Wednesday, 26 October 2011

TOP 5 THINGS TO KNOW ABOUT ADMINISTRATOR RIGHTS AND SECURITY


ASK ANY WINDOWS ADMINISTRATOR OR SECURITY PROFESSIONAL AND YOU WILL FIND WIDESPREAD SUPPORT FOR LOCKING DOWN PCS BY REMOVING USERS' ADMINISTRATIVE PRIVILEGES.

Why then have so many IT organisations been unable to implement better controls in their desktop environments? The truth is that removing admin rights is only one part of an application control solution.

1.  THE DIFFERENCE BETWEEN AN ADMINISTRATOR AND A STANDARD USER

When users log into a Windows computer, they can either log in with administrator rights or standard user rights.  Administrator rights allow users the ability to make wide changes to the computer, including creating or deleting accounts and changing account types and passwords.  Most importantly, administrator rights allow users the freedom to install any software they wish.  A standard user is granted no special privileges and does not have administrative control over the computer.

The "Principle of Least Privilege" that has been widely adopted by organisations as a security best practice restricts standard user privileges to only those necessary to perform certain job functions.

In a Windows Least Privilege environment, administrators have control of installs on standard users' computers and oftentimes network resources as well.

2.  ADMIN RIGHTS ARE USED BY MALICIOUS HACKERS

Administrator rights are exploited by unauthorised users, hackers, and malware to compromise computer systems by altering standard desktop images, changing security settings, or installing unauthorized software. By removing administrator rights from users and granting only the minimum privileges necessary for the performance of an authorized task, a company can limit the damage that can result from a security breach or malicious user. But removing admin rights is not effective against all the varied attacks that are in the wild today.

For instance, there has been an increase in zero-day, "Advanced Persistent Threat" attacks that seek out admin rights credentials and then use them to escalate privileges and install malware to steal sensitive information.

3.  REMOVING ADMIN RIGHTS CAN IMPEDE USERS' WORK

Removing admin rights can limit a user's ability to open emails, change settings, or even start their computer. If users are unable to continue to do the work they need to do, there will be complaints, and it will require the IT staff to spend a lot of time addressing the problems that arise.

Removing privileged accounts can be problematic because, depending on the organisation, any number of legacy or custom-built applications can only be accessed with administrator rights. In addition, many vendors release software which requires admin rights to install.  As a result, a company either refuses to use the major software packages in the market (including those by Microsoft), or the company develops costly procedures to submit requests for installations, updates, removals, etc.

While it is tempting to establish policies that restrict software installation, by doing so, you can defeat the very reason that computers were brought into the company—to accomplish work efficiently.

• Users who have a real business need to install applications to do their jobs won't have that right, which hampers creativity and exposure to new resources.

• Without sufficient permissions, a user would not even be able to install basic work necessities such as a print driver.  Many basic applications will not run without an elevated set of permissions.

• Client software components that Web sites upgrade on a regular basis (such as Flash, Acrobat Reader and Web conferencing software) cannot be updated, potentially obstructing user access to important business content or causing lost productivity, as users look for workarounds. It's nearly impossible for organisations to have the latest clients packaged for software distribution so that they can be delivered to users as needed, and standard user access does not allow exceptions.

4.  RUNNING USERS AS "STANDARD USERS" DOES NOT PREVENT THEM FROM INSTALLING AND RUNNING UNKNOWN APPLICATIONS

A typical first approach that administrators take in securing workstations is to set the NTFS permissions on the workstation's hard drive so that users have only the minimum necessary set of permissions.

Although it is always a good idea to give users minimum permissions, this technique by itself is completely ineffective in regard to preventing users from installing or executing unauthorised software.

One major issue with relying solely on user rights restrictions is that a user has to have rights to their profile directory.  A profile directory stores a user's documents and all of their user-specific application settings. Since a profile is a required part of Windows, and a user has to have rights to their profile directory, a user could place an executable file into their profile directory and run it from there.

There are ways around some of these profile-related security issues. Administrators could redirect a profile so that it is stored on a server rather than on each individual workstation.  Once the profile folders have been redirected, different administrator utilities can search profile folders for unauthorised executables.
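One way to run the search described above, as an added example that is not from the original post. The function names, the one-folder-per-user layout under the profile root and the approved-hash list are assumptions; files are classified by their `MZ` executable header rather than by extension, and the sample tree is constructed.

```powershell
# Added example (not from the original post). Names and paths are hypothetical.
function Test-PEHeader {
    param([string]$Path)
    # Windows executables (EXE, DLL, SCR) begin with the bytes 'MZ' (0x4D 0x5A),
    # so checking content catches files saved under a misleading extension.
    try {
        $stream = [System.IO.File]::OpenRead($Path)
        try {
            $buf = New-Object byte[] 2
            return ($stream.Read($buf, 0, 2) -eq 2 -and $buf[0] -eq 0x4D -and $buf[1] -eq 0x5A)
        } finally { $stream.Dispose() }
    } catch { return $false }   # locked or unreadable file: not classified
}

function Find-UnapprovedExecutable {
    param([string]$ProfileRoot, [string[]]$ApprovedHashes)
    $rootPath = (Get-Item -LiteralPath $ProfileRoot).FullName.TrimEnd('\', '/')
    # -Force includes hidden folders such as AppData, where browser caches live.
    Get-ChildItem -LiteralPath $rootPath -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object { Test-PEHeader $_.FullName } |
        ForEach-Object {
            $hash = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            if ($ApprovedHashes -notcontains $hash) {
                $relative = $_.FullName.Substring($rootPath.Length).TrimStart('\', '/')
                [pscustomobject]@{
                    User      = ($relative -split '[\\/]')[0]   # assumes one folder per user
                    Path      = $_.FullName
                    SHA256    = $hash
                    LastWrite = $_.LastWriteTime
                }
            }
        }
}

# Constructed sample tree so the script runs offline.
$root  = Join-Path ([System.IO.Path]::GetTempPath()) ("profiles-" + [guid]::NewGuid())
$cache = Join-Path $root 'alice\AppData\Local\Cache'
$docs  = Join-Path $root 'bob\Documents'
New-Item -ItemType Directory -Path $cache, $docs -Force | Out-Null
# Constructed: executable header under a document extension (not on the approved list).
[System.IO.File]::WriteAllBytes((Join-Path $cache 'invoice.pdf'), [byte[]](0x4D, 0x5A, 0x90, 0x00))
# Constructed: executable whose hash is placed on the approved list below.
[System.IO.File]::WriteAllBytes((Join-Path $docs 'approved-tool.exe'), [byte[]](0x4D, 0x5A, 0x01, 0x02))
Set-Content -LiteralPath (Join-Path $docs 'notes.txt') -Value 'plain text'
$approved = @((Get-FileHash -LiteralPath (Join-Path $docs 'approved-tool.exe') -Algorithm SHA256).Hash)

Find-UnapprovedExecutable -ProfileRoot $root -ApprovedHashes $approved | Format-List
Remove-Item -LiteralPath $root -Recurse -Force
```

A scan like this reports files after they have been written; it does not stop them from running while the user is logged in.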

Another option is to implement mandatory profiles.  Mandatory profiles are designed so that any changes that a user makes to their profile directory are automatically overwritten with a clean and pristine copy of an approved profile when a user logs off.

Despite these tools, profile redirection or mandatory profiles will not completely prevent users from running unauthorized software.  Regardless of where a profile is located, a user must still have write permissions to it in order for applications to function correctly.


In the case of a mandatory profile, a user can write to a local copy of the mandatory profile, and that copy is later overwritten by a clean copy of the mandatory profile when the user logs out.  While a user is logged in though, they have write access to their profile directory.

To see why this is a problem, think about the way Internet Explorer works. When a user visits a Web page, the contents of that page (HTML code, images, etc.) are downloaded to a cache directory. If a user happened to visit a malicious Web page, any malware that might exist on the page is also written to the cache directory, where it would then be executed.

If the user had a mandatory profile, the contents of the profile directory would eventually be overwritten, but by that time the problem downloads have already occurred.

In terms of IT management, NTFS permissions policies lack a centralised management component, meaning that there is no 'big picture' of organization users available.  Microsoft does not offer a built-in console that allows you to set NTFS permissions across all of your workstations. Even if they did, performing blanket lockdowns at the NTFS level could make it difficult to install new applications or software patches.

5.   APPLICATION WHITELISTING IS A GENTLER FORM OF "LOCKDOWN"

Application Whitelisting solutions address these issues and provide organisations with more flexibility and granularity for all users regarding the applications that can and cannot be run.  Users can be left running as administrators, allowing them to update client software as needed, including Web applications.

Software that's detrimental can be automatically blacklisted, but resources (and/or subscription models) may be needed to keep the list current.  Depending on the user, new software can be allowed or blocked by policy.

In either case, it is always logged, so that the organisation can centrally monitor all workstations. In addition to security protection, Application Whitelisting solutions provide operational benefits by preventing the arbitrary introduction and execution of unknown code on endpoints, even for administrators.

There are several security and operational reasons that organisations may want to use Application Whitelisting solutions:

• To ensure that unlicensed software isn't being used

• To manage known PC configurations so that enterprise software is easier to deploy and maintain

• To restrict users from running software that could be detrimental to enterprise systems or the network

• To prevent users from adding applications that will require increased support and cost, and

• To prevent users from visiting a malicious Web site and inadvertently executing zero-day attacks.

Origin IT has all the resource and experience your business requires to address administrator-related issues and IT Support for your organisation. Please contact us for more information: www.originit.co.nz

Wednesday, 19 October 2011

SOCIAL MEDIA: THE 5 BIGGEST THREATS TO YOUR BUSINESS
--------------------------------------------------------------------------------------------------------------------------

Social media platforms such as Twitter, Facebook and LinkedIn increasingly are being used by enterprises to engage with customers, build their brands and communicate information to the rest of the world.

But social media for enterprises isn't all about "liking," "friending," "up-voting" or "digging." For organizations, there are real risks to using social media, ranging from damaging the brand to exposing proprietary information to inviting lawsuits.


Here are five of the biggest social media security threats:

5. MOBILE APPS
The rise of social media is inextricably linked with the revolution in mobile computing, which has spawned a huge industry in mobile application development. Naturally, whether using their own or company-issued mobile devices, employees typically download dozens of apps because, well, because they can.

But sometimes they download more than they bargained for. In early March, Google removed from its Android Market more than 60 applications carrying malicious software. Some of the malware was designed to reveal the user's private information to a third party, replicate itself on other devices, destroy user data or even impersonate the device owner.

And all because this new game is supposed to be even better than Angry Birds!

4. SOCIAL ENGINEERING
A favorite of smooth-talking scammers everywhere, social engineering has been around since before computer networks. But the rise of the Internet made it easier for grifters and flim-flam artists to find potential victims who may have a soft spot in their hearts for Nigerian royalty.

Social media has taken this threat to a new level for two reasons: 1) People are more willing than ever to share personal information about themselves online via Facebook, Twitter, Foursquare and Myspace, and 2) social media platforms encourage a dangerous level of assumed trust. From there it's a short step to telling your new friend about your company's secret project. Which your new friend really might be able to help with if you would only give him a password to gain access to a protected file on your corporate network. Just this once.

3. SOCIAL NETWORKING SITES
Sometimes hackers go right to the source, injecting malicious code into a social networking site, including inside advertisements and via third-party apps. On Twitter, shortened URLs (popular due to the 140-character tweet limit) can be used to trick users into visiting malicious sites that can extract personal (and corporate) information if accessed through a work computer. Twitter is especially vulnerable to this method because it's easy to retweet a post so that it eventually could be seen by hundreds of thousands of people.


2. YOUR EMPLOYEES
You knew this was coming, but even the most responsible employees have lapses in judgment, make mistakes or behave emotionally. Nobody's perfect all of the time.

But dealing with an indiscreet comment in the office is one thing; if the comment is made on a work-related social media account, then it's out there, and it can't be retrieved. Just ask Ketchum PR Vice President James Andrews, who two years ago fired off an infamous tweet trashing the city of Memphis, hometown of a little Ketchum client called FedEx (FDX), the day before he was to make a presentation to more than 150 FedEx employees (on digital media, no less!).

The tweet was discovered by FedEx employees, who emailed angry missives to Ketchum headquarters protesting the slight and wondering why FedEx was spending money on a snooty New York PR firm while employees were dealing with a 5% salary cut during a severe recession. Andrews had to make a very public and humiliating apology.


Remember, this wasn't some low-level employee not tuned into the corporate mission. This was a high-level communications executive who damaged his company's brand and endangered an account. Imagine what a disgruntled low-level employee without as much invested in his job might be able to do with social media tools and a chip on his shoulder.

1. LACK OF A SOCIAL MEDIA POLICY
This one's totally on you. Without a social media policy for your enterprise, you are inviting disaster. You can't just turn employees loose on social networking platforms and urge them to "represent." You need to spell out the goals and parameters of your enterprise's social media initiative. Otherwise you'll get exactly what you're inviting - chaos and problems.

Who is allowed to use social media on behalf of the organization and what they're allowed to say are the two most obvious questions that must be addressed in a social media policy. You need to make all this clear or employees will make decisions on their own, on the fly. Does that sound like a good thing?
 


Two more imperatives related to social media policy:

1) Organizations must conduct proper training for employees, if only to clear up issues regarding official social media policies, and

2) A social media initiative needs a coordinator and champion. And that means a social media manager.
  
Report courtesy Chris Nerney @ CIO.com

Sunday, 16 October 2011

Virtual computing solutions for the virtual work-style

Two distinct forces are reshaping the way business and IT operate: the tightened budgets of the still-unpredictable economic environment and a workforce that is becoming ever more dynamic and demanding. Businesses are therefore seeking a solution that fosters, if not enables, the virtual work-style—enabling their employees to be productive anytime, anyplace—while also taking measures to leverage IT as a business enabler.

Virtual computing can make the borderless workplace drastically simpler and more effective, for workers as well as IT management. The consumerisation of IT is eliminating the need for corporate ownership of devices, networks and data centres, freeing employees to use the device they want—wherever they may be—and have access to any applications required. Meanwhile IT gets more control over what really matters, such as security, data and cost.

Virtual computing not only improves corporate agility, employee flexibility and productivity but also increases security, facilitates self-service and promotes scalable computing capacity— all while diminishing overhead.



The following are the key enablers supporting the virtual work-style.
  • Embracing device and network independence:
Research shows that users of tablet devices such as the iPad increasingly want to use them for work purposes, feeling that it makes them more productive. Because virtualisation enables any device to become a fully functioning desktop, the iPad and other such devices that foster telework and mobility offer the same functionality as office-bound devices, with the ubiquitous access permitted only by a mobile device.
  • Securing the service, not the endpoint:
Another benefit of device and network independence is being able to focus on securing sensitive information and transactions rather than endpoints. Companies are finding this simpler security approach to be both less expensive and more effective.
  • Delivering self-serve user experiences:
Do-it-yourself consumer services such as Amazon.com and iTunes have led people to crave similar control over IT processes when they’re at work. Products that provide these same capabilities from within the enterprise equip employees to handle basic jobs such as installing and updating applications on their own. The end results are lower management costs and happier, more productive employees.
  • Providing capacity on demand:
It’s inefficient to maintain a large infrastructure that infrequently needs to support peak requirements. Using virtualisation and cloud computing to virtualise data centers, organisations can instead scale their IT resources up and down as needed. That saves money while increasing agility.
  • Adopting pay-as-you-go pricing:
Taking a page from the subscription-based payment methods common among software as a service (SaaS) solutions, companies are exchanging fixed-price licensing for variable-pricing models in which they pay only for the services they use. Many organisations are using these technologies to bring exciting concepts such as these to life. These technologies play a key role in building flexible virtual computing solutions that are device and network-neutral. They also help companies transmit private information over public infrastructure safely and speedily.
The modern workplace rapidly developing today is a dynamic and agile business environment—far different from what it was even very recently. Virtual computing is the flexible platform needed to support and drive this brave new business world.
Report courtesy Cisco Systems
For expert advice regarding any aspect of Virtualisation please don't hesitate to contact Origin IT for expert consultation from our Consultants