<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Avecto.com</title>
	<atom:link href="http://www.avecto.com/blog/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.avecto.com/blog</link>
	<description>Windows Privilege Management Blog</description>
	<lastBuildDate>Thu, 02 Feb 2012 11:13:03 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.2.1</generator>
		<item>
		<title>Privilege Guard 3.0 is here!</title>
		<link>http://www.avecto.com/blog/2012/02/privilege-guard-3-0-is-here/</link>
		<comments>http://www.avecto.com/blog/2012/02/privilege-guard-3-0-is-here/#comments</comments>
		<pubDate>Thu, 02 Feb 2012 11:11:55 +0000</pubDate>
		<dc:creator>Kris Zentek</dc:creator>
				<category><![CDATA[Privilege Guard]]></category>

		<guid isPermaLink="false">http://www.avecto.com/blog/?p=1259</guid>
		<description><![CDATA[I am pleased to announce that version 3.0 is now available for download. This release is the product of many months of development, and is packed with new features and enhancements. Keep an eye on our blog over the coming &#8230; <a href="http://www.avecto.com/blog/2012/02/privilege-guard-3-0-is-here/">Continue reading <span class="meta-nav">&#8594;</span></a>]]></description>
			<content:encoded><![CDATA[<p>I am pleased to announce that version 3.0 is now available for download. This release is the product of many months of development, and is packed with new features and enhancements. Keep an eye on our blog over the coming days and weeks as we explore them in more detail.</p>
<p>For now, make sure you read up on <a href="http://www.avecto.com/whats-new">What’s new in Privilege Guard 3.0</a>.</p>
<p>We at Avecto pride ourselves on being a dynamic, agile software house, and on listening to and working closely with our customers. Collaboration is key to maintaining Privilege Guard’s position as the leading solution for delivering least-risk desktops and servers, and my thanks go to everyone who contributed to version 3.0.</p>
<p>Special thanks of course must go to our development and QA teams for delivering high-quality, innovative software, on time, and to specification. A great start to a very exciting 2012!</p>
<p>You can download Privilege Guard 3.0 by <a href="http://www.avecto.com/your-account/downloads">visiting the downloads page</a>. If you aren’t already a customer, make sure you <a href="http://pages.avecto.com/register">register for a free evaluation</a>. As always, we are keen to hear your thoughts!</p>
]]></content:encoded>
			<wfw:commentRss>http://www.avecto.com/blog/2012/02/privilege-guard-3-0-is-here/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Privilege Guard 3.0 Reporting Pack Preview</title>
		<link>http://www.avecto.com/blog/2011/12/privilege-guard-3-0-reporting-pack-preview/</link>
		<comments>http://www.avecto.com/blog/2011/12/privilege-guard-3-0-reporting-pack-preview/#comments</comments>
		<pubDate>Fri, 23 Dec 2011 10:16:55 +0000</pubDate>
		<dc:creator>Mark Austin</dc:creator>
				<category><![CDATA[Event Forwarding]]></category>
		<category><![CDATA[Privilege Guard]]></category>
		<category><![CDATA[WinRM]]></category>

		<guid isPermaLink="false">http://www.avecto.com/blog/?p=1148</guid>
		<description><![CDATA[Last week I gave you a sneak preview of Privilege Guard 3.0, which will be released at the start of the New Year. We will also be releasing two new add-on modules for Privilege Guard, and today I want &#8230; <a href="http://www.avecto.com/blog/2011/12/privilege-guard-3-0-reporting-pack-preview/">Continue reading <span class="meta-nav">&#8594;</span></a>]]></description>
			<content:encoded><![CDATA[<p>Last week I gave you a sneak preview of Privilege Guard 3.0, which will be released at the start of the New Year. We will also be releasing two new add-on modules for Privilege Guard, and today I want to give you a preview of the Reporting Pack module.</p>
<p>A critical component of any privilege management solution is the audit trail, which can be used to generate compliance reports and fine-tune policies. Privilege Guard logs a variety of events to the local application event log on each endpoint, and these events can then be centrally collected using Microsoft Event Forwarding.</p>
<p>Event Forwarding uses Windows Remote Management (WinRM) and enables you to collect events from remote computers and store them in the forwarded event log of a central event collector server. It is an extremely scalable architecture, which is why the Privilege Guard Reporting Pack has been built around this technology. The new Privilege Guard Event Collector software is simply installed on one or more event collector servers and it will automatically aggregate Privilege Guard events and upload them to a SQL Server.<span id="more-1148"></span></p>
<p>The Privilege Guard Reporting Pack includes a rich set of preconfigured dashboards and reports for executed applications, elevated applications, blocked applications and discovered applications. The latter gives you a breakdown of the applications in your environment that require admin rights to run and those that only require standard user rights. The dashboards and reports all utilize SQL Reporting Services, which allows you to access the reports from a web browser.</p>
