Posted in Active Directory, Application Control, Desktop Lockdown, Least Privilege, Privilege Guard

Unsecured PCs Can Put Your Critical Infrastructure at Risk

In an ideal world, critical IT systems should never rely on the security of lesser devices. But in practice, computer networks are complicated and many dependencies exist, some of which are more desirable than others, and eliminating all unwanted dependencies is a difficult task.

Windows member servers – i.e. those joined to an Active Directory (AD) domain – and workstations depend on domain controllers (DCs) to manage certain aspects of their security. This is a necessary dependency where a less important device relies on a more critical system.

Unwanted security dependencies tend to appear on networks unexpectedly. For instance, a PC becomes infected with a virus because the user was tricked into running a malicious executable, and an unpatched vulnerability is exploited. As a result, the Exchange Server is also infected and subsequently shut down by the virus. Though we can argue both the PC and server should have been patched, in this situation the server was unlikely to have been infected if the PC had remained secure.

I was recently reminded about the DNS Changer trojan, which first appeared in 2008 and has since mutated into various forms. The virus attempts to change a PC’s DNS settings to redirect internet traffic and, failing that, scans the local network in an effort to discover the admin credentials of gateway routers and change their DNS configuration. This is an unfortunate example of a critical network device becoming dependent on a PC for its security, which in turn compromises the integrity of every device connected to the router. Another variant of the trojan sets up a DHCP server on infected PCs, intercepts DHCP requests on the local network and responds with bogus DNS settings to devices looking for a valid DNS configuration.

Changing the DNS configuration on Windows requires administrative rights, so a standard user account stops DNS Changer dead in its tracks. Furthermore, with application whitelisting in place, DNS Changer wouldn’t be able to run at all, preventing it from scanning the network for vulnerable devices.

While the SANS Internet Storm Center issued reactive advice at the time to block traffic to IP addresses known to host the malicious DNS servers, a proactive approach that prevents PCs from being infected in the first place is always preferable. Antivirus should also be capable of stopping DNS Changer, but why rely solely on AV to protect your systems, especially given the speed at which malware mutates and the sophisticated techniques used to evade detection?

Users often think that what happens on their network-connected PC or other device cannot affect the security of other systems, let alone critical servers and network hardware. But as you’ve read in this blog post, users and management should understand that once a device is connected to the network it does not exist in isolation, and least privilege security and application whitelisting technologies, such as those provided by Avecto Privilege Guard, are needed to protect the IT infrastructure at large.
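As an added example (not part of the original post), the following PowerShell check audits what DNS Changer tampers with: each IP-enabled adapter's DNS servers and the DHCP server that issued its lease, compared against an allow-list. The two address lists are constructed placeholders; the function name is assumed. Reading this configuration does not require the admin rights that changing it does, so the check can run in a standard user context.

```powershell
# Added example, not code from the original post. The addresses below are
# constructed placeholders; replace them with your own DNS and DHCP servers.
$ApprovedDns  = @('10.0.0.10', '10.0.0.11')   # assumed corporate DNS servers
$ApprovedDhcp = @('10.0.0.10')                # assumed corporate DHCP server

function Test-DnsChangerIndicators {
    param(
        [string[]]$ApprovedDns,
        [string[]]$ApprovedDhcp
    )
    $findings = @()
    # Win32_NetworkAdapterConfiguration is readable by a standard user, so this
    # check itself needs none of the admin rights that changing DNS requires.
    $adapters = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE'
    foreach ($a in $adapters) {
        # Any resolver not on the approved list matches the settings-rewrite
        # behaviour described above (whether set locally or via a bogus lease).
        foreach ($dns in @($a.DNSServerSearchOrder)) {
            if ($dns -and ($ApprovedDns -notcontains $dns)) {
                $findings += [pscustomobject]@{
                    Adapter = $a.Description; Check = 'DNS server'; Value = $dns
                }
            }
        }
        # A lease handed out by an unexpected address is consistent with the
        # rogue-DHCP variant of the trojan.
        if ($a.DHCPEnabled -and $a.DHCPServer -and ($ApprovedDhcp -notcontains $a.DHCPServer)) {
            $findings += [pscustomobject]@{
                Adapter = $a.Description; Check = 'DHCP server'; Value = $a.DHCPServer
            }
        }
    }
    return $findings
}

$results = @(Test-DnsChangerIndicators -ApprovedDns $ApprovedDns -ApprovedDhcp $ApprovedDhcp)
if ($results.Count -eq 0) {
    Write-Output 'No unexpected DNS or DHCP servers found.'
} else {
    $results | Format-Table -AutoSize
}
```

Run it periodically (for example from a logon script) and forward any findings to your event collector; a non-empty result is worth investigating even when AV is silent.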

Posted in Privilege Guard

Policy Filtering for Computers and Remote Clients

For version 3.0, we have redesigned how Policy Filters are configured and applied. Two distinct benefits came out of this.

  1. Granular targeting is now a lot more intuitive in terms of applying combinations of Policy Filters.
  2. It is now a lot easier for us to add additional filters to Privilege Guard.

The new Computer Filter allows you to target Privilege Guard Policies based on the hostname or the IP Address of the endpoint. This can be used as an alternative to, or in combination with, Group Policy based computer targeting.

Posted in Desktop Lockdown, Privilege Guard

Allow Standard Users to Unlock Shared Workstations

It is not uncommon for office-based computer users to lock their desktop at the end of the working day instead of shutting it down, perhaps out of habit from the bygone days of long logon times. If they are using a Windows domain-joined desktop, this poses a problem, because only they can unlock it again, and so the desktop is rendered unusable by other users.

If you operate a hot-desk or other shared workstation environment then there’s a good chance your users are regularly experiencing this problem, and historically there were three solutions:

  1. Call IT Support and ask them to ‘unlock’ the desktop for you (local administrators are the only users who can force the logged-on session to log off).
  2. Hard reset the desktop (which can lead to data corruption, data loss, etc).
  3. Grant computer users local admin rights.

None of these solutions was ideal, as they all came at a cost – either through increased helpdesk calls or through the hidden costs of users possessing excessive rights.

A new feature added to Privilege Guard 3.0, Shared Workstation Unlock, allows you to set policy on which end users are, and are not, allowed to unlock a shared workstation. So as well as empowering standard users, you can also restrict local administrators.

Posted in Privilege Guard

UI Enhancements in Version 3.0

Time to show off the new Management Console in Privilege Guard 3.0!

One of the many key differences that set Privilege Guard apart from the rest of the field is our UI and how policies are configured. Not being ones to rest on our laurels, we’ve listened closely to our customers and injected a lot of innovation into the 3.0 UI. I hope you’ll agree that the results are impressive!

We have a diverse range of customers, including large corporations managing hundreds of thousands of desktops. The Privilege Guard policies for such large rollouts, as you can imagine, are quite complex, so it’s important to understand how we can continue to simplify their initial creation and on-going maintenance.

The entire console has been given an overhaul, and here are just a few of the highlights.

Posted in Privilege Guard

Privilege Guard 3.0 is here!

I am pleased to announce that version 3.0 is now available for download. This release is the product of many months of development, and is packed with new features and enhancements. Keep an eye on our blog over the coming days and weeks as we explore them in more detail.

For now, make sure you read up on What’s new in Privilege Guard 3.0.

We at Avecto pride ourselves on being a dynamic, agile software house, and on listening to and working closely with our customers. Collaboration is key to maintaining Privilege Guard’s position as the leading solution for delivering least risk desktops and servers, and my thanks go to everyone who contributed to version 3.0.

Posted in Event Forwarding, Privilege Guard, WinRM

Privilege Guard 3.0 Reporting Pack Preview

Last week I gave you a sneak preview of Privilege Guard 3.0, which will be released at the start of the New Year. We will also be releasing two new add-on modules for Privilege Guard, and today I want to give you a preview of the Reporting Pack module.

A critical component of any privilege management solution is the audit trail, which can be used to generate compliance reports and fine tune policies. Privilege Guard logs a variety of events to the local application event log on each endpoint and these events can then be centrally collected using Microsoft Event Forwarding.

Event Forwarding uses Windows Remote Management (WinRM) and enables you to collect events from remote computers and store them in the Forwarded Events log of a central event collector server. It is an extremely scalable architecture, which is why the Privilege Guard Reporting Pack has been built around this technology. The new Privilege Guard Event Collector software is simply installed on one or more event collector servers, where it automatically aggregates Privilege Guard events and uploads them to a SQL Server.
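To show the collector side of the architecture described above, here is an added example (not Avecto's own configuration) that creates a source-initiated Event Forwarding subscription on the collector with wecutil. It pulls Application-log events from one provider on every domain computer into the ForwardedEvents log; the provider name is a placeholder, since the page does not give the product's event source name, and the subscription ID is an assumption.

```powershell
# Added example, not the product's own configuration. 'PLACEHOLDER-PROVIDER'
# stands in for the real event source name; substitute it before use.
$subscription = @'
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <SubscriptionId>EndpointPrivilegeEvents</SubscriptionId>
  <SubscriptionType>SourceInitiated</SubscriptionType>
  <Description>Collect endpoint privilege-management events centrally</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>MinLatency</ConfigurationMode>
  <Query>
    <![CDATA[
      <QueryList>
        <Query Id="0" Path="Application">
          <Select Path="Application">*[System[Provider[@Name='PLACEHOLDER-PROVIDER']]]</Select>
        </Query>
      </QueryList>
    ]]>
  </Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <AllowedSourceNonDomainComputers></AllowedSourceNonDomainComputers>
  <!-- SDDL granting Domain Computers (DC) and Network Service (NS) the right to forward -->
  <AllowedSourceDomainComputers>O:NSG:NSD:(A;;GA;;;DC)(A;;GA;;;NS)</AllowedSourceDomainComputers>
</Subscription>
'@

$path = Join-Path $env:TEMP 'EndpointPrivilegeEvents.xml'
Set-Content -Path $path -Value $subscription -Encoding UTF8

# Run on the collector as an administrator: configure the Windows Event
# Collector service, then create the subscription from the file and read it
# back. Endpoints still need WinRM enabled and the collector's address set via
# the "Configure target Subscription Manager" Group Policy setting.
wecutil qc /q
wecutil cs $path
wecutil gs EndpointPrivilegeEvents
```

Once forwarding is working, a collector-side process such as the Event Collector described above can read the ForwardedEvents log and load the records into SQL Server for reporting.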

Posted in Application Control, Desktop Lockdown, Group Policy, Least Privilege

Desktop Misadventures

Bradley Manning – the Private who is accused of downloading 110,000 U.S. State Department cables to his PC, copying them to a removable drive and then passing the information to Wikileaks – has been in the news again this week as his trial begins. The incident highlights a massive security failing by the U.S. military: first, Manning’s ability to view classified data that he had no need to access, and second, the capability to copy the information undetected from his workstation. While this is a somewhat extreme case of the unpleasant consequences desktop privileges can have for an employee, I recently stumbled across a post in an IT forum that demonstrated a similar problem – but in the corporate world.

A rather distraught software developer was accused of stealing data from his previous employer. The company claimed he circumvented the USB monitoring system when copying files to a flash drive, because IT couldn’t find any evidence in the logs that the files had been transferred to the removable drive. As a software developer, he had admin rights on his PC, and the company is now threatening legal action.

Posted in Privilege Guard

Privilege Guard 3.0 Sneak Peek

As we approach the end of 2011, the Avecto product development team have been busy putting the finishing touches to Privilege Guard 3.0, along with two brand new modules for Privilege Guard – the Privilege Guard Reporting Pack and the Privilege Guard McAfee ePO Integration Pack. In the run-up to Christmas we’ll be giving you a sneak preview of all this exciting new technology, which you can get your hands on at the start of the New Year.

First up is Privilege Guard 3.0, with a new look management console that is both striking to look at and wonderfully intuitive. As you move beyond the obvious visual enhancements, you will find full search capabilities, which allow you to quickly locate policy items and navigate to them with ease.

Posted in ePO, Least Privilege, McAfee, Privilege Guard

Protecting Against Kernel-mode Rootkits with Avecto and McAfee

Kernel-mode rootkits install themselves deep inside the operating system. They often use cloaking techniques to hide themselves and other malware to prevent detection or removal. The introduction of kernel patch protection in 64-bit Windows made it more difficult for kernel-mode rootkits to infect the operating system, but the threat has not been completely removed, and rootkits have already penetrated 64-bit Windows.

Running up-to-date anti-virus software, and keeping Windows and other software updated with all of the latest security patches, should prevent infection from most known malware threats. However, a zero-day attack that includes a kernel-mode rootkit continues to pose the most serious security threat. The ability of a zero-day rootkit to hide itself from security software can make subsequent detection and removal extremely difficult, often resulting in re-imaging of the operating system, assuming that it is even possible to detect the infection. The fact that a kernel-mode rootkit could go undetected makes it difficult to assess the true scale of the problem.