Microsoft has recently changed its licensing to help organizations adopt virtualization technologies. The new Windows Virtual Desktop Access (VDA) licenses are a Software Assurance benefit, or can be purchased for $100 per desktop a year. VDAs provide users of Windows PCs the right to install Windows XP, Vista or 7 in up to 4 VMs. If you’re the primary user of a device covered by VDA, Extended Roaming Rights (ERR) allow you to access a VM from devices not licensed under Software Assurance or VDA, providing that they’re located offsite and don’t belong to the company.

To further help the take-up rate for virtualization, Microsoft has 2 licensing suites that package licences for accessing remote desktop servers, the Microsoft Desktop Optimization Pack (MDOP), System Center Configuration Manager (SCCM), Operation Manager (SCOM) and Virtual Machine Manager.

With the flexibility that VDIs provide, licenses for your line-of-business applications need to be monitored more carefully. While Microsoft’s AppLocker application whitelisting technology for Windows 7 is a security feature, preventing users launching untrusted applications and executables, Privilege Guard’s application control not only provides a unified administration interface for Windows 7, Vista and XP, but is also more flexible than AppLocker. Moving beyond security, Privilege Guard application control can also whitelist or blacklist applications by device, using a hostname or IP address.

Privilege Guard allows organizations to add a whitelist of device names to application control policies to prevent users launching programs installed on VMs or physical PCs, which is especially pertinent for VDIs where devices may greatly outnumber users, and organizations can quickly fall out of compliance with a shortfall of licences.

As licensing can be one of the biggest costs for Windows shops, ensuring that you procure only the number necessary is crucial to keep costs low. Virtualization technologies promise to reduce costs by allowing organizations to dynamically provision desktops to users without the high total cost of ownership traditionally associated with desktop PCs. But your efforts to reduce costs could be in vain if software licensing is not kept in check, and this is where Privilege Guard’s superior application control technology can help.

Although you can authorize individual software packages with Privilege Guard, it may be more appropriate to allow a group of users to install software from a network share, as this is extremely simple to setup and maintain. The users should only be given read and execute access to this share, enabling them to launch any software packages that are made available by the IT department. A couple of simple rules can be added to Privilege Guard to automatically elevate any executables or installer packages that reside in the shared folder.

Approved Software Application Definition

You could easily extend this principle to be more granular, such as creating a set of folders within this share for different roles and then ensuring that the software installers are only elevated for the relevant groups of users.

Blocked Software Installation

This can be taken a stage further by blocking software installers for those users who should not have access to them. You can achieve this by adding a simple “catch all” policy to block all installations from the software share, which should be placed at the end of the policies and applied to all users (policy precedence will ensure that this policy will only match if a higher precedence policy has not matched first). A suitable message should be displayed to the user, with instructions on gaining access to the software, assuming they have a legitimate business purpose. You may optionally allow the user to email a request for an application or you can provide a
hyper-link in the message that directs the user to an appropriate web site, such as a help desk portal.

Software Publisher and Product Information

You may need to allow some users to install authorized software directly from the internet. The recommend way to define policies for this purpose is to make use of the publisher rule, as opposed to the filename rule, and then combine this with other product rules, as required. For instance, we could allow the user to install all software signed by a particular vendor.

You could extend this rule to make it specific to a particular product by using the product name or product description, and you can optionally include a check for specific versions of the product or a minimum version.

In addition to elevating installation packages you can also specify rules to block the installation of software that you do not want users installing, as some software packages do not require administrative rights to be installed, as they install within the user’s profile.

On Demand Software Installation

For users with more flexible requirements, you can create an “on demand” policy where users are trusted to make their own decisions on software installations. This should be configured with a custom message, to warn the user of their actions and ask them for a reason, which is then audited. You may optionally force a user to re-authenticate before installing the software to ensure that they self-approved the installation.

Even with an on demand policy you can still prevent these users from installing certain software packages, by creating a higher precedence policy that blocks the installation of any unauthorized software. Alternatively, you can delegate the on-demand installation of software to an appropriate group of staff, such as departmental heads, who would need to authorize the installation on the user’s behalf.

Blocked ActiveX Installation

Privilege Guard can also handle the installation of ActiveX controls. For ActiveX controls, the primary rule to match on is the URL of the codebase. The URL can point to a specific codebase or a more general URL can be used to match multiple ActiveX controls hosted on a site. It’s a good idea to insert a catch all rule for ActiveX controls that blocks access to any ActiveX controls that have not been defined in the policy. This will provide the user with a corporate message and instructions on how they should request access to the blocked ActiveX control if they have a legitimate business reason for installing it.

