Microsoft Patch Tuesday or Black Tuesday?

by Mary Rose 10. May 2011 15:23

It’s that time again: Microsoft is releasing patch updates, better known as Patch Tuesday, or maybe even Black Tuesday.

Microsoft released 2 security bulletins today for May’s patch updates, compared to 17 security bulletins in April. Nonetheless, the vulnerabilities behind regular Windows, Internet Explorer, and Microsoft Office patch updates can expose a desktop to harmful malware and other IT threats. These threats can cause major headaches for IT administrators, but these headaches can be reduced when a user does not have admin rights on the desktop. Viewfinity research shows that these vulnerabilities are mitigated when users are running without admin rights, but it doesn’t stop here. Companies must bridge the gap between desktop lockdown and end user productivity, and this is why many companies are using Viewfinity’s Privilege Management solution. This is the only reliable and sought-after solution that balances the rigidity of locking down endpoints with the needs of user customization. It provides IT security professionals with a method for securing the endpoint by elevating privileges for an application or process, or for desktop functions, rather than providing total administrative privileges. Systems are less at risk without sacrificing user productivity or increasing support call volume.

You can read the full analysis here. 

Take the first step in mitigating the risk of Black Tuesday’s vulnerabilities by detecting which users have admin rights on the Windows domain with Viewfinity’s complimentary Local Admin Discovery Tool.  This tool will allow IT admins to discover and remove users with admin rights that should not have them. 

After removing the admin rights, see how easy it is to bridge the gap between desktop lockdown and managing policies and elevating privileges on the fly with a free evaluation of our product.

Top 10 Windows Desktop Lockdown Tips & Tricks

by Alex Shoykhet 29. January 2010 15:21

Darren Mar-Elia recently published his Top 10 Windows Desktop Lockdown Tips & Tricks in WindowsITPro magazine.  We thought we'd share these with you.  Below is tip #1.  Stay tuned, more to come.

1.  Least privilege is the best privilege:  The single biggest thing you can do to ensure your desktop security is to run your desktops using a least privilege model.  This means not making your users Administrators or Power Users on their desktops.  While this can be challenging to accomplish, with users as administrators, you have no control over what they can do on their systems.

The chart below was taken from data gathered from a recent systems management survey run with Redmond Magazine's audience.  It reveals that while 2/3 of organizations agree with Darren's #1 tip, most have taken an all or nothing approach to lockdown.  Are you hesitant to move to a locked down desktop environment?  If so, why is that?


Compliance | Privilege Management

Is complete desktop lock-down the best way to adhere to corporate compliance policies?

by Alex Shoykhet 30. September 2009 11:36

Since Sarbanes-Oxley, there has been a lot of buzz about "compliance" and the hoops IT must jump through to ensure its adherence. But everybody views it differently. One organization demands all PCs are locked down completely, another one keeps the environment wide open and resets to a golden image when issues occur, and yet another has different policies for laptops and desktops or different policies depending on the end user’s functional role within the organization. Many argue that there is no such thing as privacy on a company’s computer, and others insist that there are privacy issues to be considered. Regardless, these policies create tension between IT personnel and end users. And since more and more people are telecommuting, it is very difficult to keep everything as restrictive as management would like. Many enterprise-level organizations have conceded the fact that the corporate PC, while primarily a tool to conduct business, is also the same device used for “personal computing” and separating these two uses may not be necessary. This allows employees to use their PC for both business and personal needs. With this approach, however, what should be the role of tech support and how is corporate compliance enforced?

Maintaining "blacklists" or "whitelists" for unauthorized and authorized applications can be time consuming. Since fluctuations between blacklists and whitelists occur frequently, flexible application lockdown rules based upon groups, connectivity status, application, and time of day would best support the needs of the end user, the system administrator and the company. Configurable compliance policy support would help to eliminate critical problems that might occur if, for example, a laptop is stolen: if the laptop isn’t connected to the corporate network, specified data and/or applications cannot be accessed. The same kind of rule could disable iTunes or IM during business hours.

So what is the norm today and can an automated method for managing privileges help your company protect itself if complete lockdown is not the ideal approach?


Compliance | Privilege Management


About Viewfinity

Viewfinity provides privilege management and application control for desktops, laptops and servers, empowering enterprises to meet compliance mandates, reduce security risks, and lower IT costs. The Viewfinity solution allows enterprises to control end user and privileged user rights for applications and systems which require elevated permissions. Viewfinity's granular-level control enables companies to establish and enforce consistent policies for least privilege Windows-based environments based on segregation of duties. For more information, visit www.viewfinity.com.
