5 Tips for Flexible Desktop Lockdown

October 20, 2017


Desktop lockdown shouldn’t hinder a user from performing their day-to-day role. Rather, locking down desktops should provide a secure environment in which the user can effectively go about their tasks, without the frustration of being 'locked out'. Here we've provided 5 tips to help you on your way to achieving flexible desktop lockdown.

1. Implement Least Privilege

If you are serious about desktop lockdown then you really need to adopt least privilege. If users are logging on with admin rights (or power user rights) then locking down desktops becomes an almost impossible and thankless task.

If the only thing stopping you from implementing least privilege is that users need to run problem applications, perform basic admin tasks, such as connecting printers, or install approved software, then consider a privilege management solution to enable desktop lockdown. Privilege management solutions allow individual applications to be elevated under a standard user account, making it possible to remove admin rights from users.

2. Review and Secure Access Control Lists (ACLs)

The access control lists (ACLs) on files and registry settings should be addressed before you get too concerned with applying the various group policy settings that can be used for desktop lockdown. Many of those group policy settings simply hide features in the Explorer shell and other applications, and do not necessarily secure the underlying desktop build.

Assuming you have implemented least privilege, you should ensure that users only have read and execute access to the operating system files and installed applications. If any applications run from the network then make sure that write access is also restricted on the relevant network shares.

The modification of ACLs on files and registry settings can be centralized through group policy security settings.
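As an added example (not code from the original post), the following PowerShell script audits the ACLs described above: it walks the OS and application directories and the HKLM\SOFTWARE hive and reports every entry that grants a standard-user principal write access. It assumes an elevated session on the desktop build being audited.

```powershell
# Added example (not from the original post): find OS, application and registry
# locations where standard-user principals hold write access. Run elevated on the
# desktop build being audited; scanning %SystemRoot% takes several minutes.
$LowPrivPrincipals = @('BUILTIN\Users', 'NT AUTHORITY\Authenticated Users',
                       'Everyone', 'NT AUTHORITY\INTERACTIVE')

function Find-WritableByStandardUsers {
    param(
        [string[]]$Path,          # provider paths (file system or registry)
        [int]$WriteMask,          # rights that allow creating or changing content
        [string]$RightsProperty   # 'FileSystemRights' or 'RegistryRights'
    )
    # Get-ChildItem works for both providers; PSPath keeps the provider prefix for Get-Acl.
    foreach ($item in Get-ChildItem -Path $Path -Recurse -ErrorAction SilentlyContinue) {
        $acl = Get-Acl -LiteralPath $item.PSPath -ErrorAction SilentlyContinue
        if (-not $acl) { continue }
        foreach ($ace in $acl.Access) {
            # Only Allow entries widen access; Deny entries tighten it.
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($LowPrivPrincipals -notcontains $ace.IdentityReference.Value) { continue }
            # Rights are flags enums; generic rights surface as raw integers, so compare as int.
            if (([int]$ace.$RightsProperty -band $WriteMask) -ne 0) {
                [pscustomobject]@{
                    Path      = $item.PSPath -replace '^.*::', ''
                    Principal = $ace.IdentityReference.Value
                    Rights    = $ace.$RightsProperty
                    Inherited = $ace.IsInherited
                }
            }
        }
    }
}

# Masks: anything that lets a standard user plant or replace content.
$fs  = [System.Security.AccessControl.FileSystemRights]
$FileWrite = [int]($fs::WriteData -bor $fs::AppendData -bor $fs::Modify -bor $fs::FullControl)
$reg = [System.Security.AccessControl.RegistryRights]
$RegWrite  = [int]($reg::SetValue -bor $reg::CreateSubKey -bor $reg::FullControl)

$Roots = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }
$Findings  = @(Find-WritableByStandardUsers -Path $Roots -WriteMask $FileWrite -RightsProperty FileSystemRights)
$Findings += Find-WritableByStandardUsers -Path 'HKLM:\SOFTWARE' -WriteMask $RegWrite -RightsProperty RegistryRights

$Findings | Sort-Object Path -Unique | Format-Table -AutoSize
```

A few hits, such as %SystemRoot%\Temp, are writable by design; review the remainder against what the build actually requires and tighten the rest through group policy security settings.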

3. Restrict Software Installation

Probably one of the biggest security and stability threats to the desktop build is the installation of unapproved software. Implementing least privilege will remove a large percentage of unapproved software installations, as most will require admin rights to install.

However, this still leaves you with a couple of potential problems. Firstly, how do you eliminate unapproved software that doesn't require admin rights to install? Secondly, how do you allow a user to install approved software under a standard user account? The first of these problems can be solved with an application control solution, which I will cover in the next tip. The second problem requires a privilege management solution, which I covered in the first tip, implement least privilege.

If you decide to invest in a privilege management solution then ensure that this solution can handle elevated software installations and the installation of ActiveX controls in Internet Explorer.

4. Implement Application Control

Many unapproved applications can run as standalone executables or install with standard user rights. In order to eliminate these applications from the desktop build you will need to consider an application control tool.

If you are looking for an application control tool for Windows 7 then you should seriously consider AppLocker, as this is a standard part of Windows 7 and may be managed centrally through group policy. If your desktops are running Windows XP or Windows Vista, or you have a mixed environment, then consider Software Restriction Policies (SRP), although it lacks the flexibility of AppLocker and is more difficult to manage.

If you find that SRP or AppLocker is not adequate then there are a number of third-party solutions available that provide flexible application control. Some privilege management solutions also include application control, which will enable you to use a single solution to control both the applications that run and the privileges assigned to them.
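To show how AppLocker can be put to work for the Windows 7 case above, here is an added example (not the post's own code) that builds an EXE rule set from the approved desktop build, switches it to audit-only mode, dry-runs a couple of binaries against it and applies it locally. It assumes an elevated session on a reference machine with the AppLocker module available and the Application Identity (AppIDSvc) service running; the output file path is a constructed value.

```powershell
# Added example (not the post's own code): build an AppLocker EXE rule set from the
# approved desktop build, apply it in audit-only mode, and test sample paths.
# Assumes an elevated session on a reference machine with the AppLocker module
# available and the Application Identity (AppIDSvc) service running.
Import-Module AppLocker
$PolicyFile = Join-Path $env:TEMP 'desktop-applocker.xml'   # constructed output path

# Collect executables from locations that, after tip 2, standard users cannot write to.
$Sources = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:SystemRoot) | Where-Object { $_ }
$Approved = foreach ($dir in $Sources) {
    Get-AppLockerFileInformation -Directory $dir -Recurse -FileType Exe -ErrorAction SilentlyContinue
}

# Publisher rules survive patching; hash rules cover unsigned binaries.
# -Optimize merges rules that cover the same publisher/product.
$Approved | New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone -Optimize -Xml |
    Out-File -FilePath $PolicyFile -Encoding utf8

# Start in AuditOnly: blocks are logged (event 8003) but not enforced while rules are tuned.
[xml]$Policy = Get-Content -Path $PolicyFile -Raw
foreach ($collection in $Policy.AppLockerPolicy.RuleCollection) {
    if ($collection.Type -eq 'Exe') { $collection.SetAttribute('EnforcementMode', 'AuditOnly') }
}
$Policy.Save($PolicyFile)

# Dry-run known binaries against the policy; anything reported as DeniedByDefault needs a rule.
$Samples = @("$env:SystemRoot\System32\notepad.exe", (Join-Path $PSHOME 'powershell.exe'))
Test-AppLockerPolicy -XmlPolicy $PolicyFile -Path $Samples -User Everyone |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# Apply to the local policy; in a domain, target a GPO with -Ldap instead.
Set-AppLockerPolicy -XmlPolicy $PolicyFile
```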

5. Audit and Refine Desktop Lockdown Policies

Beyond its value for compliance, auditing is crucial to refining desktop lockdown policies. You are unlikely to implement a perfect set of lockdown policies on your first attempt, but don’t let this discourage you.

Ensure that the solutions you use for privilege management and application control have comprehensive auditing capabilities. Understanding which applications have run with elevated rights and which have been blocked from running will enable you to fine-tune your lockdown policies for desktops.
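As an added example of the kind of review described above (not code from the original post), this PowerShell script summarises AppLocker's audit (event 8003) and block (event 8004) records for the last seven days, one row per file and outcome with the hit count and affected users. It assumes it runs elevated on the machine holding the AppLocker EXE and DLL log.

```powershell
# Added example (not from the original post): summarise AppLocker audit (8003) and
# block (8004) events for the last 7 days so rules can be tuned before and after
# enforcement. Assumes an elevated session on the machine holding the log.
$LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'
$Events = Get-WinEvent -FilterHashtable @{
    LogName   = $LogName
    Id        = 8003, 8004
    StartTime = (Get-Date).AddDays(-7)
} -ErrorAction SilentlyContinue

$Records = foreach ($ev in $Events) {
    # Event details live in UserData/RuleAndFileData; TargetUser is a SID.
    $data = ([xml]$ev.ToXml()).Event.UserData.RuleAndFileData
    try {
        $sid  = New-Object System.Security.Principal.SecurityIdentifier $data.TargetUser
        $user = $sid.Translate([System.Security.Principal.NTAccount]).Value
    } catch { $user = $data.TargetUser }   # keep the SID if it cannot be resolved
    if ($ev.Id -eq 8004) { $outcome = 'Blocked' } else { $outcome = 'Audited' }
    [pscustomobject]@{
        Outcome  = $outcome
        FilePath = $data.FilePath        # AppLocker path variables, e.g. %OSDRIVE%
        FileHash = $data.FileHash
        User     = $user
        Time     = $ev.TimeCreated
    }
}

# One row per file and outcome: hit count, affected users and last occurrence.
$Summary = $Records | Group-Object Outcome, FilePath | ForEach-Object {
    $users = $_.Group | Select-Object -ExpandProperty User | Sort-Object -Unique
    [pscustomobject]@{
        Outcome  = $_.Group[0].Outcome
        FilePath = $_.Group[0].FilePath
        Hits     = $_.Count
        Users    = $users -join ', '
        LastSeen = ($_.Group | Sort-Object Time -Descending | Select-Object -First 1).Time
    }
} | Sort-Object Hits -Descending

$Summary | Format-Table -AutoSize
```

For a quick count without the per-user detail, `Get-AppLockerFileInformation -EventLog -LogPath $LogName -EventType Audited -Statistics` gives the same files with their hit counts.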

Look for solutions that provide good end-user messaging, as this will eliminate end-user confusion when a user has been prevented from running a privileged or unapproved application. In addition, mechanisms that allow a user to provide a reason for requiring access to a blocked application can help to remove the end-user frustration that may result from inadvertently over-locking a user.

Mark Austin
