#2 of the Top 10 Windows Desktop Lockdown Tips & Tricks

by Alex Shoykhet 16. February 2010 08:47

Here's a continuation of the Top 10 Windows Desktop Lockdown Tips & Tricks recently written by Darren Mar-Elia in WindowsITPro:

#2 Elevate as needed: As a corollary to No. 1, sometimes you need to elevate user privileges to allow them to get their jobs done, especially if they are mobile users. Look for third-party products that let you selectively elevate on a per-application or task basis to let users do what they need. This is an important capability because, as you move to least privilege, help desk calls from users who can no longer perform certain tasks will increase. Having a solution that lets you elevate specific tasks can reduce these calls while ensuring security.

Learn how one Viewfinity CIO customer, Lathrop & Gage, is using our Privilege Management product to move from its Wild Wild West environment to more of a least privileges operation.

Desktop Management | Privilege Management

Top Desktop Management Pain Points

by Alex Shoykhet 4. February 2010 11:20

Managing desktops and laptops in a distributed environment is a top challenge for IT departments.  Current industry research shows that the most urgent and pressing issues are clear: 

  • Providing better support and management for your mobile workforce
  • Securing your environment through desktop lockdown without simply causing a shift in the type of help desk calls
  • Deploying software versions and patch updates easily and with extended reach to mobile workers
  • Resolving help desk calls faster

Yet many solutions that exist on the market today to help alleviate these issues become a burden themselves. With some legacy systems, in 50% of the implementations, the time to roll the system out takes over six months. And for every 5,000 desktops an organization must manage, it must have at least one full-time employee on staff simply to tend to the administration of the systems management servers.

What if there were a solution that allowed you to focus on managing computers for end-users and their business needs and not the administering of the management platform? What if in four easy steps and in less than ten minutes, the software can be installed and ready for evaluation? 

We'd like to hear from you: what are some of the systems management challenges you are dealing with in your organization? Are they the same issues as noted above, or do you have an entirely different set of challenges?

Desktop Management | Laptop Management | Laptop Support | Mobile Workers

Elevate Privileges / Least Privileges

by Alex Shoykhet 4. February 2010 10:47

Elevating security rights to administrative levels on a per application basis

Managing administrative privileges on the desktop is an important and challenging problem for IT administrators. Many applications developed in-house, as well as some commercial products such as Visual Studio, require running the application as an administrator. If the user doesn't have administrative privileges, the application components will not function or, even worse, the application will not run at all. In a typical situation, an end user needs to run such an application, and the IT administrator must either grant full local administrative rights to the user account or use the native Windows command "RunAS" and provide the administrator password. Allowing users to have administrative rights or exposing the administrator password is risky and creates a less secure environment, which opens the door for desktop problems to occur.

This problem is especially challenging for IT Administrators working for the government as the recent US Government Federal Desktop Core Configuration (FDCC) mandate stipulates that administrative rights cannot be granted to end users and may not be made available on federal desktops and laptops.

Granting administrator rights at the application level and removing privileges from end users is the best approach for optimum desktop security. With this approach, the desktop operates within the least privileges mode except for applications flagged for elevated privileges.

Here's a 70 second video clip demonstrating Viewfinity Elevate Privileges. Feedback is welcome.

Desktop Management | Laptop Management | PC Life Cycle Management | Privilege Management

Top 10 Windows Desktop Lockdown Tips & Tricks

by Alex Shoykhet 29. January 2010 15:21

Darren Mar-Elia recently published his Top 10 Windows Desktop Lockdown Tips & Tricks in WindowsITPro magazine.  We thought we'd share these with you.  Below is tip #1.  Stay tuned, more to come.

1.  Least privilege is the best privilege:  The single biggest thing you can do to ensure your desktop security is to run your desktops using a least privilege model.  This means not making your users Administrators or Power Users on their desktops.  While this can be challenging to accomplish, with users as administrators, you have no control over what they can do on their systems.

