Network Security & Hardware - eWeek


Is the Smart Grid a Dumb Idea?
Surgical Adhesive Offers Smarter Way to Mend Bones
Get Smarter Technology on Your Mobile!
  Network Security & Hardware


Is System Lockdown the Secret Weapon?



 By: Andrew Garcia
2005-11-28
Article Rating:starstarstarstarstar / 1


There are 0 user comments on this Network Security & Hardware story.


  Table of Contents:
  1. Is System Lockdown the Secret Weapon?
  2. ' Lockdown Takes a Team '

Rate This Article:
Poor Best
Is System Lockdown the Secret Weapon?
( Page 1 of 2 )

Tech Analysis: Locking down users' computers isn't always easy, but it's a powerful protection against the tide of security threats.

In the ongoing battle to fight internal and external threats on the corporate desktop, IT staffers may be forgetting one very potent weapon in their arsenal—system lockdown.

As corporate IT managers evaluate products and technologies designed to protect corporate Windows-based computers against the ever-present tide of spyware, worms and Trojans, they should also consider a more proactive solution—locking down end-user computers by restricting rights and permissions and, consequently, users ability to compromise their systems.

Malware comes in many forms, but, for the most part, malware strains are applications—albeit unwanted ones. While some malware may use operating system or application vulnerabilities to gain a foothold on a users computer, the vast majority of strains require some level of user interaction and acceptance.

Sonys root-kit/DRM (digital rights management) software—discovered, to many users horror, last month—needed administrative control over the local desktop to install, yet security researchers estimate that as many as a half-million networks are infected with this unwanted application.

Barring users from gaining administrative access—and thus restricting their ability to install such unwanted or malicious software—will automatically tighten security and will garner other benefits as well.

During a recent Web conference presenting Webroot Software Inc.s latest State of Spyware report, Richard Stiennon, Webroots vice president of threat research, postulated that the average administrator spends 2 hours trying to clean a spyware infection before reimaging the affected machine.

Resource Library:

According to the report, 48 percent of enterprise computers play host to some form of adware, while 8 percent contain a security-threatening Trojan or system monitor. This all adds up to a large, and largely avoidable, waste of time for administrators attempting to recover from infections.

As made abundantly clear during a meeting of eWEEKs Corporate Partner Advisory Board, pressure to improve the security posture of the end-user computing environment comes from both external and internal sources.

User privileges, malware and the Sony rootkit debacle: Click here to read more.

Auditors checking for compliance with either governmental or industry-specific regulations may recommend locked-down end-user computers as a line of defense against intrusions.

Indeed, when asked what was driving his companys interest in system lockdown, Corporate Partner Sam Inks, director of IT at Aerojet-General Corp., in Gainesville, Va., said simply, "Sarbanes-Oxley."

IT staffs may also drive the initiative toward system lockdown in an effort to ease their support burden: Reducing the configuration variability of workstations will reduce the amount of testing that needs to be performed before rolling out a patch or application.

eWEEK Corporate Partner Frank Calabrese, manager of global desktop strategy and support at Bose Corp., said locking down systems has helped create efficiencies among his support staff.

"We set up [system lockdown many years ago] as a way of optimizing our support resources," said Calabrese, in Framingham, Mass. "It reaped quite a few anticipated and unanticipated results, including our ability to do patch management and software distribution easier and with more integrity because we know what our target looks like."

Fight for (fewer) rights

In its most basic form, system lockdown can be accomplished by changing a users membership in Windows built-in local groups.

Because many applications for Windows still require elevated privileges to work correctly, many organizations assign users local Administrator or Power User rights that also allow users to install software and configure the system as desired—actions that wouldnt be possible for those assigned to the rights-limited User group.

Any gains that an organization may realize by giving its users Administrator or Power User rights are quickly offset by problems, as these rights enable users to make what are often bad decisions.

eWEEK Labs performed a series of tests to gauge the differences in the severity of spyware infection among users with different local permissions.

Using fully patched Windows 2000 Professional and Windows XP Professional clients, we visited a series of less-than-savory Web sites in an effort to install various types of adware and spyware bundlers.

We performed the same tests on separate but identical virtual machines, varying only the users group membership—with users representing Administrators, Power Users and Users.

After attempting to install the various applications, we rebooted the client, logged in with an approved Administrator account and installed anti-spyware software.

Using this software, Sunbelt Software Inc.s CounterSpy 1.5, we scanned each system, totaling the number of threats found as well as the grand total of threat instances detected.

We found a vast degree of difference among the three user memberships. On our Windows 2000 Professional client with User permissions only, none of the malware installed completely and two threats actually warned that the user had insufficient privileges.