On Demand ActiveX Installation

As with “on demand” software installation, users with more flexible requirements can be authorized to install any ActiveX control. This should be configured with a custom message and audit trail, to ensure that the user is warned of their actions, and you may optionally force the user to re-authenticate. Remember that you can still block access to unauthorized ActiveX controls with a higher precedence policy.

The end user experience is a crucial element when allowing users to self-provision software, whether you are asking a user to justify their actions before proceeding, or blocking the installation of a software package and giving the user meaningful feedback and direction. Small touches, like strong corporate branding in end user messages, ensure that users pay more attention than when presented with a standard Windows message. You can define any number of end user messages in Privilege Guard, with corporate branding, multi-lingual configuration of all text elements and control over many other aspects, such as re-authentication and asking for justification before proceeding. It is always better to display a message that is relevant to a user’s actions, as opposed to a broad generic message, as this will lead to an improved end user experience and a reduction in help desk calls.

Coviello’s comments – citing the Bob Dylan track, `the times, they are a changin’ – are bang on the money, especially when he recommends that IT security now needs to be a board level discussion.

This coincides with our thoughts here at Avecto, as the involvement of a board level discussion on security will help IT security managers to determine the `sweet spot’ where the organization has invested in sufficient security to say it has carried out what any reasonable company would do to defend its digital assets.

And in today’s security governance-rich environment, the expensive cost of reaching that sweet spot can be lowered by adopting a multi-layered approach to IT security and so help to ensure that the advantages of one type of security can offset the disadvantage – namely the weak spots – of another system.

At the risk of sounding like an accountant, this all comes down to the risk/reward balancing game which Coviello hints at in his column, but with the additional factor of cost entering the equation.

The EMC/RSA chief is, of course, quite correct in his assertion that the security world is changing, but our belief is that it’s not just about balancing risk with security, it’s also about balancing the cost of the security against the reward in terms of the level of security assurance that the expenditure will generate for a typical company.

And whilst there is no such thing as absolute IT security in today’s multi-vectored threat landscape, it is clear that multiple layers of defence can often produce a better overall return on investment curve than if just one or two layers of security are involved.

Our experience suggests that treating the governance levels of, for example, the PCI Security Standards Council as a starting point in security terms and working upwards – depending on the risk/cost/reward stance your organisation is prepared to invest in – is the best way forward.

And when you factor in Coviello’s sound advice that you need to continue to evolve your organisation’s thinking about security – working on the premise that shared knowledge is a powerful advantage – you realise that adding extra layers of defenses – such as a Windows privileged account management system that lowers your security risk profile – can help tremendously in the risk/cost/reward stakes.

The ideal solution is to apply least privilege principles to as many users as possible, with specific members of staff having limited access to admin facilities and, even then, only on the specific applications they need access to on a regular basis.

Our approach with Windows privilege management is to give users only the access and privileges they need to complete the task at hand. In most cases this will be for specific applications, tasks or scripts, and by assigning specific rights to those applications, you no longer need to give them to users. As Windows security expert Russell Smith, explains in his book ‘Least Privilege Security for Windows7, Vista and XP’, taking away user privileges can be similar to taking a toy away from a small child. Bottom line is that user expectations have a real impact on the security of any organization, so empowering them to perform their role without compromising the integrity or security of their systems makes good financial sense.

As Coviello says in his column, as cyber threats escalate, we must invest in building a cybersecurity workforce with the requisite skills to defend enterprises, governments, and critical infrastructures.

And whilst – again as the EMC/RSA chief against observes – these individuals need a 360-degree view of security that combines computer science, risk assessment, analytics, digital forensics, and human behaviour – it should also be clear that the addition of multiple layers of security can only enhance the risk/cost/reward ratios.

Even if you’re not a board level professional, that should still make you smile.

For more on Art Coviello’s words of wisdom: http://onforb.es/yk5f32

Windows member servers – i.e. those joined to an Active Directory (AD) domain – and workstations depend on domain controllers (DCs) to manage certain aspects of their security. This is a necessary dependency where a less important device relies on a more critical system.

Unwanted security dependencies tend to appear on networks unexpectedly. For instance, a PC becomes infected with a virus because the user was tricked into running a malicious executable, and an unpatched vulnerability is exploited. As a result, the Exchange Server is also infected and subsequently shut down by the virus. Though we can argue both the PC and server should have been patched, in this situation the server was unlikely to have been infected if the PC had remained secure.

I was recently reminded about the DNS Changer trojan that first appeared in 2008 and mutated into various different forms. The virus attempts to change a PC’s DNS settings to redirect internet traffic, and failing that, scans the local network in an effort to discover the admin credentials and change the DNS configuration of gateway routers. This is an unfortunate example of where a critical network device becomes dependent on a PC for its security, in turn compromising the integrity of all devices connected to the router. Another variant of the trojan sets up a DHCP server on infected PCs and attempts to intercept DHCP requests on the local network and respond with bogus DNS settings to devices looking for valid DNS configuration.

