Alternatives to Desktop Lockdown

This is another post based on notes from the Gartner Information Security Summit. Neil MacDonald gave a talk titled Five Alternatives to Desktop Lockdown: Balancing Control and Creativity.
Desktop Lockdown has failed.
But so has complete freedom.
So what do you do?
From an operational perspective, desktop lockdown was performed to reduce the number of disk images the helpdesk had to maintain. It reduced application conflicts and visits by the helpdesk. From a security perspective, lockdown was performed to prevent malware and to prevent users from disabling security applications.
Lockdown has failed for a number of reasons. In XP, the locked-down experience is lacking. You can’t change the time zone or install a printer driver. It’s not workable for the traveling user.
Locking down computers failed because new technologies bypass local controls. For example, it doesn’t prevent the user from using Google Apps and other forms of cloud computing in an insecure manner. Being a standard user doesn’t even prevent all software installs. Google Chrome installs as a standard user. Microsoft was pressured to make Silverlight install without administrative rights. As long as the software only writes to your user profile and your portion of the registry, it can install as a standard user. Malware writers will not be deterred by lack of admin rights.
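As an added example (not from the post or the talk), here is a PowerShell inventory of exactly what the paragraph describes: software that registered itself only in the user's own hive and autoruns that point into the user profile, neither of which needed admin rights. The registry paths are the standard per-user Uninstall and Run keys; run it as the user being inspected.

```powershell
# Added example: list software a standard user could have installed without
# admin rights. Per-user installs register under HKCU rather than HKLM, and
# their binaries live in the profile (e.g. %LOCALAPPDATA%).
# Assumption: run in the context of the user whose profile is being inspected.

function Get-PerUserInstalls {
    $uninstall = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Uninstall'
    if (Test-Path $uninstall) {
        Get-ChildItem $uninstall | ForEach-Object {
            $p = Get-ItemProperty $_.PSPath
            [pscustomobject]@{
                Source   = 'HKCU Uninstall'
                Name     = $p.DisplayName
                Version  = $p.DisplayVersion
                Location = $p.InstallLocation
            }
        }
    }
}

function Get-PerUserAutoruns {
    $run = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    if (Test-Path $run) {
        # Get-ItemProperty adds PS* metadata properties; skip those.
        (Get-ItemProperty $run).PSObject.Properties |
            Where-Object { $_.Name -notlike 'PS*' } |
            ForEach-Object {
                [pscustomobject]@{
                    Source    = 'HKCU Run'
                    Name      = $_.Name
                    Command   = $_.Value
                    # True when the autorun command lives inside the user profile,
                    # i.e. it was placed there without administrative rights.
                    InProfile = ($_.Value -like "*$env:USERPROFILE*")
                }
            }
    }
}

Get-PerUserInstalls | Format-Table -AutoSize
Get-PerUserAutoruns  | Format-Table -AutoSize
```

Nothing here requires elevation, which is the point: a standard user (or malware running as one) can populate both keys, so a lockdown policy that only removes admin rights should be paired with monitoring of them.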
It’s almost a cliché at this point, but the consumerization of IT has led to a new workforce: Generation Y digital natives. They may not be better at not falling for fake AntivirusXP, but they expect full access all the time.
Does IT really know what people need to do their jobs? Locking down was supposed to be a means to an end, not an end itself. Protecting the data is the primary goal.
Saying that lockdown has failed does not mean that complete freedom has succeeded.
The cost of managing end-user computers is far greater for unmanaged computers. The risk of virus attacks is much greater with administrative rights.
So what do you do? The talk reviewed multiple alternatives.
Alternative 1: De-Privilege Admins – UAC
UAC prompts to elevate rights when admin rights are needed.
As you already know, that can be annoying if you have a lot of poorly written applications that need admin rights. Also, depending on the user, this can be barely a speedbump in stopping malware.
Alternative 2: Whitelist
While basic whitelisting is currently available in Windows XP and later as well as in most Endpoint Protection (AV) applications, newer offerings from companies like Bit9 make it easier to whitelist. They maintain the lists so you don’t have to manually update each time a new version is released. They can also use reputation services that make a judgment about new or unknown files.
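To make the built-in option concrete, here is an added example (not from the post or the talk) that uses the Windows AppLocker cmdlets to build an allow-list from a trusted baseline and then checks, without enforcing anything, how executables sitting in the current user's profile would fare against it. It assumes an edition with the AppLocker cmdlets (Windows 7 Enterprise / Server 2008 R2 or later) and treats C:\Program Files and C:\Windows as the trusted baseline.

```powershell
# Added example: generate an AppLocker allow-list from a clean reference
# machine and test per-user-installed executables against it (audit only).
# Assumptions: AppLocker cmdlets are present; the baseline directories below
# are trusted; nothing here imports or enforces the policy.

$baseline  = 'C:\Program Files', 'C:\Program Files (x86)', 'C:\Windows'
$policyXml = Join-Path $env:TEMP 'allowlist-example.xml'

# Publisher rules for signed binaries, hash rules for the rest.
Get-ChildItem -Path $baseline -Recurse -Include *.exe -ErrorAction SilentlyContinue |
    Get-AppLockerFileInformation -ErrorAction SilentlyContinue |
    New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone -Optimize -Xml |
    Set-Content -Path $policyXml

# Software a standard user installed without admin rights lands in the profile.
$profileExes = Get-ChildItem -Path $env:LOCALAPPDATA, $env:APPDATA -Recurse `
    -Include *.exe -ErrorAction SilentlyContinue

if ($profileExes) {
    $results = Test-AppLockerPolicy -XmlPolicy $policyXml -Path $profileExes.FullName -User Everyone

    # Summary: how many profile executables the baseline policy would allow or deny.
    $results | Group-Object PolicyDecision | ForEach-Object {
        '{0}: {1} file(s)' -f $_.Name, $_.Count
    }

    # Detail for the denied ones; each is a candidate for review or an explicit rule.
    $results | Where-Object { $_.PolicyDecision -eq 'Denied' } |
        Select-Object FilePath, MatchingRule
}

# Review the XML and set each rule collection's EnforcementMode to AuditOnly
# before importing it with Set-AppLockerPolicy; enforce only after the audit log
# shows no legitimate business applications being blocked.
```

Running this on a representative user's machine before any rollout answers the objection raised in the next paragraph with data: it lists the exact executables that a baseline policy would block.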
One user, when told we were considering this technology, stated that as an engineer he installs all sorts of software and that really important work would stop if he couldn’t install every random file he found on the Internet.
Host-based Intrusion Prevention Systems (HIPS) also fall into this category. They are much more complex and can cause instability issues depending on how they are integrated.
Alternative 3: Remote Presentation
In this scenario users log into a remote server such as VMware or a terminal server. Of the local computer and the remote session, one is managed and the other is unmanaged.
This scenario requires solid network connectivity. It also isn’t clear how the network is protected from the unmanaged computer.
Alternative 4: Multiple Virtual Machines Running Locally
Unlike the previous example, the user does not depend on a remote session: the virtual machines run on the local computer.
The major drawbacks to this approach are licensing cost, patching, and extra hardware cost.
In the future the hypervisor may make it to the desktop for better performance, but we are not there yet.

Alternative 5: Workspace Virtualization
In this alternative the risky applications are put into their own sandbox.
Ringcube, Creedo, and InstallFree are three vendors in this space.
Alternative 6: Hybrid
A few from column A and a few from column B.
Alternative 7: Employee-Owned PCs
I’ve read the articles on companies that are providing dollars for people to buy and support their own computer. I also read about a smaller company where the owner considered the computer like a toolbox. The craftsman provides his own tools. Not a great analogy, because a craftsman’s power saw isn’t going to get infected and DDoS the network. (Although cheap worker-provided power tools could break spectacularly in a particularly liable fashion.)
The analogy provided during the presentation was a road. A trucker provides the truck. He can buy the truck he wants, but it must meet certain requirements. Then while used on the road he must obey traffic laws. Officer Friendly is waiting to write a speeding ticket.
Those are seven alternatives to desktop lockdown. I think that application whitelisting will become the most mainstream the fastest. Although virtualization is moving fast. XP mode within Windows 7 is virtualization. I believe Macs have a virtual MS Windows. The question I would have is what gets virtualized. Every Internet facing application?
For the longest time, vendors made me feel like I was at the only company in America to allow Administrator rights to users. (Neil MacDonald, if you head this way I’d love to know what percentage of companies in general, and Federal Contractors in particular, lock down the computers by restricting admin rights as required by the FDCC.) It is very interesting to hear about some other solutions. Obviously antivirus is not working, but we still need to provide protections.
