We recently had internal discussions on the use of local admin rights and how to mitigate the risks. During this, Richard Diver, a Premier Field Engineer in APAC, wrote a great article on how to do it. I wanted to make sure you can see this as well, so this is a guest blog.
General Goals of Strategic Desktop Deployment
The core function of a managed desktop is to take an operating system such as Windows 7 Enterprise, configure it to ensure maximum usability, package it with productivity software, and deploy it to laptops, desktops and virtual machines.
- An “Optimised Desktop” is something the IT department retains control over to ensure security compliance, user productivity, system health and correct licensing of software.
- The “unmanaged” desktop, then, is a user’s personal computer: something the user has full control over to install software, change settings, override administrative control etc.
Some companies will have a mixed environment, and others will have a full implementation of either approach. Both options require a review and implementation of a strategy we refer to as Defence in Depth.
- With Windows 7 Enterprise, a company can implement an effective Defence in Depth strategy, gaining the ability to control and manage risks through built-in features such as BitLocker, AppLocker and DirectAccess.
- Introduce the advanced capabilities of MDOP to extend the controllability and manageability of the platform through assets such as MED-V, DEM and App-V.
- In addition to managing the individual client, an enterprise also needs to consider the wider impact on network and server security. Endpoint client protection, Network Access Protocol, Unified Access Gateway and Threat Management Gateway are some of the components that make up a fortified infrastructure, protecting the internal network as well as managing threats from external entities.
So what are the risks of allowing users to run with local administrative rights on their PC?
Firstly, how this is implemented is a cause for concern. I have seen some companies implement this as a standard policy across the board for all employees, using either a tool to edit local settings or domain group membership. These methods of implementation, however, enable any employee to gain local admin rights on any PC. This is widespread, unrestricted access and has the potential for unlimited damage.
Here are a few of the potential risks that companies run, along with some ideas of how these could be mitigated:
| Risk area | Risk | Mitigation |
|---|---|---|
| Security | Malicious software infections on the client. If a user has local administrative rights they are able to disable the security enhancements that protect them (firewall, BitLocker, antimalware etc.). | Educate users on the safety aspects of administering a computer, especially around installation of software, downloading anything from the internet, and potential threats such as phishing scams and internet fraud. As with a home user's PC, if security cannot be enforced then it becomes the responsibility of the end user. Utilise application blacklisting (AppLocker) to restrict users from installing software that has been identified as high risk to the user experience. Ensure applications are not modifying the core system by implementing control using AD Group Policy Management; Windows Server 2008 R2 with Windows 7 clients provides the most extensive set of policies. Ensure the Windows Firewall is enabled and its policies are controlled by Group Policy. Configure User Account Control (UAC) to alert end users to the changes being made to the system. Educating users about this functionality will prevent several scenarios that can lead to infection by malware. |
| Data confidentiality | If implemented incorrectly, it is possible for users to gain access to PCs they should not normally be allowed on, and so to sensitive files such as HR or financial information. The loss of the device or of USB sticks is also a major concern for many companies. | Restrict local administrative rights to those users that MUST have this functionality, and then only to their main PC (such as a laptop or regular desktop). Ensure that all devices which contain sensitive information are highly protected with the use of BitLocker and BitLocker To Go. These ensure that any data written to these devices is secured in such a way that if the device is lost or stolen, the information cannot be retrieved unless it is unlocked by the systems administrators (keys backed up in Active Directory). Depending on the threat, Encrypting File System (EFS) may be a better mitigation option to secure files: if BitLocker is not used, or has been disabled, the data on the drive can still be secured. |
| Productivity | Unstable systems causing interruptions to user productivity, increased downtime and more time spent troubleshooting issues. | The concept of a “Standard Operating Environment” is to create a baseline client or server image that can be deployed into the environment to provide the basic functionality. This baseline can then be managed and maintained by a central IT team to ensure the correct software, updates and patches are applied, along with configuration settings that improve the user experience, resolve issues, or prevent downtime. Remote access tools and client agents are deployed to enable monitoring and updating of the clients, providing a capability for reporting on the health status of individual or groups of computers. |
| Compatibility | More difficult to standardise, and therefore to provide new services. | If the versions of software being used in the environment are not standardised then it becomes a management nightmare to try to deploy new solutions, as the older versions may not support the new functionality. Consider virtualising all applications to enable a more fluid and timely delivery mechanism. |
| Licensing | Auditing and compliance can become an expensive exercise, especially if software can be installed at will. If the correct reporting is not available to discover the assets in use, then it is very difficult to accurately assess the true cost of any software solutions now or in the future. | Asset management is a key component of any medium to large environment. This is simpler to manage when a company is small and more difficult as it grows. Configuring an asset management database with discovery agents that update it automatically is the recommended approach. It could save the company a lot more money than the initial setup costs. |
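The first step in restricting local admin rights to the users who must have them is knowing who holds them today. The following is an added example (not code from the original post) that reads the local Administrators group on a list of PCs through the WinNT ADSI provider and flags the wide-open pattern described above, a broad domain group nested into Administrators. It assumes you run it as a domain account with admin rights on the targets, that RPC/SMB to the targets is open, and that `$BroadGroups` and the computer names `PC01`/`PC02` are placeholders to adjust for your domain.

```powershell
# Added example, not from the original post: audit local Administrators membership
# across PCs and flag broad domain groups (the "every employee is an admin" pattern).
# $BroadGroups is an assumed list; adjust it to the groups that mean "everyone" in your domain.
$BroadGroups = @('Domain Users', 'Authenticated Users', 'Everyone', 'Users')

function Get-LocalAdminAudit {
    param([string[]]$ComputerName = @($env:COMPUTERNAME))
    foreach ($c in $ComputerName) {
        try {
            # WinNT provider works against Windows 7 clients without WinRM
            $group   = [ADSI]"WinNT://$c/Administrators,group"
            $members = @($group.Invoke('Members'))
        } catch {
            Write-Warning "$c : $($_.Exception.Message)"
            continue
        }
        foreach ($m in $members) {
            # Each member is a raw COM object; read its properties via reflection
            $name  = $m.GetType().InvokeMember('Name',    'GetProperty', $null, $m, $null)
            $class = $m.GetType().InvokeMember('Class',   'GetProperty', $null, $m, $null)
            $path  = $m.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
            # ADsPath is WinNT://<DOMAIN or COMPUTER>/<Name>; the first segment is the source
            $source = (($path -replace '^WinNT://', '') -split '/')[0]
            [pscustomobject]@{
                Computer   = $c
                Member     = "$source\$name"
                Class      = $class                       # 'User' or 'Group'
                IsLocal    = ($source -ieq $c)
                BroadGroup = ($class -eq 'Group' -and $BroadGroups -contains $name)
            }
        }
    }
}

# Usage: list the risky entries (broad groups, or individual domain users) for review.
# 'PC01' and 'PC02' are placeholder computer names.
Get-LocalAdminAudit -ComputerName 'PC01', 'PC02' |
    Where-Object { $_.BroadGroup -or ($_.Class -eq 'User' -and -not $_.IsLocal) } |
    Format-Table -AutoSize
```

Pipe the unfiltered output to `Export-Csv` to keep a baseline, so later runs can show which PCs gained new administrators since the last audit.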
To go with this, I think it’s useful to explain the scenarios we see in the various companies we encounter:
The higher up the stack you go, the more control you can have over the environment and the higher the integrity of data security that can be guaranteed. Implementing an environment like this can be complex and expensive initially; the benefits come once the infrastructure is optimised, including correct processes and procedures. Maintaining an environment like this usually takes a team of dedicated professionals who monitor and correct problems before they impact the user, and it also requires strict change control procedures before deploying any changes to the environment.
As we move down the stack, the requirements on the infrastructure change in nature. When control and security of the client is handed over to the end user, the infrastructure needs to become one focused more on self-defence, protecting itself against potentially rogue clients that may be compromised, similar to being a service provider to clients on the internet. Data security becomes more centralised, allowing access only to specific resources, by specific users, with any other limitations required to ensure security.
Windows 7 Enterprise with Enhanced Security Features and Additional Options
Deployment of a new operating system is the best opportunity to correct any bad practices that were followed with the previous release, such as enabling users to run with local administrative rights on their client. With the release of Windows 7 we can now deploy a more secure client out of the box, as long as we don’t disable the key features that enable this, such as UAC, IPv6 and the Windows Firewall.
We have identified the need to provide users with local admin rights on their laptops to enable self-support and allow software installations. It is of business benefit to reduce support calls and lower the administrative overhead of providing a tightly controlled mobile workforce. How can we do this but still ensure adequate security for our environment?
Initially, our first reaction is to push back on this and find a way to resolve this “need” for users to run as local administrators. Under most usual circumstances I would advocate removing local admin rights and managing the desktop with the usual methods of group policy and software deployment. However, this can’t always be justified, as the loss of local rights can cause a bigger surge in helpdesk calls and loss of user productivity if the IT infrastructure is not sufficiently designed to provision these resources rapidly, especially when the majority of the users are mobile with limited networking capabilities, travelling to various customer and other company sites with varying standards of hardware and support capabilities.
I’ve always seen the balance here as being like a sliding scale between Security and Functionality. If you want to allow complete freedom to the user, you have little chance of maintaining the security, and if you make it too secure then the user productivity is affected by the restrictions (as well as the increased overhead of maintaining that environment). So we need to provide some options to enable the scenario and mitigate the risks.
Microsoft, as you might expect, is full of smart IT users, so it’s fair to say they can be trusted to build their own laptops and manage them well. However, we wouldn’t be a secure environment for long, as it only takes one weak link to break the chain.
Therefore, MSIT deploys several methodologies to ensure they are protecting the greater good, deploying a strategy known as Defence in Depth. The following, then, is a list of recommendations for an environment that is going to allow some or all users to retain local admin rights on their clients.
| Area | Recommendation |
|---|---|
| User education | There is no technical replacement for common sense. The first line of defence is to educate users on best practices for securing their data and to raise awareness of the potential risks involved with public internet access, especially when they have local admin rights to their PC. |
| Client health | Most enterprise desktops and laptops will start life as a Standard Operating Environment (SOE), meaning the operating system has been built to a standard specification and the image is captured and reused to build all future clients. During the build, certain types of software and configuration settings will be installed, and on completion the client is usually added to an Active Directory domain. The problem comes when a user has local admin rights: they have the ability to reconfigure these default settings and remove many of the built-in security features such as the firewall and UAC. Another common issue is the interruption of security scans, software updates and other maintenance tasks designed to keep the client running smoothly. To prevent these issues we need to ensure that the desired configurations are set as part of Group Policy, which ensures a regular refresh of the client settings even when they are off the domain. It is not a foolproof option: savvy users will be able to find ways around many of the limitations imposed by the policies. By implementing DirectAccess (instead of VPN solutions) we gain access to the PC every time it connects to the internet. A secure tunnel is created back to the corporate network without the user initiating any software or entering log-in details. This provides a better method for regularly deploying software and settings to roaming clients. I would also recommend implementing a method of automated error reporting such as Desktop Error Monitoring, part of the MDOP offering. This diverts all Dr. Watson type errors to a centralised server to provide client health information (this is what Microsoft does on a global scale for all publicly connected and enabled clients that have opted in to the feature). |
| Software management | Domain-joined computers are easier to manage once we involve Group Policy for configuration items and software management agents to remotely deploy applications, updates and security patches. Many of the core software products will be purchased, packaged, maintained and deployed by a central IT administration group. These should account for the majority of the software required by users and can be delivered in many ways, from traditional physical installation to virtual or hosted. The problem usually comes when the software is freeware, personal or specialised and only required by a very few individuals. This type of software can generally be obtained and installed by the user. Because of this, your software management agents should be capable of scanning the client's health and reporting back a list of installed software including version numbers. This is useful to IT administrators as they can see a consolidated view of the types of software being installed and perform trend analysis of products that cause issues on the clients or in the environment. |
| Infrastructure security | Providing users access to the corporate network through VPN solutions, using identification and authorisation of the user's credentials, is a good start, similar to the physical security of posting a security guard at the front door. But what about limiting access to resources based not only on the user's identity but also on their role and how they are gaining access to the environment: the type of device, the health of that device and their location (corporate office or a coffee shop)? One of the key aspects of infrastructure security is to treat your client network the same internally as you do externally: scanning the health of clients before granting access to resources, preventing the removal of data unless it is secured, and provisioning resources through secure channels that ensure a controlled and consistent experience regardless of device type or location. Firewalls and antimalware, software updates and security patches are the fundamental building blocks of a secure network. Scanning and testing both servers and clients on a regular basis is not only good practice but common sense, and using more than one AV scan engine (see Forefront) enables a wider range of testing and so a higher chance of success. A more sophisticated approach is to scan data whilst in transmission, detecting not only virus signatures but also behavioural patterns, which can lead to the detection of new threats. To test that you are successfully capturing potential threats you need to ensure you are looking at the internal network as well as the perimeter; most breaches are found to come from an internal source. |
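The Client health and Software management rows above both come down to one question: has a local admin drifted the client away from the SOE baseline, and what have they installed? As an added example (not code from the original post, MDOP or Configuration Manager), the script below checks the three baseline features the text names (UAC, Windows Firewall on every profile, BitLocker on the OS drive) and lists installed software with version numbers. It assumes PowerShell 3.0 or later running elevated on Windows 7 or later; `\\server\inventory` is a placeholder share.

```powershell
# Added example, not from the original post: report baseline drift and installed software.
function Get-ClientHealth {
    # UAC policy values live here; EnableLUA=1 turns UAC on, and
    # ConsentPromptBehaviorAdmin=0 means "elevate without prompting", which defeats the point
    $sys = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $uacOn      = ($sys.EnableLUA -eq 1)
    $uacPrompts = ($sys.ConsentPromptBehaviorAdmin -ne 0)

    # Windows Firewall state per profile via the HNetCfg COM API: 1=Domain, 2=Private, 4=Public
    $fw      = New-Object -ComObject HNetCfg.FwPolicy2
    $fwAllOn = ($fw.FirewallEnabled(1) -and $fw.FirewallEnabled(2) -and $fw.FirewallEnabled(4))

    # BitLocker on the OS volume: GetProtectionStatus() returns 1=on, 0=off, 2=unknown.
    # The WMI class is absent on editions without BitLocker, which we treat as "not protected".
    $vol = Get-WmiObject -Namespace 'root\CIMV2\Security\MicrosoftVolumeEncryption' `
        -Class Win32_EncryptableVolume -Filter "DriveLetter='$env:SystemDrive'" `
        -ErrorAction SilentlyContinue
    $blOn = ($vol -ne $null -and $vol.GetProtectionStatus().ProtectionStatus -eq 1)

    [pscustomobject]@{
        Computer        = $env:COMPUTERNAME
        UACEnabled      = $uacOn
        UACPromptsAdmin = $uacPrompts
        FirewallAllOn   = $fwAllOn
        BitLockerOSOn   = $blOn
        Healthy         = ($uacOn -and $uacPrompts -and $fwAllOn -and $blOn)
    }
}

function Get-InstalledSoftware {
    # 64-bit and 32-bit machine-wide uninstall keys, plus per-user installs
    # (where the freeware and personal software the text mentions usually ends up)
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName } |
        Select-Object @{ n = 'Computer'; e = { $env:COMPUTERNAME } },
                      DisplayName, DisplayVersion, Publisher, InstallDate |
        Sort-Object DisplayName -Unique
}

# Usage: one health row and one software list per client, dropped on a central share
# (\\server\inventory is a placeholder) for the IT team to consolidate and trend.
Get-ClientHealth       | Export-Csv "\\server\inventory\$env:COMPUTERNAME-health.csv"   -NoTypeInformation
Get-InstalledSoftware  | Export-Csv "\\server\inventory\$env:COMPUTERNAME-software.csv" -NoTypeInformation
```

Run it as a scheduled task or a Group Policy startup script so roaming clients report on every connection, then look for `Healthy = False` rows and for products that appear on the same machines that raise support calls.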
In summary, whilst it is not ideal to allow the majority of your user base to run with local administrator rights, it certainly can be done in a manageable way that mitigates some of the risks. If you are missing any of these key pieces of the security and management jigsaw puzzle then you need to consider your options: mitigate the risk, reduce the impact and enable damage control if the worst should happen.
For reference, here is a list of the links used above, by product:
- Microsoft Security Intelligence Report
- User Account Control (UAC)
- Configuration Manager (SCCM)
- Remote Desktop Services (RDS)
- Application Virtualisation (App-V)
- Microsoft Desktop Optimisation Pack for SA (MDOP)
- Desktop Error Monitoring (DEM)
- Forefront Endpoint Protection
- Unified Access Gateway (UAG)
- Threat Management Gateway (TMG)
- BitLocker To Go
- Security Compliance Manager
Security baselines and settings packs:
- Windows Server 2008 R2 Security Baseline
- Microsoft Office 2010 Security Baseline
- Windows 7 setting pack
- Windows Internet Explorer 8 setting pack
Senior Premier Field Engineer | APAC Premier Field Engineering Services | Microsoft Corporation
Was really worth reading – no?