Lockdown Takes a Team

By Andrew Garcia  |  Posted 2005-11-28


Results were similar on machines running Windows XP Professional with Service Pack 2, although the pop-up blocker that comes with Internet Explorer did help thwart one pest.

Group effort

Further lockdown may be accomplished through intelligent use of the Windows Group Policy capabilities, which can severely restrict a user's ability to perform certain tasks.

The ability to enforce Group Policy Objects dates back to Windows 2000, but the granularity and variety of controls have been greatly enhanced for clients running Windows XP SP2.

Group Policy has always been an effective way to distribute software packages to targeted groups of users and computers, control password complexity, and limit access to certain applications and functions, but Windows XP SP2 brings even greater flexibility to control user behavior in IE.

With XP SP2, we could easily control ActiveX and Java functionality, limit downloads and control the integrated pop-up blocker—and then apply these rules to IE zones.

High-end audio manufacturer Bose has leveraged Group Policy to supplement user rights and help control what does and doesn't get loaded onto end-user systems.

"We disallow all downloads except from trusted sites," said Dan Gleason, senior desktop architect for Bose. "We're also disallowing any Internet Explorer add-ons. We've now rolled approximately one-fifth of our population to XP, and we're not getting any reports of spyware on those machines at all." Gleason added that Bose administrators waited for SP2 before rolling out Windows XP.
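To verify that a workstation actually carries a zone lockdown of the kind described above (downloads and ActiveX blocked in the Internet zone, downloads allowed from Trusted sites, pop-up blocker on), the following PowerShell script is an added example; it is not code from the article or from Bose. It reads the Internet Explorer zone action codes that Microsoft documents for the zone registry layout (1001, 1004, 1200, 1803, 1809, with 0 = enabled, 1 = prompt, 3 = disabled), checking the Group Policy hives before the user's own settings. The "expected" table is an assumed reading of the Bose policy, not their real GPO, and should be adjusted to your own.

```powershell
# Added example (not from the article or from Bose): reports whether a workstation's
# effective Internet Explorer zone settings match a lockdown of the kind described
# above. Action codes and value meanings follow Microsoft's documented IE zone
# registry layout (KB182569): 0 = enabled, 1 = prompt, 3 = disabled.

$zoneNames = @{ 2 = 'Trusted sites'; 3 = 'Internet' }
$actionNames = @{
    '1001' = 'Download signed ActiveX controls'
    '1004' = 'Download unsigned ActiveX controls'
    '1200' = 'Run ActiveX controls and plug-ins'
    '1803' = 'File download'
    '1809' = 'Use Pop-up Blocker'
}
$meaning = @{ 0 = 'Enabled'; 1 = 'Prompt'; 3 = 'Disabled' }

# Assumed target posture: the Internet zone blocks downloads and ActiveX and keeps the
# pop-up blocker on; Trusted sites may download. Adjust to your own policy.
$expected = @{
    3 = @{ '1001' = 3; '1004' = 3; '1200' = 3; '1803' = 3; '1809' = 0 }
    2 = @{ '1803' = 0 }
}

# Values written by Group Policy live under the Policies hives and override the
# user's own preferences, so search those first and fall back to the user's settings.
$searchOrder = @(
    'HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
    'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
)

function Get-ZoneAction {
    param([int]$Zone, [string]$Action)
    foreach ($root in $searchOrder) {
        $key = Join-Path $root $Zone
        if (-not (Test-Path $key)) { continue }
        $item = Get-ItemProperty -Path $key -Name $Action -ErrorAction SilentlyContinue
        if ($null -ne $item) {
            return [pscustomobject]@{ Value = [int]$item.$Action; Source = $root }
        }
    }
    return $null
}

$report = foreach ($zone in $expected.Keys) {
    foreach ($action in $expected[$zone].Keys) {
        $found = Get-ZoneAction -Zone $zone -Action $action
        $want  = $expected[$zone][$action]
        $current = 'not set (IE default applies)'
        $source  = ''
        if ($null -ne $found) {
            $current = $meaning[$found.Value]
            if ($null -eq $current) { $current = "raw value $($found.Value)" }
            $source  = $found.Source
        }
        [pscustomobject]@{
            Zone      = $zoneNames[$zone]
            Setting   = $actionNames[$action]
            Current   = $current
            Expected  = $meaning[$want]
            Source    = $source
            Compliant = ($null -ne $found -and $found.Value -eq $want)
        }
    }
}

$report | Format-Table -AutoSize
# A setting found only under HKCU\Software\Microsoft (not under Policies) is a user
# preference the user can change back; only the Policies hives prove enforcement.
```

The Source column is the useful part for an audit: a compliant value that comes from the non-policy HKCU key means the machine happens to be configured correctly today, not that Group Policy is holding it there.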

The biggest downside to Group Policy-based security is that an organization needs to be running AD (Active Directory) to really get it to work properly.

Group Policy Objects may be applied at several levels within an AD hierarchy—at the organizational unit, domain or site. However, for devices outside the domain (or for shops that don't run AD at all), policies may be enforced only at the local system (the end-user PC). Unfortunately, applying Group Policy Objects at the local workstation is the least flexible way to manage Group Policy.

Companies looking to deploy Group Policy to computers without access to an AD environment should turn to third-party tools such as FullArmor Corp.'s GPAnywhere, which uses client agents to apply Group Policy Objects to local workstations in non-AD environments while maintaining different rights for different users.

Successfully locking down desktop computers across a large network requires that administrators provide a well-designed and highly functional software and patch delivery system that meets the needs of both internal and remote workstations.

Administrators who have relied on users to install their own patches and software must realize that this functionality will be strictly under IT control in a locked-down environment.

By the same token, when users want to download a necessary but noncertified application but do not have the rights to do so, IT must be prepared to do it for them.

As a result, IT staff time spent installing and updating applications may increase, but overall support time should decrease when taking into account all the time wasted manually eradicating malware.

Indeed, there are few users who won't have the need to perform some task outside the parameters of their locked-down workstations.

Noncertified programs that are nevertheless deemed necessary can be supported by performing a test installation and operation to see which files and registry keys are modified during normal use, and then modifying the user's rights to those locations.
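One way to carry out that test-and-observe step, as an added PowerShell example that is not from the article: snapshot the application's file and registry locations, run the program under the intended non-admin test account, diff the snapshots, and print icacls grants scoped to only the directories that actually changed. The application path and watch roots are placeholders; on a real assessment you would pair this with Sysinternals Process Monitor to catch writes outside the watched roots.

```powershell
# Added example (not from the article): records which files and registry values an
# application writes during a supervised test run, then prints narrowly scoped
# permission grants so a standard user can run it without local admin rights.
# The application path and watch roots are placeholders for a real assessment.

$app       = 'C:\Program Files\ExampleVendor\ExampleApp\app.exe'                  # placeholder
$fileRoots = @('C:\Program Files\ExampleVendor', 'C:\ProgramData\ExampleVendor')  # placeholders
$regRoots  = @('HKLM:\SOFTWARE\ExampleVendor')                                     # placeholder

function Get-FileSnapshot([string[]]$Roots) {
    # Map full path -> "size|last-write ticks"; a change in either marks a write.
    $snap = @{}
    foreach ($root in $Roots) {
        if (-not (Test-Path $root)) { continue }
        Get-ChildItem -Path $root -Recurse -File -Force -ErrorAction SilentlyContinue |
            ForEach-Object { $snap[$_.FullName] = "$($_.Length)|$($_.LastWriteTimeUtc.Ticks)" }
    }
    return $snap
}

function Get-RegistrySnapshot([string[]]$Roots) {
    # Map "key\valuename" -> value as a string, for the root key and every subkey.
    $snap = @{}
    foreach ($root in $Roots) {
        if (-not (Test-Path $root)) { continue }
        $keys = @(Get-Item -Path $root) + @(Get-ChildItem -Path $root -Recurse -ErrorAction SilentlyContinue)
        foreach ($key in $keys) {
            foreach ($name in $key.GetValueNames()) {
                $snap["$($key.Name)\$name"] = "$($key.GetValue($name))"
            }
        }
    }
    return $snap
}

function Compare-Snapshot([hashtable]$Before, [hashtable]$After) {
    # Entries that are new, or whose recorded state changed, are locations the app must write.
    $changed = New-Object System.Collections.Generic.List[string]
    foreach ($k in $After.Keys) {
        if (-not $Before.ContainsKey($k) -or $Before[$k] -ne $After[$k]) { $changed.Add($k) }
    }
    return ,$changed.ToArray()   # leading comma keeps an empty result as an array
}

$filesBefore = Get-FileSnapshot $fileRoots
$regBefore   = Get-RegistrySnapshot $regRoots

# Run this script as the intended (non-admin) test account, exercise the application's
# normal functions in the window that opens, then close it to continue.
Start-Process -FilePath $app -Wait

$changedFiles = Compare-Snapshot $filesBefore (Get-FileSnapshot $fileRoots)
$changedRegs  = Compare-Snapshot $regBefore   (Get-RegistrySnapshot $regRoots)

# Grant Modify to BUILTIN\Users (well-known SID S-1-5-32-545) on just the directories
# that changed. Review the list first: a directory holding the program's .exe or .dll
# files must stay read-only, or the user (or malware running as them) could replace code.
$writeDirs = @($changedFiles | ForEach-Object { Split-Path -Path $_ -Parent } | Sort-Object -Unique)
"Files written: $($changedFiles.Count); directories to open up: $($writeDirs.Count)"
foreach ($dir in $writeDirs) {
    "icacls `"$dir`" /grant *S-1-5-32-545:(OI)(CI)M"
}

# Registry keys touched; grant at the key level with the narrowest scope that works.
$writeKeys = @($changedRegs | ForEach-Object { Split-Path -Path $_ -Parent } | Sort-Object -Unique)
"Registry keys written: $($writeKeys.Count)"
$writeKeys
```

The script prints the grants rather than applying them so an administrator can strike any directory that contains executable code before running them. Opening only data directories in this way also avoids the weakness of a run-as wrapper, which has to hold a privileged credential somewhere on the workstation.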

A more elegant solution may be to write application wrappers that effectively run an application with higher permissions than the user has, as Bose has done. "We wrote a simple VB [Visual Basic] wrapper for an application that essentially creates a run-as environment for the application," said Bose's Gleason. "Instead of clicking directly on the link to the executable, they would click on this, which in turn calls [the application]."

Nelson Ramos, CIO and enterprise IT strategist at Sutter Health, said trade-offs between security and support staff resources must be considered carefully.

"On the one hand, it's almost like a Hollywood set—you create a degree of simplicity for the end user, but then on the back end, as far as IT is concerned, it creates another level of support and another knowledge set to build on, so we're trying to look at it from both sides," said Ramos in Mather, Calif.

Ramos said he reduces system lockdown complications by offering applications only on an as-needed basis. "[System lockdown] provides us with a means of installing a more basic desktop and then layering on applications as the user needs it," he said.

System lockdown is complex when dealing with internal users, but things get even trickier with remote users—especially the ones who rarely, if ever, are in the main office.

Remote users are the hardest to keep up-to-date, and they are also the most likely to introduce worms or other malware to the corporate network, as they typically reside outside corporate defenses.

Aerojet-General's Inks acknowledged that remote users put up considerable hurdles in the move to system lockdown.

"A lot of nonlocal people have to have software installed on their systems," Inks said. "We have to send them the stuff and have them install it, so they end up with admin privileges. It's not frequently an easy task to take care of the problem if [IT staffers] have no access to the desktop."

Advanced scan and quarantine solutions can help, as long as the products can both identify and install software automatically.

Many quarantine solutions on the market identify only threats or missing patches, leaving it up to the user to self-medicate. Unfortunately, this procedure is not sufficient for locked-down users, so these products will need to run locally with elevated privileges to update the necessary components.

Administrators may also consider creating dual log-in accounts for remote users—a regular user account that is preconfigured with all applications and necessary connections and an account with higher privileges for performing occasional system maintenance.

The latter option will require significant user retraining, however, and could be a support burden because the number of credentials each user must manage will increase somewhat.

The biggest challenge to implementing system lockdown in an organization may be cultural.

Most organizations have highly technical people on staff who will need a certain level of administrative access on the workstation to perform their jobs. Other organizations will need to face the fact that in locking down desktop access, they are removing privileges users are accustomed to having—and won't easily give up.

Administrators will therefore need to establish a procedure to identify and classify users who require elevated privileges. But administrators should not fall into the trap of thinking that Windows permissions need to fall neatly along the lines of Users, Power Users or Administrators. With the new flexibility of Group Policy in XP SP2, a wider variety of options is available.

"One [thing] we've struggled with is the need to give administrative rights if users need to install applications or to facilitate certain application functionality," said Bose's Gleason.

"So we've created an environment now where someone can be a local administrator but Group Policies are so restricted that all they can do is application installs, and they can't do any core administration on the machine."

Both Bose and Aetna Inc. require that users complete a needs-assessment form to determine the rights necessary to perform their jobs. Aetna also includes information about system lockdown and why it's important in its employee security training.

Corporate Partner Francine Siconolfi, Aetna senior project manager in Blue Bell, Pa., doesn't have the highest system privileges available but has a trouble-free desktop.

"There are different groups [at Aetna]—people doing R&D and product evaluation. They get local administrative rights where others don't," Siconolfi said.

"But, as far as viruses and spyware and spam and all that stuff go, I never have to worry about it. I get zero junk mail or anything on my computer that interferes with my regular workday. I see that as a major benefit."

Technical Analyst Andrew Garcia can be reached at andrew_garcia@ziffdavis.com.


Andrew cut his teeth as a systems administrator at the University of California, learning the ins and outs of server migration, Windows desktop management, Unix and Novell administration. After a tour of duty as a team leader for PC Magazine's Labs, Andrew turned to system integration - providing network, server, and desktop consulting services for small businesses throughout the Bay Area. With eWEEK Labs since 2003, Andrew concentrates on wireless networking technologies while moonlighting with Microsoft Windows, mobile devices and management, and unified communications. He produces product reviews, technology analysis and opinion pieces for eWEEK.com, eWEEK magazine, and the Labs' Release Notes blog. Follow Andrew on Twitter at andrewrgarcia, or reach him by email at agarcia@eweek.com.
