Myths of Securing Windows Desktops (Part 1)

If you would like to read the next part in this article series please go to Myths of Securing Windows Desktops (Part 2).

Introduction

I have spent the better part of the past 6 years focusing on securing Windows desktops (in addition to the entire Windows enterprise). I have been trying to educate, evangelize, and help organizations and administrators understand what options are possible with Windows operating systems. It has come to my attention that much of the work I have been doing is still not making a large enough impact, so I want to continue to stress what different desktop security options are available and what each option provides for you, as an organization. I have always said that security is like a buffet: you must select the options and features that you feel will give you the best security for your organization, while still allowing users to be functional. After reading this article you will have a much better idea of what each security buffet item provides, and what it does not.

Anti-Virus Protection

Anti-virus protection has gotten a bad rap recently, even from people like me. What I want to do is give anti-virus a fair shake, as it most certainly does have a key role on any computer, especially those running within an organization. Anti-virus provides an excellent security blanket against “known” viruses, malware, adware, etc.

One of the biggest benefits of anti-virus protection is that the user, and even the administrator, has to do very little to get the job done. Anti-virus works from signature files, which contain hashes and byte patterns of executables, DLLs, and other files already known to be malicious. When the computer is scanned on demand, or when a file is opened or an application is launched (real-time scanning), the anti-virus software compares what it finds against those signatures and can warn, quarantine, or remove the malicious files.

The biggest issue with anti-virus protection is that the protection is only as good as the latest signature file. Malware newer than the signature file on the computer cannot be detected by the signature engine, and a zero-day attack by definition has no entry in any vendor's signature file yet. Zero-day attacks, together with polymorphic malware that changes its own bytes from one copy to the next, make it hard for anti-virus protection to be 100% successful.

The reason you need anti-virus protection is to ensure that known malicious applications are detected when they attack a computer. Likewise, if a user installs or copies a known malicious application onto their computer, the anti-virus software will pick it up and alert on it.

The myth is that anti-virus solutions are enough to protect your endpoints. This is not true and to be honest, just an anti-virus solution for your endpoint is not very good security at all.
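The following is an added example, not code from the original article or from any anti-virus vendor. It is a toy signature scanner in PowerShell that makes the preceding point concrete: a hash signature catches only the exact file the vendor analysed, a byte-pattern signature survives trivial edits, and a "morphed" copy of the same payload evades both. Every file, hash and "malware" string is constructed for the demo; it writes into a folder under `$env:TEMP` and is otherwise harmless.

```powershell
# Added example (not from the original article): a toy hash- and pattern-signature
# scanner that shows why detection is only as good as the signature file.
# All payload bytes, hashes and file names below are constructed for the demo.

function Get-BytesSha256 {
    param([byte[]]$Bytes)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    try { [System.BitConverter]::ToString($sha.ComputeHash($Bytes)).Replace('-', '') }
    finally { $sha.Dispose() }
}

function Find-BytePattern {
    # Naive byte-subsequence search, standing in for a vendor's pattern engine.
    param([byte[]]$Data, [byte[]]$Pattern)
    for ($i = 0; $i -le $Data.Length - $Pattern.Length; $i++) {
        $j = 0
        while ($j -lt $Pattern.Length -and $Data[$i + $j] -eq $Pattern[$j]) { $j++ }
        if ($j -eq $Pattern.Length) { return $true }
    }
    return $false
}

function Test-FileSignature {
    # Returns one verdict object per file: hash hit, pattern hit, or clean.
    param([string]$Path, [hashtable]$HashSignatures, [hashtable]$PatternSignatures)
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    $hash  = (Get-FileHash -Algorithm SHA256 -Path $Path).Hash   # uppercase hex, same format as Get-BytesSha256
    $verdict = 'Clean'; $name = ''
    if ($HashSignatures.ContainsKey($hash)) {
        $verdict = 'Detected (hash)'; $name = $HashSignatures[$hash]
    } else {
        foreach ($sigName in $PatternSignatures.Keys) {
            if (Find-BytePattern -Data $bytes -Pattern $PatternSignatures[$sigName]) {
                $verdict = 'Detected (pattern)'; $name = $sigName; break
            }
        }
    }
    [pscustomobject]@{
        File      = Split-Path -Leaf $Path
        Verdict   = $verdict
        Signature = $name
        SHA256    = $hash.Substring(0, 16) + '...'
    }
}

# --- Constructed "signature file" --------------------------------------------
# The vendor analysed one sample and shipped two signatures for it: the SHA-256
# of the whole file and a byte pattern taken from its body.
$sample      = [System.Text.Encoding]::ASCII.GetBytes('DEMO-MALWARE-PAYLOAD-v1 :: drops loader.dll')
$hashSigs    = @{ (Get-BytesSha256 $sample) = 'Demo.Trojan.A' }
$patternSigs = @{ 'Demo.Trojan.A!pattern' = [System.Text.Encoding]::ASCII.GetBytes('drops loader.dll') }

# --- Constructed files to scan -----------------------------------------------
$dir = Join-Path $env:TEMP 'av-signature-demo'
New-Item -ItemType Directory -Path $dir -Force | Out-Null

# 1. Exact copy of the analysed sample: caught by the hash signature.
[System.IO.File]::WriteAllBytes((Join-Path $dir '1-known.bin'), $sample)

# 2. Same payload with one byte appended (re-packed or simply edited): the hash
#    no longer matches anything in the signature file, but the byte pattern does.
[System.IO.File]::WriteAllBytes((Join-Path $dir '2-appended.bin'), [byte[]]($sample + 0x00))

# 3. Same payload XOR-encoded with a one-byte key ("morphed"): neither signature
#    matches, although the behaviour is unchanged once the payload decodes itself.
[System.IO.File]::WriteAllBytes((Join-Path $dir '3-morphed.bin'), [byte[]]($sample | ForEach-Object { $_ -bxor 0x5A }))

# 4. Benign file, for contrast.
[System.IO.File]::WriteAllBytes((Join-Path $dir '4-benign.txt'), [System.Text.Encoding]::ASCII.GetBytes('quarterly report'))

Get-ChildItem $dir -File | Sort-Object Name |
    ForEach-Object { Test-FileSignature -Path $_.FullName -HashSignatures $hashSigs -PatternSignatures $patternSigs } |
    Format-Table -AutoSize
```

Run it in Windows PowerShell 5.1 or PowerShell 7. File 1 is reported as detected by hash, file 2 by pattern, and files 3 and 4 as clean; the third row is the signature gap the article is describing, and the only fix within the signature model is a new signature from the vendor.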

Privilege Management

One of the most important topics that I evangelize about is the idea of privilege management for corporate users. Privilege management is the idea that the user on the desktop is not a local administrator, meaning the user does not hold membership in the local Administrators group. The concept of controlling privilege for the end user is not new; it is just difficult, if not impossible, to achieve with the traditional technologies that come with Windows.

When a user is granted local administrator privileges, bad things can, and usually do, occur. It is not that the user is malicious, but rather that local administrator privileges are too much for the end user to handle. In most cases the over-privileged user falls into one of three categories:

  • Malicious – A user that tries to attack the network or Active Directory by using the elevated privileges on their endpoint.
  • Accidental – Users that are just trying to perform their job tasks, but cause issues along the way without knowing that what they are doing is a problem.
  • IT Helper – Users that know enough to be dangerous, wanting to help the IT staff secure and configure their computer, but along the way cause misconfigurations and downtime on their endpoint.

When evaluating your privilege management solution, be sure to consider the desired result of your solution. In most cases, you will want to solve your privilege management issues fully, not just in part. A full privilege management solution will consist of the user remaining a standard user while these tasks can still be performed:

  • Users running all applications, even those requiring local admin privileges
  • Users installing approved applications, even those requiring local admin privileges
  • Users running OS features (clock, defrag, network properties, etc.)
  • Users installing ActiveX Controls
  • Users installing local printers

The complication of solving privilege management is that Microsoft does not provide any technology that allows these activities without the user being an over-privileged local administrator on their endpoint. There are some built-in options, but each addresses only part of the problem:

  • User Account Control – prompts an administrator for consent, or a standard user for an administrator's credentials; it never lets a standard user complete an administrative task with their own account
  • Manually modifying file, folder, and Registry permissions – has to be worked out application by application and re-checked after every update
  • AppLocker – controls which applications are allowed to run, not the privileges they run with
  • RunAs – requires the credentials of a second, administrative account, which then end up in the user's hands
  • Power Users group membership – since Windows Vista the group carries no privileges beyond those of a standard user

The only way to solve privilege management, where you have applications and features which require local admin privileges, is with a third party tool which can tackle the problem at the process level. Solutions like BeyondTrust PowerBroker Desktops (www.beyondtrust.com) work with your existing Active Directory and Group Policy implementation to provide a complete and comprehensive privilege management solution.
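Whatever solution you choose, the starting point is knowing where each endpoint stands today. The PowerShell below is an added example, not from the original article or from any vendor's product: it reports who is a direct member of the local Administrators group, whether the current user holds that membership (including through a nested domain group), whether the current session is actually elevated, and how UAC is configured. It is read-only and assumes a Windows machine; the ADSI and `whoami` calls are standard Windows tooling, and the interpretation of the UAC registry values in the comments is the documented meaning of those policy settings.

```powershell
# Added example (not from the original article): a read-only privilege audit
# for one Windows endpoint. Run it in any PowerShell session, elevated or not.

function Get-LocalAdministrators {
    # Enumerates direct members of the local Administrators group through ADSI,
    # which works on every supported Windows version. Get-LocalGroupMember is the
    # newer alternative on Windows 10 / Server 2016 and later.
    $group = [ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group"
    foreach ($member in @($group.Invoke('Members'))) {
        $adsPath = $member.GetType().InvokeMember('AdsPath', 'GetProperty', $null, $member, $null)
        $class   = $member.GetType().InvokeMember('Class',   'GetProperty', $null, $member, $null)
        # AdsPath looks like WinNT://DOMAIN/name or WinNT://COMPUTER/name
        [pscustomobject]@{
            Account = ($adsPath -replace '^WinNT://', '') -replace '/', '\'
            Type    = $class        # 'User' or 'Group'; a Group entry hides its nested members
        }
    }
}

function Get-PrivilegeState {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [Security.Principal.WindowsPrincipal]$identity

    # IsInRole(Administrator) is true only for a full administrator token. Under
    # UAC an administrator's normal session carries a filtered token in which the
    # Administrators SID is marked "deny only", so this is $false until elevated.
    $isElevated = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

    # whoami lists the Administrators SID (S-1-5-32-544) even on a filtered token
    # (flagged "Group used for deny only"), so it reveals membership independently
    # of elevation, including membership inherited through nested domain groups.
    $isAdminMember = [bool]((whoami /groups) -match 'S-1-5-32-544')

    # UAC policy values. ConsentPromptBehaviorUser governs what a standard user
    # sees when an application requests elevation: 0 = automatically deny,
    # 1 or 3 = prompt for an administrator's credentials. None of these settings
    # lets a standard user finish the task with their own account, which is why
    # UAC on its own is not a privilege management solution.
    $uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $uac    = Get-ItemProperty -Path $uacKey -ErrorAction SilentlyContinue

    [pscustomobject]@{
        User                          = $identity.Name
        IsMemberOfLocalAdministrators = $isAdminMember
        SessionIsElevated             = $isElevated
        UacEnabled                    = [bool]$uac.EnableLUA
        ConsentPromptBehaviorAdmin    = $uac.ConsentPromptBehaviorAdmin
        ConsentPromptBehaviorUser     = $uac.ConsentPromptBehaviorUser
        LocalAdministrators           = (Get-LocalAdministrators |
                                            ForEach-Object { "$($_.Account) ($($_.Type))" }) -join '; '
    }
}

Get-PrivilegeState | Format-List
```

An account that shows `IsMemberOfLocalAdministrators : True` with `SessionIsElevated : False` is exactly the UAC case discussed above: the user is still an administrator, and a single consent click (or any program that triggers an auto-elevating binary) restores the full token. A true standard user shows `False` for both, and then only the `ConsentPromptBehaviorUser` credential prompt stands between them and the tasks listed earlier, which is the gap a process-level privilege management tool has to fill.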

The myth for privilege management is that built-in tools and technologies, especially those that come with Windows 7, provide a solution for your privilege management dilemma. There is nothing that comes with any version of Windows that solves privilege management.

Summary

Securing your Windows desktops is not that easy when you consider the complete list of security settings you need to address. In this article we discussed two of those areas: anti-virus and privilege management. AV solutions are typically the first line of defense for an organization to protect its endpoints. They are common, trusted, and vital for a portion of your endpoint security issues. However, an AV solution is only as good as the latest signature file associated with it, and it cannot find and stop new malware whose signature is not yet known. Privilege management is a vital part of your endpoint security. As one of the most effective of all the endpoint security measures, privilege management improves the overall security of your endpoint more than the other solutions discussed here. The reason is that a standard user cannot cause the damage and harm that a privileged user can: unapproved installations, system-wide changes by malicious applications, errant configurations, and the like largely stop occurring once privilege is controlled.