The chart below was taken from data gathered from a recent systems management survey run with Redmond Magazine's audience.  It reveals that while 2/3 of organizations agree with Darren's #1 tip, most have taken an all or nothing approach to lockdown.  Are you hesitant to move to a locked down desktop environment?  If so, why is that?

Compliance | Privilege Management

The Help Desk Pressure Cooker

by Alex Shoykhet 11. November 2009 10:49

There is a fair amount of pressure to resolve desktop and laptop problems instantly, over the phone, as the end user waits anxiously on the other end. For example, I got a call from my boss, who was at the airport having problems trying to run Outlook. Outlook was taking a very long time to start and when it finally started, he got a message related to a corrupted file. I launched into my standard troubleshooting methodology:

  1. Information Gathering — What changes were made to the computer recently? What new applications have been installed? When was the last time the application worked properly? Usually I get mixed responses, with more details coming from technical users and less from business users. Most end users won't always "recall" exactly what they did.
  2. Error Analyzing — Use typical tools including application event log, log files, user groups and application knowledge bases.
  3. Invoke Remote Terminal — Establish remote control session with problematic PC. Try to recreate the problem and then take corrective action.
  4. Execute Fix — This depends on what information is available from steps 1-3. In some cases the problem can be fixed by applying the latest patch, modifying the registry or other settings. Sometimes it's faster to just reinstall the application, although all user settings need to be recorded and reset (location of all PST data files, account settings such as email signature, etc.).

Viewfinity offers a feature, Activity Recording, that shows me, step by step, exactly what events were executed on the PC. I then simply undo the event that caused the problem. How much time would be saved and aggravation avoided in a day? A month? How much in a year?!

Laptop Support

Use Case: White List Only

by Alex Shoykhet 15. October 2009 11:47

Business Need
Is it possible to set up and manage a list of white-listed applications only, rather than having to maintain a list of all unapproved software and block it?

Viewfinity Capability
Viewfinity can be configured to support a "white list only" model so that when an end user logs in, his/her desktop is configured to only present and run the applications that are required for them to work. Other standard desktop applications are not available — no games, IM, iTunes, etc. are visible.

See it in several Easy Steps

ROI Considerations
  • Reduces end user support and malware incidents
  • Improves network and asset utilization by restricting the use of non business-critical applications
  • Ensures business-critical applications are meeting corporate configuration standards

Compliance | Desktop Management | Laptop Management

Is complete desktop lock-down the best way to adhere to corporate compliance policies?

by Alex Shoykhet 30. September 2009 11:36

Since Sarbanes-Oxley, there has been a lot of buzz about "compliance" and the hoops IT must jump through to ensure its adherence. But everybody views it differently. One organization demands all PCs are locked down completely, another one keeps the environment wide open and resets to a golden image when issues occur, and yet another has different policies for laptops and desktops or different policies depending on the end user’s functional role within the organization. Many argue that there is no such thing as privacy on a company’s computer, and others insist that there are privacy issues to be considered. Regardless, these policies create tension between IT personnel and end users. And since more and more people are telecommuting, it is very difficult to keep everything as restrictive as management would like.

Many enterprise level organizations have conceded the fact that the corporate PC, while primarily a tool to conduct business, is also the same device used for “personal computing” and separating these two uses may not be necessary. This allows employees to use their PC for both business and personal needs. With this approach, however, what should be the role of tech support and how is corporate compliance enforced?

Maintaining "blacklists" or "whitelists" for unauthorized and authorized applications can be time consuming. Since fluctuations between blacklists and whitelists occur frequently, flexible application lockdown rules based upon groups, connectivity status, application, and time of day would best support the needs of the end user, the system administrator and the company. Configurable compliance policy support would help to eliminate critical problems that might occur if, for example, a laptop is stolen: if the laptop isn’t connected to the corporate network, specified data and/or applications cannot be accessed. The same kind of rule could disable iTunes or IM during business hours.

So what is the norm today and can an automated method for managing privileges help your company protect itself if complete lockdown is not the ideal approach?

