<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Avecto.com</title>
	<atom:link href="http://www.avecto.com/blog/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.avecto.com/blog</link>
	<description>Windows Privilege Management Blog</description>
	<lastBuildDate>Wed, 09 May 2012 07:36:36 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.2.1</generator>
		<item>
		<title>Software Licensing for Virtual Desktop Infrastructures and Terminal Servers</title>
		<link>http://www.avecto.com/blog/2012/05/software-licensing-for-virtual-desktop-infrastructures-and-terminal-servers/</link>
		<comments>http://www.avecto.com/blog/2012/05/software-licensing-for-virtual-desktop-infrastructures-and-terminal-servers/#comments</comments>
		<pubDate>Tue, 08 May 2012 15:29:58 +0000</pubDate>
		<dc:creator>Russell Smith</dc:creator>
				<category><![CDATA[Application Control]]></category>
		<category><![CDATA[AppLocker]]></category>
		<category><![CDATA[Privilege Guard]]></category>
		<category><![CDATA[Software Installation]]></category>

		<guid isPermaLink="false">http://www.avecto.com/blog/?p=1640</guid>
		<description><![CDATA[Many organizations waste thousands every year on unused software licences. This occurs for a number of reasons, but not least due to the complexity of Microsoft licensing programmes and the need to track license usage across an ever changing IT &#8230; <a href="http://www.avecto.com/blog/2012/05/software-licensing-for-virtual-desktop-infrastructures-and-terminal-servers/">Continue reading <span class="meta-nav">&#8594;</span></a>]]></description>
			<content:encoded><![CDATA[<p>Many organizations waste thousands every year on unused software licences. This occurs for a number of reasons, but not least due to the complexity of Microsoft licensing programmes and the need to track license usage across an ever changing IT infrastructure. With the growing popularization of virtual desktop infrastructures (VDIs), monitoring license usage has become more challenging as virtual machines (VMs) can be dynamically created for one-off applications, and software installed on-demand from app stores.</p>
<p>Microsoft has recently changed its licensing to help organizations adopt virtualization technologies. The new Windows Virtual Desktop Access (VDA) licenses are a Software Assurance benefit, or can be purchased for $100 per desktop a year. VDAs provide users of Windows PCs the right to install Windows XP, Vista or 7 in up to 4 VMs. If you’re the primary user of a device covered by VDA, Extended Roaming Rights (ERR) allow you to access a VM from devices not licensed under Software Assurance or VDA, providing that they’re located offsite and don’t belong to the company.</p>
<p>To further help the take-up rate for virtualization, Microsoft has 2 licensing suites that package licences for accessing remote desktop servers, the Microsoft Desktop Optimization Pack (MDOP), System Center Configuration Manager (SCCM), Operations Manager (SCOM) and Virtual Machine Manager.</p>
<p>With the flexibility that VDIs provide, licenses for your line-of-business applications need to be monitored more carefully. While Microsoft’s AppLocker application whitelisting technology for Windows 7 is a security feature, preventing users launching untrusted applications and executables, Privilege Guard’s application control not only provides a unified administration interface for Windows 7, Vista and XP, but is also more flexible than AppLocker. Moving beyond security, Privilege Guard application control can also whitelist or blacklist applications by device, using a hostname or IP address.</p>
<p>Privilege Guard allows organizations to add a whitelist of device names to application control policies to prevent users launching programs installed on VMs or physical PCs, which is especially pertinent for VDIs where devices may greatly outnumber users, and organizations can quickly fall out of compliance with a shortfall of licences.</p>
<p>As licensing can be one of the biggest costs for Windows shops, ensuring that you procure only the number necessary is crucial to keep costs low. Virtualization technologies promise to reduce costs by allowing organizations to dynamically provision desktops to users without the high total cost of ownership traditionally associated with desktop PCs. But your efforts to reduce costs could be in vain if software licensing is not kept in check, and this is where Privilege Guard’s superior application control technology can help.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.avecto.com/blog/2012/05/software-licensing-for-virtual-desktop-infrastructures-and-terminal-servers/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Mitigating Advanced Malware Attacks with Least Privilege</title>
		<link>http://www.avecto.com/blog/2012/04/mitigating-advanced-malware-attacks-with-least-privilege/</link>
		<comments>http://www.avecto.com/blog/2012/04/mitigating-advanced-malware-attacks-with-least-privilege/#comments</comments>
		<pubDate>Mon, 23 Apr 2012 07:28:28 +0000</pubDate>
		<dc:creator>Mark Austin</dc:creator>
				<category><![CDATA[Least Privilege]]></category>

		<guid isPermaLink="false">http://www.avecto.com/blog/?p=1593</guid>
		<description><![CDATA[Targeted malware attacks and Advanced Persistent Threats (APTs) are making malware detection and removal much more challenging. It is common knowledge that good security requires a defense-in-depth strategy, as no single solution can provide adequate protection from malware. Traditional approaches &#8230; <a href="http://www.avecto.com/blog/2012/04/mitigating-advanced-malware-attacks-with-least-privilege/">Continue reading <span class="meta-nav">&#8594;</span></a>]]></description>
			<content:encoded><![CDATA[<p>Targeted malware attacks and Advanced Persistent Threats (APTs) are making malware detection and removal much more challenging. It is common knowledge that good security requires a defense-in-depth strategy, as no single solution can provide adequate protection from malware. Traditional approaches to malware detection should still be kept in place, to ensure that known threats and applications that exhibit malicious characteristics are quarantined at the earliest possible stage, but these need to be complemented by more advanced methods and best practices to deal with the ever-changing threat landscape.</p>
<p>One of the biggest steps that can be taken to mitigate malware threats is to implement a least privilege approach. The most dangerous and persistent threats often look to bury themselves deep inside the operating system, using rootkits and other kernel-level techniques. Once malware operates at this level it can cloak itself from security solutions, making subsequent detection and removal extremely difficult.<span id="more-1593"></span></p>