<p>Each dashboard provides information on the top 10 applications, a breakdown of applications by publisher and an activity timeline. The timeframe for a dashboard can be switched between 24 hours, 7 days, 30 days and 12 months, to allow recent activity or trends to be displayed. You can drill down on the graphs within each dashboard to view detailed application reports. Reports can be further filtered on event type, user, computer, application details and date ranges.</p>
<div id="attachment_1201" class="wp-caption alignnone" style="width: 398px"><a href="http://www.avecto.com/blog/2011/12/privilege-guard-3-0-reporting-pack-preview/pgreportingdashboard/" rel="attachment wp-att-1201"><img class="size-full wp-image-1201   " title="Privilege Guard Reporting Dashboard" src="http://www.avecto.com/blog/wp-content/uploads/2011/12/PGReportingDashboard.jpg" alt="" width="388" height="397" /></a><p class="wp-caption-text">Privilege Guard Reporting Dashboard</p></div>
]]></content:encoded>
			<wfw:commentRss>http://www.avecto.com/blog/2011/12/privilege-guard-3-0-reporting-pack-preview/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Desktop Misadventures</title>
		<link>http://www.avecto.com/blog/2011/12/desktop-misadventures/</link>
		<comments>http://www.avecto.com/blog/2011/12/desktop-misadventures/#comments</comments>
		<pubDate>Thu, 22 Dec 2011 11:31:18 +0000</pubDate>
		<dc:creator>Russell Smith</dc:creator>
				<category><![CDATA[Application Control]]></category>
		<category><![CDATA[Desktop Lockdown]]></category>
		<category><![CDATA[Group Policy]]></category>
		<category><![CDATA[Least Privilege]]></category>

		<guid isPermaLink="false">http://www.avecto.com/blog/?p=1139</guid>
		<description><![CDATA[Bradley Manning &#8211; the Private who’s accused of downloading 110,000 U.S. State Department cables to his PC, copying them to a removable drive and then passing the information to Wikileaks &#8211; has been in the news again this week as &#8230; <a href="http://www.avecto.com/blog/2011/12/desktop-misadventures/">Continue reading <span class="meta-nav">&#8594;</span></a>]]></description>
			<content:encoded><![CDATA[<p>Bradley Manning &#8211; the Private who’s accused of downloading 110,000 U.S. State Department cables to his PC, copying them to a removable drive and then passing the information to Wikileaks &#8211; has been in the news again this week as his trial begins. The incident highlights a massive security failing by the U.S. military: first, Manning’s ability to view classified data that he had no need to access, and second, the capability to copy the information undetected from his workstation. While a somewhat extreme case of the unpleasant consequences desktop privileges can have for an employee, I recently stumbled across a post in an IT forum that demonstrated a similar problem &#8211; but in the corporate world.</p>
<p>A rather distraught software developer was accused of stealing data from his previous employers. The company claimed he circumvented the USB monitoring system when copying files to a flash drive because IT couldn’t find any evidence in the logs that the files had been transferred to the removable drive. As a software developer, he had admin rights on his PC and the company is now threatening legal action.<span id="more-1139"></span></p>
<p>I don’t know whether the company has any legal basis on which to make such threats, but as has been said many times before, giving users administrative rights unleashes the potential to override Group Policy, Windows security and any other defensive measures you decide to put in place on your systems.</p>
<p>It’s in everyone’s interest to work with the minimum privileges required to carry out the job at hand, especially if users want to avoid being held responsible for a major security incident. The likelihood of inadvertently causing a devastating virus outbreak, installing unlicensed software or otherwise circumventing security policy is significantly greater if running with admin rights. As the risks are not usually taken seriously, it can help to illustrate what the consequences of a virus attack or other security incident might be, not only for the company but also the employee.</p>
<p>Someone who pressures the IT department to run with admin rights without good reason and then infects the network with a virus not only causes downtime for themselves, but makes extra work for the IT department, and frequently the consequences are felt by other employees, who see their own machines infected or network services become unavailable. You could compare it to calling the doctor when the symptoms are nothing more than a minor sniffle, wasting valuable resources and denying those who are really ill the vital help they need.</p>
<p>It’s important to communicate the effect that computer misadventures can have. Pose the question: Do you really want to be responsible for downtime that brings the organization to a standstill? Teach users to be good corporate citizens by giving real-life analogies of IT security problems and examples of the possible consequences should something go awry.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.avecto.com/blog/2011/12/desktop-misadventures/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Privilege Guard 3.0 Sneak Peek</title>
		<link>http://www.avecto.com/blog/2011/12/privilege-guard-3-0-sneak-peek/</link>
		<comments>http://www.avecto.com/blog/2011/12/privilege-guard-3-0-sneak-peek/#comments</comments>
