By: Frank Ohlhorst
Data breaches have become a common occurrence, especially for organizations that give unfettered access rights to end users. What’s more, data leakage has become a growing problem across enterprises. Although some breaches are intentional, most fall under the realm of mistakes made by end users. However, those breaches all share a common denominator, the endpoint (desktop PC, laptop, thin client), and are often very easy to prevent; all it takes is a little bit of control and a dose of common sense.
Version 3.0 of Viewfinity’s privilege management suite bolsters administrators’ ability to control user privileges on corporate desktops, helping to eliminate one of the biggest security holes on today’s enterprise networks: risky activities on corporate desktops that occur inside the firewall. Viewfinity is a suite of integrated management tools that simplify the processes involved in privilege management, enabling administrators to more effectively protect PCs from unauthorized use and providing granular control over who can do what on servers and endpoints across the enterprise.
In the past, administrators looking to lock down PCs and servers had to rely on complex, difficult-to-audit schemes that used policies driven by a directory service, such as Microsoft’s Active Directory. That approach involved the creation of granular policies using native operating system tools that proved tedious at best, unenforceable at worst.
I took Viewfinity through its paces to see if the product offers real value to the corporate IT security manager and I was not disappointed. Viewfinity offers all of the key elements that are needed to successfully control privileges across endpoints on a network. A resilient client completes the picture and keeps the management console up-to-date on inventory issues and access events. For administrators using Active Directory, better integration with directory services would be a worthwhile improvement; however, tight integration could make Viewfinity less usable in other network environments, such as Linux, Unix and Solaris implementations.
Viewfinity in the lab
For my tests, I used a Windows Server 2008 R2-based network that consisted of three servers connected to eight Windows workstations (two running Windows XP Service Pack 3, three running Windows Vista Business and three running Windows 7 Ultimate 64-Bit), using a Netgear ProSafe FSM7226RS managed switch, with Internet connectivity provided by a Cisco Systems (Linksys) broadband VPN router.
Viewfinity uses a client/server approach to policy distribution and control. The Viewfinity operations and management engine runs on a central server, while managed endpoints use a small client application to communicate with the server and receive policy updates to control privileges.
In practice, administrators will define policies using wizards on the Viewfinity management console and then assign those policies to users, groups or other organizational units. The policies are then distributed based upon the administrator’s selections and pushed down to each client device, where the Viewfinity agent handles enforcement and auditing of the policies. That process brings several questions to mind, namely how difficult it is to accomplish the process and how effective the process is at securing an endpoint.
Testing Viewfinity
I found that Viewfinity offers an easy-to-use, Web-based management console, which is laid out in dashboard fashion. Here, it was pretty easy to determine what to do. For example, if I wanted to control administrative privileges for a group of PCs or users, I could simply select from the “Policies” menu and then select “Create policy,” which would offer me some choices, such as “Elevate privileges,” “Application policy” or “Computer policy.” With “Elevate privileges” I was presented with choices from which to create rules for the privilege set, such as “Run application with administrative privileges” or “Permit ActiveX control installation,” and so on.
The rule selection can get very granular, allowing administrators to fine-tune access and control policies. Administrators also have the option of creating policies based upon specific applications or specific computers. Application policies that control privileges can be very useful. Take, for example, a situation that requires an application to have access to certain low-level OS functions. Let’s say it is an application that uses an ActiveX control. Normally, you may want to lock down access to that control to prevent a breach. With Viewfinity, you can grant temporary privileges to the application, allowing access to the normally locked-down ActiveX control, so the application can function properly, while the level of security remains high.
That granularity fits well with the preferred security concept of locking everything down and only allowing access to what is required. Viewfinity offers a plethora of policy controls that can be combined, grouped and assigned in multiple fashions. That level of flexibility allows administrators to create complex policies that span several administrative privileges on a PC. That bodes well for those trying to meet regulatory compliance requirements, such as HIPAA (Health Insurance Portability and Accountability Act), FDCC, PCI or the Sarbanes-Oxley Act, which encompass access controls and the control of sensitive information.
Ideally, an administrator can fully lock down a PC or server and create policies that allow users to accomplish tasks that relate directly to their business functions, eliminating possible breaches. However, most administrators have eschewed the complete lockdown approach in favor of leaving everything open and closing down access to critical functions or applications. Why? Simply because it is much easier to use that approach and avoid the complexity of OS native policy creation utilities. For administrators, leaving things open may be easier, but it is an invitation to a security breach. Therein lies the biggest value of Viewfinity, which offers an effective methodology for locking down PCs and servers, without creating an administrative nightmare.
Of course, there is a lot more to privilege management than policy creation; there are also enforcement, auditing and asset management elements. Viewfinity addresses each of those in a unique fashion. First and foremost is enforcement. Viewfinity relies on an installed client application to handle enforcement, a methodology that creates some questions, such as whether that client application can be disabled or tricked. Viewfinity has designed its client application to run persistently and prevent anyone lacking full administrative privileges from making any changes to the client.
Viewfinity also offers comprehensive audit reporting, which lets administrators create full audit reports identifying who has what privileges. Auditing goes one step further to record activity, access attempts and dependencies required by applications and processes.
Viewfinity further simplifies management with a comprehensive inventory component, which automatically discovers attached systems and inventories the operating systems, applications, settings and most other elements associated with a PC or server. That information is used to populate many of the policy definition tables, so that administrators are always working with the latest software environment on a subject system. Inventory information is also used to populate reports, define relationships and track changes, allowing Viewfinity to fit into a change management solution for managed PCs and servers on the network.