<p>In order for malware to infect the kernel it must run in a privileged context or gain access to a privileged account, such as a local administrator or SYSTEM account. If a user logs on with a local administrator account then malware can gain access to a privileged context with ease, whereas if a user logs on with a standard user account it becomes much more difficult for the malware to gain privileged access to the system. It&#8217;s no surprise that over 90% of Microsoft&#8217;s critical vulnerabilities state that users who log on to systems with fewer privileges will be less impacted.</p>
<p>So if least privilege is such a good way to mitigate malware threats then why do so many users still log on with local administrator accounts?</p>
<p>The answer is the age-old problem of getting the right balance between security and usability. The more a system is locked down the more secure it becomes, but usability starts to suffer. Taking this to the extreme, if you were to remove the Internet connection and disallow removable storage devices then an endpoint would become extremely secure, but it would become unusable in the interconnected world we live in today. The removal of local administrator rights from a user may not seem quite so extreme, but many users will simply struggle to perform their role or at best will be faced with frequent over-the-shoulder administration, leading to frustration and a loss of productivity.</p>
<p>A privilege management solution is required to strike the balance between the two extremes of standard user and local administrator rights. Instead of assigning privileges to a user&#8217;s account, the necessary privileges are assigned directly to the applications that actually require them, based on centrally managed policies. This approach ensures that malware will find it extremely difficult to gain access to a privileged account, because all users log on with standard user accounts. Moreover, only the applications that require elevated privileges are granted them, which significantly reduces the application attack surface.</p>
<p>In addition to increasing the risk of malware infection, users who log on with local administrator accounts will significantly reduce the effectiveness of many security solutions, as they are more likely to be compromised, although few vendors will point this out.</p>
<p>Embracing least privilege will not only increase the security posture of the endpoint, it will also lead to reduced desktop operating costs, as under-locked or over-locked desktops are more costly to support. So now you have two very good reasons to implement least privilege &#8211; reduced malware threats and reduced operating costs. Improved security doesn&#8217;t have to come at a price &#8211; with a well-managed least privilege solution you can save money and improve user satisfaction too!</p>
]]></content:encoded>
			<wfw:commentRss>http://www.avecto.com/blog/2012/04/mitigating-advanced-malware-attacks-with-least-privilege/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>SMEs are not immune to targeted hacking</title>
		<link>http://www.avecto.com/blog/2012/04/smes-are-not-immune-to-targeted-hacking/</link>
		<comments>http://www.avecto.com/blog/2012/04/smes-are-not-immune-to-targeted-hacking/#comments</comments>
		<pubDate>Mon, 02 Apr 2012 09:07:09 +0000</pubDate>
		<dc:creator>Russell Smith</dc:creator>
				<category><![CDATA[Application Control]]></category>
		<category><![CDATA[Desktop Lockdown]]></category>
		<category><![CDATA[Least Privilege]]></category>

		<guid isPermaLink="false">http://www.avecto.com/blog/?p=1585</guid>
		<description><![CDATA[Security can be a hard sell, and that’s particularly true in small and medium sized organizations (SMEs). A study of threat awareness, carried out by Symantec in 2011, shows that though some SMEs are aware of the security risks posed &#8230; <a href="http://www.avecto.com/blog/2012/04/smes-are-not-immune-to-targeted-hacking/">Continue reading <span class="meta-nav">&#8594;</span></a>]]></description>
			<content:encoded><![CDATA[<p>Security can be a hard sell, and that’s particularly true in small and medium sized organizations (SMEs). A study of threat awareness, carried out by Symantec in 2011, shows that though some SMEs are aware of the security risks posed to information systems, many don’t consider themselves potential targets because hackers are more interested in large corporations and government agencies.</p>
<p>The steady adoption of cloud services over the last few years has allowed Symantec to collect information from its own <em>Symantec.cloud</em> platform to give some insight into the proportion of attacks targeted specifically at SMEs, and it may be surprising to know that 40 per cent of attacks are aimed at small businesses, compared to just 28 per cent at large corporations.<span id="more-1585"></span></p>
<p>The days when malware was distributed in the hope of randomly gaining access to any organization’s systems are gradually passing in favour of targeted attacks. Hackers design malware to target a specific person, group, business or industry with the aim of <em>phishing</em> valuable data, sometimes known as <em>spear phishing</em> in the context of targeted attacks.</p>
<p>One of the most common types of targeted attack is to send a document in an email that looks as if it’s intended specifically for the recipient with some relevant content. The document exploits an unpatched operating system or application vulnerability on the recipient’s PC, so if the document is opened, a backdoor Trojan is dropped onto the PC to gain further access to the company’s systems.</p>
<p>SMEs provide hackers with a low-risk alternative to corporations, and tend to be easier to attack as they don’t have the same amount of resources available to protect their systems. Larger corporations and government agencies often have the additional advantage of forensic systems that collect data which can later be used as evidence should their systems be compromised. While many corporations are already hacked &#8211; or <em>owned</em> &#8211; but don’t know it, when it does eventually come to light that there’s been a security breach, there’s more likely to be some data available that can be used to identify the source of the hack.</p>
<p>However, large corporations shouldn’t rest on their laurels, as Shawn Henry, outgoing chief cyber security official at the FBI, says:</p>
