Best Practices for PC Lockdown and Control Policies
Endpoint lockdown is not a new practice. There are a number of advantages when endpoints are locked down so that end users do not have full administrative access on their systems. In general, a more locked-down environment has fewer changes and less variation from a known good configuration. This secures the desktop, which in turn leaves the company less vulnerable to malware, viruses and similar threats. Yet a completely locked-down environment may lower productivity and shift the types of IT support calls coming into the help desk. An organization may go from dealing with virus attacks to an increase in incidental calls related to printer installation requests and other tasks requiring administrator rights.
Non-administrative users are more limited in their ability to install applications. Fewer end-user-installed applications result in fewer application compatibility issues and better system reliability. Application instability and application conflicts generate a large number of support requests. Fewer unauthorized applications result in fewer support incidents, which leads to a lower TCO.
When the end user does not have administrative access to the system, programs that end users run are less likely to be able to modify system configuration settings or expose sensitive information that may be available on the endpoint.
There are a number of use cases where organizations may want end users to be able to perform operations that generally require administrative level access to the system.
For example, organizations may want to allow users to install certain ActiveX controls. Organizations may want to allow anyone to be able to install and configure new printers on a system. A traveling user may want to be able to install certain applications without having to be connected to the corporate network. Mobile remote users may need to perform certain system level tasks on their own. Certain applications may need to run with elevated rights to be able to function as expected.
In all of these cases, a privilege management system adds value. A privilege management system balances the rigidity of locking down systems with the realities of user customization needs on the endpoint. It helps ensure that the right applications run with the proper privilege levels, and provides the system administrator with the validation to ensure that endpoints match an approved configuration standard.
Microsoft provides many functions via Group Policy and Active Directory, such as the ability to lock down desktops, hide certain desktop settings, apply password policies and more. However, once the desktop is locked down, Active Directory does not support elevation of privileges for specific applications and processes.
Additionally, Group Policy can be applied only to computers that are members of an Active Directory domain. Group Policy delivery depends directly on the Active Directory replication topology. Therefore, propagating policies to computers that are not part of the domain, or are not connected to the corporate network, is difficult. In some organizations this might take a significant amount of time depending on the geographical distribution of the Active Directory infrastructure and users.
For granular management of administrator permissions, such as the ability to install ActiveX controls or run/install restricted applications, and for automated policy propagation that does not depend on Active Directory, third-party products should be considered.
In order to operate in least-privilege mode while supporting the productivity needs of end users, an effective privilege management system should incorporate a number of features, including:
- Support for mobile and remote users
- Granular-level control of privileges and policies
- Application whitelisting/blacklisting
- Policy auditing, validation and reporting
- Support for compliance initiatives such as FDCC, HIPAA and PCI
- Integration with the PC Lifecycle Management (PCLM) platform
Remote and mobile users are a significant percentage of the user base in many organizations. Many endpoints may go for long periods of time without connecting “inside the firewall.” The privilege management policies need to work independently of the computer's connection state to the corporate network or Active Directory. An endpoint associated with a remote user may not even be a member of the Active Directory domain.
The system should cache the appropriate privilege management policies when the computer is able to connect to the privilege management policy server and then continually ensure that those policies are enforced at all times, regardless of connectivity status. Feedback from the endpoint should be queued up and then sent to the policy server when the endpoint is able to reconnect.
A policy server that is accessible anytime the endpoint is connected to the Internet provides better support for mobile users than requiring a system to establish a VPN connection. The ability to propagate a policy on-the-fly and have that policy take effect immediately as soon as an internet connection is established (no rebooting) is extremely powerful and offers instant reassurance that the endpoint is protected.
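The cache-and-queue behaviour described above, as an added illustration (not code from this article or from any product): an endpoint agent fetches policy when the server is reachable, keeps enforcing the last cached version while disconnected, never elevates when it has no policy at all, and queues its audit events until the next successful connection. `PolicyServer` is a constructed in-memory stand-in for a real policy server; the executable names and policy versions are sample values.

```python
"""Endpoint agent sketch: cache policy, enforce offline, queue feedback.
Added illustration only; PolicyServer is a constructed stand-in."""
from collections import deque


class PolicyServer:
    """Constructed stand-in; `online` simulates Internet reachability."""

    def __init__(self, policy):
        self.policy = dict(policy)
        self.online = True
        self.received = []          # audit events the server has accepted

    def publish(self, policy):
        """Administrator pushes a new policy version."""
        self.policy = dict(policy)

    def fetch(self):
        if not self.online:
            raise ConnectionError("policy server unreachable")
        return dict(self.policy)

    def report(self, events):
        if not self.online:
            raise ConnectionError("policy server unreachable")
        self.received.extend(events)


class EndpointAgent:
    def __init__(self, server):
        self.server = server
        self.cached = None          # last policy successfully fetched
        self.queue = deque()        # audit events awaiting delivery

    def sync(self):
        """Refresh the cache and flush the queue; True when the server was reached."""
        try:
            fresh = self.server.fetch()
        except ConnectionError:
            return False            # stay on the cached policy
        if self.cached is None or fresh["version"] > self.cached["version"]:
            self.cached = fresh     # new policy takes effect immediately, no reboot
        self.flush()
        return True

    def flush(self):
        """Best-effort delivery of queued events; they stay queued if offline."""
        if not self.queue:
            return True
        try:
            self.server.report(list(self.queue))
        except ConnectionError:
            return False
        self.queue.clear()
        return True

    def decide(self, exe):
        """Enforce from cache; with no cache at all, never elevate (fail closed)."""
        if self.cached is None:
            outcome = "standard"
        elif exe in self.cached.get("deny", []):
            outcome = "deny"
        elif exe in self.cached.get("elevate", []):
            outcome = "elevate"
        else:
            outcome = "standard"
        version = None if self.cached is None else self.cached["version"]
        self.queue.append({"exe": exe, "outcome": outcome, "policy_version": version})
        self.flush()
        return outcome


def scenario():
    """Walk through: first contact -> disconnect -> policy change -> reconnect."""
    server = PolicyServer({"version": 1, "elevate": ["printui.exe"], "deny": ["p2pclient.exe"]})
    agent = EndpointAgent(server)
    log = []
    log.append(("no-cache", agent.decide("printui.exe")))        # nothing cached yet
    agent.sync()
    log.append(("online", agent.decide("printui.exe")))          # v1 allows elevation
    server.online = False
    server.publish({"version": 2, "elevate": ["printui.exe", "devmgr.exe"],
                    "deny": ["p2pclient.exe"]})
    agent.sync()                                                 # fails; cache keeps v1
    log.append(("offline-old", agent.decide("devmgr.exe")))      # v2 not seen yet
    log.append(("offline-deny", agent.decide("p2pclient.exe")))  # v1 deny still enforced
    queued_while_offline = len(agent.queue)
    server.online = True
    agent.sync()                                                 # picks up v2, flushes queue
    log.append(("reconnected", agent.decide("devmgr.exe")))
    return {"log": log, "queued_while_offline": queued_while_offline,
            "delivered": len(server.received), "still_queued": len(agent.queue)}


if __name__ == "__main__":
    print(scenario())
```

The fail-closed choice in `decide` matters: an agent that has never reached the policy server must behave like a plain locked-down desktop rather than granting any elevation, and the queued events carry the policy version that produced each decision so that the central audit trail can later confirm which policy was actually active on the endpoint.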
There are a wide variety of functions where the system administrator may want to enable the end user to make changes. For example, administrative rights may be granted to a specific application but not to its child processes. ActiveX controls from specific signed authorities may be allowed to install without requiring the browser to run in an administrative context. Non-administrative users may be granted the privilege to install printers or to run some set of Windows utilities, such as managing the system time or adding certain types of new devices.
Each of these granular capabilities should be applicable to distinct sets of systems based upon the PCLM configuration data. The ability to configure multi-dimensional policies based upon any combination of groupings, such as applications, departments, Active Directory users/groups, connectivity status, time of day, and more, provides the level of granular control needed.
There are many harmful applications that can be installed even without administrator rights. There should be a method to manage privileges for such applications, such as the ability to configure a "white list only" model so that only approved software can be installed and/or executed. The ability to block specific applications offers an added layer of control.
Centralized reports provide the system administrator with the feedback to audit how the privilege management policies are being applied across the enterprise. For example, reports can highlight how often application privilege levels must be adjusted and how often blacklisted applications are blocked from running. Reports can help system administrators verify that systems meet a defined configuration standard for regulatory compliance.
A good privilege management solution is equipped to provide detailed reporting on all administrator privilege policies, including an audit trail report that confirms that a policy has been delivered and activated on endpoint devices. This includes validation of policy delivery to mobile and remote users, to a single computer or a group of computers, and/or for a specific application.
If the privilege management capabilities are integrated with your PCLM system, the additional configuration data that is in the PCLM system is used to help filter and scope the analysis of the privilege management reports.
There are various best practices associated with regulatory compliance that can best be met if the end users do not have local administrative control. As outlined above, the privilege management system enables the system administrator to lock down the system, as mandated, while still supporting end user productivity by providing granular control. Coupled with the ability to audit and validate delivery and activation of policies, this lets the IT administrator ensure that applications and systems adhere to compliance mandates.
PCLM products gather inventory data such as the physical hardware that is on the device and software applications that are installed. Various operating system settings are collected. Contextual information such as the physical location of the device and links to information in a directory are also typically gathered. Many companies extend the configuration system with information about the cost center, department, and other logical descriptions of the system.
The details that are known about the device in the PCLM configuration database provide the context with which the system administrator can define appropriate privilege management policies. The scoping of privilege management policies is more efficient when it leverages PCLM configuration data for creating the machine and user groups to which the policies are targeted. For example, computer groups can be defined that include all systems that belong to a specific location or business unit, and the system administrator can apply privilege management policies based upon that context.
Another way to leverage the PCLM configuration database is to apply privilege management policies to applications based upon the information known about those applications. For example, applications that are known to have been installed from the PCLM system can be granted a higher privilege level than those applications that are not known in the PCLM configuration database. The knowledge of which applications are approved from the configuration database can also be used to help enforce whitelist and blacklist policies.
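The scoping model described in this section and in the granular-control section above (rules selected by application, department, location, directory group, connectivity status and time of day; elevation that does not carry to child processes unless explicitly allowed; and a whitelist-only default that is driven by what the PCLM inventory knows), as an added example that is not code from this article or from any product. The rule names, executables and the inventory extract are constructed samples, and the precedence order (explicit deny, then whitelist check, then elevation) is an assumption of this illustration.

```python
"""Added illustration: multi-dimensional privilege rules with PCLM-aware
defaults. Rule names, executables and inventory are constructed samples."""
from dataclasses import dataclass
from datetime import time
from typing import Optional, Tuple


@dataclass
class Context:
    """What the endpoint knows about a launch request at decision time."""
    exe: str
    user: str
    ad_groups: frozenset
    department: str
    location: str
    connected: bool                     # on the corporate network right now?
    now: time                           # local wall-clock time
    parent_rule: Optional[str] = None   # rule that elevated the parent process, if any


@dataclass
class Rule:
    """One scoped rule; an empty selector means 'any'."""
    name: str
    action: str                         # "elevate" or "deny"
    apps: frozenset = frozenset()
    departments: frozenset = frozenset()
    locations: frozenset = frozenset()
    ad_groups: frozenset = frozenset()
    connected: Optional[bool] = None
    hours: Optional[Tuple[time, time]] = None
    children_inherit: bool = False      # do child processes keep the elevation?
    require_pclm: bool = True           # elevate only software PCLM itself installed

    def matches(self, ctx: Context) -> bool:
        if self.apps and ctx.exe.lower() not in self.apps:
            return False
        if self.departments and ctx.department not in self.departments:
            return False
        if self.locations and ctx.location not in self.locations:
            return False
        if self.ad_groups and not (self.ad_groups & ctx.ad_groups):
            return False
        if self.connected is not None and ctx.connected != self.connected:
            return False
        if self.hours and not (self.hours[0] <= ctx.now <= self.hours[1]):
            return False
        return True


class PolicyEngine:
    def __init__(self, rules, inventory, whitelist_only=True):
        self.rules = list(rules)
        self.by_name = {r.name: r for r in self.rules}
        self.inventory = {k.lower(): v for k, v in inventory.items()}
        self.whitelist_only = whitelist_only

    def decide(self, ctx: Context) -> Tuple[str, str]:
        """Return (outcome, reason); outcome is deny / standard / elevate."""
        hits = [r for r in self.rules if r.matches(ctx)]
        deny = next((r for r in hits if r.action == "deny"), None)
        if deny:                                        # blacklist always wins
            return ("deny", deny.name)
        record = self.inventory.get(ctx.exe.lower())
        if record is None and self.whitelist_only:       # unknown to PCLM: block
            return ("deny", "not-in-inventory")
        elevate = next((r for r in hits if r.action == "elevate"), None)
        if elevate is None and ctx.parent_rule:          # inherit only if the parent rule says so
            parent = self.by_name.get(ctx.parent_rule)
            if parent is not None and parent.children_inherit:
                elevate = parent
        if elevate is None:
            return ("standard", "no-matching-rule")
        if elevate.require_pclm and not (record or {}).get("installed_by_pclm", False):
            return ("standard", f"{elevate.name}:not-pclm-installed")   # known, but not PCLM-deployed
        return ("elevate", elevate.name)


INVENTORY = {                           # constructed PCLM inventory extract
    "printui.exe": {"installed_by_pclm": True},
    "devtool.exe": {"installed_by_pclm": True},
    "legacytool.exe": {"installed_by_pclm": False},   # seen on endpoints, not deployed by PCLM
    "setup.exe": {"installed_by_pclm": True},
    "msiexec.exe": {"installed_by_pclm": True},
}
RULES = [                               # constructed sample rules
    Rule("block-p2p", "deny", apps=frozenset({"p2pclient.exe"})),
    Rule("printer-install", "elevate", apps=frozenset({"printui.exe"})),
    Rule("dev-tools", "elevate", apps=frozenset({"devtool.exe", "legacytool.exe"}),
         departments=frozenset({"engineering"}), connected=True, hours=(time(7), time(19))),
    Rule("vendor-setup", "elevate", apps=frozenset({"setup.exe"}),
         ad_groups=frozenset({"Desktop-Admins"}), children_inherit=True),
]
ENGINE = PolicyEngine(RULES, INVENTORY)


def engineer(exe, **overrides):
    """Helper: a connected engineering user at HQ at 10:00, with overrides."""
    base = dict(exe=exe, user="alice", ad_groups=frozenset({"Engineering"}),
                department="engineering", location="HQ", connected=True, now=time(10, 0))
    base.update(overrides)
    return Context(**base)


if __name__ == "__main__":
    for exe in ("devtool.exe", "legacytool.exe", "printui.exe", "p2pclient.exe", "unknown.exe"):
        print(exe, ENGINE.decide(engineer(exe)))
```

Deny rules are evaluated before anything else so that a blacklisted application stays blocked even when some elevation rule or an elevated parent process would otherwise match it, and `require_pclm` is what turns the inventory into a privilege tier: an application the PCLM system deployed can be elevated, one merely observed on endpoints runs with standard rights, and one the inventory has never seen is blocked outright in whitelist-only mode.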
While operating a locked-down, least-privilege environment certainly secures your environment, managing privileges well also has a measurable and tangible effect by reducing calls coming into the support or help desk center. Rather than blindly moving forward with an all-or-nothing lockdown methodology, IT administrators need a flexible approach for controlling their corporate desktop and laptop environment. With tighter, yet flexible, control over the types of applications and privileges your distributed workforce is allowed, your desktop environment becomes more stable. With enhanced control over your environment, the number of end user support calls to the help desk is reduced, not simply shifted from one type of call to another.
Dwain Kinghorn
Partner at SageCreek Partners
Dwain’s focus is to help companies align their product portfolio with their go to market and business requirements. Prior to SageCreek Partners, Dwain was Vice President at Symantec Corporation and was in charge of the collaboration architecture to ensure multiple Symantec products work together. He was instrumental in the successful adoption of the Altiris platform at Symantec.
Dwain served as the CTO at Altiris from 2000 through the Symantec acquisition in 2007 and oversaw a development team that grew to over 500 people and an engineering budget in excess of $50M. Dwain knows how to work with diverse teams across the world. He has a strong background in how to manage teams that consist of both employees and outsourced resources across the world. His leadership of the product teams was instrumental in Altiris’ products receiving a large number of industry awards.
Dwain was instrumental in evaluating acquisition targets and has had a key role in the M&A process for many transactions. Dwain is a successful entrepreneur having started Computing Edge in 1994. Each year for 6 years Computing Edge experienced greater than 40% growth and each year the operation was profitable. Computing Edge was the recognized leader in solutions that extended Microsoft’s management platform.
Prior to Computing Edge, Dwain worked at Microsoft in the Operating System division. Dwain graduated summa cum laude with a degree in Electrical and Computer Engineering.