		<pubDate>Thu, 15 Dec 2011 16:32:51 +0000</pubDate>
		<dc:creator>Mark Austin</dc:creator>
				<category><![CDATA[Privilege Guard]]></category>

		<guid isPermaLink="false">http://www.avecto.com/blog/?p=1079</guid>
		<description><![CDATA[As we approach the end of 2011, the Avecto product development team have been busy putting the finishing touches to Privilege Guard 3.0, along with two brand new modules for Privilege Guard &#8211; the Privilege Guard Reporting Pack and the &#8230; <a href="http://www.avecto.com/blog/2011/12/privilege-guard-3-0-sneak-peek/">Continue reading <span class="meta-nav">&#8594;</span></a>]]></description>
			<content:encoded><![CDATA[<p>As we approach the end of 2011, the Avecto product development team have been busy putting the finishing touches to Privilege Guard 3.0, along with two brand new modules for Privilege Guard &#8211; the Privilege Guard Reporting Pack and the Privilege Guard McAfee ePO Integration Pack. In the run-up to Christmas we’ll be giving you a sneak preview of all this exciting new technology, which you can get your hands on at the start of the New Year.</p>
<p>First up is Privilege Guard 3.0, with a new look management console that is both striking to look at and wonderfully intuitive. As you move beyond the obvious visual enhancements, you will find full search capabilities, which allow you to quickly locate policy items and navigate to them with ease.<span id="more-1079"></span></p>
<div id="attachment_1084" class="wp-caption alignleft" style="width: 650px"><a href="http://www.avecto.com/blog/2011/12/privilege-guard-3-0-sneak-peek/pg30frontscreen/" rel="attachment wp-att-1084"><img class="size-large wp-image-1084" title="Privilege Guard 3.0 Management Console" src="http://www.avecto.com/blog/wp-content/uploads/2011/12/PG30FrontScreen-1024x767.png" alt="Privilege Guard 3.0 Management Console" width="640" height="479" /></a><p class="wp-caption-text">Privilege Guard 3.0 Management Console</p></div>
<div id="attachment_1087" class="wp-caption alignnone" style="width: 650px"><a href="http://www.avecto.com/blog/2011/12/privilege-guard-3-0-sneak-peek/pg30search/" rel="attachment wp-att-1087"><img class="size-large wp-image-1087" title="Privilege Guard 3.0 Search" src="http://www.avecto.com/blog/wp-content/uploads/2011/12/PG30Search-1024x767.png" alt="Privilege Guard 3.0 Search" width="640" height="479" /></a><p class="wp-caption-text">Privilege Guard 3.0 Search</p></div>
<p>As you dig deeper you will find many improvements to the core product. The new policy filters section makes it possible to restrict policies based on any combination of users and groups, computer names and IP addresses (including the ability to check remote desktop connections), time of day and expiry time.</p>
<div id="attachment_1083" class="wp-caption alignnone" style="width: 650px"><a href="http://www.avecto.com/blog/2011/12/privilege-guard-3-0-sneak-peek/pg30filters/" rel="attachment wp-att-1083"><img class="size-large wp-image-1083" title="Privilege Guard 3.0 Filters" src="http://www.avecto.com/blog/wp-content/uploads/2011/12/PG30Filters-1024x767.png" alt="Privilege Guard 3.0 Filters" width="640" height="479" /></a><p class="wp-caption-text">Privilege Guard 3.0 Filters</p></div>
<p>The comprehensive messaging system has always set the Privilege Guard solution apart from all other privilege management solutions when it comes to the end user experience. With beautifully rendered message previews, a new message designer and even more capabilities, the experience just got even better in version 3.0. You can now let departmental administrators authorize applications for users, or control and audit support desk personnel, who need to gain administrative access to a user’s desktop.</p>
<div id="attachment_1086" class="wp-caption alignnone" style="width: 650px"><a href="http://www.avecto.com/blog/2011/12/privilege-guard-3-0-sneak-peek/pg30messagepreview/" rel="attachment wp-att-1086"><img class="size-large wp-image-1086" title="Privilege Guard 3.0 Message Preview" src="http://www.avecto.com/blog/wp-content/uploads/2011/12/PG30MessagePreview-1024x767.png" alt="Privilege Guard 3.0 Message Preview" width="640" height="479" /></a><p class="wp-caption-text">Privilege Guard 3.0 Message Preview</p></div>
<div id="attachment_1085" class="wp-caption alignnone" style="width: 650px"><a href="http://www.avecto.com/blog/2011/12/privilege-guard-3-0-sneak-peek/pg30message/" rel="attachment wp-att-1085"><img class="size-large wp-image-1085" title="Privilege Guard 3.0 Message Design" src="http://www.avecto.com/blog/wp-content/uploads/2011/12/PG30Message-1024x767.png" alt="Privilege Guard 3.0 Message Design" width="640" height="479" /></a><p class="wp-caption-text">Privilege Guard 3.0 Message Design</p></div>
<p>We’ve also introduced more application validation options, including parent process checks, and the ability to limit child inheritance to a subset of applications, ensuring that Privilege Guard continues to be the most powerful and flexible privilege management solution on the market.</p>
<p>For shared workstation environments, Privilege Guard can be configured to enable standard users to unlock a workstation, an operation that would usually be restricted to local administrators.</p>
