Privilege Access Management

It is in the Security 101 manual that end users (no matter who they are) should not have admin rights on their workstations.  Certain users may be allocated an administrative account for their workstation, but this account must not have internet access or an associated email account and must not be used for normal day to day tasks.  However, in general this is not a recommended approach and also has its share of problems.

The reason for this is simple, admin rights enable applications and processes to execute in the context of a privileged user which in essence means code can get installed or access the system at a low level, in many cases without the user knowing.  Removing admin rights on a Windows workstation will immediately thwart somewhere in the region of 80% of current threats.  It also allows the Domain administrators to take back control of their endpoints.

How often have we heard this from decision makers?

“I don’t mind users having admin rights, they know what they’re doing and don’t click stuff !”

Obviously for those of us who are in the business we know that these kinds of individuals are very hard to convince until they have to pay out tens of thousands to recover from something which could have been avoided for a few thousand pounds…Assuming a recovery is a success.

However, removing admin rights does come with its challenges.

  • Users are unable to install any software
  • Users are unable to install a software update
  • Users cannot manage printers
  • Users cannot change network settings

Plus, many more examples.

There is a solution though, and that is to implement a quality privilege access management solution which gives back the users just enough control on their machines for them to remain efficient, without breaking the security model.

For example:

  • Give access to printer settings allowing users to install and manage queues/
  • Give access to network settings for some users.
  • Being permitted to install and upgrade approved applications from trusted sources
  • Some older applications may require admin privileges to run.  This can be provided whilst the user is still only a standard user type on their system.

There are many solutions out there but one which offers a huge amount of flexibility is DefendPoint by BeyondTrust..  Policies can be as broad or specific are you like right down to different user groups in the Domain having different privileges. 

Comments

Post a Comment

Popular posts from this blog

configuring the zmodo ZP-IBi-13W camera to work with Blue Iris Software.

Image
Off topic.......configuring the zmodo ZP-IBi-13W camera to work with Blue Iris Software. Many people have had issues getting these cameras to display video in any other sotware except the supplied z-viewer.  Here is how I got it working with the Blue Iris Software.  The settings may work with other software but have not been tested. Pre-Requisites First set the camera up using the instructions with the camera using zviewer and zsight software. You will need to find the cameras wireless ip address.   If possible set this statically by connecting to the cameras IP address using internet explorer.   .. http://ip-of-camera.. .   Note it does not work with Firefox of chrome. Once working you need to install Blue Iris Software on a machine which can contact the cameras.   Usually this will be sitting on the same network but it will work over a router network providing   the required ports are allowed Blue Iris Installation Load up the Blue Iris Software and Add a new camer
Read more

Apple MAC Fake Virus Alert

Similar to the windows fake AV alerts, MAC users have now been targeted with a fake AV scam. After visiting an infected site, the software scans the users hard disk and reports on viruses found. Users are then given the opportunity to purchase remedial AV software, thus parting with credit card information. The trick here is that is can masqurade as the legitimate MAC Defender application making the users less suspicious about the warnings. Apple Mac users have been adviced to disable a setting in the Safari browser that allows "safe" files to be automatically installed. Full details on removing and preventing this malware can be found here. Apple MAC Malware Removal
Read more

Evolution

Image
I've just spent some time out watching my favourite comedy movies, the original Pink Panther films. Made over 30 years ago, these films relied on primitive effects which in my opinion made the visual jokes even better. What strikes me is the lack of technology available back in those days. No "real" computers, offices with computerless desks and everything but fancy televisions being the focal point of furnished rooms. I am old enough to remember the days without computers and the thrill of the ZX-81 computer being released, and no google to find out the answer to just about anything. So what am I going on about here.....? Well, in essence it is all about the evolving threats, how we must be open minded and keep up with what is happening around us. Security back in those days was limited to the necessity of keeping information locked up in a secure filing cabinet in a guarded room. A basic security strategy, but one which could be regarded as effective under the c
Read more