Avecto | Bitesize Article
How to Simply Achieve PSN Compliance
Russell Smith, author of 'Least Privilege Security for Windows 7, Vista and XP'

In this bite-size article, Russell Smith provides a quick and easy step-by-step guide to ticking the box of PSN compliance to satisfy your audit requirements.

The PSN Code of Practice includes configuration controls that require government departments to:
- Lock down software according to policy, and assign the minimum privileges required to use a PSN service
- Prevent the execution of unauthorized software
- Prevent unauthorized changes to the standard build of network devices
- Ensure that users give permission before active content can be executed.

In November 2012, the UK government Public Services Network (PSN) Code of Practice replaced the Government Secure Intranet Code of Connection (GSi CoCo). Based on ISO 27001, the new code is outcome based, so that government departments can comply how they see fit rather than check a list of technical requirements.

The Requirements

As a core requirement of the new code, least privilege security is the practice of assigning only the permissions users require to perform their roles. Though least privilege security is widely accepted as best practice, Windows users often work with full administrative rights because of the difficulties associated with running legacy applications, adding new hardware and working with some Windows features under a standard user account.

Windows XP Software Restriction Policy (SRP) provides basic application whitelisting functionality but has never been widely adopted, as it is considered difficult to deploy and manage. Windows Vista introduced a new technology called AppLocker, which considerably reduces the effort required to implement and manage application whitelisting. Windows 8 updates AppLocker to support Windows Modern UI (previously Metro) apps.

Step 1 Lockdown Policy and Least Privilege Security

Least privilege security and OS lockdown can be achieved by removing administrative permissions from end users. Least privilege can also be achieved by using Protected Administrator (PA) accounts in Windows Vista and later, but neither of these solutions can fully satisfy the PSN requirements. Protected Administrator accounts offer some protection by removing administrative privileges from end users most of the time, but Windows User Account Control (UAC) doesn't provide any centralized, policy-based control of how elevated privileges are used.

There are many scenarios where removing administrative rights can prove problematic for end users, especially where there is no direct access to IT support, as is increasingly the case with many local authorities and government departments which prefer to issue notebooks to facilitate mobile working.

Legacy applications often fail to run without administrative permissions, applications cannot be patched manually, hardware with unsigned drivers cannot be installed, and some Windows features cannot be run.

Microsoft's Application Compatibility Toolkit (ACT) can be used to deploy compatibility shims that solve some of the issues encountered with legacy applications running under standard user accounts. However, compatibility shims require testing and development time, and cannot be used to solve privilege-related issues on the fly.

Avecto Privilege Guard enables government departments to overcome the limitations of Windows privilege management by setting sophisticated policies that modify the privileges of running processes. Applications, Windows features, Windows Store Apps (previously Metro apps), scripts, batch files and ActiveX Controls can all be launched with a unique set of assigned rights, without giving users administrator accounts.

Privilege Guard can be deployed and managed using Active Directory Group Policy or McAfee ePolicy Orchestrator.

Whilst Microsoft modified UAC in Windows 7 to minimize the number of prompts users see when running as a Protected Administrator, standard users will continue to be confronted by these UAC prompts, generated by Explorer from applications using the Component Object Model (COM). Privilege Guard's auditing feature can be used to eliminate generic UAC prompts and either replace them with informative, branded messaging or silently elevate processes so that users can continue working without contacting IT.

The difficulties of supporting notebook users when away from the office have traditionally been a block to the adoption of least privilege security. For example, notebook users don't always have a connection to the network but may need to perform an operation that is blocked by policy. The challenge/response authorization feature in Privilege Guard provides a mechanism that allows IT to respond in situations where policy can't be updated, giving government departments confidence that they can meet users' needs in any situation.

Step 2 Remove Admin Rights

Application whitelisting is a technology that blocks the execution of software not listed in a centrally defined policy. Removing administrative privileges from end users is not enough to block all unauthorized software, as a lot of applications are packaged to install to user profiles (sometimes referred to as portable applications) rather than to the protected Program Files folder and restricted parts of the system registry. Additionally, application whitelisting enables government departments to be sure that only authorized scripts, batch files and other types of active content can run.

Privilege Guard's application whitelisting feature offers IT several advantages over AppLocker. Not only does Privilege Guard have more flexible creation of rules to match authorized software, it provides a unified system for all supported versions of Windows and a means to monitor the software run on a network and the privileges in use. These features combine to increase the prospect of a successful application whitelisting project, and reduce costs with simplified management.

Step 3 Dealing with Active Content

The ActiveX Installer Service (AxIS) was introduced in Windows Vista and provides on-demand installation of per-machine ActiveX Controls, using elevated privileges on the user's behalf. The concept of per-user ActiveX Controls was also introduced, allowing IT to package in-house controls so that they can be installed by standard users. The Windows ActiveX Installer Service limits IT to specifying trusted host URLs from which users are able to install all available controls. So, for example, if Adobe is listed in policy as a trusted host URL, users can install Flash, Shockwave and any other controls Adobe publishes. AxIS can't be restricted to the installation of specific ActiveX Controls from a given host.

Avecto Privilege Guard allows IT to define exactly which controls can be installed, and in conjunction with Privilege Guard's challenge/response authorization feature, IT can quickly allow users to install controls that are not defined in policy. Other active content, such as scripts and batch files, can also be allowed or blocked at a granular level.

PSN compliance with Avecto Privilege Guard

Vista and later versions of Windows offer basic functionality that makes working with standard user accounts more realistic, but features such as Protected Administrator accounts and UAC elevation prompts don't provide enough control for government departments to comply with the PSN code whilst ensuring that users have the flexibility required to perform their roles effectively.

Avecto Privilege Guard allows IT to quickly and easily implement least privilege and comply with the PSN code requirements, without the limitations usually associated with standard user accounts. Privilege Guard allows government departments to implement security best practices while ensuring that authorized changes can be actioned in a timely manner, even for remote users without network connectivity.

About the Author

Russell Smith is the author of Least Privilege Security for Windows 7, Vista and XP, published by PACKT, which includes details about the applications of Avecto's Privilege Guard software for Windows least privilege management. Smith is also contributing editor for Microsoft Best Practices at CDW's Biztech magazine and a regular contributor to leading industry journal Windows IT Pro. He holds a diploma of higher education from the University of London and is a Microsoft Certified Systems Engineer (MCSE). With over 10 years' experience securing and managing Windows Server systems for Fortune Global 500 companies and small to mid-size enterprises, Smith is also an experienced trainer.

Americas: +1 978-703-4169 | UK: +44 (0)845 519 0114 | [email protected] | www.avecto.com
Americas: 125 Cambridge Park Drive, Suite 301, Cambridge, MA 02140 USA
UK: Hobart House, 3 Oakwater Avenue, Cheadle Royal Business Park, Cheadle SK8 3SR UK
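The following script is an added example for Steps 1 and 2 above, not code from the article or from Avecto's product: it lists who still holds local admin rights, builds a draft AppLocker allow-list from the software under Program Files using Microsoft's AppLocker cmdlets, and then tests whether a "portable" executable in the user profile would be allowed to run. The path in $SampleExe is a constructed placeholder, and the AppLocker module is only present on Windows editions that ship AppLocker.

```powershell
# Added example (not from the article or Avecto): Step 1 admin-rights check and
# Step 2 AppLocker draft policy tested against a user-profile executable.
# Needs a Windows edition that ships AppLocker; run from an elevated shell.
# $SampleExe is a constructed placeholder path; point it at a real portable app.
param(
    [string]$TrustedRoot = $env:ProgramFiles,
    [string]$SampleExe   = "$env:LOCALAPPDATA\PortableApp\portable.exe",
    [string]$PolicyXml   = "$env:TEMP\applocker-allow-programfiles.xml"
)

# Step 1: list current members of the local Administrators group so that
# standard users who still hold admin rights can be identified and removed.
Write-Host '== Local Administrators group =='
net localgroup Administrators

# Step 2: generate allow rules from installed software. Publisher rules cover
# signed binaries (and survive patching); hash rules pin the unsigned rest.
# Scanning all of Program Files recursively can take several minutes.
$fileInfo = Get-AppLockerFileInformation -Directory $TrustedRoot -Recurse -FileType Exe
New-AppLockerPolicy -FileInformation $fileInfo -RuleType Publisher, Hash `
    -User Everyone -Optimize -Xml |
    Out-File -FilePath $PolicyXml -Encoding utf8
Write-Host "Draft policy written to $PolicyXml (not applied)"

# Evaluate the draft against the user-profile executable without enforcing it.
# DeniedByDefault means no allow rule matched, which is the expected result for
# a portable app that bypasses Program Files. An Allowed result shows, via
# MatchingRule, where -Optimize generalized a publisher rule further than wanted.
if (Test-Path -LiteralPath $SampleExe) {
    Test-AppLockerPolicy -XmlPolicy $PolicyXml -Path $SampleExe -User Everyone |
        Select-Object FilePath, PolicyDecision, MatchingRule |
        Format-List
} else {
    Write-Host "No file at $SampleExe; copy a portable app there and re-run."
}
```

Review the generated XML and deploy it in audit mode with Set-AppLockerPolicy before enforcing, so that unexpected DeniedByDefault results surface in the event log rather than as blocked users.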
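As an added example for Step 3 above (not code from the article or Avecto's product), this script audits the ActiveX Installer Service approved-site list and reports the installation mode each trusted host grants, making visible the per-host rather than per-control scoping the article describes. It assumes the list is stored where Microsoft's "Approved Installation Sites for ActiveX Controls" Group Policy setting writes it and uses constructed sample hosts when no policy is present.

```powershell
# Added example (not from the article or Avecto): audit AxIS approved sites.
# Assumption: the policy lives under the key written by the Group Policy
# setting "Approved Installation Sites for ActiveX Controls". Each value is
# named by a host URL and holds four comma-separated fields:
#   TPSSignedControl, SignedControl, UnsignedControl, ServerCertificatePolicy
# (0 = do not install, 1 = prompt, 2 = install silently; the last field is a
# bitmask of HTTPS certificate errors to ignore, 0 = ignore none).
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\AxInstaller\ApprovedActiveXInstallSites'
$MetaProps = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

function Get-AxisApprovedSites {
    $sites = @{}
    if (Test-Path -LiteralPath $PolicyKey) {
        $item = Get-ItemProperty -LiteralPath $PolicyKey
        foreach ($p in $item.PSObject.Properties) {
            if ($MetaProps -notcontains $p.Name) { $sites[$p.Name] = [string]$p.Value }
        }
        return $sites
    }
    # Constructed sample used when no policy is present; in the article's Adobe
    # scenario the vendor download host would appear like the first entry.
    $sites['https://downloads.example.com'] = '2,2,2,0'
    $sites['https://intranet.example.org']  = '2,1,0,0'
    return $sites
}

function Test-AxisSite {
    param([string]$Site, [string]$Flags)
    $f = $Flags -split ','
    if ($f.Count -ne 4) { return "$Site : malformed value '$Flags'" }
    $mode = @('deny', 'prompt', 'silent')
    $findings = @()
    if ($f[1] -eq '2') { $findings += 'signed controls install silently' }
    if ($f[2] -ne '0') { $findings += "unsigned controls: $($mode[[int]$f[2]])" }
    if ([int]$f[3] -ne 0) { $findings += ('ignores certificate errors (mask 0x{0:X})' -f [int]$f[3]) }
    # Whatever the mode, AxIS applies it to every control the host serves; there
    # is no per-control allow-list, which is the gap the article points out.
    if ($findings.Count -eq 0) { return "$Site : OK (any control from this host may be installed)" }
    return "$Site : " + ($findings -join '; ')
}

foreach ($entry in (Get-AxisApprovedSites).GetEnumerator()) {
    Test-AxisSite -Site $entry.Key -Flags $entry.Value
}
```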