Top 10 Tips For Removing Administrator Rights - Tip #2

by Mary Rose 3. February 2012 14:38
 
Stop by next Friday for Tip #3  

Carahsoft and Viewfinity Present Educational Webinar Series on Top IT Security Issues for Government

by Mary Rose 25. January 2012 13:51

Four-part Webcast Series to Focus on Least Privilege Management as a Fundamental Layer of IT Security Protection

The first webinar in the series, "Top 10 tips for Removing Administrator Rights," will be held on Thursday January 26, 2012 at 11 a.m. Pacific / 2 p.m. ET. This webcast will present tips for removing administrator rights on endpoints without impacting user productivity. The tips will be followed by an actual use case presentation by Monique Sendze, associate director of Information Technology for Douglas County (State), who will share the proactive steps they have taken to secure their computers by removing admin rights and managing privileges for standard users via automated policies.

 

To register for this webinar, visit the registration page 

 

Coretek Services: Application Virtualization – The UAC Panacea?

by Alex Shoykhet 20. January 2012 14:02

Cindy Meinke of Coretek Services wrote about application virtualization with User Account Control (UAC) challenges. Cindy mentions that Viewfinity Privilege Management is one solution to handle the UAC prompt challenge.

With the migration to Windows 7, the introduction of UAC prompts can be somewhat of a disruption to end users. Viewfinity helps IT admins manage UAC prompts by suppressing or customizing the UAC dialog. This capability, available through Viewfinity Privilege Management, meets a critical customer requirement: a better user experience.

Here’s a more technical explanation that is tied to the issues presented in the Coretek article. While it is true that application virtualization may simplify the issue of managing UAC and elevated rights, not all applications and tasks can be effectively virtualized. For example, applications whose embedded manifest contains a “requestedExecutionLevel” that asks for admin rights, and browser-based ActiveX controls, cannot be virtualized. UAC and the management of general Windows administrative tasks is a separate issue which cannot be easily addressed without third-party tools such as the Viewfinity Privilege Management product.
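To find which packaged applications carry such a manifest before a lockdown, the embedded manifest can be read directly. The following is an added example, not code from the original post or from Viewfinity; the function names and the sample byte strings are constructed, and the byte scan is a heuristic that does not handle manifests whose root element is namespace-prefixed.

```python
import re
import xml.etree.ElementTree as ET

# Heuristic: find the manifest XML inside a raw manifest file or a binary that
# embeds one. Starting at <assembly> also drops any DOCTYPE, so entity tricks
# in an untrusted file fail to parse instead of expanding.
_MANIFEST_RE = re.compile(rb"<assembly\b.*?</assembly\s*>", re.DOTALL)

# What a plain standard (non-admin) user gets for each documented level.
STANDARD_USER_EFFECT = {
    "asInvoker": "runs with the user's token, no prompt",
    "highestAvailable": "runs unelevated, no prompt",
    "requireAdministrator": "elevation required (credential prompt or denial)",
}

def requested_execution_level(blob: bytes):
    """Return (level, uiAccess), or None if no requestedExecutionLevel is found."""
    match = _MANIFEST_RE.search(blob)
    if match is None:
        return None
    try:
        root = ET.fromstring(match.group(0))
    except ET.ParseError:
        return None
    # trustInfo is declared under asm.v2 or asm.v3 depending on the toolchain,
    # so compare local element names and ignore the namespace.
    for elem in root.iter():
        if elem.tag.rsplit("}", 1)[-1] == "requestedExecutionLevel":
            return elem.get("level"), elem.get("uiAccess", "false")
    return None

def needs_elevation_policy(blob: bytes) -> bool:
    """True when a standard user cannot start the program without elevation."""
    info = requested_execution_level(blob)
    return info is not None and info[0] == "requireAdministrator"

# Constructed samples (not taken from any real product).
_TEMPLATE = (b'<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">'
             b'<trustInfo xmlns="urn:schemas-microsoft-com:asm.%s"><security>'
             b'<requestedPrivileges><requestedExecutionLevel level="%s" uiAccess="false"/>'
             b'</requestedPrivileges></security></trustInfo></assembly>')
SAMPLE_SETUP = b"MZ\x90\x00" + _TEMPLATE % (b"v3", b"requireAdministrator") + b"\x00pad"
SAMPLE_VIEWER = _TEMPLATE % (b"v2", b"asInvoker")
SAMPLE_LEGACY = b"MZ\x90\x00 no manifest here"

if __name__ == "__main__":
    for name in ("SAMPLE_SETUP", "SAMPLE_VIEWER", "SAMPLE_LEGACY"):
        info = requested_execution_level(globals()[name])
        print(name, info, STANDARD_USER_EFFECT.get(info[0]) if info else "unmarked")
```
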

Here are just a few examples of administrative tasks that will cause a UAC prompt:

  • Installing and uninstalling applications
  • Installing device drivers
  • Installing ActiveX controls
  • Changing settings for Windows Firewall
  • Configuring Windows Update (XP)
  • Adding or removing user accounts
  • Changing a user’s account type
  • Running Task Scheduler
  • Restoring backed-up system files
  • Viewing or changing another user’s folders and files
  • Running Disk Defragmenter

Drilling into the Viewfinity Privilege Management product, it not only elevates privileges and/or reduces permissions on individual applications, admin tasks, or ActiveX controls, but also provides a policy automation workflow that automatically generates policies based on approved applications or on-demand self-elevation. Viewfinity Privilege Management, which is fully integrated with UAC management, can suppress UAC prompts and/or replace them with a Viewfinity justification dialog box. The dialog box is where the end user can submit his justification for requesting elevated rights. Bringing it full circle, our audit report feature captures events with UAC usage stats and collects important information for security audits, such as the use of unauthorized credentials in UAC and which actions were performed as a result of unauthorized activity.

Dark Reading: Top 10 PCI Compliance Mistakes

by Mary Rose 19. January 2012 08:51

Ericka Chickowski, contributing editor for Dark Reading, published the Top 10 PCI Compliance Mistakes. Ericka outlines the top 10 common mistakes organizations need to avoid when trying to be PCI compliant in 2012.

The number 1 mistake, as agreed by Ericka Chickowski and Leonid Shtilman, CEO of Viewfinity, is “Not Following Rule of Least Privilege.”

“No More, No Less - Only the least privileges required,” says Leonid. This is important because when organizations are making efforts to comply with PCI requirements, they should make sure they are following the rule of least privilege at every step. Not every user needs to access all data, which means they should only be granted administrator rights to those applications and processes needed to accomplish their job.

We like what Wayne Rash of eWeek had to say

by Mary Rose 10. November 2011 13:15

Last week we caught up with Wayne Rash, Senior Analyst for eWeek Labs, and chatted with him about his article, "High-Profile Companies Fail to Take Even Basic Security Measures," which covers basic security measures that companies fail to take, causing sensitive information to be compromised. Wayne’s outline should be followed by every company, large or small. We agree with the seven basic security measures outlined by Wayne and most strongly support the #2 security measure:

Employees should never be given administrative access to their computers. They should never be allowed to install software, including updates and applications, on their computers. Ever.

We couldn’t agree more.  Companies shouldn’t hesitate to remove administrator rights from end users.  Nor should this protective measure cause an increase in support calls. With the help of a third party solution like Viewfinity Privilege Management, end user productivity does not have to be sacrificed when administrator rights are removed.  Users are given the necessary privileges to access the applications needed to perform their daily job functions, as well as a mechanism for requesting elevated privileges when they might have a situation that requires administrative permissions.  But permissions are granted to the application, not the user, thus the endpoint is still secured.

Thanks Wayne for raising the importance of this preventative measure.

Get the latest news on IT by following Wayne Rash on Twitter: @wrash

Viewfinity Uses a Kernel Layer Approach when Managing Administrative Privileges

by Alex Shoykhet 2. June 2011 15:24

There's been buzz recently about various technology methods for privilege management on Windows PCs. There isn't any doubt as to the proper architecture method. Viewfinity maintains that managing privileges at the kernel level is the most technologically sound approach for controlling least privileges at the desktop level. A kernel driver is the industry standard method used by most anti-virus vendors and most DLP products, and is the method which should be used for security products such as privilege elevation management. The technology is complicated, but endorsed and regulated by Microsoft. So-called “elevation” of drivers is assigned and maintained by Microsoft. Software vendors that took a shortcut in this advanced field went with a simpler, more amateur approach: user mode hooking technology, which is not officially supported by Microsoft, as clearly stated in the excerpt from Microsoft’s documentation:

Straight from the README.TXT of API hooking, or the Detours library

4.5. SUPPORT FOR DETECTION OF DETOURED PROCESSES:
=================================================
Detours loads the detoured.dll shared library stub into any process which has
been modified by the insertion of a detour. This allows the Microsoft Customer
Support Services (CSS) and the Microsoft Online Crash Analysis (OCA) teams to
quickly and accurately determine that the behavior of a process has been
altered by a detour. CSS does not provide customer assistance on detoured
products.
  

Viewfinity Privilege Management Recognized in Five Analyst Reports in Q1 2011

by Mary Rose 18. April 2011 09:46

In Q1 2011, not surprisingly there was a lot of attention within the analyst community given to the topic of desktop lockdown and using privilege management and application control as a way to further protect distributed desktop environments. We have more information on these reports on our website, but here are just a few highlights noted in these reports that we felt are relevant: 

“Removing administrator rights from end users is one of the single most-effective ways to improve overall security posture, but it must be well-planned to avoid common pitfalls and a failed project,” said Neil MacDonald and Michael A. Silver from Gartner Research. (Best Practices for Removing End-user Administrator Rights on Windows, March 14, 2011, Neil MacDonald | Michael A. Silver).  Neil MacDonald further elaborates on this topic in his April 8, 2011, blog posting, Even With Windows 7, Privilege Management Tools May be Needed.  In this posting he notes, "One of the top recommendations I made to increase your security “bang for the buck” in 2011 was to increase the percentage of users that run without administrative access."  I recommend reading both the report and the blog article for an independent perspective on how to approach removing administrator rights.

 

“Viewfinity offers organizations the option of supporting privilege management even for off-the-network or non-domain users using a separate management server or software-as-a-service (SaaS) infrastructure.” Application Control and Whitelisting for Endpoints, March 10, 2011, Dan Blum, Gartner Research. 

 

 

As noted above, our solution is specifically architected to easily support mobile and remote workforces. Viewfinity offers true native remote privilege management capabilities with absolute network independence; there is no reliance on corporate network connectivity or VPN. Our Privilege Management features are integrated with Active Directory; however, Viewfinity does not require laptops or desktops to be part of the Active Directory domain or to be directly connected to the corporate network in order to activate policies that manage administrator privileges.

The Need to Lockdown Desktops

by Mary Rose 14. April 2011 15:22

Any security-conscious organization should make locking down user desktops to prevent the installation and execution of unauthorized software a high priority. Without using automated methods to prevent these actions, users can risk the health of legitimate applications. This can result in the diversion of valuable resources from revenue generating tasks and quickly impact the bottom line. As a result, customers could be lost and jobs could disappear. http://bit.ly/fJMBHj

Viewfinity backs this up fully.  Organizations of all sizes have more secure and stable desktops when users do not have local administrative rights on their desktops because lockdown provides an added layer of protection.   Several layers of security protection are needed to reduce the risk of security breaches. Removing Administrative Rights from your PCs is an added layer of protection that will halt breaches that could otherwise occur.   

Next steps:

Download Viewfinity’s Local Admin Discovery tool, which is a free tool that allows you to discover user accounts and groups that are members of the local “Administrators” built-in user group on computers in your Windows domain. Once the analysis has been run, IT Administrators can take action, if needed, by removing the users or suspicious groups from the Administrators group.   

Download Viewfinity’s Local Admin Discovery free tool: http://www.viewfinity.com/Resources/Discover_Desktops.aspx

Viewfinity Wins GOLD award for 2011 Security Products' "Govies" Honoring Outstanding Government IT Security products

by Mary Rose 8. April 2011 10:45

Viewfinity’s Privilege Management Solution was recognized last week for its role in helping government agencies comply with federal mandates, specifically those related to USGCB/FDCC compliance that have been put in place to reduce IT security risks at the desktop level. Viewfinity provides governmental IT security and operations professionals with a cost-effective solution to protect and control your desktops as related to USGCB/FDCC mandates while minimizing the impact on the end user community.  We do this by introducing granularity to desktop permissions and privilege access management by offering solutions to manage and control least management rights based upon segregation of responsibilities.    

Download our brochure that explains more about this solution: 

http://www.viewfinity.com/Resources/Brochures/Viewfinity_USGCB.pdf

Or visit our website for demos, trial evaluation, white papers, and other resources:  http://www.viewfinity.com/Resources/Default.aspx   


Learn more about SCCM & Privilege Management at MMS

by Mary Rose 16. March 2011 15:34

Are you going to be at MMS this year?  Viewfinity will be!  We’ll be unveiling our Local Admin Discovery Tool which provides detailed information related to which users and groups have administrator rights on corporate desktops. The tool categorizes all users into three groups:

1.) End-Users who are Local Administrators

2.) Active Directory IT Groups Administrators

3.) Default Administrators

This information is extremely useful for IT Administrators for pre-planning lockdown strategies and policy configurations as well as for auditing purposes.
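The kind of review described here, and in the "Next steps" of the lockdown post above, can be sketched over an exported membership inventory. This is an added example, not the Local Admin Discovery tool or any Viewfinity code; the mapping of well-known SIDs to the three categories is an assumption, and the hosts, names and SIDs are constructed placeholders.

```python
from collections import defaultdict

# Well-known RIDs (last SID component) under a machine or domain SID (S-1-5-21-...).
RID_ADMINISTRATOR = 500   # built-in Administrator account
RID_DOMAIN_ADMINS = 512   # Domain Admins, added to the group on domain join
RID_DOMAIN_USERS = 513    # Domain Users: every domain account
# Well-known SIDs that cover ordinary users: Everyone, Authenticated Users.
BROAD_SIDS = {"S-1-1-0", "S-1-5-11"}

def classify_member(sid: str, object_class: str) -> str:
    """Place one Administrators-group member in a review bucket (assumed mapping)."""
    issued = sid.startswith("S-1-5-21-")
    tail = sid.rsplit("-", 1)[-1]
    rid = int(tail) if issued and tail.isdigit() else None
    if rid in (RID_ADMINISTRATOR, RID_DOMAIN_ADMINS):
        return "default"
    if sid in BROAD_SIDS or rid == RID_DOMAIN_USERS:
        return "end_user"          # a group, but it makes every user an admin
    if object_class.lower() == "group":
        return "it_group"
    return "end_user"

def audit(rows):
    """rows: (host, member name, SID, object class) -> {host: {bucket: [names]}}."""
    report = defaultdict(lambda: {"default": [], "it_group": [], "end_user": []})
    for host, name, sid, object_class in rows:
        report[host][classify_member(sid, object_class)].append(name)
    return dict(report)

def hosts_needing_action(report):
    """Hosts where at least one ordinary user holds local administrator rights."""
    return sorted(host for host, buckets in report.items() if buckets["end_user"])

# Constructed inventory; the SIDs and names are placeholders, not real data.
DOM = "S-1-5-21-1111111111-2222222222-3333333333"
INVENTORY = [
    ("WS01", "WS01\\Administrator", "S-1-5-21-1000000001-1000000002-1000000003-500", "User"),
    ("WS01", "CORP\\Domain Admins", DOM + "-512", "Group"),
    ("WS01", "CORP\\Helpdesk-Tier2", DOM + "-1105", "Group"),
    ("WS01", "CORP\\jsmith", DOM + "-1234", "User"),
    ("WS02", "WS02\\Administrator", "S-1-5-21-2000000001-2000000002-2000000003-500", "User"),
    ("WS02", "CORP\\Domain Admins", DOM + "-512", "Group"),
    ("WS03", "WS03\\Administrator", "S-1-5-21-3000000001-3000000002-3000000003-500", "User"),
    ("WS03", "CORP\\Domain Users", DOM + "-513", "Group"),
]

if __name__ == "__main__":
    report = audit(INVENTORY)
    for host in hosts_needing_action(report):
        print(host, "end users with admin rights:", report[host]["end_user"])
```
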

A complimentary CD containing the tool will be offered to those who visit the Viewfinity booth at MMS (Booth #142). We’ll also be demonstrating Viewfinity Privilege Management, which provides SCCM integration of policy compliance reports.  

Click Here to Request a Meeting at MMS 2011

Viewfinity Privilege Management has earned the Microsoft “Compatible with Windows 7” logo certification, Microsoft Gold status and has been Veracode VERAFIED.

 



About Viewfinity

Viewfinity provides privilege management and application control for desktops, laptops and servers, empowering enterprises to meet compliance mandates, reduce security risks, and lower IT costs. Many enterprises are implementing least privileges to add a solid layer of defense for desktop environments, further protecting against malware and Advanced Persistent Threats. Viewfinity allows IT Administrators to create and enforce default-deny and elevated permission policies for endpoint access to applications and desktop functions by controlling user rights for desktops and mobile laptop/netbook users. For more information, visit www.viewfinity.com.
