Last week Microsoft & Viewfinity presented a joint webinar entitled:  Windows 7 Migration is the Opportunity to Lockdown Desktops & Manage Standard User Privileges.  During this webinar, Alex Shteynberg, Technology Architect in the New York City Microsoft Technology Center discussed reasons why the desktop refresh fits perfectly into a Windows 7 migration project for securing and managing endpoints.

Next, Alex Shoykhet, VP of Product Management for Viewfinity, discussed how Viewfinity Privilege Management allows IT professionals to remove administrative rights and manage privileges for standard users with zero impact on user productivity. He demonstrated Viewfinity's non-disruptive, automated method for transitioning to a least privileges environment, which is an end-to-end approach that automates the analysis required to determine user needs and prepare your environment.

View Recording

“When users don't have local administrator rights, they can't make changes that destabilize the system, or require extra support to correct the problems they accidentally create. Additionally, a locked-down system is less susceptible to malware,” said Dwain Kinghorn of SageCreek Partners in a recent SC Magazine article.

Dwain makes a valid argument that a “strong privilege management solution is needed to take individual and collective user needs into consideration.”  The risk of virus and malware attacks are greatly reduced with the removal of administrator rights.  To achieve the ideal least privilege environment without impeding on user productivity, it is important to select a reliable, strong privilege management solution that will properly manage user permissions and elevate privileges that users require to perform their daily work. If your company has not removed administrator rights and is planning to migrate to Windows 7, this would be an ideal time to remove admin rights and manage permissions for standard users with a privilege management solution.

In Q1 2011, not surprisingly there was a lot of attention within the analyst community given to the topic of desktop lockdown and using privilege management and application control as a way to further protect distributed desktop environments. We have more information on these reports on our website, but here are just a few highlights noted in these reports that we felt are relevant: 

“Removing administrator rights from end users is one of the single most-effective ways to improve overall security posture, but it must be well-planned to avoid common pitfalls and a failed project,” said Neil MacDonald and Michael A. Silver from Gartner Research. (Best Practices for Removing End-user Administrator Rights on Windows, March 14, 2011, Neil MacDonald | Michael A. Silver).  Neil MacDonald further elaborates on this topic in his April 8, 2011, blog posting, Even With Windows 7, Privilege Management Tools May be Needed.  In this posting he notes, "One of the top recommendations I made to increase your security “bang for the buck” in 2011 was to increase the percentage of users that run without administrative access."  I recommend reading both the report and the blog article for an independent perspective on how to approach removing administrator rights.

by Dwain Kinghorn, SageCreek Partners

Numerous standards have been developed that define how desktops should be configured in regulated industries.  These standards include PCI, HIPPA, and FDCC.   These standards embody numerous best practices that have been developed over many years of experience.  At their core, a number of the best practices help ensure the security and integrity of the information that these desktop system access.

Many organizations do not have to comply with these various standards and are not subject to tight regulation.  However all organizations have business confidential information such as customer lists, internal product plans, and competitive intelligence.
  

While not all information may be deemed as sensitive as credit card numbers, personal health care information, or financial data, all organizational proprietary data is an asset.  Thus the standards and best practices that have been defined for various regulated industries do have applicable principles that apply to just about any corporate computing environment.

One key principle that is part of a variety of standards is the principle of least privileged access.  In an article on “Principle of Least Privilege” on Wikipedia, it states,

“When applied to users, the terms least user access or least-privileged user account (LUA) are also used, referring to the concept that all users at all times should run with as few privileges as possible, and also launch applications with as few privileges as possible…The principle of least privilege is widely recognized as an important design consideration in enhancing the protection of data and functionality from faults (fault tolerance) and malicious behavior (computer security).”  See http://en.wikipedia.org/wiki/Principle_of_least_privilege

Removing local administrative rights from end users is a fundamental part of the principle of least privileged access.  Organizations of all sizes have more secure and stable desktops when users do not have local administrative rights on their desktops.  Systems are less vulnerable to malware and less prone to have inappropriate configuration settings when users do not have administrative rights.   

Experience has shown that just about every organization will have challenges when removing administrator rights from end users.  Some applications simply do not run.   Certain tasks such as installation of approved software may be more difficult, and some tasks such as adding new hardware may no longer work without the user seeing a User Account Control (UAC) prompt.  In order to move to an environment where all users, even remote and mobile users, do not need administrator rights on their systems, an organization will need an effective privilege management solution.   

A good privilege management solution lets organizations adhere to the key principle of least privilege and provide a more robust and secure computing environment for their organization.   The principle of least privilege is a great example of how a standard for a regulated industry applies to just about any organization.

Perspective:
With the Windows XP sunset date fast approaching, plans for Windows 7 migrations are in full swing. This has prompted most organizations to re-assess their approach to PC lockdown. Our survey indicates a 456% jump in demand to implement privilege management software for companies planning to migrate to Windows 7 in the first half of 2011. The data further shows that 63% of survey respondents deem it critical to manage administrative privileges for end users to ensure security and reduce vulnerability.

A smart approach. A privilege management system balances the rigidity of locking down end points with the needs of user customization. It provides security and operations professionals with a method for securing the end-point by elevating privileges at the application level, or for desktop functions, rather than providing total administrative privileges. Systems are less at risk without sacrificing user productivity or increasing support call volume, thereby offering a cost effective approach to providing secure and productive desktop computing environments.

Access the newsletter and resources here.

Many organizations look at the migration to Windows 7 as an opportune time to re-evaluate polices associated with granting local administrator rights to users on Windows system.  There are a number of advantages when end users do not have local administrative rights on their Windows desktops.  These include:

-         Less chance for malware to successfully attack the system.   When the end user doesn’t have local administrator rights, the malware that tries to exploit vulnerabilities in software such as media players, mail clients, and internet browsers is much less likely to succeed.   A locked down desktop doesn’t eliminate the need for firewall, AV, and other security software, however it certainly does provide another layer of defense against malware.

-         Reduce chance for the end user to make unauthorized changes to the system.   When users are not able to make unauthorized changes to their system there is less chance for something to break that will lead to a support call from the user.   The more changes that are made to a system the more chance that there will be system or application errors introduced.  Locking down the desktop results in a more stable and predictable computing environment for the end users.

-         Better control on which applications are installed and used on the system.   When end users do not have local administrator rights there are many applications that they can no longer install.   This helps organizations better ensure compliance with software license counts.  Controlling which applications are installed and run on the desktop also limits the chances for application incompatibility issues.

-         Fewer support calls to the IT helpdesk.   When end users are running in an environment that is more stable from a perspective of system changes and applications that are installed, there are problems that the end user encounters.  This results in fewer calls to the IT helpdesk.   

11 tools for Windows 7 Migrations – Part 10 – Viewfinity User Migration
By Jon Brodkin, Network World, 9/27/2010

These software tools make upgrading to Microsoft's new operating system a lot easier

Product name: Viewfinity User Migration
Manufacturer: Viewfinity
Price: $10 to $25 per desktop

Key features: Viewfinity User Migration is wizard-based software that works with Microsoft’s User State Migration Tool “and adds out-of-the-box automation for multiple-user migration, all from a centralized status and monitoring console,” allowing automatic movement of settings and user data without the need for custom scripting.

http://www.networkworld.com/slideshows/2010/092710-windows-7-migration-tools.html#slide11