<p>Stay tuned to the Avecto blog over the coming days, as we preview the new Reporting Pack and the new McAfee ePO Integration Pack.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.avecto.com/blog/2011/12/privilege-guard-3-0-sneak-peek/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Who’s in Charge of User Account Control?</title>
		<link>http://www.avecto.com/blog/2011/11/whos-in-charge-of-user-account-control/</link>
		<comments>http://www.avecto.com/blog/2011/11/whos-in-charge-of-user-account-control/#comments</comments>
		<pubDate>Wed, 23 Nov 2011 11:24:53 +0000</pubDate>
		<dc:creator>Russell Smith</dc:creator>
				<category><![CDATA[Group Policy]]></category>
		<category><![CDATA[Least Privilege]]></category>
		<category><![CDATA[Privilege Guard]]></category>
		<category><![CDATA[User Account Control (UAC)]]></category>
		<category><![CDATA[Windows 7]]></category>

		<guid isPermaLink="false">http://www.avecto.com/blog/?p=1068</guid>
		<description><![CDATA[Microsoft’s Security Intelligence Report (SIR) v10, published in May this year, revealed figures that show Windows 7 is the company’s most secure operating system, reporting that the OS suffered fewer security incidents per 1000 computers than any other supported version &#8230; <a href="http://www.avecto.com/blog/2011/11/whos-in-charge-of-user-account-control/">Continue reading <span class="meta-nav">&#8594;</span></a>]]></description>
			<content:encoded><![CDATA[<p>Microsoft’s Security Intelligence Report (SIR) v10, published in May this year, revealed figures that show Windows 7 is the company’s most secure operating system, reporting that the OS suffered fewer security incidents per 1000 computers than any other supported version of Windows in 2010. Windows 7 64-bit edition had 2.5 infections per 1000 computers, with 32-bit Windows 7 coming in at 3.8. This compared to 15.9 infections for Windows XP SP3 and 19.3 for XP SP2.</p>
<p>64-bit Windows 7 fares better than its 32-bit counterpart in part due to the inclusion of kernel patch protection, a technology only available in 64-bit Windows 7 that protects the kernel from unauthorized changes. Windows 7 is less likely to be infected overall because of User Account Control (UAC), an umbrella term for a set of technologies that make the OS easier to work with as a standard user or specially protected administrator account (Protected Administrator).<span id="more-1068"></span></p>
<p>The results reported in SIR v10 for Windows 7 would have been even better if fewer home users disabled UAC, which many <em>tech-savvy</em> home and business users likely do, judging by the number of articles on the Internet about the evils of UAC and how to turn it off; as the old adage goes, people don’t always know what’s good for them. If your users currently run as protected administrators on Windows 7, configure UAC in Group Policy to make it a little harder for them to disable UAC &#8211; though it’s worth bearing in mind that if a user has admin rights, Group Policy settings can be circumvented with enough will.</p>
<p>While UAC has some benefits in enterprise computing, it is a user-driven technology. UAC elevation prompts require users to give consent, or provide an admin username and password, to perform administrative tasks, resulting in decisions being made by unqualified staff that affect the integrity and security of the OS.</p>
<p>UAC <em>Protected Administrator</em> accounts provide a lot of flexibility, with a limited degree of security, that wasn’t possible in Windows XP. Once you move to standard user accounts in Windows 7, users can no longer elevate privileges; and all tasks, anticipated or otherwise, must be made to work as a standard user, or IT will have to intervene and provide administrator credentials.</p>
<p>Predicting users’ every move and requirement isn’t possible, so if it’s not acceptable to restrict the computing experience with a standard user account, you’ll either need to leave the default user-driven UAC experience in place or deploy Avecto’s enterprise rights management solution &#8211; Privilege Guard.</p>
<p>As well as the ability to assign privileges to individual applications and tasks, Avecto’s software can be configured to allow users to run any process with administrative privileges. UAC prompts can be replaced with custom corporate messages and users can be prompted to provide a valid reason before elevation. An audit trail of privilege elevation events allows administrators to keep track of how privileges are used. Privilege Guard helps companies strike the right balance between the flexibility of user-driven UAC and policy-based IT controls, making Windows 7 more secure and mitigating unnecessary risks.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.avecto.com/blog/2011/11/whos-in-charge-of-user-account-control/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Protecting Against Kernel-mode Rootkits with Avecto and McAfee</title>
		<link>http://www.avecto.com/blog/2011/11/protecting-against-kernel-mode-rootkits-with-avecto-and-mcafee/</link>
		<comments>http://www.avecto.com/blog/2011/11/protecting-against-kernel-mode-rootkits-with-avecto-and-mcafee/#comments</comments>
		<pubDate>Mon, 21 Nov 2011 14:56:33 +0000</pubDate>
		<dc:creator>Mark Austin</dc:creator>
				<category><![CDATA[ePO]]></category>
		<category><![CDATA[Least Privilege]]></category>
		<category><![CDATA[McAfee]]></category>
