Black List Video
One of the greatest impediments to successful desktop lockdown is the ability for organizations to be flexible in their software implementations and at the same time ensure that standard desktop configurations are maintained. In more and more organizations, users have become accustomed to having complete control of their systems. This level of control has allowed them to install unauthorized, and sometimes, malicious software. This both increases the organizations risk and cost associated with maintaining a secure desktop configuration. In many cases, this also has the unintended side effect of non-compliance with specific regulatory requirements, such as PCI-DSS, SOX, GLBA, & HIPAA.
Arellia's Application Control Solution provides software privilege and rights management so you can control how applications function in your environment. The solution allows you to manage sensitive resources and functions and control access to them. By demoting or escalating rights and privileges of applications, they can be run without administrative privileges or escalating older applications to the administrator in order for them to function.
Proactively Control you Applications
Arellia Application Control Solution software provides administrators with a policy-driven mechanism for identifying the software programs running on computers under management, and controlling the running of software programs at execution. Application Control can improve system integrity, security and manageability, which will ultimately lower the total cost of ownership and satisfy corporate and regulatory compliance.
Application Control Solution gathers highly accurate application installation information from the environment based on MD5 and SHA1 hashes. This method of application determination increases accuracy over methods that utilize only .EXE file naming and version information discovery.
Privilege and Rights Management
You can significantly tighten security and limit vulnerability exposure with Application Control Solution by defining the associated rights with which applications are launched and the privileges associated with the application. In a locked down environment, elevated rights can be assigned to specific older applications, allowing them to run successfully. In an open environment, rights can be reduced on applications including Internet-facing applications to reduce the chances that malicious code can be run in your environment.
Application Authorization
Application Control Solution effectively controls what applications are allowed to be run in the environment. Execution management provides protection from malicious applications such as peer-to-peer software, spyware, and key loggers.
Desktop lockdown and manageability means different things to different organizations. Depending upon who you talk to within an organization, you will hear practices like; applying patches in a timely manner, applying and enforcing group policies, installing endpoint security solutions, and user education. Each of these is correct to a certain extent, however, they leave out the most "un-obvious" Security Risk that almost every organization has, and a risk that that is rarely accounted for: The local Administrator account!
Every machine has a local Administrator account and group that is created at the time the system is built. In many cases, the account name and password is usually the same on every system, in fact, it is a common practice to assign the same local administrator name and password to every workstation in a Window's domain. This is especially true for environments that leverage any form of "image distribution" to provision their systems. The practice of assigning the same local administrator name and password to every workstation in a domain is arguably the largest security hole any company can have. If someone gains access to this common account's password they would have full administrator access to all other machines in the organization with that same account. (Remember - all of the systems very likely have the same Administrative password).
Industry best practices provide five general guidelines to improve security surrounding local accounts:
1- Remove the obvious
2- Implement strong passwords
3- Change passwords periodically
4- Regularly audit accounts
5- Appropriately entrust users and groups
Local Security Solution from Arellia is the only product built into a system management platform that provides an effective and centralized solution to achieve these best practices:
1 - Removal of obvious administrator accounts is accomplished
through centralized inventory and provisioning of authorized and
protected accounts.
2 - Strong passwords are automatically generated using strong
password guidelines, such as long password length, full use of
character types (uppercase, lowercase, numbers and non-alphanumeric
characters (!, ?, etc.)
3 - Passwords are periodically changed based on an admin defined
schedule and using collections can be handled differently for
clients and servers
4 - Auditing and remediation of non-authorized accounts is handled
through group enforcement - automatically and without manual
intervention
5 - Validation of accounts based on system type or predefined
collections is easy to accomplish with built-in compliance
reports
Cracking the local administrator common password can be done in seconds using rainbow tables and a boot device. If all workstations and in some cases, servers, use the same built-in administrator account and password, once a single machine has been compromised, an ordinary user will now have unfettered access to all systems.
Local Security Solution from Arellia provides centralized management that quickly and easily provisions and manages local administrative users and groups within the environment. Local Security Solution's automated policy enforcement of group membership and randomization of administrative passwords across systems secures the corporate network from malicious attacks. Local password management eradicates stale and duplicate passwords, maintains authorized local accounts, and randomizes passwords on each desktop to block anonymous data access and the ability to bypass access controls. Password randomization is important to having a secure environment after provisioning users and groups. All passwords on the client are encrypted using 128 bit encryption. This encryption is maintained throughout all client / server communications as well as during storage of the password in the database. The only time passwords are exposed in clear text is during the display of the password in the console using the "Show Managed Password" command. All "Show Managed Password" command requests are logged in the database for notification and reporting purposes.
