In the ongoing battle to fight internal and external threats on the corporate desktop, IT staffers may be forgetting one very potent weapon in their arsenal—system lockdown.
As corporate IT managers evaluate products and technologies designed to protect corporate Windows-based computers against the ever-present tide of spyware, worms and Trojans, they should also consider a more proactive solution—locking down end-user computers by restricting rights and permissions and, consequently, users ability to compromise their systems.
Malware comes in many forms, but, for the most part, malware strains are applications—albeit unwanted ones. While some malware may use operating system or application vulnerabilities to gain a foothold on a users computer, the vast majority of strains require some level of user interaction and acceptance.
Sonys root-kit/DRM (digital rights management) software—discovered, to many users horror, last month—needed administrative control over the local desktop to install, yet security researchers estimate that as many as a half-million networks are infected with this unwanted application.
Barring users from gaining administrative access—and thus restricting their ability to install such unwanted or malicious software—will automatically tighten security and will garner other benefits as well.
During a recent Web conference presenting Webroot Software Inc.s latest State of Spyware report, Richard Stiennon, Webroots vice president of threat research, postulated that the average administrator spends 2 hours trying to clean a spyware infection before reimaging the affected machine.
According to the report, 48 percent of enterprise computers play host to some form of adware, while 8 percent contain a security-threatening Trojan or system monitor. This all adds up to a large, and largely avoidable, waste of time for administrators attempting to recover from infections.
As made abundantly clear during a meeting of eWEEKs Corporate Partner Advisory Board, pressure to improve the security posture of the end-user computing environment comes from both external and internal sources.
Auditors checking for compliance with either governmental or industry-specific regulations may recommend locked-down end-user computers as a line of defense against intrusions.
Indeed, when asked what was driving his companys interest in system lockdown, Corporate Partner Sam Inks, director of IT at Aerojet-General Corp., in Gainesville, Va., said simply, "Sarbanes-Oxley."
IT staffs may also drive the initiative toward system lockdown in an effort to ease their support burden: Reducing the configuration variability of workstations will reduce the amount of testing that needs to be performed before rolling out a patch or application.
eWEEK Corporate Partner Frank Calabrese, manager of global desktop strategy and support at Bose Corp., said locking down systems has helped create efficiencies among his support staff.
"We set up [system lockdown many years ago] as a way of optimizing our support resources," said Calabrese, in Framingham, Mass. "It reaped quite a few anticipated and unanticipated results, including our ability to do patch management and software distribution easier and with more integrity because we know what our target looks like."
Fight for (fewer) rights
In its most basic form, system lockdown can be accomplished by changing a users membership in Windows built-in local groups.
Because many applications for Windows still require elevated privileges to work correctly, many organizations assign users local Administrator or Power User rights that also allow users to install software and configure the system as desired—actions that wouldnt be possible for those assigned to the rights-limited User group.
Any gains that an organization may realize by giving its users Administrator or Power User rights are quickly offset by problems, as these rights enable users to make what are often bad decisions.
eWEEK Labs performed a series of tests to gauge the differences in the severity of spyware infection among users with different local permissions.
Using fully patched Windows 2000 Professional and Windows XP Professional clients, we visited a series of less-than-savory Web sites in an effort to install various types of adware and spyware bundlers.
We performed the same tests on separate but identical virtual machines, varying only the users group membership—with users representing Administrators, Power Users and Users.
After attempting to install the various applications, we rebooted the client, logged in with an approved Administrator account and installed anti-spyware software.
Using this software, Sunbelt Software Inc.s CounterSpy 1.5, we scanned each system, totaling the number of threats found as well as the grand total of threat instances detected.
We found a vast degree of difference among the three user memberships. On our Windows 2000 Professional client with User permissions only, none of the malware installed completely and two threats actually warned that the user had insufficient privileges.
A third loaded a malicious process into memory, but the threat did not reappear after reboot. The Sunbelt scan performed after the reboot could find only a single threat, which consisted of one file in the browser cache.
The systems managed by Administrators were not nearly as fortunate: On the Windows 2000-based system, CounterSpy found 19 threats consisting of three memory processes, 503 files and 2,500 registry keys—all of which had installed.
Corporations thinking they have found middle ground with Power User mode will be sorely disappointed. In our tests, the Power User computer registered 19 threats (three memory processes, 503 files and 2,278 registry keys)—nearly identical results to what we found on the Administrators system.
Only one Layered Service Provider-based threat failed to install on the system with Power User rights.