		<category><![CDATA[Privilege Guard]]></category>

		<guid isPermaLink="false">http://www.avecto.com/blog/?p=1025</guid>
		<description><![CDATA[Kernel-mode rootkits install themselves deep inside the operating system. They often use cloaking techniques to hide themselves and other malware to prevent detection or removal. The introduction of kernel patch protection in 64-bit Windows made it more difficult for kernel-mode rootkits &#8230; <a href="http://www.avecto.com/blog/2011/11/protecting-against-kernel-mode-rootkits-with-avecto-and-mcafee/">Continue reading <span class="meta-nav">&#8594;</span></a>]]></description>
			<content:encoded><![CDATA[<p>Kernel-mode rootkits install themselves deep inside the operating system. They often use cloaking techniques to hide themselves and other malware to prevent detection or removal. The introduction of kernel patch protection in 64-bit Windows made it more difficult for kernel-mode rootkits to infect the operating system, but the threat has not been completely removed, and rootkits have already penetrated 64-bit Windows.</p>
<p>Running up-to-date anti-virus software, and keeping Windows and other software updated with all of the latest security patches, should prevent infection from most known malware threats. However, the risk of a zero-day attack that includes a kernel-mode rootkit continues to pose the most serious security threat. The ability of a zero-day rootkit to hide itself from security software can make subsequent detection and removal extremely difficult, often resulting in re-imaging of the operating system, assuming that it is even possible to detect the malware infection. The fact that a kernel-mode rootkit could go undetected makes it difficult to fully assess the true scale of the problem.<span id="more-1025"></span></p>
<p>One important step that can be taken in the fight against zero-day rootkits is to ensure that users log on to their computers with a standard user account. Most kernel-mode rootkits will simply fail to install when the user is logged on with a non-administrator account, as the successful installation of the rootkit will require write access to a secured area of the HKLM hive of the registry. To install under a standard user account the malware would need to discover and then exploit one or more vulnerabilities in the operating system, in order to gain higher privilege levels, making it much more difficult for the malware to infect or spread.</p>
<p>Avecto Privilege Guard enables organizations to implement least privilege, by ensuring users log on with standard user accounts and elevating the individual applications that require privileged access. Any zero-day attacks that are not detected by the anti-virus software will run with the user’s standard rights, making it difficult for the malware to compromise the kernel. Although least privilege can’t protect against all malware threats, it is an extremely effective line of defense against stealthy and persistent threats that attack deep inside the operating system.</p>
<p>On a final note, I would like to mention the innovative new technology that our partner McAfee launched at their Focus11 event in Las Vegas. <a href="http://www.mcafee.com/us/solutions/mcafee-deepsafe.aspx" target="_blank">McAfee DeepSAFE</a>, which was jointly developed with Intel, enables McAfee to build hardware assisted security products. The DeepSAFE technology sits below the operating system, allowing it to detect hidden threats, such as stealth rootkits and Advanced Persistent Threats (APTs). <a href="http://www.mcafee.com/us/products/deep-defender.aspx" target="_blank">McAfee Deep Defender</a> is the first product to utilize the DeepSAFE technology and is managed with McAfee ePO software. McAfee Labs state that the stealthy malware threat is escalating and that they detect 110,000 new unique rootkits each quarter.</p>
<p>Here at Avecto we are delighted to be working closely with McAfee and we will soon be launching our ePO integrated version of Privilege Guard. I believe that the combination of least privilege with Privilege Guard and hardware-level protection with DeepSAFE, provides a major step forward in the fight against kernel-mode rootkits and other stealthy malware.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.avecto.com/blog/2011/11/protecting-against-kernel-mode-rootkits-with-avecto-and-mcafee/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Assigning admin privileges on Domain Controllers</title>
		<link>http://www.avecto.com/blog/2011/10/assigning-admin-privileges-on-domain-controllers/</link>
		<comments>http://www.avecto.com/blog/2011/10/assigning-admin-privileges-on-domain-controllers/#comments</comments>
		<pubDate>Wed, 26 Oct 2011 13:19:42 +0000</pubDate>
		<dc:creator>Russell Smith</dc:creator>
				<category><![CDATA[Active Directory]]></category>
		<category><![CDATA[Group Policy]]></category>
		<category><![CDATA[Least Privilege]]></category>
		<category><![CDATA[Privilege Guard]]></category>

		<guid isPermaLink="false">http://www.avecto.com/blog/?p=1012</guid>
		<description><![CDATA[Active Directory (AD) is the core of a Windows Server network and consists of a database that stores usernames and passwords, plus several technologies that work together to provide security and management services to clients and servers. Domain controllers (DCs) &#8230; <a href="http://www.avecto.com/blog/2011/10/assigning-admin-privileges-on-domain-controllers/">Continue reading <span class="meta-nav">&#8594;</span></a>]]></description>