Click here to read the good news and bad news about adware and spyware.

A third loaded a malicious process into memory, but the threat did not reappear after reboot. The Sunbelt scan performed after the reboot could find only a single threat, which consisted of one file in the browser cache.

The systems managed by Administrators were not nearly as fortunate: On the Windows 2000-based system, CounterSpy found 19 threats consisting of three memory processes, 503 files and 2,500 registry keys—all of which had installed.

Corporations thinking they have found middle ground with Power User mode will be sorely disappointed. In our tests, the Power User computer registered 19 threats (three memory processes, 503 files and 2,278 registry keys)—nearly identical results to what we found on the Administrators system.

Only one Layered Service Provider-based threat failed to install on the system with Power User rights.

Next Page: Lockdown takes a team effort.





  Reader Comments: Is System Lockdown the Secret Weapon?
>>> Be the FIRST to comment on this article!
 


 
 
>>> More Network Security & Hardware Articles          >>> More By Andrew Garcia
 


x}v89hN;/ۑrdY5-ēݣC6ErHʎw^b|g_bq -|Ėp)BP(@goOD0 pE1>yΤ>? !dߛF0TEK Ϡ^=ȈZ#}wu9{#|69?w A:|@D)5'Ӡ5ޙ Q}_6g2z9o0 fE63F6IE9JDq֥qϊJ|2#8,>v@ߩ:ADL&;M"x<&j>wl=ݣw23X]~j4Lߵ!Zpj9:N`QFdnڭaㅰH A=c9p<^- G,gs'9"QcO$ա%Uq˝LJ^tXF>D>8zvGx09ry j5jfL {n_%z0sw6O)L|@AGc"S9ˡ,Fp氢,sti #M-jZUQ bkG{Q>oچs[=jR3{;o>;Wʪ)Jw9ʑGA nnp[J^׵V贮i\v? 9NNַ߉QT"*rp4KI hjCG'${@B oVS+ZVH+(H.գQZzO`%pbQUriO'SK߾ڤn_wڧH>߉ekby 1=b Jg3Fz3G_/:nNOn.9n:'ݛ9^NCR=BgCjBmiqmU_[v<-/mx_gl M GiTj{Ir&j]}:>HNBKO'gs`HmDi[ܾ̑\ yǛk+R(y#0ri4(.ߦAfw[ atBjmҔ )B!aF`usns-fIs(,eg{AN)61tkM`3R˼IK2_VJ-ɿEh+dԌө$ɛ!"ˆG9xW,ʹc䁉1SUҽT7ws 9tipv^nVVՉ:YXYufjZnY?iQw9qn?]OH{⧋vІ%F ,I!e޴%VG%UGRŪc*%(YRS*& rO [ԖA-ò˄A ~}?fNQ}a|V궝H Yq"|euXy=j.33GS4@!>F&Ma;^h>[ -9H_,}TaPsF}jI t"v|scмy&na13fC?J{7t( u4/f{@`^@Z8`88ʬE8sB7}՜t҇*Qc>~u C|'s\(Lw^"2(%E2 DEMi@(P!$5ar/lb(O$^I-TbDJOq$;gJ_KEs㕰TL飲B ^/_ 2[3CE外ɴh4Z*?