<p><em>&#8220;Too many companies, from major multinationals to small start-ups, fail to recognize the financial and legal risks they are taking &#8211; or the costs they may have already suffered unknowingly—by operating vulnerable networks.&#8221;</em></p>
<p>Companies can bolster security by protecting endpoints. In addition to installing and keeping antivirus software up-to-date, removing administrative privileges from users significantly reduces the attack surface and damage that malware can inflict should a PC be infected. Application whitelisting can further lower the risk by ensuring that employees are only allowed to run authorized programs. Patching the operating system and applications is equally important to stop malware leveraging known vulnerabilities.</p>
<p>Symantec’s SMB Threat Awareness Poll can be downloaded here: <a href="http://www.symantec.com/about/news/release/article.jsp?prid=20111116_01">http://www.symantec.com/about/news/release/article.jsp?prid=20111116_01</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.avecto.com/blog/2012/04/smes-are-not-immune-to-targeted-hacking/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Self-Provisioned Software Installation with Privilege Guard</title>
		<link>http://www.avecto.com/blog/2012/03/self-provisioned-software-installation-with-privilege-guard/</link>
		<comments>http://www.avecto.com/blog/2012/03/self-provisioned-software-installation-with-privilege-guard/#comments</comments>
		<pubDate>Fri, 23 Mar 2012 10:44:52 +0000</pubDate>
		<dc:creator>Mark Austin</dc:creator>
				<category><![CDATA[Application Control]]></category>
		<category><![CDATA[Least Privilege]]></category>
		<category><![CDATA[Privilege Guard]]></category>
		<category><![CDATA[Software Installation]]></category>

		<guid isPermaLink="false">http://www.avecto.com/blog/?p=1432</guid>
		<description><![CDATA[In addition to elevating the rights of privileged applications and administrative tasks, Privilege Guard can empower users to install approved software. Although most organizations will have some form of centralized software distribution in place, packaging every application for distribution is &#8230; <a href="http://www.avecto.com/blog/2012/03/self-provisioned-software-installation-with-privilege-guard/">Continue reading <span class="meta-nav">&#8594;</span></a>]]></description>
			<content:encoded><![CDATA[<p>In addition to elevating the rights of privileged applications and administrative tasks, Privilege Guard can empower users to install approved software. Although most organizations will have some form of centralized software distribution in place, packaging every application for distribution is not always economical and often unnecessary. With Privilege Guard you can easily complement your existing software distribution solution to enable standard users to self-provision any corporate approved software or if necessary give some users an even greater level of autonomy and audit their actions.<span id="more-1432"></span></p>
<p>Although you can authorize individual software packages with Privilege Guard, it may be more appropriate to allow a group of users to install software from a network share, as this is extremely simple to set up and maintain. The users should only be given read and execute access to this share, enabling them to launch any software packages that are made available by the IT department. A couple of simple rules can be added to Privilege Guard to automatically elevate any executables or installer packages that reside in the shared folder.</p>
<div id="attachment_1574" class="wp-caption alignnone" style="width: 561px"><a href="http://www.avecto.com/blog/?attachment_id=1574"><img src="http://www.avecto.com/blog/wp-content/uploads/2012/03/ApprovedSoftwareRules1.png" alt="Approved Software Application Definition" title="Approved Software Application Definition" width="551" height="137" class="size-full wp-image-1574" /></a><p class="wp-caption-text">Approved Software Application Definition</p></div>
<p>You could easily extend this principle to be more granular, such as creating a set of folders within this share for different roles and then ensuring that the software installers are only elevated for the relevant groups of users. </p>
<div id="attachment_1578" class="wp-caption alignright" style="width: 310px"><a href="http://www.avecto.com/blog/?attachment_id=1578"><img src="http://www.avecto.com/blog/wp-content/uploads/2012/03/InstallBlocked-300x171.png" alt="Blocked Software Installation" title="Blocked Software Installation" width="300" height="171" class="size-medium wp-image-1578" /></a><p class="wp-caption-text">Blocked Software Installation</p></div>
<p>This can be taken a stage further by blocking software installers for those users who should not have access to them. You can achieve this by adding a simple “catch all” policy to block all installations from the software share, which should be placed at the end of the policies and applied to all users (policy precedence will ensure that this policy will only match if a higher precedence policy has not matched first). A suitable message should be displayed to the user, with instructions on gaining access to the software, assuming they have a legitimate business purpose. You may optionally allow the user to email a request for an application or you can provide a hyperlink in the message that directs the user to an appropriate web site, such as a help desk portal.</p>
<div id="attachment_1472" class="wp-caption alignleft" style="width: 299px"><a href="http://www.avecto.com/blog/2012/03/self-provisioned-software-installation-with-privilege-guard/publisherproductrules/" rel="attachment wp-att-1472"><img src="http://www.avecto.com/blog/wp-content/uploads/2012/03/PublisherProductRules-289x300.png" alt="Software Publisher and Product Information" title="Software Publisher and Product Information" width="289" height="300" class="size-medium wp-image-1472" /></a><p class="wp-caption-text">Software Publisher and Product Information</p></div>
<p>You may need to allow some users to install authorized software directly from the internet. The recommended way to define policies for this purpose is to make use of the publisher rule, as opposed to the filename rule, and then combine this with other product rules, as required. For instance, we could allow the user to install all software signed by a particular vendor.</p>
<p>You could extend this rule to make it specific to a particular product by using the product name or product description, and you can optionally include a check for specific versions of the product or a minimum version.</p>
