Empowering Users

Preventing users from making unwanted desktop changes without restricting them from performing their job function continues to pose serious challenges for almost all organizations. Striking a balance between providing users with a degree of control over their desktop configuration and protecting the standard desktop build is difficult, as this control often results in granting admin rights to a user.

Once granted, admin rights give a user control over every aspect of their desktop configuration, a scenario that does not sit well within a corporate environment. Running users with admin rights also carries a greater threat from malware, as payloads are almost always more destructive under a privileged account. The increase in the deployment of laptops only adds to this problem, as laptop users often require an even greater degree of freedom than users with desktops.

The inability of most operating systems to provide the granular control necessary to restrict administrative rights to particular applications is the fundamental barrier to most organizations adopting a least privilege approach, as a user must be granted the rights necessary to perform all of their tasks. Most organizations are forced to place user accounts into the local Administrators group in order to grant users the ability to perform their daily activities. Once this is configured, the IT department has given the end user complete and ultimate control over the desktop.

Request our complimentary whitepaper "Applying the Principle of Least Privilege to Windows 7" by Mark Austin – click here.

Achieving Compliance

The need to adhere to Industry and Government regulatory mandates, such as PCI DSS, FDDC and Government Connect in the UK, are becoming more widespread. Organizations are increasingly being asked to provide IT audit information on privileged activity, to prevent security breaches and implement greater control over users with access to sensitive data.

Payment Card Industry Data Security Standard (PCI DSS) v 1.2

The PCI DSS is a multifaceted security standard that includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures. This comprehensive standard is intended to help organizations proactively protect customer account data.

Federal Desktop Core Configuration (FDCC)

The FDCC, an OMB (U.S. Office of Management and Budget) mandate, requires that all Federal Agencies standardize the configuration of approximately 300 settings on each of their Windows XP and Vista Computer. The reason for this standardization is to strengthen Federal IT security by reducing opportunities for hackers to access and exploit government computer systems.

Government Connect (United Kingdom)

Government Connect is a pan-government programme providing an accredited and secure network between central government and every local authority in England and Wales. The Government Connect Secure Extranet (GCSX) is part of the wider Government Secure Intranet (GSi). It provides connectivity to the majority of central departments as well as many other public sector organisations, such as the NHS and police, and accredited commercial organisations. Scottish local authorities are connected to this trusted communications infrastructure via the Government Secure Extranet (GSX).

Sarbanes Oxley (SOX)

The Sarbanes-Oxley Act (SOX) is also known as Public Company Accounting Reform and Investor Protection Act is a US Federal law passed in 2002. The legislation is wide ranging and establishes new or enhanced standards for all U.S. public company boards, management, and public accounting firms. To comply with the Sarbanes-Oxley Act, it is expected from the public companies to ensure that the electronic records and systems used by these public companies provide sufficient security in light of potential risk of frauds. Under the compliance of SOX, the majority of internal procedures that have financial imapct have to be verified by internal and external auditors as applicable.

Health Insurance Portability and Accountability Act (HIPAA)

HIPAA provides national standards to protect the privacy of personal health information. The U.S. Congress enacted HIPPA of 1996, Public Law 104-191 to improve the efficiency and effectiveness of the health care system, this included "Administrative Simplification" provisions that required HHS to adopt national standards for electronic health care transactions. Congress incorporated into HIPAA provisions that mandated the adoption of Federal privacy protections for individually identifiable health information.

Request our complimentary whitepaper 'Regulatory Compliance and Least Privilege Security' by Windows Security Expert – Rusell Smith – click here.

Improving Security with Group Policy

Group Policy is the proven way to secure nearly every aspect of a Windows environment, and Microsoft now provides over 5000 Group Policy settings.

Microsoft provides a number of security tools that help organizations deploy security settings to their desktops and servers. Many of these tools are available in the operating system and interface with Group Policy at some level. Using Active Directory Group Policy to secure the desktops brings a number of benefits, including hierarchical management, a strong security model that includes delegated administration, built-in replication, stability and scalability.

Although Group Policy covers many aspects of security, it does not provide policy settings to tackle the implementation of least privilege. This limitation is addressed by Avecto, who have developed Privilege Guard, a policy based approach to application control and privilege management. Privilege Guard is implemented as a Group Policy extension, leveraging all of the benefits provided by Group Policy.

For a more in-depth outline on how to improve security with Group Policy, request our complimentary whitepaper 'Implementing Windows Security with Group Policy' by Derek Melber MCSE, MVP – click here.