ȉ#"09X 5'j h%ּ fiZ\OG4iMhȄ-Gn]]ye&l`a DPCb;.'t+AP9o@C`(^\IIbЙn!@ )zզjl.>3-ʭE֊eS{_Fo6ҁveZZ @-Ui -؋7VX6otjQtV0&T emځfZG(J]D.1~aҵ(_KpSw{K5ǰ^\큢S*+lS#V-iVװYϚe; T 24 0`"wab\Z1OaNvP=| =r38G8{<=ZjbqTS4 ˀQU5qZ}Ä끄_ǂeK,|o2tj:b暺9쟯l {}aWlJsWs8Ģ4Q}(Mքi&.}{C%@#P-Wб"FaK鬡aKUѫSOm{hAy-h\>,*oұ@-ODBCizxhm~؇J9C!'PPo?EjPƆVVR娨V*\߬ ,sn1)'@S$f|`g<ڗyw꾿giԛ/Jm@o(@gf!WA'eTe1o0VW#cJI3D# w% ' L-`Gf^=/YQwןlw "9&g}bRjELRG bqe@?@Qž,JV-5yAW܇v1"xሣ5T;N6'O ԪOV )6YS!bW hęf~g˪i몵F!IXy3is}"0%,gn);i-uQby*Am@+r/|fMf2/c>ϣ#W5KHDO"+>uW4AaϘɗZ+UA c Jx}n|U;AS3ѺMsls K393"nLx jZ,tΫ>Q#2! =NR-2SKnV=R.@R\ HǞ1}]>th֏-i l}SUהю"eδɢ(CiB/-9\bvq'CU"[ 1y lSbR/Bփ `AQ*O "U!T>O7(~ (\{C>km {~L>\XS(.>&CUX)TԒ?IXIA#xs< SiΏ{ܜ9ЍzIΝrQӊ 5`JR'00 ƈ{ S@Wt@Fe.EO*'-JP^qg(,'2vBk=ǃǻm I74a!4<~re%[ ir2=kZgapvO+ʬ7A48'o/>CjUeQb-l |* n3$@$Ks?;$Sv/isp;nnt/ +9kw>8{~J^ieԹ~~<:m~71%|˾FIM $ȅ XNpCfOճ"yrҹ ]:layzp0\!9аq^8K%V{ͯe[J:^;Oz<, Y#tBfS L k;d8)0/hdjm\8=`J6 :I :N/Ns:֒TzB_ɾj8ϐa5(FG#FE'k;tu{)-'2}i1/W` eڃ͟*Vrۨ't>!/+4r㿜y^G$M FE]Rqn} zsHaP;PE3pq*h w-gRs$S)Ҥ`BgJȄa{e5)a5R!MLCYOC/%$f;Bڕz{ giMN.m2ϼ3K:vn+W#; ViH_8_`wZp!,G@lb'%hw&Brc7`|xr'fx-e>¸*,SVH;`ұGy~#ѴNxMĉ#*qYBK+: CW ./v6gFȢ&i{?d®%)A/gx9[RsrMδE{OmhG(PESrcW}V7;ʳ/"'=K$DÙ馍CL.I߾&/3 +=F'=g7omT2#|dз*eIeY"KPQbg?KXisK6rt!ܔ'h P򞘨8Mpx"! q@z>ES2团 vllUl-u>7@%IU%6y-^K|vN1cP+v-W$Њ/q}cRx^*JX 4Wt m;F7 Q !'#qx\-ØYb{ K,η&f-X$V$EH'飕"zkJGR`H} Ex"1 bYA<$ xNn"G%Dɣxl͝, ն%s^hj鶤K׎ܚtLbpixAaU䘒: /Ǫۀ#n5*@*Hji[(?qKl\9 %- }Iʥjy+mX"KzmHHxRܖ\*Ϸ~aRmOP,@IEE: m(Շy$a yTTJaIGy d~jFNeCz@+YΞM!>071v߱RfKf` BrwwwwZ/ NSlz#z%Wnt_XHRfY]VӮ)F?AB}r X%CqX=۪Y>}ўf.dVzsrO]DAE"*H"d_ɤ4X\<8egm$hJ9`U c c؉R e OA˛8Ip&" gYXi}0l*J䥑j<ĖlϩsD'"S(4)sϘt}u0ӗn2$ p6b'-*;ډb,Dײ<7'bKU$g"r+m_~l^:li?7P7 |j2 dq-ϛxY~d!3s^oKԝ^-f6XDsp+PKS<#  f"{Q#xt-)jGͿ]`8;6vs?hrK*>!AXDIXsK,{ۏ;Cml]t퇤3~7}7}7}7"[Q-ʯ>)!~GcmLo=<LJjGUcՐUݼ!o=$AF5AX?q9ppGؔ a`͠w]_-搊7Ҥ `aUªQ_f>ɼhÁ><ƃE)^T:^010z>m;=2 uwQGVllU[Bi?JݺOaK9Fg\'8xU%" I@:\޶jѨݪvzc*׼Jukӿjޕ)!B2hsGOl?hێmɍ&0Ax5Rk8\coD_r#7V0pG;I68w&ΠR@.w5 5Ԓ+l&΋?7?pW?