			<content:encoded><![CDATA[<p>Active Directory (AD) is the core of a Windows Server network and consists of a database that stores usernames and passwords, plus several technologies that work together to provide security and management services to clients and servers. Domain controllers (DCs) are servers that host a copy of the AD database and run related services.</p>
<p>Technical personnel sometimes require access to domain controllers, maybe to perform maintenance connected to backup, patching or a one-off task. This leaves security administrators with something of a quandary, as most of the work likely to be carried out requires full administrative access to the DC, and in turn the crown jewels – Active Directory.</p>
<p>Let’s make it simple and start off by saying that it’s not possible to separate AD and administrator permissions on a regular DC. If you need to grant a user domain administrator permissions to complete some work on a DC, you must trust that person with full access to the AD domain. Read-only domain controllers (RODCs) do exactly what they say on the tin and host a read-only copy of the Active Directory database. Wherever possible you should deploy RODCs, as any domain user can be given permission to install and manage the server without privileged access to Active Directory.<span id="more-1012"></span></p>
<p>Windows IT professionals often assume that the built-in Server Operators group in AD gives the equivalent of local administrator access to DCs without elevated rights to Active Directory. This is not strictly true, and any kind of administrative permission on a DC can result in the user gaining privileges to AD. All built-in AD groups that end in ‘Operators’ are legacy groups and shouldn’t be populated unless you have an application that requires it. For example, if you need to grant permission to perform backup duties, create a new group and assign rights as necessary.</p>
<p>One approach you could adopt to grant admin privileges to DCs is to issue a unique username and password each time access is requested. The credentials are assigned to a technician for a given period of time and for an agreed piece of work. This information is recorded and permissions are revoked at the end of the allotted session. Setting up the user account and recording the necessary logon session details is often done manually, although it can be automated. The person requesting access is responsible for anything that happens during their logon session. Nevertheless, you still need to trust that person with Active Directory.</p>
<p>Depending on the type of work being carried out, a third-party solution, such as Avecto Privilege Guard, could be deployed to allow a standard user to run only pre-approved applications with elevated privileges, greatly reducing the risk involved. Even if a technician must perform a task regularly on a DC, think twice before granting permanent permissions to sensitive production systems and always make sure that all actions are audited.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.avecto.com/blog/2011/10/assigning-admin-privileges-on-domain-controllers/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>What is the Right Amount of GPOs?</title>
		<link>http://www.avecto.com/blog/2011/10/what-is-the-right-amount-of-gpos/</link>
		<comments>http://www.avecto.com/blog/2011/10/what-is-the-right-amount-of-gpos/#comments</comments>
		<pubDate>Tue, 11 Oct 2011 10:02:02 +0000</pubDate>
		<dc:creator>Jeremy Moskowitz</dc:creator>
				<category><![CDATA[Active Directory]]></category>
		<category><![CDATA[Group Policy]]></category>

		<guid isPermaLink="false">http://www.avecto.com/blog/?p=990</guid>
		<description><![CDATA[This is a question I get all the time, so I thought I’d take a moment and share some thoughts on this question. Before we get to “What is the right amount of GPOs”, let’s start off with “Can I &#8230; <a href="http://www.avecto.com/blog/2011/10/what-is-the-right-amount-of-gpos/">Continue reading <span class="meta-nav">&#8594;</span></a>]]></description>
			<content:encoded><![CDATA[<p>This is a question I get all the time, so I thought I’d take a moment and share some thoughts on this question.</p>
<p>Before we get to “What is the right amount of GPOs”, let’s start off with “Can I have too many GPOs?”</p>
<p>One of the problems with Group Policy, in general, is that there isn’t much “organization” inside the Group Policy Objects node within the GPMC. Simply, you get a flat list of GPO names – listed alphabetically. This isn’t ideal if you have, say, thousands of Group Policy Objects and are looking for one in particular: a needle in a haystack.<span id="more-990"></span></p>
<p>So, yes, when I see companies with thousands of GPOs, it’s likely (though not impossible) that means they have “too many GPOs”. If only for the reason that the list is very long and difficult to manage.</p>
<p>But then there’s the flip side to this question: Can I have “too few” GPOs? I’ve seen lots of environments with just this particular problem. Too few GPOs. What does “too few GPOs” look like?</p>