To change DNS configuration on Windows, administrative rights are required; so a standard user account stops DNS Changer dead in its tracks. Secondly, with application whitelisting in place, DNS Changer wouldn’t be able to run at all, preventing it from scanning the network for vulnerable devices.

While SANS Internet Storm Center issued reactive advice at the time to block traffic to IP addresses known to host the malicious DNS servers, a proactive approach to prevent PCs being infected in the first place is always preferable. Antivirus should also be capable of stopping DNS Changer, but why rely solely on AV to protect your systems, especially with the speed at which malware mutates and sophisticated techniques used to evade detection.

Users often think that what happens on their network-connected PC or other device cannot affect the security of other systems, let alone critical servers and network hardware. But as you’ve read in this blog post, users and management should understand that once a device is connected to the network it does not exist in isolation, and least privilege security and application whitelisting technologies, such as those provided by Avecto Privilege Guard, are needed to protect the IT infrastructure at large.

1. Granular targeting is now a lot more intuitive in terms of applying combinations of Policy Filters.
2. It is now a lot easier for us to add additional filters to Privilege Guard.

The new Computer Filter allows you to target Privilege Guard Policies based on the hostname or the IP Address of the endpoint. This can be used as an alternative to, or in combination with, Group Policy based computer targeting.

Policy Filters in 3.0

Hostnames can be defined as an explicit list in each Computer Policy or, if you use a naming convention within your infrastructure, you can use wildcards to target a wider scope of computers.

If you prefer to use IP Addresses, then these can also be defined as explicit lists. You can also add wild cards and ranges to any octet in the IP Address, for example:

Apply IP Address Filters using Wildcards

In addition to local computers, Privilege Guard Policies can also target privileges based on remote clients connecting via Remote Desktop Services. This means that privileges can be granted or revoked depending on the relative location of the user.

For example, you can now grant admin rights for an application, script or task to a user who is connecting from within the corporate network (based on IP Address), but prohibit admin rights to the same user if they are connecting through a tunnelled VPN.

Used in combination with application whitelisting, the Computer Filter can also be used to restrict access to corporate applications licensed under volume license and client license agreements.

We will be adding more filters to Privilege Guard throughout 2012, so make sure you subscribe to our blog and keep up to date with new developments from Avecto!

If you operate a hotdesk or other shared workstation environment then there’s a good chance your users are regularly experiencing this problem, and historically there were three solutions:

1. Call IT Support and ask them to ‘unlock’ the desktop for you (local administrators are the only users who can force the logged-on session to logoff).
2. Hard reset the desktop (which can lead to data corruption, data loss, etc).
3. Grant computer users local admin rights.

None of these solutions were ideal, as they all came at a cost – either through increased helpdesk calls, or the hidden costs of users possessing excessive rights.

A new feature added to Privilege Guard 3.0, Shared Workstation Unlock, allows you to set policy on which end users are able to unlock a shared workstation or who is not allowed to unlock a workstation. So as well as empowering standard users, you can also restrict local administrators.

Shared Workstation Unlock is driven by Privilege Guard Policies, and leverages the flexible filtering rules that define when and where policy is applied. So granting or revoking Shared Workstation Unlock privileges can be based on any combination of:

• User name and user group membership
• Computer name or IP Address
• Date and time range
• Time expiry date

Configuring Shared Workstation Unlock is easy, and anyone accustomed with Group Policy settings should find the logic familiar. For any Privilege Guard Policy, open the Policy Options dialog and you will find a tri-state option under Workstation:

• Not Configured – Privilege Guard will ignore this policy and move on to the next policy.
• User can unlock a shared workstation – Privilege Guard will allow the user to unlock the shared workstation.
• User cannot unlock a shared workstation – Privilege Guard will prevent the user from unlocking the shared workstation.

Shared Workstation Unlock significantly reduces support costs by allowing standard users to unlock desktops in shared workstation environments without having to grant local admin rights.

One of the many key differences that set Privilege Guard apart from the rest of the field is our UI and how policies are configured. Not being one to rest on our laurels, we’ve listened a lot to our customers, and injected a lot of innovation onto the 3.0 UI. I hope you’ll agree that the results are impressive!

We have a diverse range of customers, including large corporations managing hundreds of thousands of desktops. The Privilege Guard policies for such large rollouts, as you can imagine, are quite complex, so it’s important to understand how we can continue to simplify their initial creation and on-going maintenance.

The entire console has been given an overhaul, and here are just a few of the highlights…

Summary Views
This is a feature we introduced to Application groups in V2.8. The positive feedback we got led to the rollout of summary views to the rest of the management console. I’ll let the pictures do the talking.

