Coretek Services: Application Virtualization – The UAC Panacea?

by Alex Shoykhet 20. January 2012 14:02

Cindy Meinke of Coretek Services wrote about application virtualization and the challenges of User Account Control (UAC). Cindy mentions Viewfinity Privilege Management as one solution for handling the UAC prompt challenge.

With the migration to Windows 7, the introduction of UAC prompts can be disruptive to end users. Viewfinity helps IT admins manage UAC prompts by suppressing or customizing the UAC dialog. This capability of Viewfinity Privilege Management addresses a critical customer requirement: a better user experience.

Here is a more technical explanation tied to the issues presented in the Coretek article. While application virtualization may simplify the management of UAC and elevated rights, not all applications and tasks can be effectively virtualized. For example, applications whose embedded manifest carries a requestedExecutionLevel that demands admin rights (requireAdministrator), and browser-based ActiveX controls, cannot be virtualized. UAC and the management of general Windows administrative tasks is a separate issue that cannot easily be addressed without a third-party tool such as Viewfinity Privilege Management.
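As an added example (not Viewfinity's or Coretek's code), here is a Python scan that pulls the embedded application manifest out of a PE file and reports its requestedExecutionLevel, which is the quickest way to find the executables that the paragraph above says cannot simply be virtualized. It does not walk the PE resource directory; it relies on the RT_MANIFEST resource being stored as plain UTF-8 XML inside the image and regex-searches the raw bytes, the same heuristic as running strings on the file and grepping for requestedExecutionLevel. Treat it as a triage tool and confirm with a proper resource reader such as Sysinternals sigcheck -m. The sample byte strings are constructed stand-ins for real executables, not actual binaries.

```python
"""Heuristic requestedExecutionLevel scanner (added example, not product code)."""
import re
import sys
import xml.etree.ElementTree as ET
from typing import Optional

# An RT_MANIFEST resource is plain UTF-8 XML inside the image, so a raw
# byte search finds it without walking the PE resource directory.
_MANIFEST_RE = re.compile(rb"<assembly\b.*?</assembly>", re.DOTALL)


def extract_manifest(data: bytes) -> Optional[str]:
    """Return the first embedded <assembly> element as text, or None."""
    m = _MANIFEST_RE.search(data)
    return m.group(0).decode("utf-8", errors="replace") if m else None


def requested_execution_level(manifest_xml: str) -> Optional[dict]:
    """Return {'level': str, 'uiAccess': bool} from <requestedExecutionLevel>,
    or None when the manifest has no trustInfo section or is not valid XML."""
    try:
        root = ET.fromstring(manifest_xml)
    except ET.ParseError:
        return None
    for el in root.iter():
        # Strip the XML namespace: trustInfo may be declared as asm.v2 or asm.v3.
        if el.tag.rsplit("}", 1)[-1] == "requestedExecutionLevel":
            return {
                "level": el.get("level", "asInvoker"),
                "uiAccess": el.get("uiAccess", "false").lower() == "true",
            }
    return None


def classify(data: bytes) -> str:
    """Classify an image by what its manifest asks of UAC.

    'requireAdministrator' always prompts (a credential prompt for standard users);
    'highestAvailable' elevates only for users who are already administrators;
    'asInvoker' never prompts; 'no-manifest' is a legacy app whose writes to
    protected locations UAC file virtualization may redirect instead of denying."""
    manifest = extract_manifest(data)
    if manifest is None:
        return "no-manifest"
    rel = requested_execution_level(manifest)
    if rel is None:
        return "manifest-without-trustInfo"
    return rel["level"]


def needs_privilege_policy(data: bytes) -> bool:
    """True when the image cannot run for a standard user without elevation."""
    return classify(data) == "requireAdministrator"


def _fake_image(level: Optional[str]) -> bytes:
    """Constructed stand-in for a PE file: an MZ header, padding and a manifest.
    A real image also has PE headers and a resource directory; this does not."""
    trust = (
        b'<trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security>'
        b'<requestedPrivileges><requestedExecutionLevel level="' + level.encode() +
        b'" uiAccess="false"/></requestedPrivileges></security></trustInfo>'
    ) if level else b""
    return (b"MZ" + b"\x90" * 14 +
            b'<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">' +
            trust + b"</assembly>" + b"\x00" * 8)


SAMPLE_REQUIRE_ADMIN = _fake_image("requireAdministrator")   # constructed sample
SAMPLE_AS_INVOKER = _fake_image("asInvoker")                 # constructed sample
SAMPLE_NO_MANIFEST = b"MZ" + b"\x90" * 14 + b"legacy binary, no manifest" + b"\x00" * 8

if __name__ == "__main__":
    # Usage: python uac_manifest_scan.py path\to\app.exe [more.exe ...]
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(f"{classify(fh.read()):28s} {path}")
```

Anything classified as requireAdministrator is a candidate for a privilege elevation policy rather than for virtualization; images with no manifest are the ones where UAC file virtualization, not a prompt, decides what happens to writes into Program Files.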

Here are just a few examples of administrative tasks that will cause a UAC prompt:

  • Installing and uninstalling applications
  • Installing device drivers
  • Installing ActiveX controls
  • Changing settings for Windows Firewall
  • Configuring Windows Update
  • Adding or removing user accounts
  • Changing a user’s account type
  • Running Task Scheduler
  • Restoring backed-up system files
  • Viewing or changing another user’s folders and files
  • Running Disk Defragmenter

Drilling into the Viewfinity Privilege Management product: it not only elevates privileges and/or reduces permissions for individual applications, admin tasks, and ActiveX controls, but also provides a policy automation workflow that generates policies automatically from approved applications or from on-demand self-elevation. Because it is fully integrated with UAC management, Viewfinity can suppress UAC prompts and/or replace them with a Viewfinity justification dialog, where the end user submits a justification for requesting elevated rights. Bringing it full circle, the audit report feature captures events with UAC usage statistics and collects information for security audits, such as the use of unauthorized credentials at a UAC prompt and which actions were performed as a result.

Viewfinity Offers Enhanced Readiness Indicator to Assist In Moving to Least Privilege Environment

by Mary Rose 1. December 2011 10:18

A project to remove administrative rights with the minimal amount of disruption to your end users, when done properly, requires extensive analysis to determine user needs and prepare the environment.  As organizations work to heighten IT security by moving to least privileges, Viewfinity provides a non-disruptive, automated method for moving to least privileges via an end-to-end best practice approach that helps enterprises prepare the environment before privileges are revoked.  

Preliminary Preparation:  Pre-Discover Applications Requiring Elevated Permissions

Our Application Admin Rights Analysis silently gathers information and monitors which applications, processes, and administrative actions will require administrative permission before users are removed from the local Administrators group. The information is based on end user activity and is collected over a period of time to ensure all events are captured. Once collection and analysis are complete, policies to elevate privileges can be created automatically and prepared in advance, so that when administrative rights are removed the policies are already in place for a non-disruptive move to least privilege. As part of this process, Viewfinity provides a Local Admin Rights Usage Statistic dashboard: a graphical “readiness indicator” of where an organization stands in determining the optimal point at which it is prepared to remove administrator rights.

Here is an example of a completed Application Admin Rights Analysis presented in the Local Admin Rights Usage Statistic dashboard graph:

This report shows the following:

  • Events marked in green are events that were already identified from user activity on previous days.
  • Events marked in red are newly discovered events that require admin rights.
  • Readiness indicator: when the discovery bar is mostly green, the system has collected the majority of events requiring administrative permissions. This indicates you are ready to use the Viewfinity Policy Automation Approval feature and automatically build policies from the events discovered.
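The readiness logic above, as an added example written for this post rather than taken from the product: given a discovery log of (day, event) pairs, it counts per day how many distinct admin-rights events were already known (green) and how many were discovered for the first time that day (red), then declares the environment ready when the last few days are mostly green. The event log, the three-day window and the 90% threshold are constructed assumptions for the example, not Viewfinity's parameters.

```python
"""Readiness indicator for removing local admin rights (added example)."""
from typing import Dict, Iterable, List, Set, Tuple

# Constructed discovery log: (day, event) where event is an application or
# admin action that needed administrator rights when a user ran it.
SAMPLE_EVENTS: List[Tuple[int, str]] = [
    (1, "setup.exe"), (1, "regedit.exe"), (1, "install device driver"),
    (2, "setup.exe"), (2, "vpnclient.exe"), (2, "regedit.exe"),
    (3, "setup.exe"), (3, "vpnclient.exe"),
    (4, "vpnclient.exe"), (4, "setup.exe"), (4, "acrobat_update.exe"),
    (5, "setup.exe"), (5, "vpnclient.exe"), (5, "regedit.exe"),
    (6, "setup.exe"), (6, "regedit.exe"),
]


def daily_discovery(events: Iterable[Tuple[int, str]]) -> Dict[int, Tuple[int, int]]:
    """Per day (ascending), a (green, red) pair: distinct events already seen on
    an earlier day versus events discovered for the first time that day."""
    per_day: Dict[int, Set[str]] = {}
    for day, event in events:
        per_day.setdefault(day, set()).add(event)
    seen: Set[str] = set()
    stats: Dict[int, Tuple[int, int]] = {}
    for day in sorted(per_day):
        todays = per_day[day]
        new = todays - seen
        stats[day] = (len(todays) - len(new), len(new))
        seen |= todays
    return stats


def green_share(stats: Dict[int, Tuple[int, int]], window: int) -> float:
    """Fraction of green events over the last `window` days (0.0 if none)."""
    recent = list(stats.values())[-window:]
    green = sum(g for g, _ in recent)
    total = green + sum(r for _, r in recent)
    return green / total if total else 0.0


def is_ready(events: Iterable[Tuple[int, str]], window: int = 3,
             min_green_share: float = 0.9) -> bool:
    """Ready when discovery has stabilised: the recent bar is mostly green.
    Window and threshold are assumed values, chosen for this example."""
    return green_share(daily_discovery(list(events)), window) >= min_green_share


def policy_candidates(events: Iterable[Tuple[int, str]]) -> List[str]:
    """Distinct events discovered so far: the input to automated policy creation."""
    return sorted({event for _, event in events})


if __name__ == "__main__":
    for day, (green, red) in daily_discovery(SAMPLE_EVENTS).items():
        print(f"day {day}: {'#' * green}{'!' * red}  (green={green}, red={red})")
    print("ready:", is_ready(SAMPLE_EVENTS), "policies:", policy_candidates(SAMPLE_EVENTS))
```

With the constructed log, day 4 still turns up a new application, so a three-day window is 87.5% green and not yet ready at a 90% threshold, while the last two days are all green; in practice the window should be long enough to cover monthly and quarterly tasks (patch cycles, period-end tools) that a one-week sample would never see.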

 

Read more about our end-to-end process here: http://www.viewfinity.com/Whats-New/Default.aspx

eBook Series Chapter 5: Policy Auditing, Validation and Reporting to Ensure Compliance

by Mary Rose 30. November 2011 16:28

The previous chapters in this eBook have focused on how to identify the applications that need elevated rights and how to configure the appropriate privilege policies so that those applications will run when the end user is not a local administrator. Once an organization starts to roll out the privilege policies, it needs to analyze the status of the deployment to help ensure that the proper policies are in fact reaching the appropriate endpoints and that the policies are helping the organization implement least privilege principles in its environment. This chapter focuses on the various reports provided with the Viewfinity product, as well as how the Viewfinity platform provides a set of industry-standard mechanisms through which the data can be analyzed and shared within the organization.

Download the eBook chapters here.

Ramnit Worm is becoming a huge threat vector for the banking industry

by Alex Shoykhet 31. August 2011 14:17

The Ramnit worm is more dangerous than originally thought and is becoming a huge threat vector for the banking industry according to the article, “Ramnit worm variant now dangerous banking malware,” written by Robert Westervelt of Searchsecurity.com.  The capabilities of the Ramnit Worm are more serious than before because cybercriminals have transformed it into “financial-focused malware capable of draining bank accounts.”  The Ramnit Worm infects Microsoft Windows executable files and it made it to Microsoft’s Top 25 Infections list.

There are ways your company can reduce its exposure to Ramnit. One is to limit user privileges on the computer by removing administrator rights. The worm infects existing executable files, which helps it evade detection. According to Microsoft's Win32/Ramnit description, Ramnit is a family of multi-component malware that infects Windows executable files, Microsoft Office files and HTML files. It spreads to removable drives and steals sensitive information such as saved FTP credentials and browser cookies. The malware may also open a backdoor to await instructions from a remote attacker. When run, it copies itself under a hard-coded name or, in some cases, to a random folder and file name, for example:

 

%ProgramFiles%\Microsoft\watermark.exe

%ProgramFiles%\Microsoft\desktoplayer.exe

%ProgramFiles%\blvvcvww\jonimvgn.exe

 

What this means is that if users have local admin rights, the malware runs with those rights and can write its copy into protected locations such as %ProgramFiles%. If administrator rights are removed, writing to protected areas of Windows requires elevation. For example, when a user works on Windows 7 without admin rights and a process tries to copy files into the folders listed above, the write is denied; it succeeds only if something requests elevation and, with UAC enabled, the user supplies an administrator's credentials at the UAC prompt. One caveat: for legacy 32-bit processes that carry no application manifest, UAC file virtualization silently redirects such writes into the user's %LOCALAPPDATA%\VirtualStore folder instead of denying them, which keeps the malware out of Program Files but does not stop it from running as that user. The removal of administrator rights from end users is very effective in this scenario. According to Microsoft, multiple steps should be taken to help prevent infection, including limiting user privileges on the computer.
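To make the point above concrete, here is an added detection example (not Viewfinity's code and not a Microsoft signature) that triages file-creation telemetry for the Ramnit drop locations Microsoft lists. It flags the two hard-coded names, applies a heuristic for the random eight-letter folder and file name pattern seen in the third path (derived from that single example, so expect false positives and tune it against your own data), and separately flags any successful write under %ProgramFiles% by a non-elevated process, which should not be possible once admin rights are removed and so points at a user who still has them. The pipe-separated log lines and their fields are constructed for the example and are not a real product format.

```python
"""Triage of file-create events for Ramnit drop paths (added example)."""
import re
from typing import Dict, List

# Hard-coded self-copy names from Microsoft's Win32/Ramnit description,
# normalised to lower case with the Program Files root folded to a token.
KNOWN_DROP_PATHS = {
    r"%programfiles%\microsoft\watermark.exe",
    r"%programfiles%\microsoft\desktoplayer.exe",
}
# Heuristic from the one random-name sample (blvvcvww\jonimvgn.exe):
# an eight-letter folder holding an eight-letter .exe directly under Program Files.
RANDOM_DROP_RE = re.compile(r"^%programfiles%\\[a-z]{8}\\[a-z]{8}\.exe$")

# Constructed log: timestamp|user|elevated(0/1)|action|path. Assumes the
# sensor only records creates that succeeded.
SAMPLE_LOG = r"""
2011-08-31T14:17:01|alice|0|FileCreate|C:\Program Files\Microsoft\watermark.exe
2011-08-31T14:17:02|alice|0|FileCreate|C:\Users\alice\AppData\Local\Temp\setup.tmp
2011-08-31T14:17:03|bob|1|FileCreate|C:\Program Files\blvvcvww\jonimvgn.exe
2011-08-31T14:17:04|carol|1|FileCreate|C:\Program Files\7-Zip\7z.exe
2011-08-31T14:17:05|carol|1|FileDelete|C:\Program Files\Microsoft\watermark.exe
""".strip()


def normalize_path(path: str) -> str:
    """Lower-case, fix slashes and fold both Program Files roots to one token."""
    p = path.lower().replace("/", "\\")
    for prefix in ("c:\\program files (x86)", "c:\\program files"):
        if p.startswith(prefix + "\\"):
            return "%programfiles%" + p[len(prefix):]
    return p


def triage_event(user: str, elevated: bool, path: str) -> List[str]:
    """Return the reasons a single successful file create is suspicious."""
    reasons: List[str] = []
    npath = normalize_path(path)
    if npath in KNOWN_DROP_PATHS:
        reasons.append("known-ramnit-name")
    if RANDOM_DROP_RE.match(npath):
        reasons.append("random-8-letter-drop")
    # With admin rights removed a standard user cannot create files here; a
    # successful create therefore means the user still holds admin rights.
    if not elevated and npath.startswith("%programfiles%\\"):
        reasons.append("programfiles-write-unelevated")
    return reasons


def triage(log_text: str) -> List[Dict[str, object]]:
    """Parse the constructed log format and return the flagged creates."""
    findings: List[Dict[str, object]] = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, elevated, action, path = line.split("|", 4)
        if action != "FileCreate":
            continue
        reasons = triage_event(user, elevated == "1", path)
        if reasons:
            findings.append({"ts": ts, "user": user, "path": path, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['ts']} {f['user']:6s} {', '.join(f['reasons']):45s} {f['path']}")
```

The first line trips two rules at once: a known Ramnit name, and a non-elevated user who nevertheless managed to write into Program Files, which is exactly the condition that removing administrator rights is meant to make impossible.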

View a recorded webcast by MVP Greg Shields, “Eliminating Admin Rights as Another Layer of Protection Against Malware,” and learn about other use cases in which removing administrator rights reduces the threat of malware.


Administrative Rights | Application Virtualization | Privilege Management | Viewfinity

Can your Healthcare organization pass a Government audit on online medical records?

by Mary Rose 23. May 2011 12:55

“Security gaps leave patient records exposed,” reported Ricardo Alonso-Zaldivar of Associated Press.

In the article, the Inspector General of the Department of Health and Human Services released two reports finding that the drive to connect hospitals and doctors so they can share patient data electronically is being layered on a system that already has glaring privacy problems; connecting it up could open new pathways for hackers. The reports resulted from a government audit of seven hospitals that found a staggering 151 security vulnerabilities.

“The list of vulnerabilities read like a road map for hackers,” wrote Ricardo Alonso-Zaldivar. The vulnerabilities included inadequate password requirements, computers that did not automatically log off inactive users, unencrypted laptops containing patient data, wireless access problems including the inability to detect unauthorized intrusion, a lack of continuous monitoring, and even the absence of a firewall separating wireless from other internal networks. A very common problem among the seven hospitals was slow patching of software with known security bugs.

The full article can be read at: http://on.msnbc.com/lK4by2

The seriousness of protecting online records has come to light in recent reports such as the two released by the HHS Inspector General. Why would anyone want to get hold of patient data? Like any other record, it contains valuable information such as names, dates of birth, addresses, and social security numbers, which makes it possible for a hacker to steal a patient's identity and expose sensitive information.

Implementing best practices through multiple layers of security protection helps to protect online records. One such practice is a least privilege environment, where administrator rights are removed from end users and policies and application-level processes are managed with a privilege management solution. Viewfinity Privilege Management has helped EagleMed LLC manage administrator rights at the endpoint, for both in-house PCs and mobile laptops. EagleMed LLC takes protecting patient data seriously. According to Ryan Kane, Systems Engineer for EagleMed LLC, “The bigger gain was the ability to lock down our PCs and use Viewfinity Privilege Management to manage administrator rights. By locking down the machines, we prevent the sharing of patient data and we’re also mitigating the security risks introduced through malware.  This will have a very positive impact with the auditors. From an IT perspective, staff now only has access to do what they’re required to do.”

Read the full EagleMed Case Study.

Viewfinity Integrates with SCCM

by Mary Rose 12. May 2011 08:50

Viewfinity’s Privilege Management solution integrates directly with SCCM to provide extended visibility into privilege management policy usage status and information regarding privilege requests from end users. 

Many organizations use Microsoft SCCM for centralized PC life cycle management (deployment, inventory, and software management functions) but SCCM features do not provide application level privilege elevation controls, which are required in locked down environments.   

Viewfinity recognized the need to close the gap between desktop management and endpoint security through policy management. Desktop administrators already using SCCM for desktop and systems management can leverage their existing SCCM infrastructure for privilege management reporting from one management console. Using Viewfinity, IT administrators create detailed policies that control when and how least privilege users access applications and desktop functions. The integration lets IT administrators monitor the privilege policies alongside the base configuration management features provided in SCCM. These SCCM reporting capabilities are useful for tracking which policies are active, which applications are running with elevated rights, which are blocked, and which applications users are requesting additional permissions for.

Read more on the solution by following the link below:

http://www.viewfinity.com/Products/PrivilegeManagement/SCCM.aspx

Download the software for evaluation and testing in your environment.

Powered by BlogEngine.NET 1.4.5.0
Theme by Mads Kristensen


About Viewfinity

Viewfinity provides privilege management and application control for desktops, laptops and servers, empowering enterprises to meet compliance mandates, reduce security risks, and lower IT costs. The Viewfinity solution allows enterprises to control end user and privileged user rights for applications and systems which require elevated permissions. Viewfinity's granular-level control enables companies to establish and enforce consistent policies for least privilege Windows-based environments based on segregation of duties. For more information, visit www.viewfinity.com.

Follow us on Twitter: viewfinity
Find us on LinkedIn: www.linkedin.com/companies/viewfinity
Become a fan on Facebook: www.viewfinity.com/facebook