<p>In addition to elevating installation packages you can also specify rules to block the installation of software that you do not want users installing. This matters because some software packages install within the user&#8217;s profile and so do not require administrative rights to be installed.</p>
<div id="attachment_1524" class="wp-caption alignright" style="width: 310px"><a href="http://www.avecto.com/blog/2012/03/self-provisioned-software-installation-with-privilege-guard/ondemandprompt/" rel="attachment wp-att-1524"><img src="http://www.avecto.com/blog/wp-content/uploads/2012/03/OnDemandPrompt-300x283.png" alt="On Demand Software Installation" title="On Demand Software Installation" width="300" height="283" class="size-medium wp-image-1524" /></a><p class="wp-caption-text">On Demand Software Installation</p></div>
<p>For users with more flexible requirements, you can create an “on demand” policy where users are trusted to make their own decisions on software installations. This should be configured with a custom message, to warn the user of their actions and ask them for a reason, which is then audited. You may optionally force a user to re-authenticate before installing the software to ensure that they self-approved the installation.</p>
<p>Even with an on demand policy you can still prevent these users from installing certain software packages, by creating a higher precedence policy that blocks the installation of any unauthorized software. Alternatively, you can delegate the on-demand installation of software to an appropriate group of staff, such as departmental heads, who would need to authorize the installation on the user’s behalf.</p>
<div id="attachment_1520" class="wp-caption alignright" style="width: 310px"><a href="http://www.avecto.com/blog/2012/03/self-provisioned-software-installation-with-privilege-guard/activexblocked/" rel="attachment wp-att-1520"><img src="http://www.avecto.com/blog/wp-content/uploads/2012/03/ActiveXBlocked-300x171.png" alt="Blocked ActiveX Installation" title="Blocked ActiveX Installation" width="300" height="171" class="size-medium wp-image-1520" /></a><p class="wp-caption-text">Blocked ActiveX Installation</p></div>
<p>Privilege Guard can also handle the installation of ActiveX controls. For ActiveX controls, the primary rule to match on is the URL of the codebase. The URL can point to a specific codebase or a more general URL can be used to match multiple ActiveX controls hosted on a site. It’s a good idea to insert a catch all rule for ActiveX controls that blocks access to any ActiveX controls that have not been defined in the policy. This will provide the user with a corporate message and instructions on how they should request access to the blocked ActiveX control if they have a legitimate business reason for installing it.</p>
<div id="attachment_1523" class="wp-caption alignright" style="width: 310px"><a href="http://www.avecto.com/blog/2012/03/self-provisioned-software-installation-with-privilege-guard/activexinstall/" rel="attachment wp-att-1523"><img src="http://www.avecto.com/blog/wp-content/uploads/2012/03/ActiveXInstall-300x267.png" alt="ActiveX Installation" title="ActiveX Installation" width="300" height="267" class="size-medium wp-image-1523" /></a><p class="wp-caption-text">On Demand ActiveX Installation</p></div>
<p>As with “on demand” software installation, users with more flexible requirements can be authorized to install any ActiveX control. This should be configured with a custom message and audit trail, to ensure that the user is warned of their actions, and you may optionally force the user to re-authenticate. Remember that you can still block access to unauthorized ActiveX controls with a higher precedence policy. </p>
<p>The end user experience is a crucial element when allowing users to self-provision software, whether you are asking a user to justify their actions before proceeding, or blocking the installation of a software package and giving the user meaningful feedback and direction. Small touches, like strong corporate branding in end user messages, ensure that users pay more attention than when presented with a standard Windows message. You can define any number of end user messages in Privilege Guard, with corporate branding, multi-lingual configuration of all text elements and control over many other aspects, such as re-authentication and asking for justification before proceeding. It is always better to display a message that is relevant to a user’s actions, as opposed to a broad generic message, as this will lead to an improved end user experience and a reduction in help desk calls.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.avecto.com/blog/2012/03/self-provisioned-software-installation-with-privilege-guard/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Welcome to RSA 2012 &#8211; and the world of 2012 cybersecurity defences</title>
		<link>http://www.avecto.com/blog/2012/03/welcome-to-rsa-2012-and-the-world-of-2012-cybersecurity-defences/</link>
		<comments>http://www.avecto.com/blog/2012/03/welcome-to-rsa-2012-and-the-world-of-2012-cybersecurity-defences/#comments</comments>
		<pubDate>Thu, 01 Mar 2012 10:57:43 +0000</pubDate>
		<dc:creator>Paul Kenyon</dc:creator>
				<category><![CDATA[Desktop Lockdown]]></category>
		<category><![CDATA[Least Privilege]]></category>
		<category><![CDATA[Privilege Guard]]></category>

		<guid isPermaLink="false">http://www.avecto.com/blog/?p=1417</guid>
		<description><![CDATA[With the RSA Security Conference now upon us in the US – and with a welter of really interesting announcements coming out of the San Francisco event – I was intrigued to read a guest column from Art Coviello, the &#8230; <a href="http://www.avecto.com/blog/2012/03/welcome-to-rsa-2012-and-the-world-of-2012-cybersecurity-defences/">Continue reading <span class="meta-nav">&#8594;</span></a>]]></description>
			<content:encoded><![CDATA[<p>With the RSA Security Conference now upon us in the US – and with a welter of really interesting announcements coming out of the San Francisco event – I was intrigued to read a guest column from Art Coviello, the executive vice president of EMC, the parent company to RSA Security, on Forbes.</p>
<p>Coviello’s comments &#8211; citing the Bob Dylan track, `the times, they are a changin&#8217; &#8211; are bang on the money, especially when he recommends that IT security now needs to be a board level discussion.</p>
