely to have been infected if the PC had remained secure.

Posted in Privilege Guard

Policy Filtering for Computers and Remote Clients

For version 3.0, we have redesigned how Policy Filters are configured and applied. Two distinct benefits came out of this.

  1. Granular targeting is now a lot more intuitive in terms of applying combinations of Policy Filters.
  2. It is now a lot easier for us to add additional filters to Privilege Guard.

The new Computer Filter allows you to target Privilege Guard Policies based on the hostname or the IP Address of the endpoint. This can be used as an alternative to, or in combination with, Group Policy based computer targeting.

Posted in Desktop Lockdown, Privilege Guard

Allow Standard Users to Unlock Shared Workstations

It is not uncommon for office based computer users to lock their desktop at the end of the working day, instead of shutting it down, maybe just force of habit from bygone days of long logon times. If they are using a Windows domain joined desktop, this poses a problem, because only they can unlock it again and so the desktop is rendered unusable by other users.

If you operate a hotdesk or other shared workstation environment then there’s a good chance your users are regularly experiencing this problem, and historically there were three solutions:

  1. Call IT Support and ask them to ‘unlock’ the desktop for you (local administrators are the only users who can force the logged-on session to logoff).
  2. Hard reset the desktop (which can lead to data corruption, data loss, etc).
  3. Grant computer users local admin rights.

None of these solutions were ideal, as they all came at a cost – either through increased helpdesk calls, or the hidden costs of users possessing excessive rights.

A new feature added to Privilege Guard 3.0, Shared Workstation Unlock, allows you to set policy on which end users are able to unlock a shared workstation or who is not allowed to unlock a workstation. So as well as empowering standard users, you can also restrict local administrators.

Posted in Privilege Guard

UI Enhancements in Version 3.0

Time to show off the new Management Console in Privilege Guard 3.0!

One of the many key differences that set Privilege Guard apart from the rest of the field is our UI and how policies are configured. Not being one to rest on our laurels, we’ve listened a lot to our customers, and injected a lot of innovation into the 3.0 UI. I hope you’ll agree that the results are impressive!

We have a diverse range of customers, including large corporations managing hundreds of thousands of desktops. The Privilege Guard policies for such large rollouts, as you can imagine, are quite complex, so it’s important to understand how we can continue to simplify their initial creation and on-going maintenance.

The entire console has been given an overhaul, and here are just a few of the highlights…

Posted in Privilege Guard

Privilege Guard 3.0 is here!

I am pleased to announce that version 3.0 is now available for download. This release is the product of many months of development, and is packed with new features and enhancements. Keep an eye on our blog over the coming days and weeks as we explore them in more detail.

For now, make sure you read up on What’s new in Privilege Guard 3.0

We at Avecto pride ourselves on being a dynamic, agile software house, and for listening to and working closely with our customers. Collaboration is key to maintaining Privilege Guard’s position as the leading solution for delivering least risk desktops and servers, and my thanks go to everyone who contributed to version 3.0.