Network Security & Hardware - eWeek


Battery 500 Project Charged Up over All-Electric Cars
Charting the Final Frontier--Google Maps for Indoors
Get Smarter Technology on Your Mobile!
  Network Security & Hardware


Is System Lockdown the Secret Weapon?



 By: Andrew Garcia
2005-11-28
Article Rating:starstarstarstarstar / 1


There are 0 user comments on this Network Security & Hardware story.


  Table of Contents:
  1. Is System Lockdown the Secret Weapon?
  2. ' Lockdown Takes a Team '

Rate This Article:
Poor Best
Is System Lockdown the Secret Weapon?
( Page 1 of 2 )

Tech Analysis: Locking down users' computers isn't always easy, but it's a powerful protection against the tide of security threats.

In the ongoing battle to fight internal and external threats on the corporate desktop, IT staffers may be forgetting one very potent weapon in their arsenal—system lockdown.

As corporate IT managers evaluate products and technologies designed to protect corporate Windows-based computers against the ever-present tide of spyware, worms and Trojans, they should also consider a more proactive solution—locking down end-user computers by restricting rights and permissions and, consequently, users ability to compromise their systems.

Malware comes in many forms, but, for the most part, malware strains are applications—albeit unwanted ones. While some malware may use operating system or application vulnerabilities to gain a foothold on a users computer, the vast majority of strains require some level of user interaction and acceptance.

Sonys root-kit/DRM (digital rights management) software—discovered, to many users horror, last month—needed administrative control over the local desktop to install, yet security researchers estimate that as many as a half-million networks are infected with this unwanted application.

Barring users from gaining administrative access—and thus restricting their ability to install such unwanted or malicious software—will automatically tighten security and will garner other benefits as well.

During a recent Web conference presenting Webroot Software Inc.s latest State of Spyware report, Richard Stiennon, Webroots vice president of threat research, postulated that the average administrator spends 2 hours trying to clean a spyware infection before reimaging the affected machine.

Resource Library:

According to the report, 48 percent of enterprise computers play host to some form of adware, while 8 percent contain a security-threatening Trojan or system monitor. This all adds up to a large, and largely avoidable, waste of time for administrators attempting to recover from infections.

As made abundantly clear during a meeting of eWEEKs Corporate Partner Advisory Board, pressure to improve the security posture of the end-user computing environment comes from both external and internal sources.

User privileges, malware and the Sony rootkit debacle: Click here to read more.

Auditors checking for compliance with either governmental or industry-specific regulations may recommend locked-down end-user computers as a line of defense against intrusions.

Indeed, when asked what was driving his companys interest in system lockdown, Corporate Partner Sam Inks, director of IT at Aerojet-General Corp., in Gainesville, Va., said simply, "Sarbanes-Oxley."

IT staffs may also drive the initiative toward system lockdown in an effort to ease their support burden: Reducing the configuration variability of workstations will reduce the amount of testing that needs to be performed before rolling out a patch or application.

eWEEK Corporate Partner Frank Calabrese, manager of global desktop strategy and support at Bose Corp., said locking down systems has helped create efficiencies among his support staff.

"We set up [system lockdown many years ago] as a way of optimizing our support resources," said Calabrese, in Framingham, Mass. "It reaped quite a few anticipated and unanticipated results, including our ability to do patch management and software distribution easier and with more integrity because we know what our target looks like."

Fight for (fewer) rights

In its most basic form, system lockdown can be accomplished by changing a users membership in Windows built-in local groups.

Because many applications for Windows still require elevated privileges to work correctly, many organizations assign users local Administrator or Power User rights that also allow users to install software and configure the system as desired—actions that wouldnt be possible for those assigned to the rights-limited User group.

Any gains that an organization may realize by giving its users Administrator or Power User rights are quickly offset by problems, as these rights enable users to make what are often bad decisions.

eWEEK Labs performed a series of tests to gauge the differences in the severity of spyware infection among users with different local permissions.

Using fully patched Windows 2000 Professional and Windows XP Professional clients, we visited a series of less-than-savory Web sites in an effort to install various types of adware and spyware bundlers.

We performed the same tests on separate but identical virtual machines, varying only the users group membership—with users representing Administrators, Power Users and Users.

After attempting to install the various applications, we rebooted the client, logged in with an approved Administrator account and installed anti-spyware software.

Using this software, Sunbelt Software Inc.s CounterSpy 1.5, we scanned each system, totaling the number of threats found as well as the grand total of threat instances detected.

We found a vast degree of difference among the three user memberships. On our Windows 2000 Professional client with User permissions only, none of the malware installed completely and two threats actually warned that the user had insufficient privileges.

Click here to read the good news and bad news about adware and spyware.

A third loaded a malicious process into memory, but the threat did not reappear after reboot. The Sunbelt scan performed after the reboot could find only a single threat, which consisted of one file in the browser cache.

