For now, make sure you read up on What’s new in Privilege Guard 3.0

We at Avecto pride ourselves on being a dynamic, agile software house, and for listening to and working closely with our customers. Collaboration is key to maintaining Privilege Guard’s position as the leading solution for delivering least risk desktops and servers, and my thanks go to everyone who contributed to version 3.0.

Special thanks of course must go to our development and QA teams for delivering high quality, innovative software, on time, and to specification. A great start to a very exciting 2012!

You can download Privilege Guard 3.0 by visiting the downloads page. If you aren’t already a customer, make sure you register for a free evaluation. As always, we are keen to hear your thoughts!

A critical component of any privilege management solution is the audit trail, which can be used to generate compliance reports and fine tune policies. Privilege Guard logs a variety of events to the local application event log on each endpoint and these events can then be centrally collected using Microsoft Event Forwarding.

Event Forwarding uses Windows Remote Management (WinRM) and enables you to collect events from remote computers and store them in the forwarded event log of a central event collector server. It is an extremely scalable architecture, which is why the Privilege Guard Reporting Pack has been built around this technology. The new Privilege Guard Event Collector software is simply installed on one or more event collector servers and it will automatically aggregate Privilege Guard events and upload them to a SQL Server.

The Privilege Guard Reporting Pack includes a rich set of preconfigured dashboards and reports for executed applications, elevated applications, blocked applications and discovered applications. The latter gives you a breakdown of the applications in your environment that require admin rights to run and those that only require standard user rights. The dashboards and reports all utilize SQL Reporting Services, which allows you to access the reports from a web browser.

Each dashboard provides information on the top 10 applications, a breakdown of applications by publisher and an activity timeline. The timeframe for a dashboard can be switched between 24 hours, 7 days, 30 days and 12 months, to allow recent activity or trends to be displayed. You can drilldown on the graphs within each dashboard to view detailed application reports. Reports can further be filtered on event type, user, computer, application details and date ranges.

Privilege Guard Reporting Dashboard

First up is Privilege Guard 3.0, with a new look management console that is both striking to look at and wonderfully intuitive. As you move beyond the obvious visual enhancements, you will find full search capabilities, which allow you to quickly locate policy items and navigate to them with ease.

Privilege Guard 3.0 Management Console

Privilege Guard 3.0 Search

As you dig deeper you will find many improvements to the core product. The new policy filters section makes it possible to restrict policies based on any combination of users and groups, computer names and IP addresses (including the ability to check remote desktop connections), time of day and expiry time.

Privilege Guard 3.0 Filters

The comprehensive messaging system has always set the Privilege Guard solution apart from all other privilege management solutions when it comes to the end user experience. With beautifully rendered message previews, a new message designer and even more capabilities, the experience just got even better in version 3.0. You can now let departmental administrators authorize applications for users, or control and audit support desk personnel, who need to gain administrative access to a user’s desktop.

Privilege Guard 3.0 Message Preview

Privilege Guard 3.0 Message Design

We’ve also introduced more application validation options, including parent process checks, and the ability to limit child inheritance to a subset of applications, ensuring that Privilege Guard continues to be the most powerful and flexible privilege management solution on the market.

For shared workstation environments, Privilege Guard can be configured to enable standard users to unlock a workstation, an operation that would usually be restricted to local administrators.

Keep tuned to the Avecto blog over the coming days, as we preview the new Reporting Pack and the new McAfee ePO Integration Pack.

64-bit Windows 7 fares better than its 32-bit counterpart in part due to the inclusion of kernel patch protection, a technology only available in 64-bit Windows 7 that protects the kernel from unauthorized changes. Windows 7 is less likely to be infected overall because of User Account Control (UAC), an umbrella term for a set of technologies that make the OS easier to work with as a standard user or specially protected administrator account (Protected Administrator).

The results reported in SIR v10 for Windows 7 would have been even better if more home users didn’t disable UAC, which is likely what many tech-savvy home and business users do considering the number of articles on the Internet about the evils of UAC and how to turn it off; and hence goes the old adage that people don’t always know what’s good for them. If your users currently run as protected administrators on Windows 7, configure UAC in Group Policy to make it a little harder for them to disable UAC – though it’s worth bearing in mind that if a user has admin rights, Group Policy settings can be circumvented with enough will.

While UAC has some benefits in enterprise computing, it is a user-driven technology. UAC elevation prompts require users to give consent, or provide an admin username and password, to perform administrative tasks, resulting in decisions being made by unqualified staff that affect the integrity and security of the OS.

UAC Protected Administrator accounts provide a lot of flexibility, with a limited degree of security, that wasn’t possible in Windows XP. Once you move to standard user accounts in Windows 7, users can no longer elevate privileges; and all tasks, anticipated or otherwise, must be made to work as a standard user, or IT will have to intervene and provide administrator credentials.

