Viewfinity Takes the Pain out of Privilege Management

Review: Managing user privileges is one of the first steps in securing desktops from unauthorized use. However, privilege management can be a complex and difficult process. Viewfinity removes much of that complexity and should be useful for regulatory compliance.

By: Frank Ohlhorst dnu

Data breaches have become a common occurrence, especially for organizations that give unfettered access rights to end users. What's more, data leakage has become a growing problem across enterprises. Although some breaches are intentional, most fall under the realm of mistakes made by end users. However, those breaches all share a common denominator-the endpoint (desktop PC, laptop, thin client)-and are often very easy to prevent; all it takes is a little bit of control and a dose of common sense.

Version 3.0 of Viewfinity's privilege management suite bolsters administrators' ability to control user privileges on corporate desktops, helping to eliminate one of the biggest security holes on today's enterprise networks: risky activities on corporate desktops that occur inside the firewall. Viewfinity is a suite of integrated management tools that simplify the processes involved in privilege management, enabling administrators to more effectively protect PCs from unauthorized use and providing granular control over who can do what on servers and endpoints across the enterprise.

In the past, administrators looking to lock down PCs and servers had to rely on complex, difficult-to-audit schemes that used policies driven by a directory service, such as Microsoft's Active Directory. That approach involved the creation of granular policies using native operating system tools that proved tedious at best, unenforceable at worst.

I took Viewfinity through its paces to see if the product offers real value to the corporate IT security manager and I was not disappointed. Viewfinity offers all of the key elements that are needed to successfully control privileges across endpoints on a network. A resilient client completes the picture and keeps the management console up-to-date on inventory issues and access events. For administrators using Active Directory, better integration with directory services would be a worthwhile improvement; however, tight integration could make Viewfinity less usable in other network environments, such as Linux, Unix and Solaris implementations.

Viewfinity in the lab

For my tests, I used a Windows Server 2008 R2-based network that consisted of three servers connected to eight Windows workstations (two running Windows XP Service Pack 3, three running Windows Vista Business and three running Windows 7 Ultimate 64-Bit), using a Netgear ProSafe FSM7226RS managed switch, with Internet connectivity provided by a Cisco Systems (Linksys) broadband VPN router.

Viewfinity uses a client/server approach to policy distribution and control. The Viewfinity operations and management engine runs on a central server, while managed endpoints use a small client application to communicate with the server and receive policy updates to control privileges.

In practice, administrators will define policies using wizards on the Viewfinity management console and then assign those policies to users, groups or other organizational units. The policies are then distributed based upon the administrator's selections and pushed down to each client device, where the Viewfinity agent handles enforcement and auditing of the policies. That process brings several questions to mind, namely how difficult it is to accomplish the process and how effective the process is at securing an endpoint.