The systems managed by Administrators were not nearly as fortunate: On the Windows 2000-based system, CounterSpy found 19 threats consisting of three memory processes, 503 files and 2,500 registry keys—all of which had installed.

Corporations thinking they have found middle ground with Power User mode will be sorely disappointed. In our tests, the Power User computer registered 19 threats (three memory processes, 503 files and 2,278 registry keys)—nearly identical results to what we found on the Administrators system.

Only one Layered Service Provider-based threat failed to install on the system with Power User rights.

Next Page: Lockdown takes a team effort.





  Reader Comments: Is System Lockdown the Secret Weapon?
>>> Be the FIRST to comment on this article!
 


 
 
>>> More Network Security & Hardware Articles          >>> More By Andrew Garcia
 


xvH(VC6}]5BH]P .3ePY,P[HIE:/qLݸڳOWm2#3"#"#### OD.mM7 ܤpf\zoHR^??f\/2]L.CF4=Gz]3U͌S7S?`[;{;Y|!ǹD%h1Qe3_眾ڏό3!X]~j 1 hjN`Qƞdn ڭ` ~5a ٷ]v4#N%ӞߜIؓIthleD`IR3<L'C1;Mۅ)KTa3cmf54x%y5@c[R z!1IᙑI5O֟GBS Mg;a(Ӈ#vpme[#]65]nsK?!s|3}gjǜH.]׼)W_v5߰-2u鸚Ȳgu{34FwYȼ;UBs|XWNCt3 kv#{nTm~w+*U:uu7unm!yCi7ny\u?./-N6|'k;?;0Q&*(b>:3AhjAG',{BrM7Jar+q%S5Cv),f5< 3+i3*,gY)?[ZWM"V:GYvf0R**CA=.]iȏƈzUy}y4[ۍVY=w 'VsCp3;'^=zLrO]jll\.T$%fr"Sj]:l7HF|C&EsI 黚-4S[W }>k#EX V%?V3z5 t@}:%[ɌSHu tZY^uMJR᭱B'aliJ5!`F} 0snW3 fMU3,eg0UAM)41k 3!RB;>?or@@j\~V )EB.goF". wzTB(pHqbFNTIRe1\<಺yp!zYZ5'JtaiEוi ].}׶&V$U:^S/3G#вnZKÒZ*V"JJObN @8ʍ/;ՙm!SK2A S:ksjܟ <0F;mF_sgT7P@= M/}@˥vahj>'ݰäp V8=4fuӹ {>Щ}cF=Q+`I[E 6z]LRmbt9 HhS0\`w0[3街#Yӽ[:?a="0.ZMyG@e^~m¢P׵mG3<՘5Ԇ &R}>~u(~9-RO^b|NҵEEKy3@ $h`z6-mb?I^IHX)ǭBP(=!ԑtiOR(|-̈́=*%nqR%f 930ٛ4{~F7rB.G Ÿ-]uwVy6 g5_LB ybJR)9 ґ/yu&aS3,rH:sxp9tpD'HwHSJzLa.U>95#Z|' 6MTs-2)Ln>4EWL?==Т܃M@ffxPLAqמ1h jdzw`בiM]ΞspL(> }Y9&__ gYA3'| @]8>+WuPÃ"`"+42[!! = PȬ-T w^!;= #5Wb³&#@ť`j(mgѹ+>q^uiz$~R4ʭ%֊fSTؽp@r6‘y2KmGg@xC X{+}a DA n29fX6X.]4^`Na<*)Ϳ3 l {8`OAuĽvKQ"*UG,M#\PsjTU+qrcܱK(N$.%m$mMK6("=#r;|6O7m?