Predicting users’ every move and requirement isn’t possible, so if it’s not acceptable to restrict the computing experience with a standard user account, you’ll either need to leave the default user-driven UAC experience in place or deploy Avecto’s enterprise rights management solution – Privilege Guard.

As well as the ability to assign privileges to individual applications and tasks, Avecto’s software can be configured to allow users to run any process with administrative privileges. UAC prompts can be replaced with custom corporate messages and users can be prompted to provide a valid reason before elevation. An audit trail of privilege elevation events allows administrators to keep track of how privileges are used. Privilege Guard helps companies strike the right balance between the flexibility of user-driven UAC and policy-based IT controls, making Windows 7 more secure and mitigating unnecessary risks.

Running up-to-date anti-virus software, and keeping Windows and other software updated with all of the latest security patches, should prevent infection from most known malware threats. However, the risk of a zero-day attack that includes a kernel-mode rootkit continues to pose the most serious security threat. The ability of a zero-day rootkit to hide itself from security software can make subsequent detection and removal extremely difficult, often resulting in re-imaging of the operating system, assuming that it is even possible to detect the malware infection. The fact that a kernel-mode rootkit could go undetected makes it difficult to fully assess the true scale of the problem.

One important step that can be taken in the fight against zero-day rootkits is to ensure that users log on to their computers with a standard user account. Most kernel-mode rootkits will simply fail to install when the user is logged on with a non-administrator account, as the successful installation of the rootkit will require write access to a secured area of the HKLM hive of the registry. To install under a standard user account the malware would need to discover and then exploit one or more vulnerabilities in the operating system, in order to gain higher privilege levels, making it much more difficult for the malware to infect or spread.

Avecto Privilege Guard enables organizations to implement least privilege, by ensuring users log on with standard user accounts and elevating the individual applications that require privileged access. Any zero-day attacks that are not detected by the anti-virus software will run with the user’s standard rights, making it difficult for the malware to compromise the kernel. Although least privilege can’t protect against all malware threats, it is an extremely effective line of defense against stealthy and persistent threats that attack deep inside the operating system.

On a final note, I would like to mention the innovative new technology that our partner McAfee launched at their Focus11 event in Las Vegas. McAfee DeepSAFE, which was jointly developed with Intel, enables McAfee to build hardware assisted security products. The DeepSAFE technology sits below the operating system, allowing it to detect hidden threats, such as stealth rootkits and Advanced Persistent Threats (APTs). McAfee Deep Defender is the first product to utilize the DeepSAFE technology and is managed with McAfee ePO software. McAfee Labs state that the stealthy malware threat is escalating and that they detect 110,000 new unique rootkits each quarter.

Here at Avecto we are delighted to be working closely with McAfee and we will soon be launching our ePO integrated version of Privilege Guard. I believe that the combination of least privilege with Privilege Guard and hardware-level protection with DeepSAFE, provides a major step forward in the fight against kernel-mode rootkits and other stealthy malware.

Technical personnel sometimes require access to domain controllers, maybe to perform maintenance connected to backup, patching or a one-off task. This leaves security administrators with something of a quandary, as most of the work likely to be carried out requires full administrative access to the DC, and in turn the crown jewels – Active Directory.

Let’s make it simple and start off by saying that it’s not possible to separate AD and administrator permissions on a regular DC. If you need to grant a user domain administrator permissions to complete some work on a DC, you must trust that person with full access to the AD domain. Read-only domain controllers (RODCs) do exactly what they say on the tin and host a read-only copy of the Active Directory database. Wherever possible you should deploy RODCs, as any domain user can be given permission to install and manage the server without privileged access to Active Directory.

Windows IT professionals often assume that the built-in Server Operators group in AD gives the equivalent of local administrator access to DCs without elevated rights to Active Directory. This is not strictly true and any kind of administrative permission on a DC can result in the user gaining privileges to AD. All built-in AD groups that end in ‘Operators’ are legacy groups and shouldn’t be populated unless you have an application that requires it. For example, if you need to grant permission to perform backup duties, create a new group and assign rights as necessary.

One approach you could adopt to grant admin privileges to DCs is to issue a unique username and password each time access is requested. The credentials are assigned to a technician for a given period of time and for an agreed piece of work. This information is recorded and permissions revoked at the end of the allotted session. Setting up the user account and recording the necessary logon session details is often done manually, although can be automated. The person requesting access is responsible for anything that happens during their logon session. Nevertheless, you still need to trust that person with Active Directory.

Depending on the type of work being carried out, a 3rd-party solution, such as Avecto Privilege Guard, could be deployed to allow a standard user to run only pre-approved applications with elevated privileges, greatly reducing the risk involved. Even if a technician must perform a task regularly on a DC, think twice before granting permanent permissions to sensitive production systems and always make sure that all actions are audited.