<p>This coincides with our thoughts here at Avecto, as the involvement of a board level discussion on security will help IT security managers to determine the `sweet spot&#8217; where the organization has invested in sufficient security to say it has carried out what any reasonable company would do to defend its digital assets.<span id="more-1417"></span></p>
<p>And in today&#8217;s security governance-rich environment, the expensive cost of reaching that sweet spot can be lowered by adopting a multi-layered approach to IT security and so help to ensure that the advantages of one type of security can offset the disadvantage &#8211; namely the weak spots &#8211; of another system.</p>
<p>At the risk of sounding like an accountant, this all comes down to the risk/reward balancing game which Coviello hints at in his column, but with the additional factor of cost entering the equation.</p>
<p>The EMC/RSA chief is, of course, quite correct in his assertion that the security world is changing, but our belief is that it’s not just about balancing risk with security, it&#8217;s also about balancing the cost of the security against the reward in terms of the level of security assurance that the expenditure will generate for a typical company.</p>
<p>And whilst there is no such thing as absolute IT security in today&#8217;s multi-vectored threat landscape, it is clear that multiple layers of defence can often produce a better overall return on investment curve than if just one or two layers of security are involved.</p>
<p>Our experience suggests that treating the governance levels of, for example, the PCI Security Standards Council as a starting point in security terms and working upwards &#8211; depending on the risk/cost/reward stance your organisation is prepared to invest in &#8211; is the best way forward.</p>
<p>And when you factor in Coviello&#8217;s sound advice that you need to continue to evolve your organisation&#8217;s thinking about security &#8211; working on the premise that shared knowledge is a powerful advantage &#8211; you realise that adding extra layers of defenses &#8211; such as a Windows privileged account management system that lowers your security risk profile &#8211; can help tremendously in the risk/cost/reward stakes.</p>
<p>The ideal solution is to apply least privilege principles to as many users as possible, with specific members of staff having limited access to admin facilities and, even then, only on the specific applications they need access to on a regular basis.</p>
<p>Our approach with Windows privilege management is to give users only the access and privileges they need to complete the task at hand. In most cases this will be for specific applications, tasks or scripts, and by assigning specific rights to those applications, you no longer need to give them to users. As Windows security expert Russell Smith explains in his book ‘Least Privilege Security for Windows 7, Vista and XP’, taking away user privileges can be similar to taking a toy away from a small child. The bottom line is that user expectations have a real impact on the security of any organization, so empowering them to perform their role without compromising the integrity or security of their systems makes good financial sense.</p>
<p>As Coviello says in his column, as cyber threats escalate, we must invest in building a cybersecurity workforce with the requisite skills to defend enterprises, governments, and critical infrastructures.</p>
<p>And whilst – again, as the EMC/RSA chief observes &#8211; these individuals need a 360-degree view of security that combines computer science, risk assessment, analytics, digital forensics, and human behaviour – it should also be clear that the addition of multiple layers of security can only enhance the risk/cost/reward ratios.</p>
<p>Even if you’re not a board level professional, that should still make you smile.</p>
<p>For more on Art Coviello&#8217;s words of wisdom: <a href="http://onforb.es/yk5f32">http://onforb.es/yk5f32</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.avecto.com/blog/2012/03/welcome-to-rsa-2012-and-the-world-of-2012-cybersecurity-defences/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Unsecured PCs Can Put Your Critical Infrastructure at Risk</title>
		<link>http://www.avecto.com/blog/2012/02/unsecured-pcs-can-put-your-critical-infrastructure-at-risk/</link>
		<comments>http://www.avecto.com/blog/2012/02/unsecured-pcs-can-put-your-critical-infrastructure-at-risk/#comments</comments>
		<pubDate>Tue, 21 Feb 2012 12:05:29 +0000</pubDate>
		<dc:creator>Russell Smith</dc:creator>
				<category><![CDATA[Active Directory]]></category>
		<category><![CDATA[Application Control]]></category>
		<category><![CDATA[Desktop Lockdown]]></category>
		<category><![CDATA[Least Privilege]]></category>
		<category><![CDATA[Privilege Guard]]></category>

		<guid isPermaLink="false">http://www.avecto.com/blog/?p=1411</guid>
		<description><![CDATA[In an ideal world, critical IT systems should never rely on the security of lesser devices. But in practice, computer networks are complicated and many dependencies exist, some of which are more desirable than others, and eliminating all unwanted dependencies &#8230; <a href="http://www.avecto.com/blog/2012/02/unsecured-pcs-can-put-your-critical-infrastructure-at-risk/">Continue reading <span class="meta-nav">&#8594;</span></a>]]></description>
			<content:encoded><![CDATA[<p>In an ideal world, critical IT systems should never rely on the security of lesser devices. But in practice, computer networks are complicated and many dependencies exist, some of which are more desirable than others, and eliminating all unwanted dependencies is a difficult task.</p>
<p>Windows member servers – i.e. those joined to an Active Directory (AD) domain – and workstations depend on domain controllers (DCs) to manage certain aspects of their security. This is a necessary dependency where a less important device relies on a more critical system.</p>
<p>Unwanted security dependencies tend to appear on networks unexpectedly. For instance, a PC becomes infected with a virus because the user was tricked into running a malicious executable, and an unpatched vulnerability is exploited. As a result, the Exchange Server is also infected and subsequently shut down by the virus. Though we can argue both the PC and server should have been patched, in this situation the server was unlikely to have been infected if the PC had remained secure.<span id="more-1411"></span></p>