}..NH1 `;SۋФ0V2PaI*eE]33R%Td\4&L Ğ.F K\C˕EeUJWu)jd>i'[A͓S.hfh:6LyDLR^) {0k4k鷳a+JDElq-Z`bۦi?S]WҸq AKq!Hǰ> KMv΍!u׋PRBY4s `kWAܣn[N" w.Bā&h,puf Tl{bRIB(m|.W1C)Xk±&,FSyiYW>Pap‘"=jmA461|,W%ˈ`ˁV/( 7]4@.&XӞ?DNEk]W9*# ߛhho=^Hʥr>_.EpC-*JtzJ%̠Jνwq)4CG)bs`֙:oh`պ>{K2 `3|xekmK-ދ)c.Z$ c?`7dF6_гUl5¦8PzU0圪( ?V8w|,@? v:" C\4!<`S4pfmWq>YJ+J8Nw 򅄟`Zgw~mܷԻC X{E |.ÿ㸲 E Lkop(Dk~dU13~FU5>FU:Jr^a߯yYXZ :ڇHRi3b 9&~rpߎ3XAm9k+sD ü z33Jјljl6&hX>s'}&-njvJt#.soZ75_(6t8݄`gv/W e056u 2 \z ϴܑ0@dsrW2~ z:Ω1-a`;' ٸnZ~jAy̧cb3╊Z)|,64Df6Dv-T|]l7a|wۭ\!W,,BT9HÞ1=Mmy6w5hT i,mSQr<h93$sAj]K>a51r:l\#i&&lldǶ[e7M#32pTn7n-KEeT37|y\Y)lz(9rC5E 3q5GM42Q7HG!I(u(Ǡy[g%z$ :̫Y+(#t+Z~imD<9[E 1wQ^b%SW,>wD<5Ϩx=}Nb4PF Ff q iv< XLdkYyVum4tX"5Jѝ`.S˒/%$: *)U7OWMݩhc0.[L2}m&[x!K SD16dxߋ]8^כa.[ BV@qD*g~p:+%F{O青UK:^{zdW', YG# B4.[FSLo2YGRY?ֈ49FD/!B*.ݛf3 T/Us>V\zB_,49Fπa6(FѨLنk*ٿ+[s 5 Lo 2`!;ǀzB:l/_I%[$C;( `M/)9(+RJ "4FL |ϚFΙ/QN3Rt<~QrڿPq}m3μ3Kڝ{H Ζ$!̗4.נF2+ c>ϳgע\}6y;IzSa64O3)WNEVdQJ$20눴Qtl~˸l+Vu{v,3x]S<<L3,D14'~ԯ/@ ̯> H tDoޞ7۰.xʜ(=~!K7&oYq>sF9ڭ÷jn's77I:CAw,;Ujy J=~N t6D(Y[b{wCVȊ̅Szr.s >&Yp2&iulځ{W-3x;[#|WQ=-TxsS(e15?kW=dp w.# #zK[i-tC.qWG[wWcE K)Fo>\FK*W4$1g1_K + q/G޾&@L'.^[/j!Ӡ+$'$/oiM[`Z*j"7689yA`I²>?z"SؐX`ÚrBXx|JZfI2~VQ7,ovCQ{ڞ[̤K :eR_c[H%< osxᜐG8 bʆ"^ED5rܩgmbׅި\ARI-Q&+>_]"Q# ]"L{.q?!(}B8W7B>*k_[tA,I9E-KKmn10LL~vKR\̻h rȡ2`Z@ܝҳ[{“nCI: fTigtc{l"HG Iu'*Ickk/^Ř vɰ$}70Ӗ%1lDxU&8bmreIU6;n mp| 0Y\*N=+l+YH=xPWj?3Ӆi73 HDE VdxPq3 ;:AcW^fX3sJ{:դZ)* Lv#*_UC;ϳ6mԥԀշ%L <°k.^,nOjڶIJ^9.n:aY*0,0 K)gK/\=^'ؑ1W̎'Aݗn&IZ FnP1 ߭% kCMؾ#R{tٜ^ܹimcN`l|G+Ꭵa7}mj[r|_&W3\'E"n;~0>߉ɞP1=6ߑՊmC_^^h*ڠՌ6'>96̢LlFYz)Ow$"XsSe? ;Zx%.zIW x$G<㙆ף1DK T=ꎜU~G̓w@7ýCDA:$%h: VX}vk[wv.C܁C^&:ޅvO#-gWa%g"56IU#˪nf/f;ۑm- QV - 3*7ŀM^S.Kԝag.-J&na0kꦹ\ '묒a43k1D+bZGj/Q5G!C?PC;}jٙK͇xA5S{`gIZ9esȓo| ZNIΞCbJ8|&LBt{ȏGpMW[ ʟ#^tA'y{JdYXͦ1a@ކ(oCu&XcrD~RB~ 3M~2fxdN>I5;4OXg'dT?Lrp '{V0au  ÒA'<9Kへ/ft\)FAw9ǶL|^RU~ۘ҉[,uS+p#@YŪ1(HrCq:ٷelXZz~vlǏax};̵Oϲ0I4> x!F%1Md]1PM\{n'?ñ2.).ċ%AXl!cr|DN,?t㍯H*]V|`Z^l?QXvl]Es sM2Ή̉ Y4 K716\RkR\y.iU,VzTdQ wL<_Aֲhֈ1²p*B GEٜArC5Ք U@+ĚsnKaɧ5:@6u~ZŠ+@&[BOk@ROk]J,w3= I<6߅7cXz9ZRE7b;\ٝe5WRJҝ񗘐cLvb/xD"Z}4֡:m 8_.