In the ongoing battle to fight internal and external threats on the corporate desktop, IT staffers may be forgetting one very potent weapon in their arsenal—system lockdown.
As corporate IT managers evaluate products and technologies designed to protect corporate Windows-based computers against the ever-present tide of spyware, worms and Trojans, they should also consider a more proactive solution—locking down end-user computers by restricting rights and permissions and, consequently, users' ability to compromise their systems.
Malware comes in many forms, but, for the most part, malware strains are applications—albeit unwanted ones. While some malware may use operating system or application vulnerabilities to gain a foothold on a user's computer, the vast majority of strains require some level of user interaction and acceptance.
Sony's rootkit/DRM (digital rights management) software—discovered, to many users' horror, last month—needed administrative control over the local desktop to install, yet security researchers estimate that as many as a half-million networks are infected with this unwanted application.
Barring users from gaining administrative access—and thus restricting their ability to install such unwanted or malicious software—will automatically tighten security and will garner other benefits as well.
During a recent Web conference presenting Webroot Software Inc.'s latest State of Spyware report, Richard Stiennon, Webroot's vice president of threat research, postulated that the average administrator spends 2 hours trying to clean a spyware infection before reimaging the affected machine.
According to the report, 48 percent of enterprise computers play host to some form of adware, while 8 percent contain a security-threatening Trojan or system monitor. This all adds up to a large, and largely avoidable, waste of time for administrators attempting to recover from infections.
As made abundantly clear during a meeting of eWEEK's Corporate Partner Advisory Board, pressure to improve the security posture of the end-user computing environment comes from both external and internal sources.
Auditors checking for compliance with either governmental or industry-specific regulations may recommend locked-down end-user computers as a line of defense against intrusions.
Indeed, when asked what was driving his company's interest in system lockdown, Corporate Partner Sam Inks, director of IT at Aerojet-General Corp., in Gainesville, Va., said simply, “Sarbanes-Oxley.”
IT staffs may also drive the initiative toward system lockdown in an effort to ease their support burden: Reducing the configuration variability of workstations will reduce the amount of testing that needs to be performed before rolling out a patch or application.
eWEEK Corporate Partner Frank Calabrese, manager of global desktop strategy and support at Bose Corp., said locking down systems has helped create efficiencies among his support staff.
“We set up [system lockdown many years ago] as a way of optimizing our support resources,” said Calabrese, in Framingham, Mass. “It reaped quite a few anticipated and unanticipated results, including our ability to do patch management and software distribution easier and with more integrity because we know what our target looks like.”
Fight for (fewer) rights
In its most basic form, system lockdown can be accomplished by changing a user's membership in Windows' built-in local groups.
Because many applications for Windows still require elevated privileges to work correctly, many organizations assign users local Administrator or Power User rights that also allow users to install software and configure the system as desired—actions that wouldn't be possible for those assigned to the rights-limited User group.
Any gains that an organization may realize by giving its users Administrator or Power User rights are quickly offset by problems, as these rights enable users to make what are often bad decisions.
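Before moving users out of the privileged groups, an administrator needs to know who is in them. The following PowerShell script is an added example (not from the eWEEK article or any vendor's tooling) that reports accounts holding local Administrator or Power User rights on a workstation; it assumes Windows PowerShell 5.1+ with the Microsoft.PowerShell.LocalAccounts module in an elevated session, and the domain admin group name is a placeholder.

```powershell
# Added example, not from the article: find accounts holding local Administrator
# or Power User rights so they can be moved to the rights-limited Users group.
# Assumes Windows PowerShell 5.1+ (Microsoft.PowerShell.LocalAccounts module)
# running in an elevated session on the workstation being audited.
$groupsToAudit = 'Administrators', 'Power Users'

# Principals that are expected to keep elevated rights. The built-in local
# Administrator is matched by its RID (500) so a renamed account still matches.
# The domain admin group name is a placeholder for your own environment.
$allowedNames = @('CONTOSO\Domain Admins')   # placeholder

function Get-UnexpectedElevatedMembers {
    param([string[]]$Groups, [string[]]$Allowed)

    foreach ($group in $Groups) {
        # 'Power Users' is absent on some builds; skip it rather than fail.
        if (-not (Get-LocalGroup -Name $group -ErrorAction SilentlyContinue)) { continue }

        foreach ($member in Get-LocalGroupMember -Group $group) {
            $sid = $member.SID.Value
            $isBuiltInAdmin = $sid -like 'S-1-5-21-*-500'
            if ($isBuiltInAdmin -or ($Allowed -contains $member.Name)) { continue }

            [pscustomobject]@{
                Computer        = $env:COMPUTERNAME
                Group           = $group
                Member          = $member.Name
                ObjectClass     = $member.ObjectClass      # User or Group
                PrincipalSource = $member.PrincipalSource  # Local, ActiveDirectory, ...
                # Suggested fix, shown but not executed: review before removing.
                Remediation     = "Remove-LocalGroupMember -Group '$group' -Member '$($member.Name)'"
            }
        }
    }
}

$findings = Get-UnexpectedElevatedMembers -Groups $groupsToAudit -Allowed $allowedNames
if ($findings) {
    $findings | Format-Table -AutoSize
} else {
    "No unexpected members of: $($groupsToAudit -join ', ')"
}
```

Run it from a software-distribution or remote-management job to collect findings from every workstation before the removals are scheduled.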
eWEEK Labs performed a series of tests to gauge the differences in the severity of spyware infection among users with different local permissions.
Using fully patched Windows 2000 Professional and Windows XP Professional clients, we visited a series of less-than-savory Web sites in an effort to install various types of adware and spyware bundlers.
We performed the same tests on separate but identical virtual machines, varying only the user's group membership—with users representing Administrators, Power Users and Users.
After attempting to install the various applications, we rebooted the client, logged in with an approved Administrator account and installed anti-spyware software.
Using this software, Sunbelt Software Inc.'s CounterSpy 1.5, we scanned each system, totaling the number of threats found as well as the grand total of threat instances detected.
We found a vast degree of difference among the three user memberships. On our Windows 2000 Professional client with User permissions only, none of the malware installed completely and two threats actually warned that the user had insufficient privileges.
A third loaded a malicious process into memory, but the threat did not reappear after reboot. The Sunbelt scan performed after the reboot could find only a single threat, which consisted of one file in the browser cache.
The systems managed by Administrators were not nearly as fortunate: On the Windows 2000-based system, CounterSpy found 19 threats consisting of three memory processes, 503 files and 2,500 registry keys—all of which had installed.
Corporations thinking they have found middle ground with Power User mode will be sorely disappointed. In our tests, the Power User computer registered 19 threats (three memory processes, 503 files and 2,278 registry keys)—nearly identical results to what we found on the Administrators system.
Only one Layered Service Provider-based threat failed to install on the system with Power User rights.
Lockdown Takes a Team
Results were similar on machines running Windows XP Professional with Service Pack 2, although the pop-up blocker that comes with Internet Explorer did help thwart one pest.
Further lockdown may be accomplished through intelligent use of the Windows Group Policy capabilities, which can severely restrict a users ability to perform certain tasks.
The ability to enforce Group Policy Objects dates back to Windows 2000, but the granularity and variety of controls has been greatly enhanced for clients running Windows XP SP2.
Group Policy has always been an effective way to distribute software packages to targeted groups of users and computers, control password complexity, and limit access to certain applications and functions, but Windows XP SP2 brings even greater flexibility to control user behavior in IE.
With XP SP2, we could easily control ActiveX and Java functionality, limit downloads and control the integrated pop-up blocker—and then apply these rules to IE zones.
High-end audio manufacturer Bose has leveraged Group Policy to supplement user rights and help control what does and doesn't get loaded onto end-user systems.
“We disallow all downloads except from trusted sites,” said Dan Gleason, senior desktop architect for Bose. “We're also disallowing any Internet Explorer add-ons. We've now rolled approximately one-fifth of our population to XP, and we're not getting any reports of spyware on those machines at all.” Gleason added that Bose administrators waited for SP2 before rolling out Windows XP.
The biggest downside to Group Policy-based security is that an organization needs to be running AD (Active Directory) to really get it to work properly.
Group Policy Objects may be applied at several levels within an AD hierarchy—at the organizational unit, domain or site. However, for devices outside the domain (or for shops that don't run AD at all), policies may be enforced only at the local system (the end-user PC).
Unfortunately, applying Group Policy Objects at the local workstation is the least flexible way to manage group policy.
Companies looking to deploy Group Policy to computers without access to an AD environment should turn to third-party tools such as FullArmor Corp.'s GPAnywhere, which uses client agents to apply Group Policy Objects to local workstations in non-AD environments while maintaining different rights for different users.
Successfully locking down desktop computers across a large network requires that administrators provide a well-designed and highly functional software and patch delivery system that meets the needs of both internal and remote workstations.
Administrators who have relied on users to install their own patches and software must realize that this functionality will be strictly under IT control in a locked-down environment.
By the same token, when users want to download a necessary but noncertified application but do not have the rights to do so, IT must be prepared to do it for them.
As a result, IT staff time spent installing and updating applications may increase, but overall support time should decrease when taking into account all the time wasted manually eradicating malware.
Indeed, there are few users who won't have the need to perform some task outside the parameters of their locked-down workstations.
Noncertified programs that are nevertheless deemed necessary can be supported by performing test installation and operation to see what files and registry keys are modified during normal operation and then modifying the user's rights to those locations.
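To make the test-installation approach concrete, here is an added PowerShell example (not from the article, and not Bose's code) that grants a standard user Modify rights on one data folder and one registry key that an application was observed writing to, instead of adding the user to Administrators or Power Users. The account, folder and key are placeholders for what the test installation would reveal; run it in an elevated session.

```powershell
# Added example, not from the article: scope rights to the locations a
# noncertified application actually writes to, instead of granting the user
# Administrator or Power User membership. Account, folder and registry key are
# placeholders for what a test installation showed. Run in an elevated session.
$account = 'CONTOSO\jdoe'                         # placeholder standard user
$folder  = 'C:\Program Files\ExampleApp\Data'     # placeholder: data dir only
$regKey  = 'HKLM:\SOFTWARE\ExampleApp'            # placeholder: app's own key

function Grant-ScopedAppRights {
    param([string]$Account, [string]$Folder, [string]$RegistryKey)

    # Modify (not FullControl): the user can read/write/delete content but
    # cannot change permissions or take ownership. Inheritance flags make the
    # rule apply to files and subfolders. Keep it off the folder holding the
    # executables so the user cannot replace binaries that run for others.
    $acl  = Get-Acl -Path $Folder
    $rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
        $Account,
        [System.Security.AccessControl.FileSystemRights]::Modify,
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Folder -AclObject $acl

    # Registry: only the rights the application needs under its own key;
    # no ChangePermissions, and nothing above this key.
    $regAcl  = Get-Acl -Path $RegistryKey
    $regRule = [System.Security.AccessControl.RegistryAccessRule]::new(
        $Account,
        [System.Security.AccessControl.RegistryRights]'ReadKey, SetValue, CreateSubKey, Delete',
        [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)
    $regAcl.AddAccessRule($regRule)
    Set-Acl -Path $RegistryKey -AclObject $regAcl

    # Return the resulting entries for the user, for review and record keeping.
    [pscustomobject]@{
        Folder   = (Get-Acl -Path $Folder).Access      | Where-Object { $_.IdentityReference.Value -eq $Account }
        Registry = (Get-Acl -Path $RegistryKey).Access | Where-Object { $_.IdentityReference.Value -eq $Account }
    }
}

Grant-ScopedAppRights -Account $account -Folder $folder -RegistryKey $regKey
```

Record the returned entries with the application's certification paperwork so the exceptions remain auditable.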
A more elegant solution may be to write application wrappers that effectively run an application with higher permissions than the user has, as Bose has done.
“We wrote a simple VB [Visual Basic] wrapper for an application that essentially creates a run-as environment for the application,” said Bose's Gleason. “Instead of clicking directly on the link to the executable, they would click on this, which in turn calls [the application].”
Nelson Ramos, CIO and enterprise IT strategist at Sutter Health, said trade-offs between security and support staff resources must be considered carefully.
“On the one hand, it's almost like a Hollywood set—you create a degree of simplicity for the end user, but then on the back end, as far as IT is concerned, it creates another level of support and another knowledge set to build on, so we're trying to look at it from both sides,” said Ramos in Mather, Calif.
Ramos said he reduces system lockdown complications by offering applications only on an as-needed basis. “[System lockdown] provides us with a means of installing a more basic desktop and then layering on applications as the user needs it,” he said.
System lockdown is complex when dealing with internal users, but things get even trickier with remote users—especially the ones who rarely, if ever, are in the main office.
Remote users are the hardest to keep up-to-date, and they are also the most likely to introduce worms or other malware to the corporate network, as they typically reside outside corporate defenses.
Aerojet-General's Inks acknowledged that remote users put up considerable hurdles in the move to system lockdown.
“A lot of nonlocal people have to have software installed on their systems,” Inks said. “We have to send them the stuff and have them install it, so they end up with admin privileges. It's not frequently an easy task to take care of the problem if [IT staffers] have no access to the desktop.”
Advanced scan and quarantine solutions can help, as long as the products can both identify and install software automatically.
Many quarantine solutions on the market identify only threats or missing patches, leaving it up to the user to self-medicate. Unfortunately, this procedure is not sufficient for locked-down users, so these products will need to run locally with elevated privileges to update the necessary components.
Administrators may also consider creating dual log-in accounts for remote users—a regular user account that is preconfigured with all applications and necessary connections and an account with higher privileges for performing occasional system maintenance.
The latter option will require significant user retraining, however, and could be a support burden because the number of credentials each user must manage will increase.
The biggest challenge to implementing system lockdown in an organization may be cultural.
Most organizations have highly technical people on staff who will need a certain level of administrative access on the workstation to perform their jobs. Other organizations will need to face the fact that in locking down desktop access, they are removing privileges users are accustomed to having—and won't easily give up.
Administrators will therefore need to establish a procedure to identify and classify users who require elevated privileges.
But administrators should not fall into the trap of thinking that Windows permissions need to fall neatly along the lines of Users, Power Users or Administrators. With the new flexibility of Group Policy in XP SP2, a wider variety of options is available.
“One [thing] we've struggled with is the need to give administrative rights if users need to install applications or to facilitate certain application functionality,” said Bose's Gleason.
“So weve created an environment now where someone can be a local administrator but Group Policies are so restricted that all they can do is application installs, and they cant do any core administration on the machine.”
Both Bose and Aetna Inc. require that users complete a needs-assessment form to determine the rights necessary to perform their jobs. Aetna also includes information about system lockdown and why it's important in its employee security training.
Corporate Partner Francine Siconolfi, Aetna senior project manager in Blue Bell, Pa., doesn't have the highest system privileges available but has a trouble-free desktop.
“There are different groups [at Aetna]—people doing R&D and product evaluation. They get local administrative rights where others dont,” Siconolfi said.
“But, as far as viruses and spyware and spam and all that stuff go, I never have to worry about it. I get zero junk mail or anything on my computer that interferes with my regular workday. I see that as a major benefit.”
Technical Analyst Andrew Garcia can be reached at firstname.lastname@example.org.