<p>I was recently reminded about the DNS Changer trojan that first appeared in 2008 and mutated into various different forms. The virus attempts to change a PC’s DNS settings to redirect internet traffic, and failing that, scans the local network in an effort to discover the admin credentials and change the DNS configuration of gateway routers. This is an unfortunate example of where a critical network device becomes dependent on a PC for its security, in turn compromising the integrity of all devices connected to the router. Another variant of the trojan sets up a DHCP server on infected PCs and attempts to intercept DHCP requests on the local network and respond with bogus DNS settings to devices looking for valid DNS configuration.</p>
<p>To change DNS configuration on Windows, administrative rights are required; so a standard user account stops DNS Changer dead in its tracks. Secondly, with application whitelisting in place, DNS Changer wouldn’t be able to run at all, preventing it from scanning the network for vulnerable devices.</p>
<p>While SANS Internet Storm Center issued reactive advice at the time to block traffic to IP addresses known to host the malicious DNS servers, a proactive approach to prevent PCs being infected in the first place is always preferable. Antivirus should also be capable of stopping DNS Changer, but why rely solely on AV to protect your systems, especially given the speed at which malware mutates and the sophisticated techniques used to evade detection?</p>
<p>Users often think that what happens on their network-connected PC or other device cannot affect the security of other systems, let alone critical servers and network hardware. But as you’ve read in this blog post, users and management should understand that once a device is connected to the network it does not exist in isolation, and least privilege security and application whitelisting technologies, such as those provided by Avecto Privilege Guard, are needed to protect the IT infrastructure at large.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.avecto.com/blog/2012/02/unsecured-pcs-can-put-your-critical-infrastructure-at-risk/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Policy Filtering for Computers and Remote Clients</title>
		<link>http://www.avecto.com/blog/2012/02/policy-filtering-for-computers-and-remote-clients/</link>
		<comments>http://www.avecto.com/blog/2012/02/policy-filtering-for-computers-and-remote-clients/#comments</comments>
		<pubDate>Mon, 20 Feb 2012 16:05:20 +0000</pubDate>
		<dc:creator>Kris Zentek</dc:creator>
				<category><![CDATA[Privilege Guard]]></category>

		<guid isPermaLink="false">http://www.avecto.com/blog/?p=1370</guid>
		<description><![CDATA[For version 3.0, we have redesigned how Policy Filters are configured and applied. Two distinct benefits came out of this. Granular targeting is now a lot more intuitive in terms of applying combinations of Policy Filters. It is now &#8230; <a href="http://www.avecto.com/blog/2012/02/policy-filtering-for-computers-and-remote-clients/">Continue reading <span class="meta-nav">&#8594;</span></a>]]></description>
			<content:encoded><![CDATA[<p>For version 3.0, we have redesigned how Policy Filters are configured and applied. Two distinct benefits came out of this.</p>
<ol>
<li>Granular targeting is now a lot more intuitive in terms of applying combinations of Policy Filters.</li>
<li>It is now a lot easier for us to add additional filters to Privilege Guard.</li>
</ol>
<p>The new Computer Filter allows you to target Privilege Guard Policies based on the hostname or the IP Address of the endpoint. This can be used as an alternative to, or in combination with, Group Policy based computer targeting.<span id="more-1370"></span></p>
<div id="attachment_1371" class="wp-caption alignnone" style="width: 310px"><a href="http://www.avecto.com/blog/2012/02/policy-filtering-for-computers-and-remote-clients/filters-2/" rel="attachment wp-att-1371"><img class="size-medium wp-image-1371" title="30UI_PolicyFilter" src="http://www.avecto.com/blog/wp-content/uploads/2012/02/Filters1-300x196.png" alt="Policy Filters in 3.0" width="300" height="196" /></a><p class="wp-caption-text">Policy Filters in 3.0</p></div>
<p>Hostnames can be defined as an explicit list in each Computer Policy or, if you use a naming convention within your infrastructure, you can use wildcards to target a wider scope of computers.</p>
<p>If you prefer to use IP Addresses, then these can also be defined as explicit lists. You can also add wildcards and ranges to any octet in the IP Address, for example:</p>
<div id="attachment_1372" class="wp-caption alignnone" style="width: 310px"><a href="http://www.avecto.com/blog/2012/02/policy-filtering-for-computers-and-remote-clients/ip-address/" rel="attachment wp-att-1372"><img class="size-medium wp-image-1372" title="30UI_IPADDRESS" src="http://www.avecto.com/blog/wp-content/uploads/2012/02/IP-Address-300x162.png" alt="Apply IP Address Filters using Wildcards" width="300" height="162" /></a><p class="wp-caption-text">Apply IP Address Filters using Wildcards</p></div>
<p>In addition to local computers, Privilege Guard Policies can also target privileges based on remote clients connecting via Remote Desktop Services. This means that privileges can be granted or revoked depending on the relative location of the user.</p>
<p>For example, you can now grant admin rights for an application, script or task to a user who is connecting from within the corporate network (based on IP Address), but prohibit admin rights to the same user if they are connecting through a tunnelled VPN.</p>
<p>Used in combination with application whitelisting, the Computer Filter can also be used to restrict access to corporate applications licensed under volume license and client license agreements.</p>
<p>We will be adding more filters to Privilege Guard throughout 2012, so make sure you subscribe to our blog and keep up to date with new developments from Avecto!</p>
]]></content:encoded>
			<wfw:commentRss>http://www.avecto.com/blog/2012/02/policy-filtering-for-computers-and-remote-clients/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Allow Standard Users to Unlock Shared Workstations</title>
		<link>http://www.avecto.com/blog/2012/02/allow-standard-users-to-unlock-shared-workstations/</link>
		<comments>http://www.avecto.com/blog/2012/02/allow-standard-users-to-unlock-shared-workstations/#comments</comments>
		<pubDate>Wed, 08 Feb 2012 09:49:37 +0000</pubDate>
		<dc:creator>Kris Zentek</dc:creator>
				<category><![CDATA[Desktop Lockdown]]></category>
		<category><![CDATA[Privilege Guard]]></category>

		<guid isPermaLink="false">http://www.avecto.com/blog/?p=1311</guid>
