If you would like to read the first part in this article series please go to Enhancing Endpoint Security for Windows Desktops (Part 1).
Introduction
This is the second of two article series describing the methods and options available to enhance your endpoint security for your Windows devices. In our first article we discussed how the firewall and password policy were configured, as well as how you can verify that the settings are correct. It is clear that the password policy protects the computer primarily from local attacks, where an attacker might be guessing the password. The firewall will protect the endpoint from network attacks and other malicious code that might be written to communicate on known insecure ports. In this installment we will discuss how least privilege can help protect the computer from local user attacks, as well as how data leak protection can help protect the corporate assets from being sent illegally and/or inappropriately across the Internet.
Endpoint Security: Least Privilege
When it comes to endpoint security I feel that least privilege is the most important security feature that you can implement. Without least privilege in place the user of the endpoint is typically configured to be a local administrator in order to perform all of their authorized tasks. If the user is granted local administrator to run their authorized tasks, it only makes sense that they can also run nearly any other task they want.
Once a user is granted local administrator privileges there is nothing a network or domain administrator can do to control their behavior on their endpoint. Some examples of what a local administrator can do which a network or domain administrator can’t stop:
- Take the endpoint out of the domain
- Alter IP address settings
- Modify Registry settings
- Install any application locally
These might not seem like devastating alterations of the endpoint, but nearly all of them have consequences which can jeopardize the security of the endpoint and entire network as a whole. Not being able to control the endpoint due to the user being a local administrator is the worst situation a corporation can be in.
If least privilege is so important, then why do most corporations still have endpoints not configured with least privilege? The answer is due to a myriad of issues that come with what users need to do in order to perform their daily tasks. The following are examples of tasks that most corporations want/need their users to perform at their endpoint to be productive:
- Install applications
- Install drivers
- Run business applications
- Install ActiveX Controls
- Run operating system features (defrag, alter clock, etc)
All of these functions, at some level, require local administrative privileges. Even if your endpoints require one of these elevated tasks, there is little that can be done to grant the user privileges over just that one task. So, most organizations grant full computer local administrative privileges so the task can be run.
Solutions to least privilege have been tested and unfortunately most of the attempts have failed. The following is a list of common tested/failed solutions to least privilege.
- Windows XP RunAs
- Windows Vista/7 User Account Control (UAC)
- Altering file/folder/Registry permissions
- Using the local Power Users group
- Whitelisting of applications
- Application Compatibility
Some of these solutions come close, but not one can solve least privilege such that the endpoint is secure. There are, however, other solutions on the market that can solve least privilege. The majority of the least privilege solutions on the market utilize Group Policy to deploy and manage the endpoints. The pioneer of least privilege is a company called BeyondTrust and their product PowerBroker Windows Desktops (www.beyondtrust.com). PowerBroker Windows Desktops, like any least privilege solution you implement, should have the following basic features:
- Force user to be a standard user
- All approved elevated tasks must be discovered automatically
- Least privilege solution needs to integrate into existing Active Directory environment
- All approved tasks can be executed
Endpoint Security: Data Leak Protection
Data leak protection (DLP) is a new form of security which has been crucial for nearly every corporation due to the influx of data leaks over the past months. A data leak is a malicious (sometimes errant) sharing or transfer of data from within the corporation to somewhere outside the corporation. The leak can occur by someone with local administrator privileges or even local standard user privileges. The key aspect of the data leak scenario is that there is little control or monitoring over what users can do with data once they have legitimate access to the data. Least privilege is not a solution to data leak protection, as this only restricts the user’s privilege at the endpoint.
Data leak protection is the concept and technology that provides data control and monitoring to solve data privacy and confidentiality for any IT infrastructure. At a minimum, a state-of-the-art data leak protection solution should provide content-aware data leak protection, device control, e-mail control, Web control, access control to data, at a minimum.
Data leaks have been front page news over the past months, due to the companies that have been attacked, as well as the information that has been leaked. As a sample, the following are examples of data leaks recently:
Sony Corporation – Sony’s PlayStation Network was down for a week, which the company admitted that an unauthorized person had stolen personal information belonging to 77 million account holders.
RSA Security – The RSA was breached recently with the thief stealing information related to the RSA’s SecurID tokens. This RSA two-factor authentication solution is used by millions of users, including government and private sector organizations.
WikiLeaks – The United States Government has tens of thousands of documents leaked out by Pfc. Bradley Manning, who served as an intelligence analyst in Iraq.
HSBC – HSBC had data from over 130,000 clients stolen from the HSBC Holdings Plc’s private bank in Geneva, Switzerland.
Any data leak solution that you implement should be able to defend against the most common leaks. The following are a list of requirements for a DLP solution:
- Preventing Wikileaks Incidents
- Preventing Access to Data on Stolen or Lost Computers
- Controlling Removable Devices
- Restricting Data Access to Specific Applications
- Preventing Data from Being Transferred Outside of the Organization
Summary
Endpoint security is not just setting up a few policies and making sure IE is secure. Endpoint security is a myriad of security features and solutions that protect the key areas where endpoints become an attack vehicle, can be attacked, or become a risk to the entire network. Looking at an all-encompassing endpoint security model means you must look at endpoint firewall, endpoint password policies, least privilege, and DLP. If you implement solutions for all of these areas and ensure that they are all configured to secure the endpoint, your endpoints will be more secure than ever before and nearly rock solid.
If you would like to read the first part in this article series please go to Enhancing Endpoint Security for Windows Desktops (Part 1).
