Securing the Enterprise on Windows 7
Market migration trends continue to prove Windows 7 to be the OS of choice over Vista as XP support nears its sunset date. However, Windows 7 brings little relief for enterprises planning to deploy end users without administrator rights, the recommended best practice for better security and compliance. In a recent Microsoft vulnerability analysis, it was found that 90 percent of Critical Windows 7 operating system vulnerabilities are mitigated by having users log in as standard users.
For enterprises where desktop security is an important initiative, Windows 7 lacks the necessary granularity to effectively manage enterprise-wide privileges, putting enterprises in an uncomfortable position. They must either adopt the recommended security practice of removing administrative rights, which will overwhelm their help desk with support calls and hamper productivity, or grant end users privileges that can provide access points for malware, hackers, and insider threats. A solution that elevates applications to run for users without admin rights will enable companies to adopt this best security practice.
UAC
Windows 7 introduced the 4-position UAC slider, which can only be operated if the user has administrator rights. Standard users are still not allowed to run applications that require elevated privileges without responding to a prompt asking for the local administrator username and password. Providing the user with these credentials gives the user complete control of the computer and all security decisions. The alternative would be the infeasible solution of sending individual requests to an administrator who would input credentials every time. In essence, UAC remains a pre-emptive run-as security option built into the OS.
With PowerBroker for Desktops, a user can run all necessary applications without being prompted for admin credentials. The UAC slider tool would be set to no-prompt mode so the user will not need admin credentials. The enterprise stays secure because system administrators assign permission levels to Windows applications and processes via Group Policy, which manages granular privilege access for standard users without giving them admin credentials.
There are significant cost savings for companies that run all users as standard users prior to migrating to Windows 7. According to Gartner, there is a significant reduction in TCO between a managed desktop where the user is an administrator and a desktop where the user is a standard user, due to the fact that they have fewer applications to manage, which affects the costs incurred during application remediation and repackaging.
AppLocker
The built-in whitelisting feature, AppLocker, will quickly identify applications for approval or denial but still requires users to authenticate as an admin for applications that require that level of permission, even if they are whitelisted. Those users granted admin credentials can circumvent AppLocker, allowing all applications to run and opening up the enterprise to serious security risks.
Users running with standard user rights still need a solution that allows apps requiring admin rights to run or install without having the admin user name and password. AppLocker and PowerBroker for Desktops are complementary solutions; however, using AppLocker alone to secure the enterprise is not enough. PowerBroker for Desktops transparently allows those applications that AppLocker has whitelisted to run for the user without the user having admin rights.
Windows 7 MED-V & XP Mode virtualization
To resolve application compatibility issues that still exist after Windows 7 Application Compatibility testing (AppCompat v5.5), Windows 7 ships with an option to launch XP in virtual mode. MED-V and XP VM resolve application incompatibility by running these applications in an XP VM, which only moves the exploitable security vector from the Windows 7 host to the XP VM. Admin credentials must still be given to the user running in XP VM to run applications that require elevation.
PowerBroker for Desktops is key to solving compatibility issues. PowerBroker for Desktops 4.7 is a Windows 7 certified compatible solution that will allow enterprises to remove administrator rights in a Windows 7 environment to improve security and meet compliance requirements. PowerBroker for Desktops allows users to run all authorized applications by transparently granting administrative privileges to the specified applications and activities that require them. This empowers IT to eliminate the risk of intentional, accidental and indirect misuse of privileges on desktops without impacting productivity and grants end users the necessary privileges to do their job. The latest version of PowerBroker for Desktops enables wildcard characters in policy rules and allows the enterprise to manage when policies are activated based on timing, frequency or network access.
There will always be a need for the user to provide administrator credentials on Windows platforms. PowerBroker for Desktops 4.7 makes the transition to a Windows 7 environment easier and more secure with new policy rules to simplify the process of granting elevated privileges. PowerBroker for Desktops 4.7 is essential for a secure migration to Windows 7 in large enterprises.
PowerBroker for Desktops Highlights in Windows 7
- Enables end users without admin rights to run all apps
- Allows restricted users to self-install approved apps and web plugins
- Operates transparently to the end user – no pop-ups or consent dialogues in Win7 environments
- Centralizes control – network admins make security decisions – end users do not
- Supports Windows 7 and 64-bit platforms
PowerBroker for Desktops
“PowerBroker for Desktops has enabled us to remove administrator rights from approximately 3000 managed clinical computers in the hospital, virtually eliminating malware on these machines and addressing HIPAA compliance requirements. All of the users on these computers now follow the security best practice of least privilege,” said Scott Sands, IS Technical Development, Beth Israel Deaconess Medical Center. “As we look to deploy Windows 7 in the future, it’s reassuring to know that BeyondTrust will help us secure desktops running the new operating system and continue to ensure that users will be able to run the applications and installs our users need without administrator rights or UAC prompts.”