Desktop lockdown shouldn’t hinder a user from performing their day-to-day role. Rather, locking down desktops should provide a secure environment in which the user can effectively go about their tasks, without giving them the frustration of being 'locked out'. Here we've provided 5 tips to help you on your way to achieving flexible desktop lockdown.
1. Implement Least Privilege
If you are serious about desktop lockdown then you really need to adopt least privilege. If users are logging on with admin rights (or power user rights) then locking down desktops becomes an almost impossible and thankless task.
If the only thing stopping you from implementing least privilege is that users need to run problem applications, perform basic admin tasks, such as connecting printers, or install approved software, then consider a privilege management solution to enable desktop lockdown. Privilege management solutions allow individual applications to be elevated under a standard user account, making it possible to remove admin rights from users.
2. Review and Secure Access Control Lists (ACLs)
The access control lists (ACLs) on files and registry settings should be addressed before you get too concerned with applying the various group policy settings that can be used for desktop lockdown. Many of the group policy settings simply hide features in the explorer shell and other applications, and are not necessarily securing the underlying desktop build.
Assuming you have implemented least privilege, you should ensure that users only have read and execute access to the operating system files and installed applications. If any applications run from the network then make sure that write access is also restricted on the relevant network shares.
The modification of ACLs on files and registry settings can be centralized through group policy security settings.
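One way to check the current state before centralizing ACL changes is shown below. This PowerShell script is an added example, not part of the original article; the function name Find-WritableAce and the choice of folders and groups to inspect are assumptions made for illustration.

```powershell
# Added example: list ACEs that let standard-user groups modify system or application folders.
# Requires PowerShell 3.0 or later. Well-known SIDs are used so the check is locale-independent.
$lowPrivSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-4'      = 'INTERACTIVE'
    'S-1-5-32-545' = 'BUILTIN\Users'
}

# Rights that allow changing content or permissions, plus the raw GENERIC_WRITE (0x40000000)
# and GENERIC_ALL (0x10000000) bits that can appear unmapped in stored ACEs.
$writeNames = 'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$writeMask  = [int][System.Security.AccessControl.FileSystemRights]$writeNames -bor 0x50000000

function Find-WritableAce {   # hypothetical helper name
    param(
        [string[]]$Path = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:SystemRoot)
    )
    foreach ($root in ($Path | Where-Object { $_ -and (Test-Path -LiteralPath $_) })) {
        # Inspect each root and its immediate subfolders (one level keeps the run short).
        $items = @(Get-Item -LiteralPath $root -Force) +
                 @(Get-ChildItem -LiteralPath $root -Directory -Force -ErrorAction SilentlyContinue)
        foreach ($item in $items) {
            try { $acl = Get-Acl -LiteralPath $item.FullName -ErrorAction Stop } catch { continue }
            # Ask for SIDs rather than account names; include explicit and inherited ACEs.
            $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
            foreach ($rule in $rules) {
                $sid = $rule.IdentityReference.Value
                if ($rule.AccessControlType -ne 'Allow' -or -not $lowPrivSids.ContainsKey($sid)) { continue }
                if (([int]$rule.FileSystemRights -band $writeMask) -eq 0) { continue }
                [pscustomobject]@{
                    Path        = $item.FullName
                    Principal   = $lowPrivSids[$sid]
                    Rights      = $rule.FileSystemRights
                    Inherited   = $rule.IsInherited
                    # An inherit-only ACE applies to children, not to the folder itself.
                    InheritOnly = [bool]([int]$rule.PropagationFlags -band 2)
                }
            }
        }
    }
}

Find-WritableAce | Sort-Object Path | Format-Table -AutoSize
```

Run it from an elevated prompt so folders with restrictive ACLs can be read, and review each reported entry before changing permissions.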
3. Restrict Software Installation
Probably one of the biggest security and stability threats to the desktop build is the installation of unapproved software. Implementing least privilege will remove a large percentage of unapproved software installations, as most will require admin rights to install.
However, this still leaves you with a couple of potential problems. Firstly, how do you eliminate unapproved software that doesn't require admin rights to install? Secondly, how do you allow a user to install approved software under a standard user account? The first of these problems can be solved with an application control solution, which I will cover in the next tip. The second problem requires a privilege management solution, which I covered in the first tip, Implement Least Privilege.
If you decide to invest in a privilege management solution then ensure that this solution can handle elevated software installations and the installation of ActiveX controls in Internet Explorer.
4. Implement Application Control
Many unapproved applications can run as standalone executables or install with standard user rights. In order to eliminate these applications from the desktop build you will need to consider an application control tool.
If you are looking for an application control tool for Windows 7 then you should seriously consider AppLocker, as this is a standard part of Windows 7 and may be managed centrally through group policy. If your desktops are running Windows XP or Windows Vista, or you have a mixed environment, then consider Software Restriction Policies (SRP), although it lacks the flexibility of AppLocker and is more difficult to manage.
If you find that SRP or AppLocker are not adequate then there are a number of third party solutions available that provide flexible application control. Some privilege management solutions also include application control, which will enable you to utilize a single solution to control the applications that run and the privileges assigned to them.
5. Audit and Refine Desktop Lockdown Policies
In addition to compliance, auditing is crucial to refining desktop lockdown policies. You are unlikely to implement a perfect set of lockdown policies on your first attempt, but don’t let this discourage you.
Ensure that the solutions you use for privilege management and application control have comprehensive auditing capabilities. Understanding which applications have run with elevated rights and those that have been blocked from running will enable you to fine-tune your lockdown policies for desktops.
Look for solutions that provide good end-user messaging, as this will eliminate end-user confusion when a user has been prevented from running a privileged or unapproved application. In addition, mechanisms that allow a user to provide a reason for requiring access to a blocked application can help to remove the end-user frustration that may result from inadvertently over-locking a user.