All views offer an alternate ‘Detailed’ view, which will show configuration settings in a color coded table format. Whatever your preference is, you can easily set it from the Views drop-down  menu.

Instant Search and Drilldown
Another feature originally introduced in 2.8, instant search in Application Groups, has been expanded across the entire policy. All areas of the console now include an instant search box, from the top level node for policy wide searches, down to searches within specific areas.

As you start typing, the console automatically switches to a results view displaying settings that match your text entry. The more you type, the more refined the results become. The results view will also highlight where the matching property is.

Instant Search in Version 3.0

In this example, I have entered the word ’disk’ into the top level instant search box. You can see that matches have been found within the ‘Admin tasks’ application group, as well as the policies where that group has been used. Instant search will find matches in any area of your settings.

When you have found the setting or property you are looking for, simply double click it to drill down into the actual setting.

Instant Message Previews
Another key advantage of Privilege Guard is powerful end user messaging. Our unique message customization feature allows you to personalize almost every aspect of the message box, from text strings, colors and styles to full corporate branding. You can also define which features and elements are used for each custom message you create.

Message Previews in Version 3.0

To simplify the creation and updating of custom messages, we have added instant preview. So as you are making changes to your message, the preview updates in real-time to help you create the exact look and feel you require. If you want to see the message is action, just click on the instant preview.

So the leading solution for managing privileges has just got a whole lot better looking. Why choose between style and substance, when you can have both!

For now, make sure you read up on What’s new in Privilege Guard 3.0

We at Avecto pride ourselves on being a dynamic, agile software house, and for listening to and working closely with our customers. Collaboration is key to maintaining Privilege Guard’s position as the leading solution for delivering least risk desktops and servers, and my thanks go to everyone who contributed to version 3.0.

Special thanks of course must go to our development and QA teams for delivering high quality, innovative software, on time, and to specification. A great start to a very exciting 2012!

You can download Privilege Guard 3.0 by visiting the downloads page. If you aren’t already a customer, make sure you register for a free evaluation. As always, we are keen to hear your thoughts!

A critical component of any privilege management solution is the audit trail, which can be used to generate compliance reports and fine tune policies. Privilege Guard logs a variety of events to the local application event log on each endpoint and these events can then be centrally collected using Microsoft Event Forwarding.

Event Forwarding uses Windows Remote Management (WinRM) and enables you to collect events from remote computers and store them in the forwarded event log of a central event collector server. It is an extremely scalable architecture, which is why the Privilege Guard Reporting Pack has been built around this technology. The new Privilege Guard Event Collector software is simply installed on one or more event collector servers and it will automatically aggregate Privilege Guard events and upload them to a SQL Server.

The Privilege Guard Reporting Pack includes a rich set of preconfigured dashboards and reports for executed applications, elevated applications, blocked applications and discovered applications. The latter gives you a breakdown of the applications in your environment that require admin rights to run and those that only require standard user rights. The dashboards and reports all utilize SQL Reporting Services, which allows you to access the reports from a web browser.

Each dashboard provides information on the top 10 applications, a breakdown of applications by publisher and an activity timeline. The timeframe for a dashboard can be switched between 24 hours, 7 days, 30 days and 12 months, to allow recent activity or trends to be displayed. You can drilldown on the graphs within each dashboard to view detailed application reports. Reports can further be filtered on event type, user, computer, application details and date ranges.

Privilege Guard Reporting Dashboard

First up is Privilege Guard 3.0, with a new look management console that is both striking to look at and wonderfully intuitive. As you move beyond the obvious visual enhancements, you will find full search capabilities, which allow you to quickly locate policy items and navigate to them with ease.

Privilege Guard 3.0 Management Console

Privilege Guard 3.0 Search

As you dig deeper you will find many improvements to the core product. The new policy filters section makes it possible to restrict policies based on any combination of users and groups, computer names and IP addresses (including the ability to check remote desktop connections), time of day and expiry time.

Privilege Guard 3.0 Filters

The comprehensive messaging system has always set the Privilege Guard solution apart from all other privilege management solutions when it comes to the end user experience. With beautifully rendered message previews, a new message designer and even more capabilities, the experience just got even better in version 3.0. You can now let departmental administrators authorize applications for users, or control and audit support desk personnel, who need to gain administrative access to a user’s desktop.

Privilege Guard 3.0 Message Preview

Privilege Guard 3.0 Message Design

We’ve also introduced more application validation options, including parent process checks, and the ability to limit child inheritance to a subset of applications, ensuring that Privilege Guard continues to be the most powerful and flexible privilege management solution on the market.

For shared workstation environments, Privilege Guard can be configured to enable standard users to unlock a workstation, an operation that would usually be restricted to local administrators.

Keep tuned to the Avecto blog over the coming days, as we preview the new Reporting Pack and the new McAfee ePO Integration Pack.