[ISN] Standard desktops, special needs

From: InfoSec News (alerts@private)
Date: Tue May 29 2007 - 22:17:42 PDT


http://www.gcn.com/print/26_12/44351-1.html

By Rutrell Yasin
GCN
05/28/07 issue

Officials at Vandenberg Air Force Base, Calif., have found a way to 
manage user privileges in an enterprise Windows environment while 
adhering to requirements for a standard desktop PC configuration 
mandated by the Air Force and the Office of Management and Budget.

The system lets users run specialized — but authorized — applications 
not included in the standard configuration without undue intervention by 
a system administrator.

OMB issued guidelines in March that require federal agencies to comply 
with standard Windows XP and Vista security requirements by Feb. 1, 
2008. Having preloaded, secure configurations of Windows software on 
desktop PCs will let agencies tighten security and better manage desktop 
systems.

The OMB requirements, based on similar initiatives by the Air Force, 
will require agencies to restrict administrator rights on all desktop 
computers. OMB is expanding on the work of the Air Force, Army, Defense 
Information Systems Agency, National Institute of Standards and 
Technology, National Security Agency and Homeland Security Department to 
develop a standard Windows configuration.


Early start

Vandenberg started to comply with the Air Force’s standard desktop 
configuration in January. Before the move, base officials knew they had 
to develop a way to deploy desktop systems without administrative 
privileges while allowing users to run or install all authorized 
applications.

“Before this migration, there were certain groups of users that had 
administrative privileges on their machine so they could run these 
special applications,” said Mike De Bruin, senior systems engineer at RS 
Information Systems, an on-site contractor at Vandenberg, who manages 
user privileges for a squadron at the base.

The Air Force has many homegrown applications, he said. “You have your 
standard apps like Microsoft Office, and there are a lot of customized 
applications [that] required administrative privileges to run,” he said.

De Bruin’s squadron considered a couple of options before picking a 
solution that would let him manage 500 users and 450 desktop PCs. 
Currently, the standard desktop configuration environment is for Windows 
XP Service Pack 2.

One workaround would have required someone with administrative rights to 
log on to a user’s computer and then personally monitor the situation 
while the user ran the application.

Another option would have required the administrator to log on to the 
user’s computer from the administrative system and give the user rights 
for one session.

The administrator would not have to stand at the user’s computer and 
monitor activity, but every time the user needed to use the application, 
the administrator would have to repeat the process, De Bruin said. If 
the user needed access to the application several times a day, that 
could become a cumbersome task.


One to many

Some squadrons on base are still opting for one of these scenarios. But 
De Bruin found the answer to his administrative rights dilemma in 
Privilege Manager software from BeyondTrust.

The squadron needed software that could work with Microsoft’s Group 
Policy, a feature of Windows that helps the squadron achieve a standard 
desktop configuration.

Group Policy and the Active Directory services infrastructure in Windows 
Server 2003, for example, let IT administrators automate one-to-many 
management of users and computers. Administrators can efficiently 
implement security settings, enforce IT policies, and distribute 
software consistently across a given site, domain or range of 
organizational units.

Using Privilege Manager, administrators can download a small application 
onto users’ desktops that integrates with Group Policy.

“You point it to the right application on the [user’s] computer,” he 
said. The software lets IT administrators filter privileges in many 
different ways — by times of day or specific computers, IP addresses, 
users or organizational units, De Bruin said. For example, “I am able to 
get granular to make sure that the accounting people have admin rights 
for accounting applications” instead of users who should not have 
access, he said.

“Unless you get granular, you’re just opening up security holes,” he 
said.
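The targeting described above (elevate one executable, only for the right group, organizational unit, network and time of day, and deny everything else) can be modelled as a small default-deny rule evaluator. The following is an added example written for this page, not code from GCN, the Air Force or BeyondTrust, and it does not reflect Privilege Manager's real policy format or API; the rule names, executable paths, OU names, group names and addresses are all constructed. Besides evaluating requests, it flags rules that carry no targeting at all, which is the "opening up security holes" case De Bruin warns about.

```python
# Toy per-application elevation policy evaluator (added example; constructed data).
from dataclasses import dataclass
from datetime import time
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class ElevationRule:
    """One per-application elevation rule with optional targeting filters.
    An empty or None filter places no restriction on that dimension."""
    name: str
    app_path: str                          # executable allowed to run elevated
    groups: frozenset = frozenset()        # security groups allowed to use the rule
    ou_suffix: Optional[str] = None        # user DN must end with this OU suffix
    networks: tuple = ()                   # ip_network objects the client must be in
    window: Optional[tuple] = None         # (start, end) local time of day

    def matches(self, req: "ElevationRequest") -> bool:
        if req.app_path.lower() != self.app_path.lower():
            return False
        if self.groups and not (self.groups & req.groups):
            return False
        if self.ou_suffix and not req.user_dn.upper().endswith(self.ou_suffix.upper()):
            return False
        if self.networks and not any(req.client_ip in net for net in self.networks):
            return False
        if self.window and not (self.window[0] <= req.when <= self.window[1]):
            return False
        return True

    def is_blanket(self) -> bool:
        """True when nothing but the executable path constrains the elevation."""
        return not (self.groups or self.ou_suffix or self.networks or self.window)


@dataclass(frozen=True)
class ElevationRequest:
    app_path: str
    user_dn: str
    groups: frozenset
    client_ip: object      # IPv4Address or IPv6Address
    when: time


def evaluate(rules, req):
    """Default deny: elevate only when some rule matches the whole request."""
    for rule in rules:
        if rule.matches(req):
            return ("elevate", rule.name)
    return ("deny", "no matching rule")


def blanket_rules(rules):
    """Names of rules that hand out elevation for an executable to anyone, anywhere, anytime."""
    return [r.name for r in rules if r.is_blanket()]


# Constructed policy: one tightly targeted rule and one deliberately over-broad rule.
RULES = (
    ElevationRule(
        name="accounting-app",
        app_path=r"C:\Program Files\AcctApp\acct.exe",
        groups=frozenset({"Accounting"}),
        ou_suffix="OU=Accounting,DC=example,DC=test",
        networks=(ip_network("10.20.0.0/16"),),
        window=(time(7, 0), time(18, 0)),
    ),
    ElevationRule(name="legacy-tool-anyone", app_path=r"C:\Tools\legacy.exe"),
)


def decide(app_path, user_dn, groups, client_ip, when):
    """Build a request from plain strings (when as 'HH:MM') and evaluate it against RULES."""
    req = ElevationRequest(
        app_path=app_path,
        user_dn=user_dn,
        groups=frozenset(groups),
        client_ip=ip_address(client_ip),
        when=time.fromisoformat(when),
    )
    return evaluate(RULES, req)


if __name__ == "__main__":
    acct_dn = "CN=jdoe,OU=Accounting,DC=example,DC=test"
    acct_exe = r"C:\Program Files\AcctApp\acct.exe"
    print(decide(acct_exe, acct_dn, {"Accounting", "Domain Users"}, "10.20.4.17", "09:30"))
    print(decide(acct_exe, acct_dn, {"Domain Users"}, "10.20.4.17", "09:30"))      # wrong group
    print(decide(acct_exe, acct_dn, {"Accounting"}, "10.20.4.17", "19:00"))        # after hours
    print("blanket rules to review:", blanket_rules(RULES))
```

Every dimension is evaluated against the whole request, so a user who satisfies four filters but not the fifth is still denied; that is the difference between a granular rule and giving a group standing administrator rights.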






This archive was generated by hypermail 2.1.3 : Tue May 29 2007 - 22:35:05 PDT