<p>First, it could mean that the organization has decided not to utilize Group Policy – a crying shame considering it has 39 “superpowers” in the box ready to deliver and manage your desktops. However, it also frequently means that administrators have tried to cram too many functions into one Group Policy Object. They’re mixing their policies and their preferences. They’re mixing their user side and their computer sides.</p>
<p>In short, they’re trying to cram as much stuff as they can into as few GPOs as possible. Not a good idea.</p>
<p>So, going back to the question of “What is the right amount of GPOs” – the answer will vary for each environment. However, my suggestion is only to put together items which make sense to be together, and create new GPOs for each unrelated set of items.</p>
<p>For instance, creating one GPO which handles “Firewall settings for Sales” could be 30 different settings inside one GPO. That’s a great use of putting things together (which are similar, and headed to manage the same type of resource).</p>
<p>However, creating a GPO which “Deploys WinZip, deletes U: Drive, and secures c:\Temp” is not a recommended way to use a single GPO. Instead, break that GPO into separate pieces so it becomes easier to troubleshoot if something goes wrong.</p>
<p>So – I tend to suggest more GPOs over fewer GPOs. The “penalty” might be slower login times if a client is set to receive lots of GPOs, but in my experience, even lots of GPOs applying to a client doesn’t significantly hinder login performance. As always, be sure to test this in your environment, as different configurations could yield different results.</p>
<p>Note that in no case can a client process more than 999 GPOs before the Group Policy engine gives up and dies.</p>
<p>And that’s definitely too many GPOs.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.avecto.com/blog/2011/10/what-is-the-right-amount-of-gpos/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Who Has Admin Rights?</title>
		<link>http://www.avecto.com/blog/2011/10/who-has-admin-rights/</link>
		<comments>http://www.avecto.com/blog/2011/10/who-has-admin-rights/#comments</comments>
		<pubDate>Thu, 06 Oct 2011 09:50:41 +0000</pubDate>
		<dc:creator>Kris Zentek</dc:creator>
				<category><![CDATA[Desktop Lockdown]]></category>
		<category><![CDATA[Least Privilege]]></category>

		<guid isPermaLink="false">http://www.avecto.com/blog/?p=760</guid>
		<description><![CDATA[Before implementing a least privilege desktop policy it is generally good practice to know who you are likely to affect. This is not an easy task if you do not already manage or track which users have previously been given &#8230; <a href="http://www.avecto.com/blog/2011/10/who-has-admin-rights/">Continue reading <span class="meta-nav">&#8594;</span></a>]]></description>
			<content:encoded><![CDATA[<p>Before implementing a least privilege desktop policy it is generally good practice to know who you are likely to affect. This is not an easy task if you do not already manage or track which users have previously been given local admin rights on their devices.</p>
<p>Microsoft provides a free utility which does just this – the <strong>Microsoft Baseline Security Analyzer</strong>, or MBSA for short.</p>
<div id="attachment_807" class="wp-caption alignnone" style="width: 310px"><a href="http://www.avecto.com/blog/2011/10/who-has-admin-rights/mbsa-computer-selection/" rel="attachment wp-att-807"><img class="size-medium wp-image-807" title="MBSA - Computer Selection" src="http://www.avecto.com/blog/wp-content/uploads/2011/09/MBSA-Computer-Selection-300x209.png" alt="" width="300" height="209" /></a><p class="wp-caption-text">Choose a type of scan or view previous scan results</p></div>
<p>The MBSA is designed to highlight potential security risks on endpoints and makes recommendations for remediation of these risks. Access to a local admin account is of course a high risk concern, and so this is one of the things it checks for.<span id="more-760"></span></p>
<div id="attachment_810" class="wp-caption alignnone" style="width: 310px"><a href="http://www.avecto.com/blog/2011/10/who-has-admin-rights/mbsa-scan-selection/" rel="attachment wp-att-810"><img class="size-medium wp-image-810" title="MBSA - Scan Selection" src="http://www.avecto.com/blog/wp-content/uploads/2011/09/MBSA-Scan-Selection-300x209.png" alt="" width="300" height="209" /></a><p class="wp-caption-text">Select your scanning options</p></div>
<p>It works by scanning each target endpoint for the number of entries in the local Administrators group, which for any endpoint joined to a domain should only contain the local Administrator user and the Domain Admins group. So if it detects more than two entries, it flags this in the graphical UI. From there you can drill into the report to display the actual group memberships.</p>
<div id="attachment_806" class="wp-caption alignnone" style="width: 310px"><a href="http://www.avecto.com/blog/2011/10/who-has-admin-rights/mbsa-computer-results/" rel="attachment wp-att-806"><img class="size-medium wp-image-806" title="MBSA - Computer Results" src="http://www.avecto.com/blog/wp-content/uploads/2011/09/MBSA-Computer-Results-300x231.png" alt="" width="300" height="231" /></a><p class="wp-caption-text">Summary of all endpoint scan results</p></div>