Signing policies from within the Management Console

Use an exported PFX file to sign a Privilege Guard policy

Delegated Policy Management
Signing policies is achieved through the Privilege Guard Management Console from the right click menu on the ‘Privilege Guard Policies’. Any policies that have previously been signed cannot be edited unless you know the PFX password. This prevents any other domain or local administrators from adding or implementing unwanted policy settings, either within Active Directory or on the local endpoints.

Password must be entered before editing a signed policy

Cached Policy Assurance
The signatures embedded into deployed policies verify that policies stored in the local cache have not been tampered with, adding an extra layer of security on endpoints.

Three Modes of Operation
The Privilege Guard Agent can be installed in one of three operational modes, depending on the level of signed policy enforcement required:

1. Certificate Enforcement Mode – The agent will load correctly signed policies. Unsigned or incorrectly signed policies will not be loaded, and an error will be audited.
2. Certificate Warning Mode – The agent will load correctly signed policies. Unsigned and incorrectly signed policies will also be loaded, but a warning will be audited.
3. Standard Mode – The agent will load both correctly signed and unsigned policies. Incorrectly signed policies will also be loaded, but a warning will be audited.

Policy Auditing
New events have been added which audit all policy activity on the client, including the source, version and security status. Depending on the agent installation mode and state of the policy, the event number and severity will be audited as follows:

New policy auditing events in version 2.8

Signed policies significantly enhance the security of Privilege Guard by restricting which administrators are allowed to modify centrally or locally managed policies, and ensures that cached policies have not been tampered with or overwritten.

– A new application groups view
– A choice of application views
– Inline filtering and highlighting of applications

New Application Groups View

You can now view all application groups in a single view, by selecting the ‘Application Groups’ node in the navigation tree.

Choice of Application Views

There are now three different views for displaying the applications for all application groups or within a particular application group:

1. Summary View – this view shows a summarized description of the matching rules for each application in the group. Only the applied rules are displayed and icons are displayed under each application to show which advanced options have been enabled.

Summary view of all application groups

2. Light View – this view is similar in style to the summary view, but the light view shows only the description of each application within the group.

Light view of all application groups

3. Detailed View – this view shows a detailed list of all application rules and advanced option settings. Color coding is used to clearly indicate which rules and options are being applied.

Detailed view of all application groups

Inline Filtering and Highlighting of Applications

There is now an inline filter control, which allows you to refine the applications being displayed in each view, based on the text you enter into the filter edit box. Only applications that match the text (based on any property) are shown, and the matching text is highlighted.

Instant filtering and highlighted results

The new application group enhancements allow you to quickly locate and identify applications in your policies.

The very nature of a privilege management solution means that it elevates the privileges of processes. In the majority of cases these elevated processes will not provide the user with a way to interfere with the privilege management solution itself. However, in some situations you may want to allow more technical users to elevate command prompts and system management tools, such as the Services console and Registry Editor. At this point, there is a risk that the user could use these tools to tamper with the privilege management solution.

To eliminate this risk, the new anti-tamper mechanism in Privilege Guard dynamically inserts a special protection group into the access tokens of all elevated processes. This protection group is then used to restrict access to the Privilege Guard software, configuration settings and cached policies, relying on native NTFS security to enforce it. In essence, any process that has been elevated by Privilege Guard has no more rights than a standard user if it attempts to interfere with the Privilege Guard solution.

To demonstrate the anti-tamper mechanism in action, let’s see what happens when the user is given access to an elevated command prompt. Although the command prompt below is running with full administrator rights, any attempt to stop the Privilege Guard service, change directory to the Avecto program data directory or tamper with the software binaries, results in an access denied error. Try doing this with any other privilege management solution and don’t be surprised to see a very different result!

Anti-tamper Protection - Command Prompt

Since the anti-tamper mechanism relies on native NTFS security to restrict access based on the special Privilege Guard protection group, it ensures that this protection extends to all elevated applications. For instance, in the screenshots below you will notice that the options to manipulate the Privilege Guard service in the Services console are disabled and any attempt to delete the Avecto registry key in the local machine hive using Registry Editor is denied. Both of these applications are running with full administrative rights, but are incapable of tampering with Privilege Guard.

Anti-tamper Protection - Services Console

Anti-tamper Protection - Registry Editor

As with all other aspects of Privilege Guard messages, both the target URL and the hyperlink text are fully customizable, including multi-lingual support.

Adding hyperlinks to your custom messages is a great way of providing access to additional information or resources for your users, so they understand why they have been presented with the message. This in turn helps to reduce help desk calls and improve the overall end user experience.

You can also use hyperlinks to provide quick access to web based ticketing systems or support desk portals, providing users with one-click access to IT support.

Adding a hyperlink is a simple process of enabling the feature in the relevant message, specifying the URL and defining the display text. You may put a different hyperlink in each message, allowing you to cater for a variety of use cases.