		<description><![CDATA[It is not uncommon for office based computer users to lock their desktop at the end of the working day, instead of shutting it down, maybe just force of habit from bygone days of long logon times. If they are &#8230; <a href="http://www.avecto.com/blog/2012/02/allow-standard-users-to-unlock-shared-workstations/">Continue reading <span class="meta-nav">&#8594;</span></a>]]></description>
			<content:encoded><![CDATA[<p>It is not uncommon for office based computer users to lock their desktop at the end of the working day, instead of shutting it down, maybe just force of habit from bygone days of long logon times. If they are using a Windows domain joined desktop, this poses a problem, because only they can unlock it again and so the desktop is rendered unusable by other users.</p>
<p>If you operate a hotdesk or other shared workstation environment then there&#8217;s a good chance your users are regularly experiencing this problem, and historically there were three solutions:</p>
<ol>
<li>Call IT Support and ask them to ‘unlock’ the desktop for you (local administrators are the only users who can force the logged-on session to logoff).</li>
<li>Hard reset the desktop (which can lead to data corruption, data loss, etc).</li>
<li>Grant computer users local admin rights.</li>
</ol>
<p>None of these solutions were ideal, as they all came at a cost – either through increased helpdesk calls, or the <a href="http://www.avecto.com/solutions/security">hidden costs of users possessing excessive rights.</a></p>
<p>A new feature added to Privilege Guard 3.0, Shared Workstation Unlock, allows you to set policy on which end users are, and which are not, allowed to unlock a shared workstation. So as well as empowering standard users, you can also restrict local administrators.<span id="more-1311"></span></p>
<p>Shared Workstation Unlock is driven by Privilege Guard Policies, and leverages the flexible filtering rules that define when and where policy is applied. So granting or revoking Shared Workstation Unlock privileges can be based on any combination of:</p>
<ul>
<li>User name and user group membership</li>
<li>Computer name or IP Address</li>
<li>Date and time range</li>
<li>Time expiry date</li>
</ul>
<p>Configuring Shared Workstation Unlock is easy, and anyone accustomed to Group Policy settings should find the logic familiar. For any Privilege Guard Policy, open the Policy Options dialog and you will find a tri-state option under Workstation:</p>

<a href='http://www.avecto.com/blog/2012/02/allow-standard-users-to-unlock-shared-workstations/attachment/1/' title='V3_Unlock_Menu'><img width="150" height="150" src="http://www.avecto.com/blog/wp-content/uploads/2012/02/1-150x150.png" class="attachment-thumbnail" alt="Access settings from &#039;Policy Options...&#039; menu" title="V3_Unlock_Menu" /></a>
<a href='http://www.avecto.com/blog/2012/02/allow-standard-users-to-unlock-shared-workstations/attachment/2/' title='V3_Unlock_Dialog'><img width="150" height="150" src="http://www.avecto.com/blog/wp-content/uploads/2012/02/2-150x150.png" class="attachment-thumbnail" alt="Configuration options for managing unlock privileges" title="V3_Unlock_Dialog" /></a>

<ul>
<li><strong>Not Configured</strong> – Privilege Guard will ignore this policy and move on to the next policy.</li>
<li><strong>User can unlock a shared workstation</strong> – Privilege Guard will allow the user to unlock the shared workstation.</li>
<li><strong>User cannot unlock a shared workstation</strong> – Privilege Guard will prevent the user from unlocking the shared workstation.</li>
</ul>
<p>Shared Workstation Unlock significantly reduces support costs by allowing standard users to unlock desktops in shared workstation environments without having to grant local admin rights.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.avecto.com/blog/2012/02/allow-standard-users-to-unlock-shared-workstations/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>UI Enhancements in Version 3.0</title>
		<link>http://www.avecto.com/blog/2012/02/ui-enhancements-in-version-3-0/</link>
		<comments>http://www.avecto.com/blog/2012/02/ui-enhancements-in-version-3-0/#comments</comments>
		<pubDate>Tue, 07 Feb 2012 10:06:13 +0000</pubDate>
		<dc:creator>Kris Zentek</dc:creator>
				<category><![CDATA[Privilege Guard]]></category>

		<guid isPermaLink="false">http://www.avecto.com/blog/?p=1270</guid>
		<description><![CDATA[Time to show off the new Management Console in Privilege Guard 3.0! One of the many key differences that set Privilege Guard apart from the rest of the field is our UI and how policies are configured. Not being one &#8230; <a href="http://www.avecto.com/blog/2012/02/ui-enhancements-in-version-3-0/">Continue reading <span class="meta-nav">&#8594;</span></a>]]></description>
			<content:encoded><![CDATA[<p><strong>Time to show off the new Management Console in Privilege Guard 3.0!</strong></p>
<p>One of the many key differences that set Privilege Guard apart from the rest of the field is our UI and how policies are configured. Not being ones to rest on our laurels, we’ve listened a lot to our customers, and injected a lot of innovation into the 3.0 UI. I hope you’ll agree that the results are impressive!</p>
<p>We have a diverse range of customers, including large corporations managing hundreds of thousands of desktops. The Privilege Guard policies for such large rollouts, as you can imagine, are quite complex, so it’s important to understand how we can continue to simplify their initial creation and on-going maintenance.</p>
<p>The entire console has been given an overhaul, and here are just a few of the highlights…<span id="more-1270"></span></p>
<p><strong>Summary Views</strong><br />
This is a feature we introduced to Application groups in V2.8. The positive feedback we got led to the rollout of summary views to the rest of the management console. I’ll let the pictures do the talking.</p>

<a href='http://www.avecto.com/blog/2012/02/ui-enhancements-in-version-3-0/policies/' title='V3UI_Policies'><img width="150" height="150" src="http://www.avecto.com/blog/wp-content/uploads/2012/02/policies-150x150.png" class="attachment-thumbnail" alt="Policies View in Version 3.0" title="V3UI_Policies" /></a>
<a href='http://www.avecto.com/blog/2012/02/ui-enhancements-in-version-3-0/filters/' title='V3UI_PolicyFilters'><img width="150" height="150" src="http://www.avecto.com/blog/wp-content/uploads/2012/02/filters-150x150.png" class="attachment-thumbnail" alt="Policy Filters View in Version 3.0" title="V3UI_PolicyFilters" /></a>