<div id="attachment_819" class="wp-caption alignnone" style="width: 310px"><a href="http://www.avecto.com/blog/2011/10/who-has-admin-rights/mbsa-scan-results2/" rel="attachment wp-att-819"><img class="size-medium wp-image-819" title="MBSA - Scan Results" src="http://www.avecto.com/blog/wp-content/uploads/2011/09/MBSA-Scan-Results2-300x220.png" alt="" width="300" height="220" /></a><p class="wp-caption-text">Summary of the scan results and details of the &#39;Administrators&#39; test</p></div>
<p>In summary, you should have a good understanding of which users have admin rights before implementing least privilege. If you don’t already audit this, then MBSA can provide this information for you.</p>
<p>For more information and to download MBSA, visit the MBSA TechNet resource <a href="http://technet.microsoft.com/en-us/security/cc184923">here</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.avecto.com/blog/2011/10/who-has-admin-rights/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>What&#8217;s the incentive to secure your desktop systems?</title>
		<link>http://www.avecto.com/blog/2011/09/whats-the-incentive-to-secure-your-desktop-systems/</link>
		<comments>http://www.avecto.com/blog/2011/09/whats-the-incentive-to-secure-your-desktop-systems/#comments</comments>
		<pubDate>Mon, 26 Sep 2011 08:30:15 +0000</pubDate>
		<dc:creator>Russell Smith</dc:creator>
				<category><![CDATA[Desktop Lockdown]]></category>
		<category><![CDATA[Least Privilege]]></category>
		<category><![CDATA[Windows 7]]></category>

		<guid isPermaLink="false">http://www.avecto.com/blog/?p=937</guid>
		<description><![CDATA[Desktop security may seem to have little to do with an organization’s profit and loss, share prices and overall bottom line, but going beyond antivirus protection can have a significant impact on productivity, total cost of ownership and IT support &#8230; <a href="http://www.avecto.com/blog/2011/09/whats-the-incentive-to-secure-your-desktop-systems/">Continue reading <span class="meta-nav">&#8594;</span></a>]]></description>
			<content:encoded><![CDATA[<p>Desktop security may seem to have little to do with an organization’s profit and loss, share prices and overall bottom line, but going beyond antivirus protection can have a significant impact on productivity, total cost of ownership and IT support costs. In an era where companies are under pressure to reduce overheads and find new sources of revenue, operating an efficient IT infrastructure has never been so important. Whether that involves virtualization or getting more from your existing hardware, desktop security plays a vital role in ensuring systems run securely with maximum performance and uptime.</p>
<p>Security is often viewed like an insurance policy &#8211; an expense that’s hard to quantify in terms of return on investment. But skimping on well secured endpoints or assuming that antivirus is enough to keep end users out of trouble is a false economy. Even if your company isn’t subject to regulatory compliance, properly secured systems still bring important advantages that shouldn’t be overlooked.<span id="more-937"></span></p>
<p>Anyone who’s run Windows Vista or 7 as a standard user will know that these PCs perform more consistently and reliably, are less prone to malware infection and rarely require support from an IT professional compared to an equivalent system running with administrative privileges. Application whitelisting can further improve this record, significantly reducing problems caused by malware or application conflicts.</p>
<p>In an ideal world, users would be able to install any application in an isolated container without having to worry about the impact on system performance, malware infection or compatibility problems. And while the technology does exist to virtualize applications, it’s not yet mature enough that users can be left to choose what to install without some assistance from IT.</p>
<p>Striking a balance between a curated least privilege desktop, productivity and the ability to install approved applications on demand is the best way to provision fast, responsive and secure systems that enable users to be as productive as possible. Privilege Guard can help IT departments manage the balance between security and flexibility that is crucial in any least privilege deployment, and improvements in Privilege Guard 2.8 make it even easier for IT to manage privileges across multiple desktops.</p>
<p>But user productivity can be difficult to measure and proving that it provides a competitive advantage or positively impacts a company’s end of year results is not always easy. To get management buy-in, analyse the organization’s helpdesk logs, and give users who generate the most support tickets a fresh build of Windows with least privilege enabled from the outset. Once they’ve run with it for a couple of months and any initial problems have been ironed out, make a before and after snapshot of helpdesk calls to show the reduction in IT support costs. Extra uptime for end users can be translated into additional sales or improved customer service. The results will be significant enough to convince management that a secure desktop is less expensive to support and has added productivity benefits for users in exchange for minimal IT administrative effort and cost.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.avecto.com/blog/2011/09/whats-the-incentive-to-secure-your-desktop-systems/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

