Coretek Services: Application Virtualization – The UAC Panacea?

by Alex Shoykhet 20. January 2012 14:02

Cindy Meinke of Coretek Services wrote about application virtualization and the challenges of User Account Control (UAC). Cindy mentions that Viewfinity Privilege Management is one solution for handling the UAC prompt challenge.

With the migration to Windows 7, the introduction of UAC prompts can be disruptive to end users. Viewfinity helps IT admins manage UAC prompts by suppressing or customizing the UAC dialog. This UAC-handling capability in Viewfinity Privilege Management meets a critical customer requirement: a better user experience.

Here is a more technical explanation tied to the issues raised in the Coretek article. While it is true that application virtualization may simplify the management of UAC and elevated rights, not all applications and tasks can be virtualized effectively. For example, applications whose embedded manifest carries a “requestedExecutionLevel” that demands admin rights, and browser-based ActiveX controls, cannot be virtualized. UAC and the management of general Windows administrative tasks is a separate issue that cannot easily be addressed without a third-party tool such as the Viewfinity Privilege Management product.

Here are just a few examples of administrative tasks that will cause a UAC prompt:

  • Installing and uninstalling applications
  • Installing device drivers
  • Installing ActiveX controls
  • Changing settings for Windows Firewall
  • Configuring Windows Update (XP)
  • Adding or removing user accounts
  • Changing a user’s account type
  • Running Task Scheduler
  • Restoring backed-up system files
  • Viewing or changing another user’s folders and files
  • Running Disk Defragmenter
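To see which manifest levels actually produce a prompt for a standard user, here is an added PowerShell example (not code from the Coretek article or from Viewfinity) that classifies a manifest's requestedExecutionLevel; the manifest XML is constructed for illustration.

```powershell
# Added example, not from the original post: classify an application manifest's
# requestedExecutionLevel by whether it raises a UAC prompt for a standard user.
# The manifest below is constructed for illustration (the same XML an .exe embeds
# as its RT_MANIFEST resource or ships as a side-by-side .manifest file).
$sampleManifest = @'
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
    <security>
      <requestedPrivileges>
        <requestedExecutionLevel level="requireAdministrator" uiAccess="false"/>
      </requestedPrivileges>
    </security>
  </trustInfo>
</assembly>
'@

function Get-UacBehavior {
    param([Parameter(Mandatory)][string]$ManifestXml)

    $xml = [xml]$ManifestXml
    # GetElementsByTagName matches regardless of the asm.v2 / asm.v3 namespace used.
    $nodes = @($xml.GetElementsByTagName('requestedExecutionLevel'))
    if ($nodes.Count -eq 0) {
        return [pscustomobject]@{
            Level = '(none)'; PromptsStandardUser = $false
            Note  = 'No trustInfo entry: runs as invoker (unmanifested setup-style executables may still trigger UAC installer detection).'
        }
    }
    $level = $nodes[0].GetAttribute('level')
    switch ($level) {
        'requireAdministrator' { $prompts = $true;  $note = 'Always requests elevation; a standard user cannot run it without an elevation policy.' }
        'highestAvailable'     { $prompts = $false; $note = 'Prompts only if the user is already an administrator; standard users run it unelevated.' }
        'asInvoker'            { $prompts = $false; $note = 'Runs with the caller token; never prompts.' }
        default                { $prompts = $false; $note = "Unrecognised level '$level'." }
    }
    [pscustomobject]@{ Level = $level; PromptsStandardUser = $prompts; Note = $note }
}

# Classify the constructed sample; pass (Get-Content app.exe.manifest -Raw) for a real file.
Get-UacBehavior -ManifestXml $sampleManifest | Format-List
```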

Drilling into the Viewfinity Privilege Management product: it not only elevates privileges or reduces permissions for individual applications, admin tasks, or ActiveX controls, but also provides a policy automation workflow that generates policies automatically from approved applications or from on-demand self-elevation. Fully integrated with UAC management, Viewfinity Privilege Management can suppress UAC prompts or replace them with a Viewfinity justification dialog box, in which the end user submits a justification for requesting elevated rights. Bringing it full circle, our audit report feature captures UAC usage events and collects information important for security audits, such as the use of unauthorized credentials in UAC and which actions were performed as a result of unauthorized activity.

Ramnit Worm is becoming a huge threat vector for the banking industry

by Alex Shoykhet 31. August 2011 14:17

The Ramnit worm is more dangerous than originally thought and is becoming a huge threat vector for the banking industry, according to the article “Ramnit worm variant now dangerous banking malware,” written by Robert Westervelt of SearchSecurity.com. The capabilities of the Ramnit worm are more serious than before because cybercriminals have transformed it into “financial-focused malware capable of draining bank accounts.” The Ramnit worm infects Microsoft Windows executable files and has made it onto Microsoft’s Top 25 Infections list.

There are ways your company can reduce its exposure to the malicious Ramnit worm. One method is to limit user privileges on the computer by removing administrator rights. The worm infects executable files in order to remain undetected. According to Microsoft’s Win32/Ramnit description, it is a family of multi-component malware that infects Windows executable files, Microsoft Office files and HTML files. Win32/Ramnit spreads to removable drives and steals sensitive information such as saved FTP credentials and browser cookies. The malware may also open a backdoor to await instructions from a remote attacker. When run, it copies itself using a hard-coded name or, in some cases, to a random folder and file name, for example:

  • %ProgramFiles%\Microsoft\watermark.exe
  • %ProgramFiles%\Microsoft\desktoplayer.exe
  • %ProgramFiles%\blvvcvww\jonimvgn.exe

What this means is that if users have local admin rights, the probability of infection is higher. If administrator rights are removed, elevated permissions are required to write to protected areas of Windows. For example, if an end user is working on Windows 7 without admin rights and the process tries to copy files into the folders mentioned above, a UAC dialog box (if UAC is enabled) will prompt for an administrator password before the operation can proceed. Removing administrator rights from end users is very effective in this scenario. According to Microsoft, multiple steps should be taken to help prevent infection on your computer, including limiting user privileges on the computer.
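The protection described above can be checked directly. The following added PowerShell example (not from the post or from Microsoft) looks for the Ramnit drop paths listed above and probes whether the current account could create a file in those locations; run it once as a standard user and once elevated to see the difference UAC makes.

```powershell
# Added example, not from the original post: for the Ramnit drop locations quoted
# above, report whether the file exists and whether the current user could create it.
# Under UAC a standard user gets "access denied" for %ProgramFiles%; that denial is
# the protection the post describes.
$dropPaths = @(
    "$env:ProgramFiles\Microsoft\watermark.exe",
    "$env:ProgramFiles\Microsoft\desktoplayer.exe",
    "$env:ProgramFiles\blvvcvww\jonimvgn.exe"
)

function Test-IsElevated {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Test-DropPath {
    param([Parameter(Mandatory)][string]$Path)
    # Probe the nearest existing ancestor directory with a harmless create-and-delete
    # of a random name; never touch the real malware file name.
    $dir = Split-Path -Parent $Path
    while (-not (Test-Path -LiteralPath $dir)) { $dir = Split-Path -Parent $dir }
    $probe = Join-Path $dir ('writeprobe-' + [guid]::NewGuid().ToString('N') + '.tmp')
    try {
        [IO.File]::WriteAllText($probe, '')
        Remove-Item -LiteralPath $probe -Force
        $writable = $true
    } catch [System.UnauthorizedAccessException] {
        $writable = $false
    }
    [pscustomobject]@{
        Path         = $Path
        Exists       = Test-Path -LiteralPath $Path
        UserCanWrite = $writable
        Elevated     = Test-IsElevated
    }
}

$results = $dropPaths | ForEach-Object { Test-DropPath -Path $_ }
$results | Format-Table -AutoSize
# Exists=True: hand the host to your malware scanner. UserCanWrite=True while
# Elevated=False: the %ProgramFiles% ACLs have been weakened and should be restored.
```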

View a recorded webcast from MVP Greg Shields, “Eliminating Admin Rights as Another Layer of Protection Against Malware,” and learn about other use cases where removing administrator rights reduces the threat of malware.

Disgruntled Employee Hacks Former Employer using McDonald’s Free WiFi

by Alex Shoykhet 23. August 2011 12:19

Shionogi, a Japanese pharmaceutical company, was recently hacked by a disgruntled former IT administrator, as reported by Fahmida Y. Rashid in “Latest Anonymous Havoc, Resurgent Spam Lead Week's Security News” on eWeek.com. The former employee hacked the system via free WiFi in a local McDonald’s after having been laid off by Shionogi.

“During his intrusion, he deleted the company's virtual infrastructure, equivalent to 88 physical servers, and brought the company to a standstill as it tried to recover data.” This alone shows that proper procedures were not in place for the termination of employment, especially given that the employee had access to sensitive passwords for the server infrastructure. In addition to best practices in account identity management, there should have been another layer of security protection: a least-privilege approach and segregation of duties.

This case points out how important it is to ensure that IT administrators have permissions only for what is necessary for their specific job role. For instance, administrators responsible for daily operations such as patch management may automatically be granted full administrative rights, or administrators responsible for managing applications may request full administrative rights to the entire server in order to support those applications. In reality, administrator rights can be elevated to perform only the necessary functions, such as approved software installations, disk management, or managing specific applications. In some scenarios, IT may want to restrict administrator functions, such as removing or reducing the ability to modify members of the local Administrators group, install server roles, and so on. This segregation of duties for administrators can be achieved by implementing granular privilege management policies and following best practices for separation of duties. Following basic best practices, such as having proper procedures in place after an employee’s termination (including steps for “privileged” users), operating in a least-privilege environment, and establishing separation-of-duties policies, can ensure your organization is less vulnerable to internal and external attacks.

What's New at Viewfinity?

by Alex Shoykhet 25. July 2011 09:49

Viewfinity 3.6 – GA July 25, 2011

Viewfinity’s newest capabilities automate the assessment of privilege-elevation needs by silently discovering, prior to removing administrator rights, the applications and processes that require elevated privileges based on end-user activity. Then, based on how frequently the required policies would be exercised, Viewfinity defines an organization’s readiness level to invoke the policies and remove administrative rights.

Viewfinity’s End-to-End Non-Disruptive Move to Least Privileges process encompasses the following automated steps:

  1. Discovers user accounts and groups that are members of the local “Administrators” built-in user group on computers in your Windows domain.
  2. Silently discovers applications requiring administrative rights prior to revoking privileges.
  3. Provides “Readiness Statistics” based on end user activity that is collected over a period of time to ensure all events requiring administrator rights are captured.
  4. Once the collection and analysis has completed, policies to elevate privileges are automatically created and prepared in advance so that when administrative rights are removed, the policies are in place to ensure a non-disruptive move to least privileges.
  5. Supports future needs, exceptions and maintenance. Viewfinity:
     • Collects user requests with corresponding business justification
     • Provides a policy authorization workflow management and approval process
  6. Ongoing auditing and reporting for compliance validation

For a detailed description of all feature updates and enhancements in this release, please review our 3.6 Release Notes.

More on Ana Siejas, VMWare Security & Compliance, blog: Analogies & The Principle of Least Privilege

by Alex Shoykhet 28. June 2011 11:15

Blog: Analogies & The Principle of Least Privilege

VMware vShield does a great job of providing an additional layer of security at the network layer. In addition to applying the least-privilege principle at the network level, another important element of securing endpoint environments is applying the same principle on the endpoints themselves. Typically, owners of datacenter applications request full administrative rights in order to manage their applications, but that level of access grants permissions to OS elements outside the scope of those applications. For instance, an application administrator for a server application needs to manage database and web applications and therefore holds full administrative rights. Having full control of the server may cause unintentional damage or open it up to malicious attacks: with administrator privileges on an endpoint, the user has full rights to take a server out of the domain or unintentionally apply untested driver updates, which can damage the OS. Third-party privilege management products that provide granular control over physical and virtual desktops and servers should be considered so that the least-privilege principle can be applied at the level of an application or process. Permissions can then be raised only for a required task or application in the context of the logged-on user account, instead of granting full admin rights or running under another administrative account. If you need to give developers access to a production server, there is no need to open full access to the entire server; instead, elevate permissions for the specific action and use the auditing and reporting features. Look for vendors who partner with VMware, as they have already integrated their products with VMware virtualization software.

Enhancements to Viewfinity’s Local Admin Discovery Tool

by Alex Shoykhet 17. June 2011 11:35

Viewfinity is excited to announce the new enhancements made to the Local Admin Discovery Tool.  Many users have downloaded and utilized the tool and Viewfinity is listening…

Based upon feedback from users, we’ve recently made several enhancements to the Viewfinity Local Admin Discovery Tool. This is a great free tool for discovering user accounts that have local administrative rights. The list of enhancements and fixes includes:

  1. Fixed special symbols in names.
  2. Support for a very large number of OUs.
  3. Ability to save the list of computers at the end of a session so it can be reused in the next session.
  4. Ability to export the list of computers to an external file.
  5. Added a new pane to the wizard following the Credentials pane, with three options: start a new AD discovery, use the computers saved in the last session, or import a list of computers from an external text file.
  6. Color-coded users/groups are saved at the end of the session and automatically reused in the next session. The menu item “Reset Colors to Default” is always available.
  7. Added a new report organized by Computers, in addition to the existing report organized by Users/Groups.
  8. Fixed the links in the exported Excel file.
  9. OU column added to the last pane.

You can download the updated version here: Viewfinity Local Admin Discovery Tool
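Step 1 of the 3.6 process above and the Local Admin Discovery Tool both come down to enumerating the local Administrators group across the estate. Here is an added PowerShell example of that enumeration (not the tool's own code) using the WinNT ADSI provider; the computer names and the baseline group list are assumptions to replace with your own.

```powershell
# Added example, not the Viewfinity tool's code: enumerate the local "Administrators"
# group on a list of computers through the WinNT ADSI provider and flag members that
# fall outside an expected baseline. Computer names below are placeholders.
$computers = @('WS-PLACEHOLDER-01', 'WS-PLACEHOLDER-02')

# Baseline for a domain-joined workstation; adjust to your own standard (e.g. a
# "Workstation Admins" group). Anything outside it is flagged for review.
$baseline = @('Administrator', 'Domain Admins')

function Get-LocalAdminMembers {
    param([Parameter(Mandatory)][string]$ComputerName)
    try {
        $group = [ADSI]"WinNT://$ComputerName/Administrators,group"
        foreach ($m in @($group.Invoke('Members'))) {
            # Members come back as raw COM objects; read their properties via reflection.
            $name  = $m.GetType().InvokeMember('Name',    'GetProperty', $null, $m, $null)
            $class = $m.GetType().InvokeMember('Class',   'GetProperty', $null, $m, $null)
            $path  = $m.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
            [pscustomobject]@{
                Computer = $ComputerName
                Member   = $name
                Type     = $class                                          # User or Group
                Source   = ($path -replace '^WinNT://', '').Split('/')[0]  # domain or local machine
                Flagged  = ($baseline -notcontains $name)
            }
        }
    } catch {
        # Unreachable host, access denied, or RPC blocked: record it instead of silently skipping.
        [pscustomobject]@{ Computer = $ComputerName; Member = "ERROR: $($_.Exception.Message)"
                           Type = ''; Source = ''; Flagged = $false }
    }
}

$report = foreach ($c in $computers) { Get-LocalAdminMembers -ComputerName $c }
$report | Sort-Object Computer, Flagged -Descending | Format-Table -AutoSize
# Persist the run so the next pass can be diffed against it, much like the tool's
# "save list of computers" option.
$report | Export-Csv -NoTypeInformation -Path .\local-admins.csv
```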


Eliminating Administrator Rights as Another Layer of Protection Against Malware

by Alex Shoykhet 16. June 2011 15:33

Signature-based anti-malware solutions are losing effectiveness, so protecting your organization by implementing multiple layers of security is necessary to mitigate risk.

A smart, effective move for adding another layer of protection against malware is eliminating administrator rights. You already know that widespread administrator rights are an administrative nightmare for IT: users with administrator privileges install inappropriate applications, run bad software, change system settings, and crash their computers. That is bad for IT. But were you aware that widespread administrative privileges are also a huge vector for malware attacks? By eliminating administrator rights, you can prevent many forms of malware from completing their mission – all without ever needing to update an anti-virus signature. Even some forms of the dreaded zero-day attack can be prevented with the right approach, such as eliminating administrator rights and managing policies that elevate privileges with a solution such as Viewfinity’s Privilege Management.

Sign up for one of our weekly demos on “Getting Started: Removing Administrator Rights & Setting up Policies to Elevate Privileges for Standard Users”

Viewfinity Uses a Kernel Layer Approach when Managing Administrative Privileges

by Alex Shoykhet 2. June 2011 15:24

There's been buzz recently about various technology methods for privilege management on Windows PCs. There isn't any doubt as to the proper architecture. Viewfinity maintains that managing privileges at the kernel level is the most technologically sound approach to controlling least privilege at the desktop level. A kernel driver is the industry-standard method used by most anti-virus vendors and most DLP products, and it is the method that should be used for security products such as privilege elevation management. The technology is complicated, but it is endorsed and regulated by Microsoft: so-called “elevation” of drivers is assigned and maintained by Microsoft. Software vendors that took a shortcut in this advanced field went with a simpler, more amateur approach, user-mode hooking, which is not officially supported by Microsoft, as clearly stated in this excerpt from Microsoft’s documentation:

Straight from the README.TXT of the Detours API hooking library:

4.5. SUPPORT FOR DETECTION OF DETOURED PROCESSES:
=================================================
Detours loads the detoured.dll shared library stub into any process which has
been modified by the insertion of a detour. This allows the Microsoft Customer
Support Services (CSS) and the Microsoft Online Crash Analysis (OCA) teams to
quickly and accurately determine that the behavior of a process has been
altered by a detour. CSS does not provide customer assistance on detoured
products.
  

GPO management products from NetIQ and Quest can be used to manage Viewfinity GPO policies

by Alex Shoykhet 24. May 2011 19:55

Viewfinity offers three deployment methodologies: through our SaaS/cloud platform, via your on-premise servers as a private cloud, or through GPO/Active Directory. The last is implemented as an extension to Group Policy and is managed through the standard Group Policy Management tools offered by Microsoft. Many organizations require more advanced Group Policy management features, for example to predict the impact of Group Policy changes in an offline environment, or to use advanced GPO planning, control, troubleshooting or reporting. This can be accomplished with third-party products such as NetIQ Group Policy Administrator and Quest GPOAdmin, which provide the controls necessary to identify and prevent unplanned, unmanaged, or malicious change, improving the security and overall availability of your IT environment. Organizations that have invested in third-party Group Policy management and reporting products can manage Viewfinity policies using their existing tools. There is no need to change existing business processes or use a separate management console for policy management.

Viewfinity GPO extension managed using Quest GPOAdmin

Viewfinity GPO extension managed using NetIQ Group Policy Administrator


Managing Administrative Privileges at the Kernel Layer

by Alex Shoykhet 18. February 2011 08:19

There's been buzz recently about various technology methods for privilege management on Windows PCs. There isn't any doubt as to the proper architecture. Viewfinity maintains that managing privileges at the kernel level is the most technologically sound approach to controlling least privilege at the desktop level. A kernel driver is the industry-standard method used by most anti-virus vendors and most DLP products, and it is the method that should be used for security products such as privilege elevation management. The technology is complicated, but it is endorsed and regulated by Microsoft: so-called “elevation” of drivers is assigned and maintained by Microsoft. Software vendors that took a shortcut in this advanced field went with a simpler, more amateur approach, user-mode hooking, which is not officially supported by Microsoft, as clearly stated in this excerpt from Microsoft’s documentation:

Straight from the README.TXT of the Detours API hooking library:

4.5. SUPPORT FOR DETECTION OF DETOURED PROCESSES:
=================================================
Detours loads the detoured.dll shared library stub into any process which has
been modified by the insertion of a detour. This allows the Microsoft Customer
Support Services (CSS) and the Microsoft Online Crash Analysis (OCA) teams to
quickly and accurately determine that the behavior of a process has been
altered by a detour. CSS does not provide customer assistance on detoured
products.
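The detection mechanism the README describes, the detoured.dll stub loaded into every detoured process, can be turned into a defender's check. This added PowerShell example (not from the post, from Viewfinity or from Microsoft) lists processes that have that stub loaded; one caveat, stated as my own understanding rather than the post's: the stub belongs to Detours 2.x, and Detours 3.0 and later no longer load it, so an empty result does not prove that no user-mode hooks are present.

```powershell
# Added example, not from the original post: list processes that have the Detours
# detoured.dll stub loaded, i.e. processes whose behaviour has been altered by a
# user-mode hook, using the same marker the README says Microsoft CSS/OCA rely on.
function Get-DetouredProcesses {
    param([string]$StubName = 'detoured.dll')
    $inaccessible = New-Object System.Collections.Generic.List[string]
    $hits = foreach ($p in Get-Process) {
        try {
            $stub = $p.Modules | Where-Object { $_.ModuleName -ieq $StubName }
            if ($stub) {
                [pscustomobject]@{
                    ProcessId = $p.Id
                    Name      = $p.ProcessName
                    StubPath  = $stub.FileName
                }
            }
        } catch {
            # Access denied, 32/64-bit mismatch, or the process exited mid-scan:
            # module list unavailable, so record it rather than treating it as clean.
            $inaccessible.Add("$($p.ProcessName) ($($p.Id))")
        }
    }
    [pscustomobject]@{
        Detoured     = @($hits)
        Inaccessible = $inaccessible.ToArray()
    }
}

$result = Get-DetouredProcesses
if ($result.Detoured.Count -eq 0) {
    Write-Host 'No inspected process has detoured.dll loaded.'
} else {
    $result.Detoured | Format-Table -AutoSize
}
if ($result.Inaccessible.Count -gt 0) {
    Write-Warning ('Could not inspect {0} process(es); rerun elevated: {1}' -f $result.Inaccessible.Count, ($result.Inaccessible -join ', '))
}
```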
  
