Modern IT organizations recognize the cost savings to be gained by empowering users to source and install their own applications, and least privilege provides the layer of security required to grant the use of admin privileges, required for nearly all software installations, without giving the user a full administrator account.
When it comes to downloads, simply defining the application may not always be enough. Considering that one of the most common cyber-attack vectors is tricking users into installing ‘spoof’ software, knowing – and better yet – having control over where users can download and install from on the internet is invaluable in maintaining a secure perimeter, without sacrificing productivity.
Privilege Guard 3.6 (Edit: now Defendpoint) is the first privilege management solution to offer software download tracking – the ability to identify where an application or installation was downloaded from, and define policy based on the download location.
Why track downloads? Predominantly, users download software first and then install or execute it later. By tracking the download of the file itself, you can selectively elevate, block or just monitor its execution when the user chooses to do so, and without reliance on the user running it automatically after it downloads. It also avoids elevating the web browser based on URL, which would introduce a huge security risk, although this would be pointless where the user downloads the software before installing it, which is the more common course of action.
Implementing Software Download Tracking in Privilege Guard is simple, and can be very quickly applied to your existing policies to bolster their effectiveness in managing downloaded apps and installations.
To enable it, simply create a new Application Validation rule, or edit an existing rule. A new validation option will be visible, called Match Source URL:
Match Source URL can be used either on its own or in combination with any other application validation rule, giving you ultimate control over when privileges are granted. The rule above demonstrates applying a policy to the Adobe Reader Installer package, specifically targeting a package which is published (signed) by Adobe Systems Incorporated, and has been downloaded from the Adobe download site.
Here are a couple of examples of how you can utilize Software Download Tracking in your organization…
Allow users to download regularly updated apps
Regularly updated applications such as Adobe Reader and Sun Java Client can be difficult to manage or repackage through delivery systems such as System Center, due to the frequency of their updates. This makes them prime candidates for allowing users to self-install updates. However, these packages are obtainable through many download sites, and search engine results can often bring up many options, some genuine, many unsavoury.
Software Download Tracking policies allow you to empower users to elevate the installation of common software packages, specifically targeting those that are downloaded from genuine locations, such as adobe.com, java.com, etc.
You can take this one step further by actively blocking any attempted installation that did not originate from a trusted location, or the location itself is unknown.
End User Messaging and flexible rules may be used to trigger users to update software, by blocking the execution of older software versions and using embedded hyperlinks in the message to refer them to the correct download location to get the latest version.
Allow users to download from an internal app store
App stores are being used more commonly within organizations, providing users with a repository of known, trusted and compliant software packages. Software Download Tracking can be used to ensure that only applications and installations that were downloaded from an internal URL, such as an intranet, are able to install. Privilege Guard already supports installations from file shares, so the ability to also control this based on URL provides another level of control.
Software Download Tracking adds a new layer of flexibility, enabling applications to be securely elevated, blocked or monitored based on their download location.
Edit: Privilege Guard has now evolved into the brand new security suite, Defendpoint, which encompasses Privilege Management, Application Control and Sandboxing. For more information, please visit www.avecto.com/defendpoint.
Kris Zentek, Senior Product Manager
Kris Zentek is a Senior Product Manager at BeyondTrust, focusing on Endpoint Privilege Management solutions. Based in the UK, he has over 20 years of experience working in the cybersecurity industry.