<a href='http://www.avecto.com/blog/2012/02/ui-enhancements-in-version-3-0/policyrules/' title='V3UI_PolicyRules'><img width="150" height="150" src="http://www.avecto.com/blog/wp-content/uploads/2012/02/policyrules-150x150.png" class="attachment-thumbnail" alt="Policy Rules View in Version 3.0" title="V3UI_PolicyRules" /></a>
<a href='http://www.avecto.com/blog/2012/02/ui-enhancements-in-version-3-0/appgroups/' title='V3UI_AppGroups'><img width="150" height="150" src="http://www.avecto.com/blog/wp-content/uploads/2012/02/appgroups-150x150.png" class="attachment-thumbnail" alt="Application Groups View in Version 3.0" title="V3UI_AppGroups" /></a>
<a href='http://www.avecto.com/blog/2012/02/ui-enhancements-in-version-3-0/messages/' title='V3UI_Messages'><img width="150" height="150" src="http://www.avecto.com/blog/wp-content/uploads/2012/02/messages-150x150.png" class="attachment-thumbnail" alt="Messages View in Version 3.0" title="V3UI_Messages" /></a>
<a href='http://www.avecto.com/blog/2012/02/ui-enhancements-in-version-3-0/tokens/' title='V3UI_Tokens'><img width="150" height="150" src="http://www.avecto.com/blog/wp-content/uploads/2012/02/tokens-150x150.png" class="attachment-thumbnail" alt="Tokens View in Version 3.0" title="V3UI_Tokens" /></a>

<p>All views offer an alternate &#8216;Detailed&#8217; view, which will show configuration settings in a color-coded table format. Whatever your preference is, you can easily set it from the Views drop-down menu.</p>
<p><strong>Instant Search and Drilldown</strong><br />
Another feature originally introduced in 2.8, instant search in Application Groups, has been expanded across the entire policy. All areas of the console now include an instant search box, from the top level node for policy wide searches, down to searches within specific areas.</p>
<p>As you start typing, the console automatically switches to a results view displaying settings that match your text entry. The more you type, the more refined the results become. The results view will also highlight where the matching property is.</p>
<div id="attachment_1278" class="wp-caption alignnone" style="width: 310px"><a href="http://www.avecto.com/blog/2012/02/ui-enhancements-in-version-3-0/search/" rel="attachment wp-att-1278"><img class="size-medium wp-image-1278" title="V3UI_Search" src="http://www.avecto.com/blog/wp-content/uploads/2012/02/search-300x218.png" alt="Instant Search in Version 3.0" width="300" height="218" /></a><p class="wp-caption-text">Instant Search in Version 3.0</p></div>
<p>In this example, I have entered the word ’disk’ into the top level instant search box. You can see that matches have been found within the ‘Admin tasks’ application group, as well as the policies where that group has been used. Instant search will find matches in any area of your settings.</p>
<p>When you have found the setting or property you are looking for, simply double click it to drill down into the actual setting.</p>
<p><strong>Instant Message Previews</strong><br />
Another key advantage of Privilege Guard is powerful end user messaging. Our unique message customization feature allows you to personalize almost every aspect of the message box, from text strings, colors and styles to full corporate branding. You can also define which features and elements are used for each custom message you create.</p>
<div id="attachment_1274" class="wp-caption alignnone" style="width: 310px"><a href="http://www.avecto.com/blog/2012/02/ui-enhancements-in-version-3-0/messagepreview/" rel="attachment wp-att-1274"><img class="size-medium wp-image-1274" title="V3UI_MessagePreviews" src="http://www.avecto.com/blog/wp-content/uploads/2012/02/messagepreview-300x218.png" alt="Message Previews in Version 3.0" width="300" height="218" /></a><p class="wp-caption-text">Message Previews in Version 3.0</p></div>
<p>To simplify the creation and updating of custom messages, we have added instant preview. So as you are making changes to your message, the preview updates in real-time to help you create the exact look and feel you require. If you want to see the message in action, just click on the instant preview.</p>
<p>So the leading solution for managing privileges has just got a whole lot better looking. Why choose between style and substance, when you can have both!</p>
]]></content:encoded>
			<wfw:commentRss>http://www.avecto.com/blog/2012/02/ui-enhancements-in-version-3-0/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Privilege Guard 3.0 is here!</title>
		<link>http://www.avecto.com/blog/2012/02/privilege-guard-3-0-is-here/</link>
		<comments>http://www.avecto.com/blog/2012/02/privilege-guard-3-0-is-here/#comments</comments>
		<pubDate>Thu, 02 Feb 2012 11:11:55 +0000</pubDate>
		<dc:creator>Kris Zentek</dc:creator>
				<category><![CDATA[Privilege Guard]]></category>

		<guid isPermaLink="false">http://www.avecto.com/blog/?p=1259</guid>
		<description><![CDATA[I am pleased to announce that version 3.0 is now available for download. This release is the product of many months of development, and is packed with new features and enhancements. Keep an eye on our blog over the coming &#8230; <a href="http://www.avecto.com/blog/2012/02/privilege-guard-3-0-is-here/">Continue reading <span class="meta-nav">&#8594;</span></a>]]></description>
			<content:encoded><![CDATA[<p>I am pleased to announce that version 3.0 is now available for download. This release is the product of many months of development, and is packed with new features and enhancements. Keep an eye on our blog over the coming days and weeks as we explore them in more detail.</p>
<p>For now, make sure you read up on <a href="http://www.avecto.com/whats-new">What’s new in Privilege Guard 3.0</a></p>
<p>We at Avecto pride ourselves on being a dynamic, agile software house, and for listening to and working closely with our customers. Collaboration is key to maintaining Privilege Guard’s position as the leading solution for delivering least risk desktops and servers, and my thanks go to everyone who contributed to version 3.0.<span id="more-1259"></span></p>
<p>Special thanks of course must go to our development and QA teams for delivering high quality, innovative software, on time, and to specification. A great start to a very exciting 2012!</p>
<p>You can download Privilege Guard 3.0 by <a href="http://www.avecto.com/your-account/downloads">visiting the downloads page</a>. If you aren’t already a customer, make sure you <a href="http://pages.avecto.com/register">register for a free evaluation</a>. As always, we are keen to hear your thoughts!</p>
]]></content:encoded>
			<wfw:commentRss>http://www.avecto.com/blog/2012/02/privilege-guard-3-0-is-here/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