Compliance | Privilege Management

Reference to Brian Madden’s blog posting

by Alex Shoykhet 16. June 2009 11:17

Have a look at Brian Madden's blog posting, "If Symantec buys a client hypervisor, they could dominate the desktop virtualization market in two years" as it lends itself to what we are doing with the on-the-fly virtualization™ methodology. We agree with his philosophy that the solution to virtualize the other 480 million desktops should not be "hard and game changing" but rather a non-disruptive approach, as noted "without even noticing it."

Desktop Virtualization

Virtualizing on-the-fly vs. pre-packaging approach

by Alex Shoykhet 16. June 2009 11:00

Desktop virtualization is an evolving technology that has different approaches. Here we compare two methods that focus only on the tactical operation of virtualizing applications and desktops.

Pre-packaging approach
Most application and desktop virtualization solutions require special upfront handling and processes that involve several steps. First, a package creation studio program takes a snapshot of a clean PC, and then the virtualization application is installed. After the installation is completed, another snapshot is taken. The studio compiles a virtualized installation package, and all reads/writes are separated from the OS by placing files into a virtual bubble; with some vendors this includes a runtime OS environment and registry. This virtualized application package then works separately from the OS and other applications and, if supported, can be streamed from the server. Application packages will need to be re-processed for each new application update and then redeployed.

With this method, to virtualize the majority of a company's desktops, existing applications need to be reinstalled on all desktops/laptops. Not every application is eligible to be virtualized, such as service based applications and those that include drivers, so the PC becomes an unfamiliar mix of virtual and non-virtual applications residing on the desktop. This hybrid environment doesn't always allow for the virtualized applications to interrelate with the non-virtualized applications and can create support issues for IT.

On-the-fly virtualization™
We came up with a method where encapsulation happens on-the-fly and does not require application pre-packaging nor does it change the infrastructure or the desktop usage/environment. We believe this is a much better application and desktop virtualization solution for both the IT administrator and end user. This process works with existing and new deployments, which eliminates the need to clean the PC, install the virtualization layer, prepackage applications and then redeploy to the desktop. Virtualization is in effect immediately, no reboot required. Without any extra steps, our method shares the encapsulated content among different encapsulated applications, allowing applications to interact normally. This flash demo walks you through basic concepts of our method of virtualization.

Desktop Virtualization

Viewfinity's beta release is now available to the public

by Alex Shoykhet 18. May 2009 08:49

Viewfinity provides a different approach to laptop and desktop virtualization, based upon our encapsulation technology, which conducts on-the-fly encapsulation of all application, settings and data files associated with an application into Viewfinity Capsules. Because of our unique approach, administrators can install and manage virtualized applications without changes to or investment in the existing IT infrastructure, end user's expected desktop usage or day-to-day IT operations.

The encapsulation process separates applications from the underlying operating system and each application can be managed separately from the interaction between OS and other applications. At the same time, the software has the ability to share part of the encapsulated content among different encapsulated applications (patent pending), allowing applications to interact normally with both the OS and other applications.

Once the encapsulation process is complete, our products introduce a unique set of features that meet the challenges facing IT departments related to managing applications on multiple distributed desktops. We support the five critical areas of laptop and desktop management: Delivery, Support, Maintenance, Compliance, and Migration/Mobility. Viewfinity provides innovative, more powerful and "actionable" capabilities for laptop and desktop maintenance, troubleshooting, and compliance policy management.

Sign up now to participate in our beta program

Desktop Virtualization | Laptop Virtualization

About Viewfinity

Viewfinity is the innovator of systems and privilege management via cloud-computing, allowing IT professionals to focus on managing systems and not the platform’s infrastructure. With the cloud model, IT can be up and running quickly to provide management, support and control for desktops, servers and laptops. This makes it extremely cost effective and easy for IT to support local as well as mobile workers.

Viewfinity uses virtualization technology as the foundation to simplify and automate deployment and management of applications, licenses and assets. Viewfinity also complements traditional systems management by offering compliance adherence to flexibly manage privileges for locked down computers.  Viewfinity’s cloud approach delivers immediate and long-term value, scales with business need, and eliminates the equipment, training, and substantially higher costs of on-premise implementations.