&0oi8,6K&(/HLtxZڋ|Ds$Q860,|\׻5 !^Z]Y4;XCFÀgDDm'i/m 'iس &/0ڑ]ct 7s>н_&=BjmwW+  S\YrVfRKxfVmmq%]%F&!)tA.4K @X(<DsТ?RJ1𫛨k_fJd'nO5 Qrj,S0,?9`蔝u];-Ƥ|ˈs%1qU&b=ǘ{xaJaN 8ͪM;oP~z*ܟOks Bůj9w4'Y5 bU@Dm8AnI0YvQ=rgtMp! IV.NobHQ ocRi48}A6ڄyi8Y0A3:\d.8<~p;+$΀E!|z['Au}H>Kl1$.c取+623!hHla:Xp,C}IZVߺ顇 Cy|aQ_G<:}GLwڂNp<a  CbO²-dks?wKY– \v6к|t]["m#!kEAH3'T~7n?\r\!W)'pp\`qj@Kd|+2&Bs8559w=￿zLyՌ %‚ 5" |v *.a7sD7c1CLD:% Ewbb0ۄRkD0#۾fbWo@$P`+wdc.l|9k%zW O%.JU@;`'*?--?B5ďbSJDin$|s 27֌S,0v\B<Lh3ԯ>LqWJgCE 3Zz`kP!񖃠j);Y|obLcA~mݜ(8cSB<_D|^Y z;"thWy2{x/@Ka1 ޹R'I]A.aﱢ.+;(^qWBtTg1TH+^@0 CޏyO}c{fڟj,L~}}woHߴZ׸i_p+ah,.6o4k(-Evzzqu&6iXCzytjEvv/N|veIᐆhw5}uR_'M& OD8SH^U+S Lj^+V__;^?l~ߨSw}7=rz&РJy߀ρ>)/ڙE{v3Sk7SC)CL*=Lc/xeKfZ'e|:'vRtR;)w?;)'U W"Rw}'=U^\UuݔwAtSOK7E\\5ԿNs?=__>>ߦM[h6[u2zկqv ,}!S;KBEZS{XB]}V~v¯EX^йK"KԿw2~v2Am_7BX\Jrp+,Wg^fan4vKIA -{}yK֑`˼7bS!8GPryE#.-'ވl]=g\ݓs+z`~\YO%b}+|Une+tžOq2#s"qG#nL _3A06FU "^4{H9o.( }^h#}v0?(GUtKn lxkۇ2%>=#rߴOEv<2kSյښ }3b biL^xݴ_S߭Һ_Z5U쓩->g~3fN,B8#0 ߤH= _0v{:^(t=^iR97&= P#*8T>V7/F&X<gM~ oG2p@,(sT;X^F$lmBC&r{ ϛSo9ǤK4l&%bn1vkO>Г8pО' ? 3ʕB~w{tUޣQ'7âO-3|:A|#͉Dr&߲)tO0'PXŲi!Wؑf;n%c$QUedH2{nY {gpFB8=fŇW4yxaw.C5-xW;&SFEN|Kmk살F`ư:f\cW]av]Me~O ^Of@L V(Y.>'j=hhk$d-$g2x['05:o7BN6"f̯0۟ejqu[ >}-~L4gK\۞@Ƥ]ݏ;y'Հ')$ix9& C5<Hz_t&1\vbixF˲2#0"GMȮkfAjҰ_xQc 6{Nz ̄0Q>:L.~yk-=x= 94Id`Mݱ;:WC۾~rhBr^%JAaH2_ m>R.TùLHK}ۢ1e4"t:쭠D m_3S:SBݾ&=ۜ X?%f&}c,S^@6AՋp0P$=Cf B>^(AR g5uY{N6 )4M뚈βQإֿ&`Nm% 1o)boM^pQ TjYm='>}A5ӟ⭻C"\ j?;7U˞QYɶx jSO~x(o݊[\<>cPΣ^p祈TU|JA1Z<=i;%^]:|? Oe Lt8/o90kn>ʷa$L9ˍt$/ASlk 6- `쎈]y&eV٫DR*,E'f ,~sf6[N稥R!e٢^<:yL㞮E{OfuݏÜ4ZZ2 ]#+b +C>`}R>Ɣ+ ]'[ۧ3й?-}: @׀%V`=HS]+8ǩ=bhuq#b yuke!zȟcto L?V`˟]ݾ7GѦa#Q`_&6Myߩn Q`__<6tcbs|MڙDX<޳s+o3evo~;8KqZ y2 !ʴ^xyu~ҕA)If`:`Qd+(*)ؐ2kO`4bGP1, Qn7}`N*)Asa#Dl {Ap^-m-8Lg4lgL_FTTxAnwI\&x+;TcdX$֬=LE")s0Kγ= >`5>gzCG%݄y& L,&j1Bi>c1`f*0_mkAScLgU`,Lv"V6tshh79N*䘰هl"~h&nL{+ЃTapFK-^P| E>GNDN<<Sf}')VRL_XЛ_,P>I"g\`ʂT>\JRSk8ĸ{cp6]Y3|Yq';f†[hp .bF;f1Բv}0