剜ׄT'_|mώߚn0a_7 /(B43h~d7i1]^Iͽ=ڶ#l0M#xۀږű6AhxV Wtׅ dE͵8Gg^ 6+&b%Zv%&B(w>[ ozp=W/!4SXubCt$tF87 3ƚy<-Bd "J 1'–./cc &9CS4g槟],Ҷ^8oq_P~״d=I>GI7m"f)Zaz8S[~xz1 B1~/`BCt{39nC~G%C!g ^;P`ڀ/)ZWqi3-Y:'z k'c4$p\{-hbR^XPAft~GD){XQm _LQӬןfPu!ۿT}fgwQ־sAU2UBS Q?ED̙xnG?/ISaQM:'VDZ" 7c8T?|oqN m7H燾¨X++֜rc[a>\RQձv0~c)M[s+pU nؘ3a"{1"9pѰC LX8~܋}!%KRku+N ߥtc=+5&L|p4ZP:qQ&f>xA32I= o~y@2 rIe+փފ> 3A@:-uĐzL'-cWd"$@>d_f@9l~V =3Gym" <y3]y }tøCq} ,OHʊ\X+ vAm=MXxh x?ra%?Er6Б`5b'r*7/{JM)`=Du2t02*%B%cP5 xE{_{=>I0- ‚5"tT< Lj) P鄗05g+bv1x;قR{D"۹blUo%P`qT83nj=J<|WH5_% :KIE* D "}A=Aa~Nµ!~XRJs% h_ݯf4:^Dәes3})lH 23 {R>ɖCzEQt#?Kg0<*G7;ΥIDZ|xN]ƒ $BѽӜhVP ?2FW׻Ssˈ_`dBc JU(0%T _3ʰLXUK+ʷͲg2q &JZ {AzNrdh{?J ̑~@||6#To9ͫ/{M&Oǽu^yoDa[kN|Sw'_Zݫ/u粟kxSd&E`o{5BJe@!cFkF5_oo5R]f#7N-om?fCF?|O:Ygs~$dC:CL2#^񱗑l?ak\d"c" >" \/2yA@=Mk[I2sWe|:,Y& r hxWYdbd b{Xe?~VP枔u]SRMz.!{%])2-XѦZ}5y^9=U2̉CK}}ZU-s=h603.Ð0[{?[2Fs?`fE@' @8mࡠϻH>?#Ak0.: 7X.[Z|ţ;TumaPcqdmoqކrI'+?u>wxP9xZLԸBGpkQV =<5b3}e\FAz֧N K :!^`,}Uq< 9sQu8 % ~xQV&ƀ;'R?аs3@t=^Rcn ~ܛwJ1Y&:IΝrQӊj~JR'\#aFdQ `FTMVYI0ZY|((R|F!e~mث,95C=b{hǨ[ɖ^+p E щF]W2dy3K`dQKp$vŐbG0~;P`K9؞:z^͇,'rgLߟSd *6V{I[Qg75 'P;SsӄwYADӸ} XGP{wӦP3G)b|337rɈHτ[Vi׿C|S%/M qÎtP=_rm#2Ol5Ul%wB;P'GґeYryѻKdg#X5RǬ?w/ #Cոt'cNF±0Nnp[bb2 rBL/uGI ƍ&F\co]b l&aصToM#^6bRFՏb֠}Q^FD#[#7X[NƄ_ð@o=N7"V9p<`iM ůD|݅_6^{sؖ.?fG˳mbMڮF)\GDEs5 X 9c ?1X3&?coyITǛ]X/?D6^aޟ4ψ#&"5l }_ |n,(?+}CIoლ" #Ǘ ٣(OxͶ/PCD);-{y 0t['cr=%AaL:L =}`ߞsYF%艬G׾cӄ0\8VX"u;WdԢԱQ#tHϱ=8*)Նqf;E/mC 1̅|l)kښu8:\5m$=IKh4O[5b8gKbBNcz%0)%u+ 9م7C.HFSmOV D$$E '߂! h=$N> :!31Q1֒_tI3軱Wx&%mY dv.ycъU$m$HhRݠ_,99"űmPmqBh wKwF:} S q:wa3[_Φ"OǬ2xm~/;v4f SL+4$RxsFZV?`` \}wHv,t>;/uԝ8G# ddi1њ1|'^чeedz%_Ox®~[axs%dm2` G&$߀*0to}wZQڃteRb0yNvCFc ?dDx#b[p.@>PEg*R8WD K^)Ybd㚙'mrΦDOWt2Zy@t[] D peӵx2 WcV|BR}P/(W:NOes{Z %_Hv›*z| X^b 0,:0{8uF앢u.D<@>ƽnݢCZ^s F ' OxH>%B6IryʱтIEr3E~#V+5%ӪrXo4lQ_zc|>۳zw _jPpP9͓z0 _fo~X0~v18Y&|Bc93a?U`2M߿.$ASsDe]dxtCGiEL`$;]+vN%th&PoYs\TFH6c?tftŏ@í]^g"a?#ahCgybSS2w$Yw@ O{r|>&:x~eaW@xT,z/핇f?Pv/is吻T3t[?]?; 5z_ayBcFLl47·V{şnyqu5 Q{}N`!XIC >ֳ/ .N|>Gy6W_1*M4V* wN|VtƢI26pzRSV>{jX~r[)CUk̹D/5V_JB\jh5